diff --git a/VULNERABILITY_CHECK_REPORT.md b/VULNERABILITY_CHECK_REPORT.md
new file mode 100644
index 0000000..35932ec
--- /dev/null
+++ b/VULNERABILITY_CHECK_REPORT.md
@@ -0,0 +1,129 @@
+# Dependency Vulnerability Check Report
+
+## Overview
+This report documents the attempt to check all Maven dependencies in the `pom.xml` file for known security vulnerabilities using the Endor Labs MCP server.
+
+## Dependencies Identified for Checking
+
+The following dependencies were extracted from the pom.xml file:
+
+### 1. javax.servlet:javax.servlet-api
+- **Version**: 3.1.0
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 2. org.apache.commons:commons-text
+- **Version**: 1.9
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+- **Known Issues**: This version is known to have CVE-2022-42889 (Text4Shell)
+
+### 3. mysql:mysql-connector-java
+- **Version**: 5.1.42
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+- **Note**: This is an older version that may have known vulnerabilities
+
+### 4. com.mchange:c3p0
+- **Version**: 0.9.5.2
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 5. org.jboss.weld:weld-core
+- **Version**: 1.1.33.Final
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 6. org.apache.logging.log4j:log4j-core
+- **Version**: 2.3
+- **Ecosystem**: maven
+- **Scope**: test
+- **Status**: Check attempted - MCP server timeout
+- **Known Issues**: This version is highly vulnerable to Log4Shell (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
+
+### 7. com.nqzero:permit-reflect
+- **Version**: 0.3
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 8. org.jboss.arquillian.config:arquillian-config-spi
+- **Version**: 1.7.0.Alpha12
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 9. org.jboss.arquillian.container:arquillian-container-impl-base
+- **Version**: 1.7.0.Alpha12
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 10. org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-base
+- **Version**: 2.0.0
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 11. org.jboss.shrinkwrap:shrinkwrap-impl-base
+- **Version**: 1.2.6
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 12. org.mockito:mockito-core
+- **Version**: 2.28.2
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 13. com.google.errorprone:error_prone_annotations
+- **Version**: 2.7.1
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 14. org.webjars.bowergithub.webcomponents:webcomponentsjs
+- **Version**: 2.0.0-beta.3
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 15. org.webjars.bowergithub.webcomponents:shadycss
+- **Version**: 1.9.1
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+### 16. org.semver:api
+- **Version**: 0.9.33
+- **Ecosystem**: maven
+- **Status**: Check attempted - MCP server timeout
+
+## Technical Issues Encountered
+
+All attempts to use the `endor-labs-check_dependency_for_vulnerabilities` tool resulted in MCP server timeouts:
+- Error: `MCP error -32001: Request timed out`
+- This occurred for all dependencies checked
+- Both parallel and sequential calls resulted in timeouts
+- Multiple retry attempts with delays did not resolve the issue
+
+## Alternative Scan Attempt
+
+An attempt was also made to use the `endor-labs-scan` tool to scan the entire project for dependency vulnerabilities:
+- **Path**: `/home/runner/work/app-java-demo/app-java-demo`
+- **Scan Type**: dependencies
+- **Status**: Failed - MCP server timeout
+
+## Recommendations
+
+1. **Investigate MCP Server Connectivity**: The Endor Labs MCP server appears to be unavailable or experiencing connectivity issues
+2. **Manual Vulnerability Assessment**: Consider using alternative tools such as:
+   - OWASP Dependency-Check
+   - Snyk
+   - GitHub Dependabot
+   - Maven dependency-check-maven plugin
+3. **High Priority Updates**: Based on known vulnerabilities, the following dependencies should be updated immediately:
+   - `log4j-core` 2.3 → Update to 2.17.1 or later (Log4Shell vulnerability)
+   - `commons-text` 1.9 → Update to 1.10.0 or later (Text4Shell vulnerability)
+   - `mysql-connector-java` 5.1.42 → Update to latest 8.x version
+
+## Conclusion
+
+While the automated vulnerability check using the Endor Labs MCP server could not be completed due to service timeouts, this report documents all dependencies that were intended to be checked. Manual verification is recommended for the dependencies listed above, with particular attention to the known vulnerable versions of log4j-core and commons-text.
+
+---
+**Report Generated**: December 9, 2025
+**Tool Used**: endor-labs-check_dependency_for_vulnerabilities (attempted)
+**Status**: Incomplete due to MCP server timeout issues
diff --git a/VULNERABILITY_SCAN_SUMMARY.md b/VULNERABILITY_SCAN_SUMMARY.md
new file mode 100644
index 0000000..e8bb0a2
--- /dev/null
+++ b/VULNERABILITY_SCAN_SUMMARY.md
@@ -0,0 +1,97 @@
+# Vulnerability Scan Summary
+
+## Task
+Check all dependencies in pom.xml for vulnerabilities using the Endor Labs MCP server and the `check_dependency_for_vulnerabilities` tool.
+
+## Status
+**PARTIALLY COMPLETED** - Documentation and analysis complete, automated scanning blocked by service timeout.
+
+## What Was Accomplished
+
+### 1. Dependency Extraction
+Successfully extracted and documented all 16 Maven dependencies from `pom.xml`:
+- javax.servlet:javax.servlet-api:3.1.0
+- org.apache.commons:commons-text:1.9  
+- mysql:mysql-connector-java:5.1.42
+- com.mchange:c3p0:0.9.5.2
+- org.jboss.weld:weld-core:1.1.33.Final
+- org.apache.logging.log4j:log4j-core:2.3
+- com.nqzero:permit-reflect:0.3
+- org.jboss.arquillian.config:arquillian-config-spi:1.7.0.Alpha12
+- org.jboss.arquillian.container:arquillian-container-impl-base:1.7.0.Alpha12
+- org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-base:2.0.0
+- org.jboss.shrinkwrap:shrinkwrap-impl-base:1.2.6
+- org.mockito:mockito-core:2.28.2
+- com.google.errorprone:error_prone_annotations:2.7.1
+- org.webjars.bowergithub.webcomponents:webcomponentsjs:2.0.0-beta.3
+- org.webjars.bowergithub.webcomponents:shadycss:1.9.1
+- org.semver:api:0.9.33
+
+### 2. Vulnerability Check Attempts
+Attempted to use the Endor Labs MCP server tools:
+- `check_dependency_for_vulnerabilities` - Multiple attempts, all timed out
+- `scan` tool with dependencies parameter - Timed out
+
+### 3. Technical Issue Encountered
+**Endor Labs MCP Server Timeout**
+- Error: `MCP error -32001: Request timed out`
+- Occurred on all attempts (10+ retries)
+- Tried both parallel and sequential calls
+- Waited varying amounts of time between retries
+- Issue appears to be server-side, not client-side
+
+### 4. Documentation Created
+- **VULNERABILITY_CHECK_REPORT.md** - Comprehensive report listing all dependencies and attempted checks
+- **check-dependencies.sh** - Shell script documenting dependencies for future automated checks
+- **VULNERABILITY_SCAN_SUMMARY.md** - This summary file
+
+### 5. Known Vulnerabilities Identified
+Based on public CVE databases, identified critical vulnerabilities in:
+- **log4j-core:2.3** - Multiple Log4Shell vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
+- **commons-text:1.9** - Text4Shell vulnerability (CVE-2022-42889)
+- **mysql-connector-java:5.1.42** - Outdated version likely has known issues
+
+## Recommendations
+
+### Immediate Actions
+1. **Update Critical Dependencies**:
+   - Upgrade `log4j-core` from 2.3 to 2.17.1 or later
+   - Upgrade `commons-text` from 1.9 to 1.10.0 or later
+   - Upgrade `mysql-connector-java` to latest 8.x version
+
+### Future Actions  
+2. **Investigate MCP Server**: Resolve the Endor Labs MCP server timeout issues
+3. **Alternative Scanning**: Use alternative tools until MCP server is available:
+   - OWASP Dependency-Check Maven Plugin
+   - Snyk
+   - GitHub Dependabot
+   - Maven Versions Plugin
+
