Attestd vs Sonatype Guide
Attestd and Sonatype Guide both expose dependency security checks as MCP tools compatible with Claude Code, Cursor, and other coding assistants. The key difference is what each tool returns and what kind of consumer it assumes.
Output type: deterministic fields vs advisory data
Sonatype Guide returns CVSS scores, license data, and version recommendations. This output is designed to be read by an LLM and summarized into a natural language answer. The fields are advisory: they describe a security situation and suggest an action. A program cannot reliably branch on “CVSS 7.4 with a recommendation to upgrade” because that requires interpretation to become an action.
Attestd returns risk_state: critical, actively_exploited: true, supply_chain.compromised: true. These are boolean and categorical fields with frozen v1 semantics, guaranteed stable for the lifetime of v1. A program can branch on them with an if statement. No interpretation step.
In an IDE session, this distinction applies to the LLM consumer, not an automated system. When a developer asks their coding assistant “is this package safe,” the assistant calls the tool and reads the response. If the response contains CVSS scores, the assistant has to weigh and summarize before it can answer. If the response is risk_state: critical, the assistant answers directly. Same data call, cleaner answer, consistent every time.
```json
{
  "componentDetails": [{
    "component": { "packageUrl": "pkg:npm/[email protected]" },
    "securityData": {
      "securityIssues": [{
        "cvssScore": 7.4,
        "severity": "HIGH",
        "description": "...",
        "reference": "CVE-2024-..."
      }]
    }
  }]
}
```

CVSS score and advisory prose. Requires interpretation before an action.
```json
{
  "risk_state": "high",
  "actively_exploited": false,
  "patch_available": true,
  "fixed_version": "2.1.0",
  "supply_chain": {
    "compromised": false
  }
}
```

Categorical fields. Branch on risk_state directly.
Supply chain coverage
Attestd includes supply chain compromise detection in the same API call as CVE data. supply_chain.compromised: true means a malicious publish was detected on npm or PyPI. The field is returned by check_package_vulnerability alongside the CVE risk_state. One call, both signals.
Sonatype Guide's MCP tools do not return a compromised-package signal. That capability is in Sonatype Repository Firewall, a separate product. See Sonatype Guide MCP documentation for the tools included in the Guide MCP server.
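As an added example that is not part of either product's code or documentation, the two response shapes above run through the same policy gate in Python: the Attestd branch reads only the categorical fields listed on this page (risk_state, actively_exploited, patch_available, fixed_version, supply_chain.compromised), while the Sonatype Guide branch has to be handed CVSS cutoffs before it can produce an action. The sample responses, the package URL and the cutoff values are constructed for illustration.

```python
import json

# Constructed samples modelled on the two response shapes shown above (not live API output).
ATTESTD_SAMPLE = json.loads("""
{
  "risk_state": "high",
  "actively_exploited": false,
  "patch_available": true,
  "fixed_version": "2.1.0",
  "supply_chain": {"compromised": false}
}
""")

SONATYPE_SAMPLE = json.loads("""
{
  "componentDetails": [{
    "component": {"packageUrl": "pkg:npm/example@1.0.0"},
    "securityData": {"securityIssues": [{"cvssScore": 7.4, "severity": "HIGH",
      "description": "...", "reference": "CVE-2024-..."}]}
  }]
}
""")

def decide_attestd(resp: dict) -> str:
    """Policy gate over Attestd's categorical fields: every branch tests a
    boolean or an enum value, so the consumer invents no threshold."""
    if resp["supply_chain"]["compromised"]:
        return "block"  # malicious publish detected, independent of any CVE
    if resp["actively_exploited"] or resp["risk_state"] == "critical":
        return "block"
    if resp["risk_state"] == "high":
        # fixed_version lets an assistant name the upgrade target directly
        return f"upgrade:{resp['fixed_version']}" if resp["patch_available"] else "warn"
    return "allow"

def decide_sonatype(resp: dict, block_at: float = 9.0, warn_at: float = 7.0) -> str:
    """The same gate over advisory output: block_at/warn_at are cutoffs the
    caller must choose (assumed values, not part of either product), and the
    response shape carries no compromised-package field to test."""
    issues = resp["componentDetails"][0]["securityData"]["securityIssues"]
    worst = max((i["cvssScore"] for i in issues), default=0.0)
    if worst >= block_at:
        return "block"
    if worst >= warn_at:
        return "warn"  # severity is known; no fixed version appears in this sample shape
    return "allow"
```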
What you get from each
| Feature | Sonatype Guide | Attestd |
|---|---|---|
| Output type | Advisory (CVSS, recommendations) | Deterministic fields (risk_state, actively_exploited, supply_chain.compromised) |
| Autonomous system compatible | No | Yes |
| Supply chain compromise in MCP response | No (Repository Firewall is separate) | Yes (same /v1/check call) |
| Pricing (paid tier) | $100/month, billed annually ($1,200/year) | $19.99/month flat |
| Billing model | Credit-metered | Flat rate, no credit consumption |
| Free tier | Yes (500 credits / month) | Yes (5,000 calls / month) |
| Schema stability guarantee | Varies by API version | Frozen v1 semantics |
Pricing
Attestd Solo is $19.99 per month for 250,000 calls with no credit metering. Sonatype Guide Pro is $100/month, billed annually ($1,200/year), and credit-metered: each check consumes credits, so a high-usage IDE session costs more the more you use the tool. The marginal cost of an Attestd call in an IDE session is the same as in an autonomous pipeline; there is no usage tax on interactive use. Sonatype pricing per guide.sonatype.com/pricing.
When Sonatype Guide is the right choice
Sonatype Guide is designed for developers who want CVSS context, license data, and upgrade recommendations alongside their security check. If your workflow benefits from that advisory layer, Guide fits that use case.
When Attestd is the right choice
- You want a risk state your coding assistant can state directly, without a CVSS interpretation step
- Your budget is $19.99 per month rather than $1,200 per year
- You need supply chain compromise detection in the same API call as CVE data
- You are building toward autonomous pipelines and want the same tool to work in both cases with no migration
Try it in 30 seconds
Get a free API key at the developer portal, then connect Attestd to your coding assistant via the setup docs.
```bash
curl "https://api.attestd.io/v1/check?product=nginx&version=1.20.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```