
Attestd vs Sonatype Guide

Attestd and Sonatype Guide both expose dependency security checks as MCP tools compatible with Claude Code, Cursor, and other coding assistants. The key difference is what each tool returns and what kind of consumer it assumes.


Output type: deterministic fields vs advisory data

Sonatype Guide returns CVSS scores, license data, and version recommendations. This output is designed to be read by an LLM and summarized into a natural language answer. The fields are advisory: they describe a security situation and suggest an action. A program cannot reliably branch on “CVSS 7.4 with a recommendation to upgrade” because that requires interpretation to become an action.

Attestd returns risk_state: critical, actively_exploited: true, supply_chain.compromised: true. These are boolean and categorical fields with frozen v1 semantics, guaranteed stable for the lifetime of v1. A program can branch on them with an if statement. No interpretation step.

In an IDE session, this distinction applies to the LLM consumer, not an automated system. When a developer asks their coding assistant “is this package safe,” the assistant calls the tool and reads the response. If the response contains CVSS scores, the assistant has to weigh and summarize before it can answer. If the response is risk_state: critical, the assistant answers directly. Same data call, cleaner answer, consistent every time.

Sonatype Guide
{
  "componentDetails": [{
    "component": { "packageUrl": "pkg:npm/[email protected]" },
    "securityData": {
      "securityIssues": [{
        "cvssScore": 7.4,
        "severity": "HIGH",
        "description": "...",
        "reference": "CVE-2024-..."
      }]
    }
  }]
}

CVSS score and advisory prose. Requires interpretation before an action.

Attestd (machine-readable)
{
  "risk_state": "high",
  "actively_exploited": false,
  "patch_available": true,
  "fixed_version": "2.1.0",
  "supply_chain": {
    "compromised": false
  }
}

Categorical fields. Branch on risk_state directly.


Supply chain coverage

Attestd includes supply chain compromise detection in the same API call as CVE data. supply_chain.compromised: true means a malicious publish was detected on npm or PyPI. The field is returned by check_package_vulnerability alongside the CVE risk_state. One call, both signals.

Sonatype Guide's MCP tools do not return a compromised-package signal. That capability is in Sonatype Repository Firewall, a separate product. See Sonatype Guide MCP documentation for the tools included in the Guide MCP server.
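As an added example, not code from either vendor's documentation, the Python below turns the two response shapes shown on this page into a dependency-gate decision. It branches on the Attestd v1 fields directly, and it shows what the same gate has to assume when all it has is a CVSS score and a severity string. The two responses are constructed to mirror the JSON above; the package URL is a placeholder, and the CVSS cutoff and the lower risk_state values ("medium", "low", "none") are assumptions, not anything the page documents.

```python
"""Dependency gate over machine-readable vs advisory security responses.

Added example; not Attestd's or Sonatype's code. The sample responses are
constructed to match the two shapes on this page.
"""
from typing import Any

# Constructed response in the shape of the Attestd /v1/check example above.
ATTESTD_RESPONSE: dict[str, Any] = {
    "risk_state": "high",
    "actively_exploited": False,
    "patch_available": True,
    "fixed_version": "2.1.0",
    "supply_chain": {"compromised": False},
}

# Constructed response in the shape of the Sonatype Guide example above.
# The packageUrl is a placeholder, not a real package.
SONATYPE_RESPONSE: dict[str, Any] = {
    "componentDetails": [{
        "component": {"packageUrl": "pkg:npm/example@1.0.0"},
        "securityData": {"securityIssues": [{
            "cvssScore": 7.4,
            "severity": "HIGH",
            "description": "...",
            "reference": "CVE-2024-...",
        }]},
    }],
}

# Assumed: risk_state values below "high". The page only shows "critical"
# and "high"; anything not listed here is treated as unknown and blocked.
LOWER_RISK_STATES = ("medium", "low", "none")


def attestd_decision(resp: dict[str, Any]) -> tuple[str, str]:
    """Return (action, reason). Every branch tests a frozen v1 field.

    Order matters: a compromised publish or active exploitation blocks
    regardless of risk_state, and an unrecognised state fails closed.
    """
    if resp.get("supply_chain", {}).get("compromised") is True:
        return "block", "supply_chain.compromised"
    if resp.get("actively_exploited") is True:
        return "block", "actively_exploited"
    state = resp.get("risk_state")
    if state == "critical":
        return "block", "risk_state=critical"
    if state == "high":
        if resp.get("patch_available") and resp.get("fixed_version"):
            return "warn", f"risk_state=high; upgrade to {resp['fixed_version']}"
        return "warn", "risk_state=high; no fix available"
    if state in LOWER_RISK_STATES:
        return "allow", f"risk_state={state}"
    return "block", f"unknown risk_state {state!r}"   # fail closed


# Assumed local policy: Guide returns a score, so the caller must pick the
# cutoff that turns "7.4 HIGH" into an action.
CVSS_BLOCK_THRESHOLD = 7.0


def sonatype_decision(resp: dict[str, Any],
                      threshold: float = CVSS_BLOCK_THRESHOLD) -> tuple[str, str]:
    """Return (action, reason) from the worst CVSS score in the response.

    Nothing in this shape says whether the issue is exploited in the wild
    or whether the package itself was a malicious publish, so those signals
    cannot be branched on here; only the numeric cutoff is available.
    """
    worst = 0.0
    for comp in resp.get("componentDetails", []):
        for issue in comp.get("securityData", {}).get("securityIssues", []):
            worst = max(worst, float(issue.get("cvssScore", 0.0)))
    if worst >= threshold:
        return "block", f"cvss {worst} >= {threshold}"
    return "allow", f"cvss {worst} < {threshold}"


if __name__ == "__main__":
    print("attestd :", attestd_decision(ATTESTD_RESPONSE))
    compromised = {**ATTESTD_RESPONSE, "supply_chain": {"compromised": True}}
    print("attestd :", attestd_decision(compromised))
    print("sonatype:", sonatype_decision(SONATYPE_RESPONSE))
    print("sonatype:", sonatype_decision(SONATYPE_RESPONSE, threshold=9.0))
```

Note that the Sonatype path gives a different answer for the same response depending on the threshold the caller chose, which is the interpretation step the page describes; the Attestd path has no such knob, and a supply-chain compromise is caught by the same call that carried the CVE state.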


What you get from each

| Feature | Sonatype Guide | Attestd |
|---|---|---|
| Output type | Advisory (CVSS, recommendations) | Deterministic fields (risk_state, actively_exploited, supply_chain.compromised) |
| Autonomous system compatible | No | Yes |
| Supply chain compromise in MCP response | No (Repository Firewall is separate) | Yes (same /v1/check call) |
| Pricing (paid tier) | $100/month billed annually ($1,200/year) | $19.99/month flat |
| Billing model | Credit-metered | Flat rate, no credit consumption |
| Free tier | Yes (500 credits/month) | Yes (5,000 calls/month) |
| Schema stability guarantee | Varies by API version | Frozen v1 semantics |

Pricing

Attestd Solo is $19.99 per month for 250,000 calls with no credit metering. Sonatype Guide Pro is $100 per month billed annually ($1,200/year) and is credit-metered: each check consumes credits, so a heavy IDE session costs more than a light one. The marginal cost of an Attestd call in an IDE session is the same as in an autonomous pipeline; there is no usage tax on interactive use. Sonatype pricing is taken from guide.sonatype.com/pricing.


When Sonatype Guide is the right choice

Sonatype Guide is designed for developers who want CVSS context, license data, and upgrade recommendations alongside their security check. If your workflow benefits from that advisory layer, Guide fits that use case.

When attestd is the right choice


Try it in 30 seconds

Get a free API key at the developer portal, then connect Attestd to your coding assistant via the setup docs.

bash
curl "https://api.attestd.io/v1/check?product=nginx&version=1.20.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"