Selvo MCP Server

selvo

Know what's actually dangerous on your Linux servers.

selvo scans your installed packages, checks every CVE against 8 data sources, filters out what your distro already patched, and ranks the rest by blast radius and exploit probability. Not just a list — a prioritized action plan.

Primary interfaces are the CLI and the MCP server (for Claude Desktop, Cursor, and other agent clients). A daily public sample report runs at copelabs.dev/selvo-report/.

Note — hosted SaaS is archived. selvo previously shipped a hosted REST API. That surface has been retired and is preserved under archive/saas/ for revival if there's demand. selvo today is a local-use tool: pip install selvo and run the CLI or wire up the MCP server.

---

Quick Start

pip install selvo

Scan your own machine:

selvo analyze --context local --ecosystem all --limit 50

Or wire the MCP server into Claude Desktop / Cursor:

{
  "mcpServers": {
    "selvo": { "command": "selvo-mcp" }
  }
}

Then ask your agent "triage this box" or use the built-in /selvo:triage, /selvo:kev_check, /selvo:patch_safe slash commands.

---

What Makes It Different

Distro-aware CVE filtering. If Debian backported a fix into zlib 1.2.11, we don't flag it. We cross-reference the Debian Security Tracker to remove CVEs your distro already patched. Other scanners miss this and massively over-report.

Blast radius scoring. A CVE in a library that 200 packages depend on ranks higher than one in a leaf package. We build real dependency graphs from Debian Packages.gz, Alpine APKINDEX, and Arch repo DBs.

Exploit intelligence. CISA KEV status, public exploit availability, EPSS exploitation probability — not just CVSS severity.

Agent-native contract. The MCP server exposes 16 tools with formal output schemas, structured errors with error_code for deterministic branching, cache-first idempotency on the expensive analyze_packages call, tool annotations (readOnlyHint, idempotentHint) so MCP clients auto-approve safely, and streaming progress on first-run pipelines.

---

MCP Server (Agent Integration)

16 tools for Claude Desktop, Cursor, and any MCP-compatible client. Entry points:

Every response carries staleness metadata (snapshot_age_hours, stale) and every error carries error_code + remediation.tool so agents can branch deterministically.

Prompts (slash commands)

• /selvo:triage — top 5 risks on this machine with patch guidance
• /selvo:kev_check — actively exploited CVEs (CISA KEV / weaponized)
• /selvo:patch_safe — what's safe to deploy today

Telemetry (opt-in, off by default)

The MCP server can emit anonymous per-tool-call events to help tune which tools agents actually use. Off by default — enable with:

export SELVO_TELEMETRY=1

Payload is minimum-data: install_id (random UUID at ~/.cache/selvo/install_id — delete to reset), tool_name, success, error_code, duration_ms, selvo_version, python_version, os_family, transport. No package names, no CVE IDs, no hostnames, no paths.

There is no default ingest URL — the hosted service that used to receive these events was retired. Point the client at your own ingest via SELVO_TELEMETRY_ENDPOINT=…; without it, enabling the flag is a no-op.

---

CLI

The full analysis pipeline runs locally without a hosted service:

selvo analyze --ecosystem debian --limit 50
selvo scan requirements.txt --output sarif --file results.sarif
selvo policy check                       # policy-as-code gate
selvo fix --dry-run --top 5              # preview upstream PR fixes
selvo fleet scan hosts.txt               # SSH multi-machine
sudo selvo runtime                       # loaded .so files in live processes
selvo compliance --framework fedramp
selvo sla
selvo trend
selvo diff

All commands operate on a local SQLite cache under ~/.cache/selvo/.

---

GitHub Action

Cope-Labs/selvo-action runs the selvo CLI on GitHub runners against the runner's own installed packages, posts results as a PR comment, and fails CI on CISA KEV / weaponized exploits. See the action's own README for current usage.

---

Scoring (0–100)

Packages with no security signal are capped at 20. Runtime-loaded packages with CVEs get a 1.5× multiplier.

Post-April-2026 NVD caveat: NIST stopped enriching the long tail of CVEs with CVSS scores (NIST NVD policy change). When a CVE lacks CVSS, selvo redistributes the 10% CVSS weight to EPSS (+7%) and exploit maturity (+3%) — the remaining severity signals that are available. Scores stay comparable across CVSS-scored and CVSS-unscored CVEs instead of silently compressing by 10 points.

---

Policy-as-Code

Define security gates in YAML and evaluate with selvo policy check:

version: 1
block:
  on_kev: true
  on_weaponized: true
  min_cvss: 9.0
  min_score: 80
warn:
  on_poc: true
  min_cvss: 7.0
sla:
  critical: 7
  high: 30
  medium: 90
  low: 365
allow:
  cves:
    - id: CVE-2023-12345
      reason: "Not reachable in our deployment"
      expires: 2025-12-31

The CLI auto-discovers selvo.policy.yml in the working directory.

---

Data Sources

---

Supported Ecosystems

Native OSV coverage (11): Debian, Ubuntu, Fedora, Alpine, Rocky Linux, AlmaLinux, SUSE, openSUSE, Wolfi, Chainguard, Mageia.

Via Debian namespace (5): Arch, NixOS, Homebrew, Chocolatey, Winget.

Plus: CycloneDX/SPDX SBOM, Grype/Trivy JSON, and 11 lockfile formats (requirements.txt, package-lock.json, Cargo.lock, go.sum, Gemfile.lock, composer.json, pom.xml, and more).

---

License

Elastic License 2.0 (ELv2) — free to use, modify, and self-host. You may not offer selvo as a managed service to third parties. For managed-service licensing, contact licensing@cope-labs.dev.

---

Built by Cope Labs LLC.