
mcp-server-scf

provenance:github:MarkAC007/mcp-server-scf

MCP server for SCF Controls Platform — security compliance controls, frameworks, evidence, and risk management for AI agents

# mcp-server-scf

<!-- Build & Security -->
[![CI](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/ci.yml/badge.svg)](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/ci.yml)
[![Security](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/security.yml/badge.svg)](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/security.yml)

<!-- Package & License -->
[![npm version](https://img.shields.io/npm/v/mcp-server-scf.svg)](https://www.npmjs.com/package/mcp-server-scf)
[![npm downloads](https://img.shields.io/npm/dm/mcp-server-scf)](https://www.npmjs.com/package/mcp-server-scf)
[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![MCP](https://img.shields.io/badge/MCP-compatible-green.svg)](https://modelcontextprotocol.io)

<!-- Tech Stack -->
![TypeScript](https://img.shields.io/badge/TypeScript-5-blue?logo=typescript&logoColor=white)
![Node.js](https://img.shields.io/badge/node-%3E%3D18-brightgreen?logo=node.js&logoColor=white)

**Security compliance controls, frameworks, and risk management for AI agents.**

Give your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the [Model Context Protocol](https://modelcontextprotocol.io).

Built and maintained by [ComplianceGenie.io](https://compliancegenie.io) | Platform: [SCF Controls Platform](https://scfcontrolsplatform.com/)

---

## Overview

`mcp-server-scf` connects AI assistants to the [SCF Controls Platform](https://scfcontrolsplatform.com/) via MCP, enabling natural language interaction with your compliance program. Your AI can browse the full SCF control catalog, track implementation progress, manage evidence collection, assess risks, and monitor third-party vendors — all without leaving your editor or chat.

**38 tools** across 7 domains:

| Domain | Tools | Description |
|--------|-------|-------------|
| [Catalog](#catalog-reference-data) | 6 | Browse 1,451 controls, 354+ frameworks, 5,736 assessment objectives |
| [Control Scoping](#control-scoping) | 6 | Track implementation status across an 8-state workflow |
| [Evidence](#evidence-collection) | 4 | Manage evidence collection and maturity scoring |
| [Risk Management](#risk-management) | 5 | 5x5 risk matrix, risk register, severity summaries |
| [Vendor Risk (TPRM)](#vendor-risk-tprm) | 7 | Vendor registry, AI-powered security research, DPSIA |
| [Organization](#organization--platform) | 7 | Users, orgs, audit trail, work queue, notifications |
| [Capabilities](#capabilities--systems) | 4 | KSI capability themes, systems inventory |

---

## Quick Start

### Getting an API Key

1. Sign up at [scfcontrolsplatform.com](https://scfcontrolsplatform.com/)
2. Go to **Settings > API Keys**
3. Click **Generate New Key**
4. Copy the key (shown once) — it starts with `scf_`

### Claude Desktop

Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):

```json
{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
      }
    }
  }
}
```

### Claude Code

```bash
claude mcp add scf -- npx -y mcp-server-scf
```

Then set environment variables in your shell:

```bash
export SCF_API_KEY="scf_your_api_key_here"
export SCF_API_URL="https://eu.scfcontrolsplatform.app"
```

### Cursor / Windsurf

Add to your MCP config (`.cursor/mcp.json` or equivalent):

```json
{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
      }
    }
  }
}
```

### Docker

```json
{
  "mcpServers": {
    "scf": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here"
      }
    }
  }
}
```

---

## Configuration

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `SCF_API_KEY` | Yes | — | Your SCF platform API key (starts with `scf_`) |
| `SCF_API_URL` | No | `https://eu.scfcontrolsplatform.app` | Platform API endpoint |

---

## Tools

### Catalog (Reference Data)

Read-only access to the full SCF control catalog — 1,451 controls, 354+ frameworks, 272 evidence types, and 5,736 assessment objectives.

#### `list_controls`

List SCF security controls with search, domain, and framework filters.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `search` | string | No | Search by control title or description |
| `domain` | string | No | Filter by domain identifier (e.g., `GOV`, `AST`, `IAC`) |
| `framework` | string | No | Filter by framework (e.g., `nist-800-53`, `iso-27001`) |
| `limit` | number | No | Results to return (default: 25, max: 100) |
| `offset` | number | No | Results to skip for pagination (default: 0) |

#### `get_control`

Get detailed information about a specific SCF control including description, mapped frameworks, assessment objectives, and linked evidence items.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `scf_id` | string | Yes | SCF control identifier (e.g., `AST-01`, `IAC-15`, `GOV-02`) |

#### `list_frameworks`

List all 354+ compliance frameworks mapped in the SCF catalog (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR, and more).

*No parameters.*

#### `list_domains`

List all compliance domains in the SCF taxonomy. Domains group related security controls (e.g., GOV = Governance, AST = Asset Management, IAC = Identity & Access Control).

*No parameters.*

#### `list_evidence_catalog`

List the 272 standard evidence types from the SCF reference catalog that can be collected to demonstrate control implementation.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `search` | string | No | Search by evidence title or description |
| `limit` | number | No | Results to return (default: 25, max: 100) |
| `offset` | number | No | Results to skip for pagination (default: 0) |

#### `list_assessment_objectives`

List the 5,736 assessment test criteria used to evaluate control implementation. Can filter by specific control ID.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `control_id` | string | No | Filter by SCF control ID (e.g., `GOV-01`, `AST-02`) |
| `search` | string | No | Search term to filter objectives |
| `limit` | number | No | Results to return (default: 25, max: 100) |
| `offset` | number | No | Results to skip for pagination (default: 0) |

---

### Control Scoping

Track implementation status of controls scoped to your organization. Supports an 8-state workflow: `not_started`, `in_progress`, `implemented`, `ready_for_review`, `monitored`, `not_applicable`, `at_risk`, `deferred`.

#### `list_scoped_controls`

List controls scoped to your organization with implementation status. Supports filtering by status, domain, framework, and search.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `org_id` | string | Yes | Organization ID (UUID) — use `list_organizations` to find |
| `scope_status` | string | No | Filter by status: `not_started`, `in_progress`, `implemented`, `ready_for_review`, `monitored`, `not_applicable`, `at_risk`, `deferred` |
| `domain` | string | No | Filter by SCF domain (e.g., `GOV`, `AST`, `IAC`) |
| `framework` | string | No | Filter by framework |
| `search` | string | No | Search by control ID or title |
| `limit` | number | No | Results to return (default: 25, max: 100) |
| `offset` | number | No | Results to s

[truncated…]

PUBLIC HISTORY

First discovered: Mar 27, 2026

IDENTITY

inferred

Identity inferred from code signals. No PROVENANCE.yml found.


METADATA

platform: github
first seen: Feb 19, 2026
last updated: Mar 26, 2026
last crawled: 21 days ago
version
