Built for the Claude Code community with Claude Code by @mertduzgun

Independent project, not affiliated with Anthropic

Mcp Server Scf

markac007/mcp-server-scf
auth · STDIO · registry active
Summary

Connects Claude to the SCF Controls Platform's GRC tooling via 72 discrete operations covering controls, evidence, risk registers, and third-party vendor management. The platform is built around the Secure Controls Framework, a 1,451-control metaframework mapped to 354+ regulatory standards including ISO 27001, SOC 2, NIST 800-53, and PCI-DSS. You'd use this if you're running compliance programs and want Claude to pull control definitions, check evidence completeness against L0-L5 maturity criteria, query vendor risk assessments, or navigate cross-framework mappings without leaving the conversation. Designed for GRC consultants and in-house security leads managing multi-framework certification work.


SCF Controls Platform — MCP server for security compliance, frameworks, and risk management for AI agents. Maintained by ComplianceGenie.io.

mcp-server-scf


Security compliance controls, frameworks, and risk management for AI agents.

Give your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the Model Context Protocol.

Built for the SCF Controls Platform. Maintained by ComplianceGenie.io.

🆕 The platform is now open-source, self-hosted software. The SCF Controls Platform — SCF-native GRC tooling for the free Secure Controls Framework content — is published under AGPL-3.0 at scf-controls-platform-oss. Companies download and host it themselves via Docker Compose.

Having trouble? → docs/troubleshooting.md · API key setup → docs/authentication.md · How it works → docs/architecture.md


Overview

mcp-server-scf connects AI assistants to the SCF Controls Platform via MCP, enabling natural language interaction with your compliance program. Your AI can browse the full SCF control catalog, track implementation progress, manage evidence collection, assess risks, and monitor third-party vendors — all without leaving your editor or chat.

74 tools across 8 domains — click through for full parameter tables and example prompts:

Domain | Tools | Description
Catalog | 6 | Browse 1,451 controls, 354+ frameworks, 5,736 assessment objectives
Control Scoping | 6 | Track implementation status across an 8-state workflow
Evidence | 21 | Manage evidence collection, validation, maturity scoring, windowed AI assessments, and control-composite rollups
Risk Management | 12 | 5x5 risk matrix, risk register, custom risks and control mapping
Vendor Risk (TPRM) | 7 | Vendor registry, AI-powered security research, DPSIA
Organization | 7 | Users, orgs, audit trail, work queue, notifications
Capabilities | 9 | KSI capability themes, scorecards, evidence posture, systems inventory
Webhooks | 6 | Webhook endpoints, delivery logs, secret rotation

Try it with MCP Inspector

Kick the tires without adding the server to a client — MCP Inspector launches a local UI that introspects every tool, its schema, and its description:

npx @modelcontextprotocol/inspector npx -y mcp-server-scf

Inspector opens on http://localhost:6274 and connects to mcp-server-scf over stdio. You'll see all 74 tools, grouped by domain, with their Zod schemas rendered as a live form.

Live tool calls need an API key — export SCF_API_KEY in the same shell before launching Inspector, or set it under the "Environment Variables" tab inside the Inspector UI. Without a key, you can still browse schemas and descriptions; tool calls return 401.


Quick Start

1. Self-host the platform & get an API key

The SCF Controls Platform is open-source software you host yourself — there is no sign-up. Deploy it from scf-controls-platform-oss (a Docker Compose stack with bundled PostgreSQL, Redis, and MinIO), then:

  1. Set an API_KEY in the platform's .env (generate one with openssl rand -hex 32), or create a key in Settings → API Keys once the app is running.
  2. Note your instance's API URL — http://localhost:8000 by default, or your deployed host.

Use that key as SCF_API_KEY and the instance URL as SCF_API_URL (see Configuration).

2. Install — one-click

Pick the route for your client.

Claude Desktop — the one-click path is the signed .mcpb Desktop Extension below. Claude Desktop does not register a custom URL scheme, so there is no clickable deeplink; instead you drag the .mcpb onto Settings → Extensions and paste your API key once. See anthropics/claude-code#26952 for the upstream tracking issue.

Cursor — click the badge below. Cursor registers the cursor:// scheme, so the deeplink opens the IDE with the server config pre-filled:

Install in Cursor

Smithery — managed hosted deployment:

Try on Smithery

Prefer to edit config by hand, or on a client without a deeplink (Windsurf, Docker)? See 3. Manual config below.

Claude Desktop Extension (.mcpb)

For Claude Desktop ≥ 0.11.0, the easiest install is a signed .mcpb bundle — no JSON editing, no npx runtime, no Node required on the host:

  1. Download mcp-server-scf-<version>.mcpb from the latest GitHub release.
  2. Double-click the file (or drag it onto Claude Desktop → Settings → Extensions).
  3. When prompted, paste your scf_… API key. It's stored in your OS keychain, not in a config file.
  4. Claude Desktop restarts the server and all 74 tools are available.

To uninstall or update the API key later: Settings → Extensions → SCF Controls Platform → Configure.

3. Manual config

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "your_api_key_here",
        "SCF_API_URL": "http://localhost:8000"
      }
    }
  }
}

Claude Code:

claude mcp add scf -- npx -y mcp-server-scf
export SCF_API_KEY="your_api_key_here"
export SCF_API_URL="http://localhost:8000"

Cursor / Windsurf — same JSON shape as Claude Desktop in .cursor/mcp.json (or the equivalent Windsurf path).

Docker:

{
  "mcpServers": {
    "scf": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
      "env": { "SCF_API_KEY": "scf_your_api_key_here" }
    }
  }
}

Configuration

Variable | Required | Default | Description
SCF_API_KEY | Yes | — | API key from your self-hosted platform instance
SCF_API_URL | Yes | — | Base URL of your self-hosted platform (e.g. http://localhost:8000). The former hosted default is decommissioned.

Example Prompts

Once connected, try asking your AI assistant:

  • "What NIST 800-53 controls apply to access control?"
  • "Show me my organization's control implementation progress."
  • "List all critical vendors and their risk scores."
  • "Create a risk assessment for our cloud migration."
  • "What evidence do I need to collect for SOC 2 audit?"
  • "Show the 5x5 risk matrix for my organization."
  • "Run a DPSIA on our cloud provider vendor."

More examples live in each per-domain doc under docs/tools/.


Documentation

  • docs/authentication.md — API key setup, rotation, region selection, scopes.
  • docs/architecture.md — request flow, error model, rate limiting, what the server does and does not do.
  • docs/troubleshooting.md — symptom/cause/fix for the common failure modes.
  • docs/tools/ — per-domain reference with full parameter tables.

Security

  • API keys are never logged or included in error messages.
  • All communication uses HTTPS; keys are SHA-256 hashed server-side.
  • Rate limiting: 100 req/min read, 20 req/min write.
  • Multi-tenant — all operations scoped to your organization.
  • npm package published with provenance attestation via OIDC trusted publishing.
  • CI includes Gitleaks secret detection, CodeQL analysis, and Semgrep SAST.

See SECURITY.md to report a vulnerability.
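
A pre-flight audit for the client config from the Manual config section, as an added example that is not part of the mcp-server-scf project: it flags a missing SCF_API_URL, an http:// URL to a non-loopback host (where the HTTPS statement above would not hold), a placeholder or plaintext key, and an unpinned npx package. The function name auditScfConfig, the finding codes, and the sample host grc.example.internal are assumptions made for illustration.

```javascript
// Added example: audit an MCP client config (claude_desktop_config.json shape)
// before launching mcp-server-scf. auditScfConfig and its finding codes are
// hypothetical names, not part of the project.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);
const PLACEHOLDER = /your_(api_)?key/i;

function auditScfConfig(config) {
  const findings = [];
  for (const [name, srv] of Object.entries(config.mcpServers ?? {})) {
    const args = srv.args ?? [];
    // Only inspect entries that launch this server (npm package or Docker image).
    if (!args.some((a) => /(^|\/)mcp-server-scf(@|$)/.test(a))) continue;
    const env = srv.env ?? {};
    const add = (code, detail) => findings.push({ server: name, code, detail });

    if (!env.SCF_API_URL) {
      add("URL_MISSING", "SCF_API_URL is required and has no default");
    } else {
      let url;
      try { url = new URL(env.SCF_API_URL); } catch { url = null; }
      if (!url) add("URL_INVALID", env.SCF_API_URL);
      else if (url.protocol !== "https:" && !LOOPBACK.has(url.hostname))
        add("CLEARTEXT_URL", `${url.host}: API key would cross the network unencrypted`);
    }

    const key = env.SCF_API_KEY;
    if (!key) add("KEY_MISSING", "tool calls will return 401");
    else if (PLACEHOLDER.test(key)) add("KEY_PLACEHOLDER", "replace the sample value");
    else add("KEY_IN_FILE", "secret is in a plaintext config; restrict file permissions");

    // `npx -y mcp-server-scf` resolves to whatever version is latest at launch.
    if (srv.command === "npx" && args.includes("mcp-server-scf"))
      add("UNPINNED_PACKAGE", "pin a reviewed version: mcp-server-scf@<version>");
  }
  return findings;
}

// Constructed sample input, modelled on the Manual config section.
const sample = { mcpServers: {
  scf: { command: "npx", args: ["-y", "mcp-server-scf"],
         env: { SCF_API_KEY: "your_api_key_here",
                SCF_API_URL: "http://grc.example.internal:8000" } },
  other: { command: "npx", args: ["-y", "some-other-server"], env: {} },
} };
console.log(auditScfConfig(sample).map((f) => `${f.server}: ${f.code}`));
```

An empty result means none of these four checks fired; it does not verify the key itself or the platform's TLS certificate.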


Development

git clone https://github.com/MarkAC007/mcp-server-scf.git
cd mcp-server-scf
npm install
npm run build
npm run dev        # Watch mode
npm run lint       # ESLint
npm test           # Vitest

Testing with MCP Inspector

SCF_API_KEY=scf_your_key npx @modelcontextprotocol/inspector node build/index.js

Contributing

Contributions welcome! Please read CONTRIBUTING.md before submitting PRs.

This project follows the Contributor Covenant — see CODE_OF_CONDUCT.md. By participating, you are expected to uphold this code.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

MIT — see LICENSE.


Links

  • scf-controls-platform-oss — the open-source, self-hosted platform (AGPL-3.0)
  • ComplianceGenie.io — maintainer
  • Model Context Protocol — MCP specification
  • SCF Framework — Secure Controls Framework
  • npm Package — npm registry
  • Changelog — release history

Configuration

SCF_API_KEY* (secret)

Your SCF Controls Platform API key. Generate at Settings > API Keys. Starts with the scf_ prefix.

SCF_API_URL (default: https://uk.scfcontrolsplatform.app)

Platform API endpoint. Defaults to https://uk.scfcontrolsplatform.app (UK data residency).

Registry: active
Package: mcp-server-scf
Transport: STDIO
Auth: Required
Updated: May 12, 2026