Attestd for Developers
Attestd connects to Claude Code, Cursor, and Windsurf via the Model Context Protocol. Once configured, your coding assistant can check any dependency for CVE risk and supply chain compromise before you install it. Setup takes under five minutes.
The same deterministic signal your autonomous systems will rely on is available in your IDE today. When your workflow reaches a point where no human is in the loop, Attestd is already integrated. No migration cost.
Per-client setup guides
Recommended system prompt
Add this to your project system prompt or global assistant settings. Without it, your coding assistant may have the Attestd tool available but not call it unprompted when you ask about a dependency. The key lines are the outsideCoverage instruction. An assistant that has never seen this prompt may treat no data as a safe signal, which is incorrect.
You are a security-aware deployment assistant with access to the Attestd MCP server.
Before approving any software dependency, infrastructure component, or package version:
1. Call check_package_vulnerability with the product slug and exact version.
2. Block deployment if riskState is "critical" or "high".
3. Block immediately if activelyExploited is true, regardless of riskState.
4. Block immediately if supplyChainCompromised is true.
5. If outsideCoverage is true, state explicitly that the risk is UNKNOWN. Do not treat it as safe.
6. If patchAvailable is true, include fixedVersion in your recommendation.
Use list_covered_products if you are unsure whether a product slug is supported.A typical interaction
When you ask about a package, your coding assistant calls check_package_vulnerability with the package name and exact version. Attestd returns a structured response. The assistant reads risk_state, actively_exploited, and supply_chain.compromised and states the answer directly.
You: Is litellm 1.82.7 safe to install?
Assistant: Checking Attestd...
check_package_vulnerability("litellm", "1.82.7")
→ supplyChainCompromised: true
Do not install litellm 1.82.7. Attestd has detected a confirmed supply chain
compromise on this version. No safe version is currently flagged as patched.
Remove it from your dependencies entirely.Tiers
Free tier: 5,000 calls per month, no time limit. Solo: $19.99 per month for 250,000 calls. No credit metering. Sonatype Guide Pro is $1,200/year with credit-based usage.
- → Attestd for Developers overview : marketing overview and per-client pitch
- → MCP server : full MCP reference, both transports, all return fields
- → Attestd vs Sonatype Guide
- → Quickstart : API quickstart without an MCP client