
Git-Fabric CVE

Provides tools for autonomous CVE detection, enrichment, and remediation across managed repositories using GHSA and NVD data. It enables automated triage and pull request creation for dependency fixes based on configurable severity policies.

Updated
Feb 21, 2026

@git-fabric/cve

CVE detection-to-remediation fabric app. Scan, enrich, triage, and fix vulnerabilities across managed repos — autonomously.

Part of the git-fabric ecosystem.

Architecture

Five composable layers, each independently consumable:

Detection  →  Intelligence  →  Decision  →  Action  →  State
   │               │              │            │          │
   │  Scan deps    │  NVD enrich  │  Policy    │  Branch  │  JSONL queue
   │  query GHSA   │  CVSS/CWE    │  triage    │  commit  │  dedup
   │               │              │  plans     │  PR      │  stats
   └───────────────┴──────────────┴────────────┴──────────┴──────────
| Layer | What it does | Side effects? |
|---|---|---|
| Detection | Reads dependency manifests, queries GitHub Advisory Database | No (produces findings) |
| Intelligence | Enriches CVEs from NVD with CVSS scores, status, CWE | No (pure data transform) |
| Decision | Applies severity policy, produces triage plans | No (pure logic) |
| Action | Creates branches, commits dependency bumps, opens PRs | Yes (writes to GitHub) |
| State | Manages the CVE queue (JSONL), dedup, filtering, stats | Yes (writes to state repo) |

Quick Start

As an MCP Server

# Set environment
export GITHUB_TOKEN="ghp_..."
export STATE_REPO="ry-ops/git-steer-state"
export MANAGED_REPOS="ry-ops/git-steer,ry-ops/blog"

# Start MCP server (stdio)
npx @git-fabric/cve start

Claude Desktop Config

{
  "mcpServers": {
    "git-fabric-cve": {
      "command": "npx",
      "args": ["@git-fabric/cve", "start"],
      "env": {
        "GITHUB_TOKEN": "ghp_...",
        "STATE_REPO": "ry-ops/git-steer-state",
        "MANAGED_REPOS": "ry-ops/git-steer,ry-ops/blog"
      }
    }
  }
}

CLI

# Scan repos for vulnerable deps
fabric-cve scan --severity-threshold HIGH

# Enrich a single CVE from NVD
fabric-cve enrich CVE-2024-45519

# Triage pending queue entries (dry run)
fabric-cve triage --dry-run true

# Queue operations
fabric-cve queue list --status pending
fabric-cve queue stats

MCP Tools

| Tool | Description |
|---|---|
| cve_scan | Scan managed repos for vulnerable dependencies via GHSA |
| cve_enrich | Fetch enriched details for a CVE from NVD |
| cve_batch | Batch enrich and rank multiple CVEs by severity |
| cve_triage | Process pending queue entries and open PRs per policy |
| cve_queue_list | List queue entries filtered by status/severity |
| cve_queue_stats | Queue health dashboard |
| cve_queue_update | Manually update entry status (e.g. skip with reason) |

Severity Policy

The decision layer applies a configurable policy:

| Severity | Default Action | PR Type |
|---|---|---|
| CRITICAL | Auto-PR | Confirmed |
| HIGH | Auto-PR | Draft |
| MEDIUM | Skip | Manual review |
| LOW | Skip | Noise reduction |

Override via CLI flags or MCP tool arguments:

fabric-cve triage \
  --auto-pr-threshold CRITICAL \
  --max-prs-per-run 3 \
  --require-patched-version true
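The policy table and the three triage flags above describe a pure decision step with no side effects. The following is an added illustration of that step, not the package's own decision layer: a small policy engine that ranks findings, applies the threshold, the patched-version requirement and the per-run PR budget, and emits plans the action layer could consume. The type names, field names, the `PR`/`DRAFT_PR`/`SKIP` plan actions and the default PR budget of 5 are assumptions; the sample findings are constructed.

```typescript
// Added example (not @git-fabric/cve code): a pure severity-policy engine
// modelled on the decision layer and the triage CLI flags. Types, field
// names and the default maxPrsPerRun are assumptions for illustration.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";

interface Finding {
  repo: string;
  pkg: string;
  vulnerableVersion: string;
  patchedVersion?: string; // absent when the advisory has no released fix yet
  advisory: string;        // GHSA or CVE id
  severity: Severity;
}

interface Policy {
  autoPrThreshold: Severity;      // --auto-pr-threshold: this severity and above get a PR
  maxPrsPerRun: number;           // --max-prs-per-run
  requirePatchedVersion: boolean; // --require-patched-version
}

type PlanAction = "PR" | "DRAFT_PR" | "SKIP";

interface TriagePlan {
  finding: Finding;
  action: PlanAction;
  reason: string;
}

const RANK: Record<Severity, number> = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1 };

// Defaults mirror the policy table: CRITICAL -> confirmed PR, HIGH -> draft PR,
// MEDIUM/LOW -> skip. The PR budget of 5 is an assumed default.
const DEFAULT_POLICY: Policy = { autoPrThreshold: "HIGH", maxPrsPerRun: 5, requirePatchedVersion: true };

function triage(findings: Finding[], policy: Policy = DEFAULT_POLICY): TriagePlan[] {
  // Spend the PR budget on the worst findings first (sort is stable, so ties keep input order).
  const ordered = findings.slice().sort((a, b) => RANK[b.severity] - RANK[a.severity]);
  let budget = policy.maxPrsPerRun;
  return ordered.map((f): TriagePlan => {
    if (RANK[f.severity] < RANK[policy.autoPrThreshold]) {
      return { finding: f, action: "SKIP", reason: `below ${policy.autoPrThreshold} threshold` };
    }
    if (policy.requirePatchedVersion && !f.patchedVersion) {
      // Opening a PR without a fixed version would only produce a broken bump.
      return { finding: f, action: "SKIP", reason: "no patched version published" };
    }
    if (budget <= 0) {
      return { finding: f, action: "SKIP", reason: "max PRs per run reached" };
    }
    budget -= 1;
    const action: PlanAction = f.severity === "CRITICAL" ? "PR" : "DRAFT_PR";
    const target = f.patchedVersion || "(no fix yet)";
    return { finding: f, action, reason: `bump ${f.pkg} ${f.vulnerableVersion} -> ${target}` };
  });
}

function countByAction(plans: TriagePlan[]): Record<PlanAction, number> {
  const counts: Record<PlanAction, number> = { PR: 0, DRAFT_PR: 0, SKIP: 0 };
  for (const p of plans) counts[p.action] += 1;
  return counts;
}

// Constructed sample findings; package names and advisory ids are placeholders.
const SAMPLE_FINDINGS: Finding[] = [
  { repo: "ry-ops/blog", pkg: "example-pkg-a", vulnerableVersion: "1.2.0", patchedVersion: "1.2.3", advisory: "GHSA-xxxx-xxxx-0001", severity: "CRITICAL" },
  { repo: "ry-ops/git-steer", pkg: "example-pkg-b", vulnerableVersion: "4.0.1", patchedVersion: "4.1.0", advisory: "GHSA-xxxx-xxxx-0002", severity: "HIGH" },
  { repo: "ry-ops/blog", pkg: "example-pkg-c", vulnerableVersion: "0.9.0", advisory: "GHSA-xxxx-xxxx-0003", severity: "CRITICAL" },
  { repo: "ry-ops/blog", pkg: "example-pkg-d", vulnerableVersion: "2.0.0", patchedVersion: "2.0.1", advisory: "GHSA-xxxx-xxxx-0004", severity: "MEDIUM" },
  { repo: "ry-ops/git-steer", pkg: "example-pkg-e", vulnerableVersion: "3.3.0", patchedVersion: "3.3.1", advisory: "GHSA-xxxx-xxxx-0005", severity: "CRITICAL" },
];

// Usage: the policy from the CLI invocation above.
const cliPlans = triage(SAMPLE_FINDINGS, { autoPrThreshold: "CRITICAL", maxPrsPerRun: 3, requirePatchedVersion: true });
console.log(countByAction(cliPlans));
```

Because the step is pure, the same inputs always yield the same plans, which is what makes a `--dry-run` meaningful: the plans can be printed and reviewed before the action layer writes anything to GitHub.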

GitHub Actions

Two workflows for autonomous operation:

  • cve-scan.yml — Weekly Monday scan, queries GHSA for all managed repos, queues findings
  • cve-triage.yml — Dispatch-only, reads queue, applies policy, opens PRs

The scan explicitly dispatches triage after completing — no push-trigger race condition.

Required Secrets & Variables

| Name | Type | Description |
|---|---|---|
| GIT_FABRIC_TOKEN | Secret | GitHub token with repo + workflow access |
| NVD_API_KEY | Secret | NVD API key (optional, raises rate limit 5→50 req/30s) |
| STATE_REPO | Variable | State repo path (e.g. ry-ops/git-steer-state) |
| MANAGED_REPOS | Variable | Comma-separated repos to manage |

Consuming from git-steer

git-steer can delegate to the fabric by implementing the GitHubAdapter and StateAdapter interfaces:

import { layers } from "@git-fabric/cve";

// Detection
const result = await layers.detection.detect(repos, "HIGH", githubAdapter);

// Queue
await layers.state.enqueue(result.findings, stateAdapter);

// Triage
const pending = await layers.state.pending(stateAdapter);
const plans = layers.decision.triage(pending, policy);
const results = await layers.action.execute(plans, githubAdapter);
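The `layers.state.enqueue` / `layers.state.pending` calls above, and the `cve_queue_list`, `cve_queue_stats` and `cve_queue_update` tools, all operate on the JSONL queue the State layer keeps in the state repo. The following is an added in-memory model of that queue, not the package's own state layer: it parses an append-only JSONL log (skipping a corrupt line and letting the latest record for an id win), dedups new findings against entries already tracked, filters by status or severity, computes stats, and records a manual skip with a reason. The entry shape, the status values and the dedup key `repo:pkg:advisory` are assumptions; the sample log is constructed.

```typescript
// Added example (not @git-fabric/cve code): an in-memory model of the JSONL
// CVE queue behind the State layer and the cve_queue_* tools. Entry shape,
// status values and the dedup key are assumptions for illustration.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";
type Status = "pending" | "pr_opened" | "skipped" | "fixed";

interface QueueEntry {
  id: string;        // dedup key, assumed to be `${repo}:${pkg}:${advisory}`
  repo: string;
  pkg: string;
  advisory: string;  // GHSA or CVE id
  severity: Severity;
  status: Status;
  reason?: string;   // set when an operator skips an entry manually
  queuedAt: string;  // ISO-8601 timestamp
}

type NewFinding = Omit<QueueEntry, "id" | "status" | "queuedAt" | "reason">;

// Constructed sample log. Line 4 is deliberately corrupt, and line 5 re-states
// entry A with a newer status, as an append-only log would.
const QUEUE_JSONL = [
  '{"id":"ry-ops/blog:example-pkg-a:GHSA-xxxx-xxxx-0001","repo":"ry-ops/blog","pkg":"example-pkg-a","advisory":"GHSA-xxxx-xxxx-0001","severity":"CRITICAL","status":"pending","queuedAt":"2026-02-16T09:00:00Z"}',
  '{"id":"ry-ops/git-steer:example-pkg-b:GHSA-xxxx-xxxx-0002","repo":"ry-ops/git-steer","pkg":"example-pkg-b","advisory":"GHSA-xxxx-xxxx-0002","severity":"HIGH","status":"pending","queuedAt":"2026-02-16T09:00:00Z"}',
  '{"id":"ry-ops/blog:example-pkg-c:GHSA-xxxx-xxxx-0003","repo":"ry-ops/blog","pkg":"example-pkg-c","advisory":"GHSA-xxxx-xxxx-0003","severity":"MEDIUM","status":"skipped","reason":"below threshold","queuedAt":"2026-02-16T09:00:00Z"}',
  'this line is not JSON',
  '{"id":"ry-ops/blog:example-pkg-a:GHSA-xxxx-xxxx-0001","repo":"ry-ops/blog","pkg":"example-pkg-a","advisory":"GHSA-xxxx-xxxx-0001","severity":"CRITICAL","status":"pr_opened","queuedAt":"2026-02-16T09:00:00Z"}',
].join("\n");

function parseQueue(jsonl: string): QueueEntry[] {
  const byId = new Map<string, QueueEntry>();
  for (const raw of jsonl.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    let entry: QueueEntry;
    try {
      entry = JSON.parse(line) as QueueEntry;
    } catch {
      continue; // skip a corrupt line instead of losing the whole queue
    }
    if (typeof entry.id !== "string") continue;
    byId.set(entry.id, entry); // the last record written for an id is its current state
  }
  return Array.from(byId.values());
}

function enqueue(queue: QueueEntry[], incoming: NewFinding[], now: string): QueueEntry[] {
  const known = new Set(queue.map((e) => e.id));
  const added: QueueEntry[] = [];
  for (const f of incoming) {
    const id = `${f.repo}:${f.pkg}:${f.advisory}`;
    if (known.has(id)) continue; // already tracked: never re-open a triaged entry
    known.add(id);
    added.push({ ...f, id, status: "pending", queuedAt: now });
  }
  return queue.concat(added);
}

function filterQueue(queue: QueueEntry[], by: { status?: Status; severity?: Severity }): QueueEntry[] {
  return queue.filter(
    (e) => (by.status === undefined || e.status === by.status) &&
           (by.severity === undefined || e.severity === by.severity),
  );
}

interface QueueStats { total: number; byStatus: Record<string, number>; bySeverity: Record<string, number>; }

function queueStats(queue: QueueEntry[]): QueueStats {
  const stats: QueueStats = { total: queue.length, byStatus: {}, bySeverity: {} };
  for (const e of queue) {
    stats.byStatus[e.status] = (stats.byStatus[e.status] || 0) + 1;
    stats.bySeverity[e.severity] = (stats.bySeverity[e.severity] || 0) + 1;
  }
  return stats;
}

// Manual status change, as cve_queue_update would do (e.g. skip with a reason).
function updateStatus(queue: QueueEntry[], id: string, status: Status, reason?: string): QueueEntry[] {
  return queue.map((e) => (e.id === id ? { ...e, status, reason } : e));
}

function serializeQueue(queue: QueueEntry[]): string {
  return queue.map((e) => JSON.stringify(e)).join("\n") + "\n";
}

// Usage
const queue = parseQueue(QUEUE_JSONL);
console.log(queueStats(queue));
```

Keeping the skip reason on the entry is what makes the queue auditable: a later scan that finds the same advisory again hits the dedup check and cannot silently reopen something an operator consciously accepted.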

Project Structure

src/
├── types.ts              # Shared types + adapter interfaces
├── index.ts              # Barrel export
├── layers/
│   ├── detection.ts      # GHSA scanning + manifest parsing
│   ├── intelligence.ts   # NVD enrichment
│   ├── decision.ts       # Severity policy engine
│   ├── action.ts         # Branch + commit + PR creation
│   └── state.ts          # JSONL queue management
├── mcp/
│   └── server.ts         # MCP server (7 tools)
└── adapters/
    └── env.ts            # Env var → Octokit adapter

License

MIT
