Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Security Framework

БесплатноНе проверен

Unified MCP server integrating NIST and OWASP security frameworks with live vulnerability data, enabling security searches, compliance mapping, threat modeling,

GitHubEmbed

Описание

Unified MCP server integrating NIST and OWASP security frameworks with live vulnerability data, enabling security searches, compliance mapping, threat modeling, and checklist generation.

README

security-framework-mcp

Unified NIST + OWASP security framework MCP server

License: MIT Python 3.11+ MCP Compatible NIST OWASP

한국어


Search and query 4,700+ security data points through a single MCP interface — NIST (1,196 SP 800-53 controls with 53A assessments and 53B baselines, CSF 2.0, PF 1.0, SP 800-37 RMF, 613 publications, CMVP, NICE, glossary, CSF↔800-53 mappings) and OWASP (Top 10, API/LLM/MCP Top 10, ASVS 5.0, WSTG, MASVS, Proactive Controls, 815+ CWEs, 559 CAPEC attack patterns, 113+ Cheat Sheets, 418+ projects) — with live NVD/CVE + CISA KEV + EPSS, PDF reading, compliance mapping, STRIDE threat modeling, and MCP security assessment.

Quick Start

pip install git+https://github.com/zer0-kr/security-framework-mcp.git

Claude Desktop (claude_desktop_config.json):

{
  "mcpServers": {
    "security": {
      "command": "security-framework-mcp"
    }
  }
}

Claude CLI (Claude Code):

claude mcp add security -- security-framework-mcp
Other MCP clients (Cursor, OpenCode)
{ "security": { "command": "security-framework-mcp" } }

First run automatically builds the local database (~15-20 seconds). Auto-refreshes weekly.

Data Sources (22 local + 3 live)

NIST (10)

Source Records Description
SP 800-53 Rev. 5 Controls 1,196 Security/privacy controls + 53A assessment objectives/methods + 53B baselines (LOW/MODERATE/HIGH)
CSF 2.0 225 Cybersecurity Framework (6 functions, 22 categories, 197 subcategories)
PF 1.0 92 Privacy Framework (5 functions)
SP 800-37 RMF 7 steps Risk Management Framework (7-step process)
Publications 613 Full NIST cybersecurity publications (SP 800, FIPS, IR, CSWP)
CSF ↔ 800-53 Mappings 57 Framework cross-references
Glossary 39 Core cybersecurity terms
Synonyms 53 Security acronym expansions (MFA↔multi-factor authentication, etc.)
CMVP 15 FIPS 140 validated crypto modules
NICE Work Roles 43 Cybersecurity Workforce Framework roles

OWASP (12)

Source Records Description
Projects 418 Flagship/Production/Lab/Incubator projects
ASVS 5.0 345 Application Security Verification Standard
WSTG 111 Web Security Testing Guide
Top 10 2021 / API Top 10 2023 / LLM Top 10 2025 / MCP Top 10 2025 10 each Web/API/LLM/MCP security risks + CWE mappings
Proactive Controls 2024 10 Developer defense controls
MASVS 23 Mobile Application Security Verification Standard
CWE Database 815+ Full MITRE CWE + OWASP cross-references
Cheat Sheets 113+ Security implementation guides (on-demand)
CAPEC Attack Patterns 559 MITRE CAPEC attack patterns + CWE cross-references

Live APIs

Source Description
NVD CVE API 2.0 Real-time CVE search
CISA KEV Known Exploited Vulnerabilities catalog
FIRST EPSS Exploit Prediction Scoring System

Tools (41)

NIST

Tool Description
search_nist Search all 10 NIST sources
get_nist_control SP 800-53 control — statement, guidance, 53A assessment, 53B baseline filter (LOW/MODERATE/HIGH), family filter
get_nist_csf CSF 2.0 functions/categories/subcategories
get_nist_pf PF 1.0
get_nist_rmf SP 800-37 RMF steps, tasks, key documents
get_nist_publication 613 publications (SP 800, FIPS, IR, CSWP)
read_publication Download + convert NIST PDFs to Markdown
get_nist_mapping CSF 2.0 ↔ SP 800-53 bidirectional mappings
get_nist_glossary Cybersecurity terms
get_nist_cmvp FIPS 140 validated modules
get_nice_roles NICE workforce roles

OWASP

Tool Description
list_projects Browse 418+ projects by level/type
search_projects Full-text search across projects
get_project Project details
get_asvs ASVS 5.0 — filter by chapter, level, query
get_wstg WSTG test cases — filter by category, query
get_top10 Top 10 2021 + CWE mappings
get_api_top10 API Security Top 10 2023
get_llm_top10 LLM Top 10 2025
get_mcp_top10 MCP Top 10 2025
get_proactive_controls Proactive Controls 2024
get_masvs MASVS mobile security
get_cheatsheet 113+ Cheat Sheets

