# contrastapi

> Security intelligence API and MCP server for AI agents. 25 tools, 35+ endpoints: CVE/EPSS/KEV, domain recon, SSL, IP reputation, threat intel, email security, code scanning. Free, no signup.

- **URL**: https://www.freshcrate.ai/projects/contrastapi
- **Author**: UPinar
- **Category**: MCP Servers
- **Latest version**: `v1.33.22` (2026-06-01)
- **License**: MIT
- **Source**: https://github.com/UPinar/contrastapi
- **Homepage**: https://api.contrastcyber.com
- **Language**: Python
- **GitHub**: 20 stars, 2 forks
- **Registry**: github
- **Tags**: `ai-agents`, `api`, `cve`, `cybersecurity`, `domain-reconnaissance`, `fastapi`, `mcp`, `mcp-server`, `python`

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `v1.33.22` | 2026-06-01 | High | ## Fix: lean MCP `outputSchema` now accepts `null` for optional fields (#42)  Optional response fields (`T \| None`) were advertised in the lean `tools/list` `outputSchema` by their non-null type only — e.g. `verdict` as `{"type": "object"}`. A tool returning `null` for such a field (where it isn't computed pre-enrichment) then failed strict MCP client validation: `-32602 ... must be object`.  **Fix:** the null arm is preserved as a **flat** 2-element type array — `verdict: {"type": ["object", "n |
| `v1.33.18` | 2026-05-25 | High | ### Fixes #38 — MCP `outputSchema` field-type accuracy  The lean `outputSchema` advertised in `tools/list` previously declared nearly every field as `{"type":"object"}`, regardless of the field's real value type, because optional fields (`T \| None`) are encoded as `anyOf` in the source schema and the flattener only inspected a top-level `type` key. Strict MCP clients (e.g. opencode/dcp) rejected valid tool responses whose values were strings, arrays, numbers, or booleans.  **Fix:** resolve the r |
| `v1.33.14` | 2026-05-22 | High | ## Lean (flat) outputSchema reintroduced on `tools/list`  v1.33.13 stripped `outputSchema` entirely to fix a Smithery catalog-gateway availability issue (309KB→81KB) — but that dropped Smithery's **"Output schemas" quality criterion to 0/53** (−10.37pt).  This release reintroduces a **lean, flat** `outputSchema` per tool: the success model's top-level field names + primitive types only (no `$defs`/`$ref`/`anyOf`/prose, ~0.5KB/tool). Each tool re-advertises its output shape **and** the whole `too |
| `v1.33.4` | 2026-05-16 | High | Hotfix on top of v1.33.3.  ### Added - API keys are now accepted via the `X-API-Key: cc_<key>` request header, in addition to the existing `Authorization: Bearer cc_<key>`. This unblocks Pro authentication for clients that send the key as `X-API-Key` (e.g. the Smithery MCP marketplace connection config and the official Python SDK), which previously fell back to the keyless Free tier. - `Authorization: Bearer` takes precedence when both headers are present; whitespace-tolerant (parity with Bearer |
| `v1.30.2` | 2026-05-09 | High | ## Agent Chain — 6 batches, 23 MCP tools  Every tool in this batch returns `next_calls: list[PivotHint] \| None` — contextual drilldown hints for agent runners. Each `PivotHint` carries `tool` + `input` + `reason` so the agent can pivot without re-prompting.  \| Batch \| Module \| Tools \| \|---\|---\|---\| \| B2 \| domain (core) \| 5 \| \| B3 \| web-intel \| 8 \| \| B4 \| domain (misc) + codesec \| 2 \| \| B5a \| cve \| 2 \| \| B5b \| atlas + d3fend \| 4 \| \| B6 \| ioc \| 2 \|  **Wire-compat:** purely additive — existing cons |
| `v1.27.1` | 2026-05-04 | High | ## Hotfix on top of v1.27.0  Standalone runners (Glama Docker, raw `python3 mcp_server.py` from repo root) hit `ModuleNotFoundError: No module named 'schemas'` because per-package schema files do `from schemas import BaseSuccessResponse` which needs `app/` on `sys.path`. Production uvicorn launches from `app/` cwd so the path is implicit; standalone runners only have the repo root on the path.  Fix: `mcp_server.py` now inserts both `_REPO_ROOT` and `_REPO_ROOT/app/` into \`sys. |
| `v1.19.1` | 2026-04-29 | High | ## Summary  Token-efficiency patch for v1.19.0. No wire-breaking changes; all additions are backward compatible.  Three response-size fixes after live smoke against the production catalog (224 ATLAS records + 149 D3FEND defenses + 3,234 mappings) revealed that some calls returned 50–100 KB of mostly drillable text:  1. **ATLAS technique search now slim by default.** `/v1/atlas/techniques` previously echoed the full multi-paragraph description (1–2 KB) for every result; with the default `limit=50 |
| `v1.11.0` | 2026-04-24 | High | ## Highlights  ### IP Intelligence — Phase 1 + Phase 4 - `/v1/ip/{ip}` now returns **ASN + holder name + country** inline (via RIPE Stat), closing a 2-call pattern for agents (`5840057`). - **Reputation** block on Free tier: FireHOL level1 blocklist check. Pro tier: +AbuseIPDB + Shodan (`1108631`). - Stale-cache poisoning fix: partial-cache-fill when only one RIPE side was previously cached (`667ba22`).  ### MCP Contract Audit — Tier 1 + 2 + 3 Agent-readable response schemas, end-to-end: - **Tie |
| `v1.9.0` | 2026-04-20 | High | ## ContrastAPI v1.9.0 — OSV.dev 6th Source + CVE Enrichment + MCP UX Hardening  ### New - **OSV.dev 6th enrichment source:** `cve_lookup` now cross-references OSV.dev after NVD/MITRE/GHSA/EPSS/KEV. Delta backfill (`since=2026-04-15`, `limit=500`) covers post-Apr-15 NIST enrichment gap. CVSS:3.x via `cvss==3.6` (lazy import), CWE from `database_specific.cwe_ids`, ecosystem→vendor map for 11 OSS ecosystems (npm, PyPI, Maven, Go, RubyGems, NuGet, crates.io, Packagist, Hex, Pub, SwiftURL). Selective |
| `v1.8.0` | 2026-04-18 | High | ## ContrastAPI v1.8.0 — MITRE CNA Parser + check_dependencies + 31 MCP Tools  ### New - **MITRE CNA parser:** `cve_lookup` now extracts CVSS/CWE/CPE from the MITRE cvelistV5 CNA container, not just NVD. CNA-only CVEs (pre-NVD, 0-day bursts) return full severity from day 0. Retroactive backfill of 340K+ existing CVEs in progress — CNA-only entries that previously returned `severity=null` are being upgraded to full CVSS/CWE. - **`check_dependencies` MCP tool:** requirements.txt / package.json depe |

## Citation

- HTML: https://www.freshcrate.ai/projects/contrastapi
- Markdown: https://www.freshcrate.ai/projects/contrastapi.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/contrastapi/deps

_Generated by freshcrate.ai. Indexes github releases for AI-agent ecosystem packages._