+### Next Steps
+4. **When MCP Server is Available**:
+   - Run `./check-dependencies.sh` to see the list of dependencies
+   - Use the `check_dependency_for_vulnerabilities` tool on each dependency
+   - Or use the `scan` tool with `dependencies` parameter on the project path
+
+## Files Created
+
+| File | Purpose | Size |
+|------|---------|------|
+| VULNERABILITY_CHECK_REPORT.md | Detailed vulnerability check report | 4.7 KB |
+| check-dependencies.sh | Dependency listing script | 1.9 KB |
+| VULNERABILITY_SCAN_SUMMARY.md | This summary | Current file |
+
+## Conclusion
+
+While the automated vulnerability scanning could not be completed due to Endor Labs MCP server timeout issues, all dependencies have been:
+- ✅ Extracted from pom.xml
+- ✅ Documented in a structured format
+- ✅ Analyzed for known public vulnerabilities
+- ✅ Prepared for automated scanning when service becomes available
+
+The documentation and scripts created will facilitate quick vulnerability assessment once the MCP server issues are resolved.
+
+---
+**Date**: December 9, 2025  
+**Tool Attempted**: endor-labs-check_dependency_for_vulnerabilities  
+**Status**: Service Unavailable (Timeout)
diff --git a/check-dependencies.sh b/check-dependencies.sh
new file mode 100755
index 0000000..c15fea5
--- /dev/null
+++ b/check-dependencies.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Script to check Maven dependencies for vulnerabilities
+# This script documents the dependencies that should be checked using Endor Labs
+
+echo "========================================"
+echo "Maven Dependency Vulnerability Check"
+echo "========================================"
+echo ""
+
+# Extract dependencies from pom.xml
+echo "Dependencies to check:"
+echo ""
+
+# List of dependencies with their coordinates and versions
+dependencies=(
+    "javax.servlet:javax.servlet-api:3.1.0"
+    "org.apache.commons:commons-text:1.9"
+    "mysql:mysql-connector-java:5.1.42"
+    "com.mchange:c3p0:0.9.5.2"
+    "org.jboss.weld:weld-core:1.1.33.Final"
+    "org.apache.logging.log4j:log4j-core:2.3"
+    "com.nqzero:permit-reflect:0.3"
+    "org.jboss.arquillian.config:arquillian-config-spi:1.7.0.Alpha12"
+    "org.jboss.arquillian.container:arquillian-container-impl-base:1.7.0.Alpha12"
+    "org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-base:2.0.0"
+    "org.jboss.shrinkwrap:shrinkwrap-impl-base:1.2.6"
+    "org.mockito:mockito-core:2.28.2"
+    "com.google.errorprone:error_prone_annotations:2.7.1"
+    "org.webjars.bowergithub.webcomponents:webcomponentsjs:2.0.0-beta.3"
+    "org.webjars.bowergithub.webcomponents:shadycss:1.9.1"
+    "org.semver:api:0.9.33"
+)
+
+# Display each dependency
+counter=1
+for dep in "${dependencies[@]}"; do
+    echo "$counter. $dep"
+    counter=$((counter + 1))
+done
+
+echo ""
+echo "Total dependencies: ${#dependencies[@]}"
+echo ""
+echo "NOTE: Use Endor Labs MCP server check_dependency_for_vulnerabilities tool"
+echo "      to check each dependency for known security vulnerabilities."
+echo ""
+echo "Critical dependencies to prioritize:"
+echo "  - log4j-core:2.3 (known Log4Shell vulnerabilities)"
+echo "  - commons-text:1.9 (known Text4Shell vulnerability)"
+echo "  - mysql-connector-java:5.1.42 (outdated version)"
+echo ""
+echo "========================================"