Vulnerability & CWE

Tool Description
get_cwe CWE lookup + auto OWASP cross-references
search_cve Live NVD search
get_cve_detail Full CVE details
search_kev CISA KEV — vendor/product/date/ransomware filters

Analysis & Assessment

Tool Description
lookup_compliance Reverse lookup: PCI-DSS/ISO 27001 requirement → NIST/ASVS
triage_cve CVE triage with EPSS + CVSS + KEV composite scoring
map_finding CWE/CVE → complete remediation chain
get_attack_pattern CAPEC attack patterns with CWE cross-references
search_owasp Search all 22 sources (NIST + OWASP unified)
cross_reference CWE → Top 10 / ASVS / WSTG
compliance_map ASVS → PCI-DSS 4.0 / ISO 27001:2022 / NIST 800-53
nist_compliance_map SP 800-53 families → PCI-DSS 4.0 / ISO 27001:2022
assess_stack Tech stack security assessment
generate_checklist Security checklist (web/api/mobile/llm/full × basic/standard/comprehensive)
assess_mcp_security MCP Top 10 assessment
threat_model STRIDE threat modeling
update_database Rebuild index
database_status DB status

Prompts (4)

Prompt Description
security_review Guided security review
threat_analysis Threat analysis workflow
compliance_check Compliance assessment
secure_code_review Code security review

Use Cases

Vulnerability Management

> Triage CVE-2021-44228 and CVE-2023-44487 — show EPSS, CVSS, KEV status

> Show all CISA KEV entries for Microsoft added after 2025-01-01

> Show only KEV vulnerabilities with known ransomware campaign use

> What attack patterns target CWE-502 (deserialization)?

> Map CWE-79 to OWASP Top 10, ASVS requirements, WSTG tests, and remediation guidance

Compliance & Audit

> What NIST SP 800-53 controls and ASVS requirements map to PCI-DSS 8.3?

> Map ASVS V4 to PCI-DSS 4.0, ISO 27001, and NIST 800-53

> Map NIST SP 800-53 AC family to PCI-DSS and ISO 27001

> Show SP 800-53 LOW baseline controls for the IA (Identification and Authentication) family

> Show SP 800-53 AC-1 control with 53A assessment objectives

Threat Modeling & Architecture Review

> Generate a STRIDE threat model: payment API, JWT auth, PostgreSQL, Redis cache

> Assess my stack: React, Node.js, PostgreSQL, REST API, AWS Lambda

> Find CAPEC attack patterns related to SQL injection

> Search all NIST and OWASP sources for "zero trust"

Development Security

> Generate a comprehensive security checklist for a web API project

> Show OWASP Cheat Sheet for Authentication

> Cross-reference CWE-352 (CSRF) to Top 10, ASVS, and WSTG test cases

> Show ASVS V3 (Session Management) level 2 requirements

> Search NVD for critical log4j CVEs

Configuration

Variable Default Description
SECURITY_MCP_DATA_DIR ~/.security-framework-mcp Database directory
SECURITY_MCP_UPDATE_INTERVAL 604800 (7 days) Refresh interval
NVD_API_KEY (none) Optional NVD API key

Architecture

┌─────────────────────────────────┐
│         MCP Client              │
│  (Claude / Cursor / OpenCode)   │
└──────────────┬──────────────────┘
               │ stdio
┌──────────────▼──────────────────┐
│   security-framework-mcp        │
│  41 tools · 4 prompts · 6 rsrc │
├──────────────┬──────────────────┤
│  SQLite FTS5 │  Live APIs       │
│  (~6.2MB)    │  NVD+KEV+EPSS   │
├──────────────┴──────────────────┤
│  NIST Collectors (10)           │
│  OWASP Collectors (12)          │
└──────────────┬──────────────────┘
               │ httpx (retry)
┌──────────────▼──────────────────┐
│  NIST OSCAL/CSRC · OWASP GitHub │
└─────────────────────────────────┘

Development

git clone https://github.com/zer0-kr/security-framework-mcp.git
cd security-framework-mcp
pip install -e ".[dev]"
python -m pytest tests/test_unit_db.py tests/test_unit_collectors.py -v
python tests/test_comprehensive.py

Contributing

  1. Fork → 2. Branch → 3. Test (python -m pytest) → 4. PR

License

MIT


Not affiliated with OWASP Foundation or NIST. Data sourced from public repositories.

from github.com/zer0-kr/security-framework-mcp

Установка Security Framework

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/zer0-kr/security-framework-mcp

FAQ

Security Framework MCP бесплатный?

Да, Security Framework MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Security Framework?

Нет, Security Framework работает без API-ключей и переменных окружения.

Security Framework — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Security Framework в Claude Desktop, Claude Code или Cursor?

Открой Security Framework на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Security Framework with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development