Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

SSDLC Security Toolkit

БесплатноНе проверен

Automates 85-95% of the Secure Software Development Lifecycle (SSDLC) planning phase through multi-role AI orchestration, enabling business analysis, threat mod

GitHubEmbed

Описание

Automates 85-95% of the Secure Software Development Lifecycle (SSDLC) planning phase through multi-role AI orchestration, enabling business analysis, threat modeling, test strategy design, and security code review.

README

Automate 85-95% of SSDLC planning phase through multi-role AI orchestration.

🎯 Achievement: 90.75% coverage | 99.9% time savings | 45% token efficiency

🚀 Quick Start

Installation

# Clone repository
git clone https://github.com/vuongdat67/mcp-ssdlc-security-toolkit
cd mcp-ssdlc-security-toolkit

# Install dependencies
pnpm install

# Build packages
cd packages/security-kb && pnpm build
cd ../ssdlc-planner && pnpm build

Configure Claude Desktop

# Windows - Edit configuration file
notepad %APPDATA%\Claude\claude_desktop_config.json

Add:

{
  "mcpServers": {
    "ssdlc-planner": {
      "command": "node",
      "args": ["C:\\path\\to\\packages\\ssdlc-planner\\dist\\index.js"]
    }
  }
}

Restart Claude Desktop → Ready to use!

Test Installation

# Run demo
cd packages/ssdlc-planner
pnpm tsx scripts/demo-simple.ts

See: CLAUDE-DESKTOP-SETUP.md for detailed instructions

Project Structure

packages/
├── core/              # Shared types, utilities, validators
├── ssdlc-planner/    # Main MCP server with role-based tools
├── security-kb/      # CVE/CWE/OWASP knowledge base
├── test-strategy/    # Test planning tools
└── git-workflow/     # Git workflow design tools

📚 Documentation

Getting Started

Technical Reference

🛠️ Features

Phase 9-11: SSDLC Planning Orchestration ✅

Multi-Role Intelligence:

  • Business Analyst (Phase 9A): Requirements → user stories, abuse cases, NFRs, data classification
  • Tech Lead (Phase 9B): Architecture → components, trust boundaries, data flows, Mermaid diagrams
  • Security Engineer (Phase 10): STRIDE threats → CWE/OWASP/CVE mapping, mitigations
  • QA Engineer (Phase 11): Test strategy → 18+ security test cases, penetration test plan

Phase 8: Production SAST Engine ✅

  • Code review with CWE/CVE/OWASP intelligence
  • Risk scoring (0-10) with exploited-in-wild flags
  • AI-powered explanations and remediation guidance

Workflow Example

User: "Plan security for e-commerce with payment processing"
  ↓
BA Tool → User stories + Abuse cases (AB-1: Card theft)
  ↓
Tech Lead Tool → Architecture + Trust boundaries
  ↓
Security Tool → STRIDE: 12 threats (3 critical, 5 high)
  ↓
QA Tool → 18 test cases (83% automated)
  ↓
Result: Complete SSDLC artifacts in 60 seconds

🎯 Coverage Metrics

Phase Component Target Achieved Status
9A BA Requirements 90-95% 95%
9B Tech Lead Architecture 85-90% 90%
10 Security Threat Model 85-95% 90%
11 QA Test Strategy 85-90% 88%
Overall SSDLC Planning 85-95% 90.75%

Performance:

  • 99.9% time savings (11-16 hours → 60 seconds)
  • 🎯 45% token efficiency vs. prompt chains
  • 🏗️ 120.56 KB build output in 27ms

🔧 MCP Tools

Phase 9-11 (Complete)

  1. ba_analyze_requirements_security - Business Analyst

    • Input: project description, users, goals, compliance
    • Output: User stories, abuse cases, NFRs, data classification
  2. techlead_design_architecture - Tech Lead

    • Input: user stories, tech constraints, scale expectations
    • Output: Components, trust boundaries, data flows, Mermaid diagrams
  3. security_threat_model - Security Engineer

    • Input: components, data flows, trust boundaries
    • Output: STRIDE threats with CWE/OWASP/CVE mapping
  4. qa_design_test_strategy - QA Engineer

    • Input: threats, abuse cases, compliance requirements
    • Output: Security test cases, penetration test plan
  5. security_review_code - Security (Phase 8)

    • Input: language, code snippet
    • Output: Vulnerabilities with remediation guidance

Roadmap

  • Phase 12: PM sprint planning tool
  • Phase 12: DevOps CI/CD pipeline design
  • Orchestration: Auto-sequence all phases in one call

