Press "Enter" to skip to content

Deb Dev Builds Graphical Debian Vulnerability Exporter for Prometheus

Built on debsecan, debvulns‑exporter surfaces Debian security metadata for Prometheus and Grafana.

A screenshot of debvulns‑exporter’s Grafana dashboard from developer Vasudeva Kamath’s personal blog showing Debian vulnerability metrics at a glance.

What do developers do when they discover the tools available for performing a certain important task are all proprietary? If you’re Vasudeva Kamath, you get to work developing open source alternatives.

Kamath is a software engineer who works out of Bangalore, India. At his day job he writes code mainly in the C programming language, but in his spare time he likes to write in Python, although he also knows Java, PHP, a bit of Perl, Go, and Rust — or at least enough of each to “hack on it and solve the problems.” He uses his skills to contribute to a number of open source projects, most notably Debian.

About three weeks ago he scratched an itch and released ‘debvulns: CLI’ as something of an improvement on the debsecan-mcp server, a Model Context Protocol server that lets an AI assistant perform Debian security vulnerability analysis using debsecan’s data and logic. In his blog, he said he did this partly because the debsecan utility lacks modern output formats such as JSON and CSV, and that it doesn’t use a large amount of the data contained in the Debian Security team’s daily snapshot.

In addition, he said that the persistent running of MCP server introduces a high amount of costly AI overhead.

“For debsecan-mcp, the MCP Inspector utility shows an overhead of roughly 150 tokens,” he said. “By contrast, an LLM can parse a standard CLI help menu on-demand without permanently draining the context window. Integrating the CLI into a persistent agent workflow can be achieved via a skill file, allowing the LLM to leverage the tool without repeated discovery overhead.”

Introducing the Debvulns-Exporter

On July 12 (an obvious typo on his blog lists the date as July 21, which is 9 days away), Kamath released debvulns-exporter, which he’s calling a “Prometheus exporter for Debian System Vulnerabilities.” The tool uses both Prometheus, an open‑source systems monitoring and alerting toolkit that’s maintained by the Cloud Native Computing Foundation, and Grafana, an open‑source web app for visualizing data in charts, graphs, and dashboards, which is often used to monitor systems, applications, and infrastructure.

Simply put, debvulns-exporter exposes Debian vulnerability information as Prometheus metrics, which can then be visualized in human‑readable form with Grafana. In some ways, Kamath is reinventing the wheel, as proprietary commercial vulnerability platforms such as Tenable and Rapid7 are already available.

“While these platforms provide extensive feature sets, I noticed a distinct lack of open-source tools tailored for this specific pipeline,” he said. “While debsecan exists, it lacks a structured, parseable format suitable for building dashboards aimed at management consumption. What started as an experimental MCP server for learning purposes evolved into a practical question: why not convert it into a Prometheus exporter? Given that Prometheus is the de facto standard metrics platform across the industry, this architecture was the logical next step.”

** If you're finding this article useful, please consider supporting our work through our FOSS Force Independence 2026 fundraiser. **

“The exporter is implemented as a native Prometheus exporter utilizing the prometheus-client library,” he added. “It operates using two threads: one handles fetching the vulnerability data, parsing EPSS feeds, and cross-referencing installed packages to identify local vulnerabilities; the second handles serving the metrics endpoint.”

As to getting human graspable results on screen through a Grafana dashboard, he chose to do a little vibe coding and let Claude 4.6 Sonnet and Antigravity do the grunt work. The Grafana dashboard implementation is included directly in debvulns’ source code.

Nextcloud 7/7/25 336px rectangle 05.

To test exporter, he spun up instances of a couple of older versions of the distro — Debian 11 and Debian 12 — with known vulnerabilities.

Availability

Although debvulns continues to use debsecan as its “ground-truth standard” and continuously verifies its output against debsecan to ensure perfect functional parity and data consistency, Kamath said he’s put the entire ecosystem under the debvulns name in order to avoid namespace conflicts and confusion with Debian’s native debsecan utility.

“The core CLI is named debvulns, the exporter is debvulns-exporter, and the MCP component is debvulns-mcp,” he explained.

If you’re a Deb dev and you want to download it and try it for yourself, you can find it on its own PyPI page.

“While this began as a personal utility to fill a niche tool gap, I expect it will be useful for others managing Debian infrastructure at scale,” he said. “My next objective is to formalize Debian packaging for both the CLI and the exporter. The MCP component will likely remain available as an independent artifact.”

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *