input-output-Lab/argus

# Argus MCP A threat intelligence [MCP](https://modelcontextprotocol.io) server that gives AI security agents real-time access to security news, CVE vulnerability data, and indicators of compromise (IOCs). Argus ingests from public threat feeds via automated crons and exposes the data through 10 structured MCP tools backed by a PostgreSQL + [pgvector](https://github.com/pgvector/pgvector) database with semantic search. ## What It Does | Tier | Source | Data | |---|---|---| | News | BleepingComputer, Krebs on Security, CISA | Security articles, breach reports, advisories | | CVEs | NIST NVD, CISA KEV, OSV.dev | Vulnerability records with severity and exploit status | | IOCs | AlienVault OTX | IPs, domains, file hashes, URLs — with campaign context | ## Prerequisites - **Node.js** 20+ - **PostgreSQL** 16+ with [pgvector](https://github.com/pgvector/pgvector) extension - **PM2** — `npm install -g pm2` - **Google Gemini API key** — [get one here](https://aistudio.google.com/) - **AlienVault OTX API key** — [free account](https://otx.alienvault.com) - **NIST NVD API key** — optional, but raises rate limits ([register here](https://nvd.nist.gov/developers/request-an-api-key)) - **GitHub classic PAT** with `repo` scope — for OSV dependency scanning of private repos ## Setup ### 1. Install dependencies npm install ### 2. Configure environment cp .env.example .env # Edit .env and fill in all required values See [docs/ARCHITECTURE.md §8](docs/ARCHITECTURE.md#8-environment-variables) for the full variable reference. ### 3. Configure your repositories (OSV scanning) cp config/repos.example.json config/repos.json # Edit config/repos.json with your repos and dependency manifest paths ### 4. Provision the database # Requires a PostgreSQL superuser connection string ARGUS_DB_ADMIN_URL="postgresql://postgres:password@localhost:5432/postgres" \ bash scripts/provision-db.sh ### 5. Build and start npm run build pm2 start ecosystem.config.js pm2 save # persist process list across reboots pm2 startup # follow the printed command to enable boot persistence ### 6. Verify curl -H "Authorization: Bearer " http://localhost:3006/health # → {"status":"ok","service":"argus-mcp","version":"1.0.0"} pm2 status # all 7 processes should show online or stopped (crons) ## MCP Tools All tools are available at `POST /mcp` via the [MCP StreamableHTTP](https://modelcontextprotocol.io) protocol. Every request requires a Bearer token. | Tool | Description | |---|---| | `query_threat_news` | Semantic search over ingested security articles | | `get_news_digest` | Summarized digest of recent security news | | `query_cves` | Semantic search over CVE records with severity/exploit filters | | `check_cve` | Direct lookup of a CVE by ID (e.g. `CVE-2024-29041`) | | `scan_dependencies` | Check a dependency manifest snippet for known CVEs | | `get_stack_exposure` | CVEs flagged as affecting your configured repos | | `lookup_ioc` | Look up an IP, domain, hash, or URL against the IOC database | | `get_active_campaigns` | IOC clusters grouped by threat actor / campaign | | `get_security_brief` | Daily brief combining all three tiers | | `get_threat_context` | Cross-tier semantic search around a single topic | Full parameter reference: [docs/ARCHITECTURE.md §4](docs/ARCHITECTURE.md#4-mcp-tool-reference) ## Cron Pipeline Six crons keep the database current. All are managed by PM2. | Cron | Schedule | Source | |---|---|---| | `cron-nvd-delta` | Daily 02:00 | NIST NVD API v2 — CVEs modified in last 24h | | `cron-kev-sync` | Daily 04:00 | CISA KEV catalog — marks exploited CVEs | | `cron-osv-scan` | Daily 05:00 | OSV.dev — tags CVEs affecting your repos | | `cron-news-rss` | Daily 06:00 | BleepingComputer, Krebs, CISA RSS feeds | | `cron-otx-pulses` | Every 6h | AlienVault OTX — IOCs from subscribed pulses | | `cron-ioc-cleanup` | Weekly Sun 03:00 | Deletes expired IOCs (90-day TTL) | ## Authentication All endpoints require a Bearer token: Authorization: Bearer Generate a token: `openssl rand -hex 32` Set it in `.env` as `ARGUS_MCP_AUTH_TOKEN`. When rotating, update your MCP client config and restart PM2. ## Architecture Full architecture, data model, embedding service details, and ADRs: [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) ## Security See [SECURITY.md](SECURITY.md) for the vulnerability disclosure policy. ## License [MIT](LICENSE) — Copyright (c) 2026 [Input Output Labs](https://github.com/input-output-labs)

标签：自动化攻击