SSDLC Security Toolkit
БесплатноНе проверенAutomates 85-95% of the Secure Software Development Lifecycle (SSDLC) planning phase through multi-role AI orchestration, enabling business analysis, threat mod
Описание
Automates 85-95% of the Secure Software Development Lifecycle (SSDLC) planning phase through multi-role AI orchestration, enabling business analysis, threat modeling, test strategy design, and security code review.
README
Automate 85-95% of SSDLC planning phase through multi-role AI orchestration.
🎯 Achievement: 90.75% coverage | 99.9% time savings | 45% token efficiency
🚀 Quick Start
Installation
# Clone repository
git clone https://github.com/vuongdat67/mcp-ssdlc-security-toolkit
cd mcp-ssdlc-security-toolkit
# Install dependencies
pnpm install
# Build packages
cd packages/security-kb && pnpm build
cd ../ssdlc-planner && pnpm build
Configure Claude Desktop
# Windows - Edit configuration file
notepad %APPDATA%\Claude\claude_desktop_config.json
Add:
{
"mcpServers": {
"ssdlc-planner": {
"command": "node",
"args": ["C:\\path\\to\\packages\\ssdlc-planner\\dist\\index.js"]
}
}
}
Restart Claude Desktop → Ready to use!
Test Installation
# Run demo
cd packages/ssdlc-planner
pnpm tsx scripts/demo-simple.ts
See: CLAUDE-DESKTOP-SETUP.md for detailed instructions
Project Structure
packages/
├── core/ # Shared types, utilities, validators
├── ssdlc-planner/ # Main MCP server with role-based tools
├── security-kb/ # CVE/CWE/OWASP knowledge base
├── test-strategy/ # Test planning tools
└── git-workflow/ # Git workflow design tools
📚 Documentation
Getting Started
- QUICKSTART.md - Installation, usage examples, troubleshooting
- CLAUDE-DESKTOP-SETUP.md - Step-by-step MCP configuration
- PHASE-9-11-COMPLETE.md - Implementation details & metrics
Technical Reference
- packages/ssdlc-planner/README.md - API documentation
- .github/copilot-instructions.md - AI agent development guide
- docs/plan.md - Original design (Vietnamese)
🛠️ Features
Phase 9-11: SSDLC Planning Orchestration ✅
Multi-Role Intelligence:
- Business Analyst (Phase 9A): Requirements → user stories, abuse cases, NFRs, data classification
- Tech Lead (Phase 9B): Architecture → components, trust boundaries, data flows, Mermaid diagrams
- Security Engineer (Phase 10): STRIDE threats → CWE/OWASP/CVE mapping, mitigations
- QA Engineer (Phase 11): Test strategy → 18+ security test cases, penetration test plan
Phase 8: Production SAST Engine ✅
- Code review with CWE/CVE/OWASP intelligence
- Risk scoring (0-10) with exploited-in-wild flags
- AI-powered explanations and remediation guidance
Workflow Example
User: "Plan security for e-commerce with payment processing"
↓
BA Tool → User stories + Abuse cases (AB-1: Card theft)
↓
Tech Lead Tool → Architecture + Trust boundaries
↓
Security Tool → STRIDE: 12 threats (3 critical, 5 high)
↓
QA Tool → 18 test cases (83% automated)
↓
Result: Complete SSDLC artifacts in 60 seconds
🎯 Coverage Metrics
| Phase | Component | Target | Achieved | Status |
|---|---|---|---|---|
| 9A | BA Requirements | 90-95% | 95% | ✅ |
| 9B | Tech Lead Architecture | 85-90% | 90% | ✅ |
| 10 | Security Threat Model | 85-95% | 90% | ✅ |
| 11 | QA Test Strategy | 85-90% | 88% | ✅ |
| Overall | SSDLC Planning | 85-95% | 90.75% | ✅ |
Performance:
- ⚡ 99.9% time savings (11-16 hours → 60 seconds)
- 🎯 45% token efficiency vs. prompt chains
- 🏗️ 120.56 KB build output in 27ms
🔧 MCP Tools
Phase 9-11 (Complete)
ba_analyze_requirements_security- Business Analyst- Input: project description, users, goals, compliance
- Output: User stories, abuse cases, NFRs, data classification
techlead_design_architecture- Tech Lead- Input: user stories, tech constraints, scale expectations
- Output: Components, trust boundaries, data flows, Mermaid diagrams
security_threat_model- Security Engineer- Input: components, data flows, trust boundaries
- Output: STRIDE threats with CWE/OWASP/CVE mapping
qa_design_test_strategy- QA Engineer- Input: threats, abuse cases, compliance requirements
- Output: Security test cases, penetration test plan
security_review_code- Security (Phase 8)- Input: language, code snippet
- Output: Vulnerabilities with remediation guidance
Roadmap
- Phase 12: PM sprint planning tool
- Phase 12: DevOps CI/CD pipeline design
- Orchestration: Auto-sequence all phases in one call
📦 Project Structure
mcp-ssdlc-security-toolkit/
├── packages/
│ ├── core/ # Shared types, utilities, validators
│ ├── ssdlc-planner/ # Main MCP server
│ │ ├── src/
│ │ │ ├── tools/
│ │ │ │ ├── business-analyst/
│ │ │ │ │ └── analyze-requirements.ts (240 lines)
│ │ │ │ ├── tech-lead/
│ │ │ │ │ └── design-architecture.ts (280 lines)
│ │ │ │ ├── security/
│ │ │ │ │ ├── threat-model.ts (320 lines)
│ │ │ │ │ └── security-review-tool.ts (Phase 8)
│ │ │ │ └── qa/
│ │ │ │ └── design-test-strategy.ts (360 lines)
│ │ │ └── index.ts # MCP server entry point
│ │ ├── scripts/
│ │ │ └── demo-simple.ts # E-commerce demo
│ │ └── dist/ # Build output (120.56 KB)
│ └── security-kb/ # CVE/CWE/OWASP knowledge base
│ ├── src/
│ │ ├── db/ # SQLite database (969 CWEs, OWASP mappings)
│ │ ├── intelligence/ # Security intelligence engine
│ │ └── report-generator.ts
│ └── dist/ # Build output (118.51 KB)
├── docs/ # Planning documents (Vietnamese)
├── QUICKSTART.md # Installation & usage guide
├── CLAUDE-DESKTOP-SETUP.md # MCP configuration guide
└── PHASE-9-11-COMPLETE.md # Implementation report
- Security Engineer: Threat modeling (STRIDE), automated security code review
- QA Engineer: Comprehensive test strategy design, test case generation
- DevOps Engineer: CI/CD pipeline design with security scanning (GitHub Actions, Kubernetes)
- Project Manager: Sprint planning with task breakdown and timeline (Gantt charts)
Phase 2 Features ✅
Security Knowledge Base (@mcp-ssdlc/security-kb):
- CVE vulnerability database with severity scores
- CWE common weakness enumeration
- OWASP Top 10 (2021 edition)
- Secure coding patterns for Python, JavaScript, Go, C#
Enhanced Pseudocode Generation:
- Language-specific templates (Python, JS, TS, Go, C#)
- Security annotations and best practices
- Integration with security KB for pattern recommendations
- Related function dependencies and test requirements
CI/CD Pipeline Design:
- Platform support: GitHub Actions, GitLab CI, Azure DevOps
- Deployment targets: Kubernetes, Docker, VM, Serverless
- Security stages: SAST, SCA, DAST, container scanning
- Automated deployment strategies (blue-green, canary)
Sprint Planning:
- Velocity-based backlog selection
- Task breakdown (design, development, testing, security)
- Timeline generation with Gantt charts
- Risk analysis and capacity planning
Phase 3 Features ✅ (NEW!)
🚀 Full Pipeline Orchestration (orchestrate_ssdlc_pipeline):
- Complete SSDLC automation: BA → Tech Lead → Security → QA → PM → DevOps
- Single-command planning: Generate all artifacts in one invocation
- Coverage validation: Automatic 85-95% target verification
- 7-tool workflow: Chains all role-based tools with context preservation
- Comprehensive reports: JSON artifacts + Markdown documentation
🧪 Test Strategy Design (qa_design_test_strategy):
- 6 test levels: Unit, integration, system, acceptance, performance, security
- Framework selection: Automatic based on tech stack (Jest, pytest, JUnit, etc.)
- Risk-based coverage: Critical (90%), High (85%), Medium (80%), Low (75%)
- Automation strategy: CI/CD integration, priority areas, tools matrix
- 5-phase timeline: Strategy, environment, development, execution, validation
🔒 Security Code Review (security_review_code):
- 10+ security rules: SQL injection, XSS, hardcoded secrets, weak crypto
- CWE/OWASP mapping: Links findings to industry standards
- Risk scoring: 0-100 scale based on severity (Critical: 40, High: 20, Medium: 5, Low: 1)
- Secure patterns: KB-backed recommendations for remediation
- Compliance notes: OWASP Top 10, penetration testing, logging
Coverage Metrics (Automated)
| Metric | Target | Calculation |
|---|---|---|
| Requirements | 90-95% | Complete user stories with acceptance criteria |
| Security | 85-95% | Threats with defined mitigations |
| Testing | 85-90% | Test cases vs expected (3 per story) |
| Architecture | 85-90% | Components with defined interfaces |
| Overall | 85-95% | Weighted average (Req: 25%, Sec: 30%, Test: 25%, Arch: 20%) |
Sprint Planning:
- Velocity-based backlog selection
- Task breakdown (design, development, testing, security)
- Timeline generation with Gantt charts
- Risk analysis and capacity planning
See PHASE2-SUMMARY.md for complete documentation.
License
MIT
Установка SSDLC Security Toolkit
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/vuongdat67/mcp-ssdlc-security-toolkitFAQ
SSDLC Security Toolkit MCP бесплатный?
Да, SSDLC Security Toolkit MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для SSDLC Security Toolkit?
Нет, SSDLC Security Toolkit работает без API-ключей и переменных окружения.
SSDLC Security Toolkit — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить SSDLC Security Toolkit в Claude Desktop, Claude Code или Cursor?
Открой SSDLC Security Toolkit на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare SSDLC Security Toolkit with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
