explaingit

gl-tches/altais-mcp

1 TypeScript Audience · developer Complexity · 3/5 Active License Setup · moderate

TLDR

Read-only MCP server with 132 security tools across 24 modules that lets AI coding agents scan code, model threats, audit dependencies, and check compliance, all offline with bundled CWE, OWASP, and OSV data.

Mindmap

mindmap
  root((altais-mcp))
    Inputs
      Source code paths
      Configuration files
      TOML module switches
    Outputs
      Vulnerability reports
      Threat models
      Compliance mappings
    Use Cases
      Claude Code security scan
      Supply chain audit
      Secrets detection
      Cryptography review
    Tech Stack
      TypeScript
      Node.js
      MCP
      CWE
      OWASP
      OSV

Things people build with this

USE CASE 1

Plug into Claude Code over stdio so the agent can run OWASP and CWE checks on a repo before commit.

USE CASE 2

Run as a localhost HTTP service with a bearer token for a multi-agent setup that shares one scanner.

USE CASE 3

Switch on the cryptography, container, and IaC modules for a deeper offline review of a deploy pipeline.

USE CASE 4

Use the bundled supply chain audit tools in an air-gapped environment with no outbound network calls.

Tech stack

TypeScript · Node.js · MCP

Getting it running

Difficulty · moderate Time to first run · 30min

Needs Node.js 20 or newer plus a clone, npm install, and npm run build before the MCP client can connect.

MIT license, free to use, modify, and redistribute as long as the original copyright notice stays.

In plain English

altais-mcp is an open-source server that helps AI coding agents check code for security problems. It follows a standard called the Model Context Protocol, which is the way tools like Claude Code talk to outside helpers. The server offers 132 different tools grouped into 24 modules. An AI agent can call those tools to scan code for vulnerabilities, model threats, audit dependencies, check compliance, or get advice on fixes.

A key design choice is that every tool is read-only. The server looks at code, configuration, and architecture, but it never changes, runs, or transmits the code it inspects. It also makes no network calls while running, because all the reference data, such as the CWE, OWASP, and OSV lists, is bundled inside the package itself.

The project is written in TypeScript and needs Node.js version 20 or higher. You install it by cloning the repo, running npm install, then npm run build. After that, you point your MCP client at the built file. There are two ways to connect: stdio for local use with something like Claude Code, and a streamable HTTP transport for remote or multi-agent setups. The HTTP mode binds only to localhost and requires a bearer token on every request.

The 24 modules cover a wide spread of security topics. Some are on by default, including general scanning, threat modeling, OWASP coverage, secrets detection, HTTP header checks, supply chain audits, and authentication review. Others are opt-in and cover cryptography, containers, infrastructure as code, APIs, compliance mapping, machine learning security, agent security, runtime advice, and more. The configuration is a single TOML file where you switch modules on or off.

The project is MIT licensed, and the name comes from Altais, a star in the constellation Draco.

Copy-paste prompts

Prompt 1
Clone altais-mcp, run npm install and npm run build, then point my Claude Code config at the stdio server.
Prompt 2
Configure altais-mcp via TOML to switch on the cryptography, container, IaC, and ML security modules only.
Prompt 3
Start altais-mcp in streamable HTTP mode bound to localhost with a bearer token and call it from a second agent process.
Prompt 4
Have Claude Code use altais-mcp to scan this Node project for secrets, missing HTTP security headers, and risky auth patterns.
Prompt 5
Write a script that diffs altais-mcp scan output across two git branches to see which security findings are new.

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.