Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Server Scf

БесплатноНе проверен

MCP server for the SCF Controls Platform — 72 tools for controls, evidence, risk, and TPRM.

GitHubEmbed

Описание

MCP server for the SCF Controls Platform — 72 tools for controls, evidence, risk, and TPRM.

README

SCF Controls Platform — MCP server for security compliance, frameworks, and risk management for AI agents. Maintained by ComplianceGenie.io.

mcp-server-scf

CI Security OpenSSF Scorecard Socket.dev

npm version npm downloads install size License: MIT MCP

MCP Registry smithery badge

TypeScript Node.js

Security compliance controls, frameworks, and risk management for AI agents.

Give your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the Model Context Protocol.

Built for the SCF Controls Platform. Maintained by ComplianceGenie.io.

🆕 The platform is now open-source, self-hosted software. The SCF Controls Platform — SCF-native GRC tooling for the free Secure Controls Framework content — is published under AGPL-3.0 at scf-controls-platform-oss. Companies download and host it themselves via Docker Compose.

Having trouble? → docs/troubleshooting.md · API key setup → docs/authentication.md · How it works → docs/architecture.md


Overview

mcp-server-scf connects AI assistants to the SCF Controls Platform via MCP, enabling natural language interaction with your compliance program. Your AI can browse the full SCF control catalog, track implementation progress, manage evidence collection, assess risks, and monitor third-party vendors — all without leaving your editor or chat.

74 tools across 8 domains — click through for full parameter tables and example prompts:

Domain Tools Description
Catalog 6 Browse 1,451 controls, 354+ frameworks, 5,736 assessment objectives
Control Scoping 6 Track implementation status across an 8-state workflow
Evidence 21 Manage evidence collection, validation, maturity scoring, windowed AI assessments, and control-composite rollups
Risk Management 12 5x5 risk matrix, risk register, custom risks and control mapping
Vendor Risk (TPRM) 7 Vendor registry, AI-powered security research, DPSIA
Organization 7 Users, orgs, audit trail, work queue, notifications
Capabilities 9 KSI capability themes, scorecards, evidence posture, systems inventory
Webhooks 6 Webhook endpoints, delivery logs, secret rotation

Try it with MCP Inspector

Kick the tires without adding the server to a client — MCP Inspector launches a local UI that introspects every tool, its schema, and its description:

npx @modelcontextprotocol/inspector npx -y mcp-server-scf

Inspector opens on http://localhost:6274 and connects to mcp-server-scf over stdio. You'll see all 74 tools, grouped by domain, with their Zod schemas rendered as a live form.

Live tool calls need an API key — export SCF_API_KEY in the same shell before launching Inspector, or set it under the "Environment Variables" tab inside the Inspector UI. Without a key, you can still browse schemas and descriptions; tool calls return 401.


Quick Start

1. Self-host the platform & get an API key

The SCF Controls Platform is open-source software you host yourself — there is no sign-up. Deploy it from scf-controls-platform-oss (a Docker Compose stack with bundled PostgreSQL, Redis, and MinIO), then:

  1. Set an API_KEY in the platform's .env (generate one with openssl rand -hex 32), or create a key in Settings → API Keys once the app is running.
  2. Note your instance's API URL — http://localhost:8000 by default, or your deployed host.

Use that key as SCF_API_KEY and the instance URL as SCF_API_URL (see Configuration).

2. Install — one-click

Pick the route for your client.

Claude Desktop — the one-click path is the signed .mcpb Desktop Extension below. Claude Desktop does not register a custom URL scheme, so there is no clickable deeplink; instead you drag the .mcpb onto Settings → Extensions and paste your API key once. See anthropics/claude-code#26952 for the upstream tracking issue.

Cursor — click the badge below. Cursor registers the cursor:// scheme, so the deeplink opens the IDE with the server config pre-filled:

Install in Cursor

Smithery — managed hosted deployment:

Try on Smithery

Prefer to edit config by hand, or on a client without a deeplink (Windsurf, Docker)? See 3. Manual config below.

Claude Desktop Extension (.mcpb)

For Claude Desktop ≥ 0.11.0, the easiest install is a signed .mcpb bundle — no JSON editing, no npx runtime, no Node required on the host:

  1. Download mcp-server-scf-<version>.mcpb from the latest GitHub release.
  2. Double-click the file (or drag it onto Claude Desktop → Settings → Extensions).
  3. When prompted, paste your scf_… API key. It's stored in your OS keychain, not in a config file.
  4. Claude Desktop restarts the server and all 74 tools are available.

To uninstall or update the API key later: Settings → Extensions → SCF Controls Platform → Configure.

3. Manual config

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "your_api_key_here",
        "SCF_API_URL": "http://localhost:8000"
      }
    }
  }
}

Claude Code:

claude mcp add scf -- npx -y mcp-server-scf
export SCF_API_KEY="your_api_key_here"
export SCF_API_URL="http://localhost:8000"

Cursor / Windsurf — same JSON shape as Claude Desktop in .cursor/mcp.json (or the equivalent Windsurf path).

Docker:

{
  "mcpServers": {
    "scf": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
      "env": { "SCF_API_KEY": "scf_your_api_key_here" }
    }
  }
}

Configuration

Variable Required Default Description
SCF_API_KEY Yes API key from your self-hosted platform instance
SCF_API_URL Yes Base URL of your self-hosted platform (e.g. http://localhost:8000). The former hosted default is decommissioned.

Example Prompts

Once connected, try asking your AI assistant:

  • "What NIST 800-53 controls apply to access control?"
  • "Show me my organization's control implementation progress."
  • "List all critical vendors and their risk scores."
  • "Create a risk assessment for our cloud migration."
  • "What evidence do I need to collect for SOC 2 audit?"
  • "Show the 5x5 risk matrix for my organization."
  • "Run a DPSIA on our cloud provider vendor."

More examples live in each per-domain doc under docs/tools/.


Documentation


Security

  • API keys are never logged or included in error messages.
  • All communication uses HTTPS; keys are SHA-256 hashed server-side.
  • Rate limiting: 100 req/min read, 20 req/min write.
  • Multi-tenant — all operations scoped to your organization.
  • npm package published with provenance attestation via OIDC trusted publishing.
  • CI includes Gitleaks secret detection, CodeQL analysis, and Semgrep SAST.

See SECURITY.md to report a vulnerability.


Development

git clone https://github.com/MarkAC007/mcp-server-scf.git
cd mcp-server-scf
npm install
npm run build
npm run dev        # Watch mode
npm run lint       # ESLint
npm test           # Vitest

Testing with MCP Inspector

SCF_API_KEY=scf_your_key npx @modelcontextprotocol/inspector node build/index.js

Contributing

Contributions welcome! Please read CONTRIBUTING.md before submitting PRs.

This project follows the Contributor Covenant — see CODE_OF_CONDUCT.md. By participating, you are expected to uphold this code.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

MIT — see LICENSE.


Links

from github.com/MarkAC007/mcp-server-scf

Установить Server Scf в Claude Desktop, Claude Code, Cursor

Рекомендуется · одна команда, все IDE
unyly install mcp-server-scf

Ставит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.

Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh

Или настроить вручную

Выполни в терминале:

claude mcp add mcp-server-scf -- npx -y mcp-server-scf

FAQ

Server Scf MCP бесплатный?

Да, Server Scf MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Server Scf?

Нет, Server Scf работает без API-ключей и переменных окружения.

Server Scf — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Server Scf в Claude Desktop, Claude Code или Cursor?

Открой Server Scf на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Server Scf with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development