📦 Project Structure

mcp-ssdlc-security-toolkit/
├── packages/
│   ├── core/                      # Shared types, utilities, validators
│   ├── ssdlc-planner/            # Main MCP server
│   │   ├── src/
│   │   │   ├── tools/
│   │   │   │   ├── business-analyst/
│   │   │   │   │   └── analyze-requirements.ts    (240 lines)
│   │   │   │   ├── tech-lead/
│   │   │   │   │   └── design-architecture.ts     (280 lines)
│   │   │   │   ├── security/
│   │   │   │   │   ├── threat-model.ts            (320 lines)
│   │   │   │   │   └── security-review-tool.ts    (Phase 8)
│   │   │   │   └── qa/
│   │   │   │       └── design-test-strategy.ts    (360 lines)
│   │   │   └── index.ts          # MCP server entry point
│   │   ├── scripts/
│   │   │   └── demo-simple.ts    # E-commerce demo
│   │   └── dist/                 # Build output (120.56 KB)
│   └── security-kb/              # CVE/CWE/OWASP knowledge base
│       ├── src/
│       │   ├── db/               # SQLite database (969 CWEs, OWASP mappings)
│       │   ├── intelligence/     # Security intelligence engine
│       │   └── report-generator.ts
│       └── dist/                 # Build output (118.51 KB)
├── docs/                         # Planning documents (Vietnamese)
├── QUICKSTART.md                 # Installation & usage guide
├── CLAUDE-DESKTOP-SETUP.md       # MCP configuration guide
└── PHASE-9-11-COMPLETE.md        # Implementation report
  • Security Engineer: Threat modeling (STRIDE), automated security code review
  • QA Engineer: Comprehensive test strategy design, test case generation
  • DevOps Engineer: CI/CD pipeline design with security scanning (GitHub Actions, Kubernetes)
  • Project Manager: Sprint planning with task breakdown and timeline (Gantt charts)

Phase 2 Features ✅

Security Knowledge Base (@mcp-ssdlc/security-kb):

  • CVE vulnerability database with severity scores
  • CWE common weakness enumeration
  • OWASP Top 10 (2021 edition)
  • Secure coding patterns for Python, JavaScript, Go, C#

Enhanced Pseudocode Generation:

  • Language-specific templates (Python, JS, TS, Go, C#)
  • Security annotations and best practices
  • Integration with security KB for pattern recommendations
  • Related function dependencies and test requirements

CI/CD Pipeline Design:

  • Platform support: GitHub Actions, GitLab CI, Azure DevOps
  • Deployment targets: Kubernetes, Docker, VM, Serverless
  • Security stages: SAST, SCA, DAST, container scanning
  • Automated deployment strategies (blue-green, canary)

Sprint Planning:

  • Velocity-based backlog selection
  • Task breakdown (design, development, testing, security)
  • Timeline generation with Gantt charts
  • Risk analysis and capacity planning

Phase 3 Features ✅ (NEW!)

🚀 Full Pipeline Orchestration (orchestrate_ssdlc_pipeline):

  • Complete SSDLC automation: BA → Tech Lead → Security → QA → PM → DevOps
  • Single-command planning: Generate all artifacts in one invocation
  • Coverage validation: Automatic 85-95% target verification
  • 7-tool workflow: Chains all role-based tools with context preservation
  • Comprehensive reports: JSON artifacts + Markdown documentation

🧪 Test Strategy Design (qa_design_test_strategy):

  • 6 test levels: Unit, integration, system, acceptance, performance, security
  • Framework selection: Automatic based on tech stack (Jest, pytest, JUnit, etc.)
  • Risk-based coverage: Critical (90%), High (85%), Medium (80%), Low (75%)
  • Automation strategy: CI/CD integration, priority areas, tools matrix
  • 5-phase timeline: Strategy, environment, development, execution, validation

🔒 Security Code Review (security_review_code):

  • 10+ security rules: SQL injection, XSS, hardcoded secrets, weak crypto
  • CWE/OWASP mapping: Links findings to industry standards
  • Risk scoring: 0-100 scale based on severity (Critical: 40, High: 20, Medium: 5, Low: 1)
  • Secure patterns: KB-backed recommendations for remediation
  • Compliance notes: OWASP Top 10, penetration testing, logging

Coverage Metrics (Automated)

Metric Target Calculation
Requirements 90-95% Complete user stories with acceptance criteria
Security 85-95% Threats with defined mitigations
Testing 85-90% Test cases vs expected (3 per story)
Architecture 85-90% Components with defined interfaces
Overall 85-95% Weighted average (Req: 25%, Sec: 30%, Test: 25%, Arch: 20%)

Sprint Planning:

  • Velocity-based backlog selection
  • Task breakdown (design, development, testing, security)
  • Timeline generation with Gantt charts
  • Risk analysis and capacity planning

See PHASE2-SUMMARY.md for complete documentation.

License

MIT

from github.com/vuongdat67/mcp-ssdlc-security-toolkit

Установка SSDLC Security Toolkit

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/vuongdat67/mcp-ssdlc-security-toolkit

FAQ

SSDLC Security Toolkit MCP бесплатный?

Да, SSDLC Security Toolkit MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для SSDLC Security Toolkit?

Нет, SSDLC Security Toolkit работает без API-ключей и переменных окружения.

SSDLC Security Toolkit — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить SSDLC Security Toolkit в Claude Desktop, Claude Code или Cursor?

Открой SSDLC Security Toolkit на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare SSDLC Security Toolkit with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development