mcp-server-scf

CI Security OpenSSF Scorecard Socket.dev

npm version npm downloads install size License: MIT MCP

MCP Registry smithery badge

Security compliance controls, frameworks, and risk management for AI agents.

Give your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the Model Context Protocol.

Built for the SCF Controls Platform. Maintained by ComplianceGenie.io.

Having trouble? → docs/troubleshooting.md · API key setup → docs/authentication.md · How it works → docs/architecture.md

---

Overview

mcp-server-scf connects AI assistants to the SCF Controls Platform via MCP, enabling natural language interaction with your compliance program. Your AI can browse the full SCF control catalog, track implementation progress, manage evidence collection, assess risks, and monitor third-party vendors — all without leaving your editor or chat.

72 tools across 8 domains — click through for full parameter tables and example prompts:

Domain	Tools	Description
Catalog	6	Browse 1,451 controls, 354+ frameworks, 5,736 assessment objectives
Control Scoping	6	Track implementation status across an 8-state workflow
Evidence	19	Manage evidence collection, validation, maturity scoring, and windowed AI assessments
Risk Management	12	5x5 risk matrix, risk register, custom risks and control mapping
Vendor Risk (TPRM)	7	Vendor registry, AI-powered security research, DPSIA
Organization	7	Users, orgs, audit trail, work queue, notifications
Capabilities	9	KSI capability themes, scorecards, evidence posture, systems inventory
Webhooks	6	Webhook endpoints, delivery logs, secret rotation

---

Try it with MCP Inspector

Kick the tires without adding the server to a client — MCP Inspector launches a local UI that introspects every tool, its schema, and its description:

npx @modelcontextprotocol/inspector npx -y mcp-server-scf

Inspector opens on http://localhost:6274 and connects to mcp-server-scf over stdio. You'll see all 72 tools, grouped by domain, with their Zod schemas rendered as a live form.

Live tool calls need an API key — export SCF_API_KEY in the same shell before launching Inspector, or set it under the "Environment Variables" tab inside the Inspector UI. Without a key, you can still browse schemas and descriptions; tool calls return 401.

---

Quick Start

1. Get an API key

1. Sign up at scfcontrolsplatform.com (or uk.scfcontrolsplatform.app for UK data residency).
2. Settings → API Keys → Generate New Key.
3. Copy the key — shown once. Starts with scf_.

Full walkthrough (rotation, region selection, scopes): docs/authentication.md.

2. Install — one-click

Pick the route for your client.

Claude Desktop — the one-click path is the signed .mcpb Desktop Extension below. Claude Desktop does not register a custom URL scheme, so there is no clickable deeplink; instead you drag the .mcpb onto Settings → Extensions and paste your API key once. See anthropics/claude-code#26952 for the upstream tracking issue.

Cursor — click the badge below. Cursor registers the cursor:// scheme, so the deeplink opens the IDE with the server config pre-filled:

Install in Cursor

Smithery — managed hosted deployment:

Try on Smithery

Prefer to edit config by hand, or on a client without a deeplink (Windsurf, Docker)? See 3. Manual config below.

Claude Desktop Extension (.mcpb)

For Claude Desktop ≥ 0.11.0, the easiest install is a signed .mcpb bundle — no JSON editing, no npx runtime, no Node required on the host:

1. Download mcp-server-scf-<version>.mcpb from the latest GitHub release.
2. Double-click the file (or drag it onto Claude Desktop → Settings → Extensions).
3. When prompted, paste your scf_… API key. It's stored in your OS keychain, not in a config file.
4. Claude Desktop restarts the server and all 72 tools are available.

To uninstall or update the API key later: Settings → Extensions → SCF Controls Platform → Configure.

3. Manual config

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://uk.scfcontrolsplatform.app"
      }
    }
  }
}

Claude Code:

claude mcp add scf -- npx -y mcp-server-scf
export SCF_API_KEY="scf_your_api_key_here"
export SCF_API_URL="https://uk.scfcontrolsplatform.app"

Cursor / Windsurf — same JSON shape as Claude Desktop in .cursor/mcp.json (or the equivalent Windsurf path).

Docker:

{
  "mcpServers": {
    "scf": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
      "env": { "SCF_API_KEY": "scf_your_api_key_here" }
    }
  }
}

---

Configuration

Variable	Required	Default	Description
SCF_API_KEY	Yes	—	Your SCF platform API key (starts with scf_)
SCF_API_URL	No	https://uk.scfcontrolsplatform.app	Platform API endpoint

---

Example Prompts

Once connected, try asking your AI assistant:

• "What NIST 800-53 controls apply to access control?"
• "Show me my organization's control implementation progress."
• "List all critical vendors and their risk scores."
• "Create a risk assessment for our cloud migration."
• "What evidence do I need to collect for SOC 2 audit?"
• "Show the 5x5 risk matrix for my organization."
• "Run a DPSIA on our cloud provider vendor."

More examples live in each per-domain doc under docs/tools/.

---

Documentation

• docs/authentication.md — API key setup, rotation, region selection, scopes.
• docs/architecture.md — request flow, error model, rate limiting, what the server does and does not do.
• docs/troubleshooting.md — symptom/cause/fix for the common failure modes.
• docs/tools/ — per-domain reference with full parameter tables.

---

Security

• API keys are never logged or included in error messages.
• All communication uses HTTPS; keys are SHA-256 hashed server-side.
• Rate limiting: 100 req/min read, 20 req/min write.
• Multi-tenant — all operations scoped to your organization.
• npm package published with provenance attestation via OIDC trusted publishing.
• CI includes Gitleaks secret detection, CodeQL analysis, and Semgrep SAST.

See SECURITY.md to report a vulnerability.

---

Development

git clone https://github.com/MarkAC007/mcp-server-scf.git
cd mcp-server-scf
npm install
npm run build
npm run dev        # Watch mode
npm run lint       # ESLint
npm test           # Vitest

Testing with MCP Inspector

SCF_API_KEY=scf_your_key npx @modelcontextprotocol/inspector node build/index.js

---

Contributing

Contributions welcome! Please read CONTRIBUTING.md before submitting PRs.

This project follows the Contributor Covenant — see CODE_OF_CONDUCT.md. By participating, you are expected to uphold this code.

1. Fork the repository
2. Create your feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

---

License

MIT — see LICENSE.

---

Links

• SCF Controls Platform — the compliance platform
• ComplianceGenie.io — maintainer
• Model Context Protocol — MCP specification
• SCF Framework — Secure Controls Framework
• npm Package — npm registry
• Changelog — release history