mcp-server-scf

v1.0.12

MCP server for the SCF Controls Platform — security compliance controls, frameworks, evidence, and risk management for AI agents

Security compliance controls, frameworks, and risk management for AI agents.

Give your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the Model Context Protocol.

Built for the SCF Controls Platform. Maintained by ComplianceGenie.io.

Having trouble? → docs/troubleshooting.md · API key setup → docs/authentication.md · How it works → docs/architecture.md


Overview

mcp-server-scf connects AI assistants to the SCF Controls Platform via MCP, enabling natural language interaction with your compliance program. Your AI can browse the full SCF control catalog, track implementation progress, manage evidence collection, assess risks, and monitor third-party vendors — all without leaving your editor or chat.

72 tools across 8 domains — click through for full parameter tables and example prompts:

| Domain | Tools | Description |
| --- | --- | --- |
| Catalog | 6 | Browse 1,451 controls, 354+ frameworks, 5,736 assessment objectives |
| Control Scoping | 6 | Track implementation status across an 8-state workflow |
| Evidence | 19 | Manage evidence collection, validation, maturity scoring, and windowed AI assessments |
| Risk Management | 12 | 5x5 risk matrix, risk register, custom risks and control mapping |
| Vendor Risk (TPRM) | 7 | Vendor registry, AI-powered security research, DPSIA |
| Organization | 7 | Users, orgs, audit trail, work queue, notifications |
| Capabilities | 9 | KSI capability themes, scorecards, evidence posture, systems inventory |
| Webhooks | 6 | Webhook endpoints, delivery logs, secret rotation |


Try it with MCP Inspector

Kick the tires without adding the server to a client — MCP Inspector launches a local UI that introspects every tool, its schema, and its description:

npx @modelcontextprotocol/inspector npx -y mcp-server-scf

Inspector opens on http://localhost:6274 and connects to mcp-server-scf over stdio. You'll see all 72 tools, grouped by domain, with their Zod schemas rendered as a live form.

Live tool calls need an API key — export SCF_API_KEY in the same shell before launching Inspector, or set it under the "Environment Variables" tab inside the Inspector UI. Without a key, you can still browse schemas and descriptions; tool calls return 401.


Quick Start

1. Get an API key

  1. Sign up at scfcontrolsplatform.com (or uk.scfcontrolsplatform.app for UK data residency).
  2. Settings → API Keys → Generate New Key.
  3. Copy the key — shown once. Starts with scf_.

Full walkthrough (rotation, region selection, scopes): docs/authentication.md.

2. Install — one-click

Pick the route for your client.

Claude Desktop — the one-click path is the signed .mcpb Desktop Extension below. Claude Desktop does not register a custom URL scheme, so there is no clickable deeplink; instead you drag the .mcpb onto Settings → Extensions and paste your API key once. See anthropics/claude-code#26952 for the upstream tracking issue.

Cursor — click the badge below. Cursor registers the cursor:// scheme, so the deeplink opens the IDE with the server config pre-filled:

Install in Cursor

Smithery — managed hosted deployment:

Try on Smithery

Prefer to edit config by hand, or on a client without a deeplink (Windsurf, Docker)? See 3. Manual config below.

Claude Desktop Extension (.mcpb)

For Claude Desktop ≥ 0.11.0, the easiest install is a signed .mcpb bundle — no JSON editing, no npx runtime, no Node required on the host:

  1. Download mcp-server-scf-<version>.mcpb from the latest GitHub release.
  2. Double-click the file (or drag it onto Claude Desktop → Settings → Extensions).
  3. When prompted, paste your scf_… API key. It's stored in your OS keychain, not in a config file.
  4. Claude Desktop restarts the server and all 72 tools are available.

To uninstall or update the API key later: Settings → Extensions → SCF Controls Platform → Configure.

3. Manual config

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://uk.scfcontrolsplatform.app"
      }
    }
  }
}

Claude Code:

claude mcp add scf -- npx -y mcp-server-scf
export SCF_API_KEY="scf_your_api_key_here"
export SCF_API_URL="https://uk.scfcontrolsplatform.app"

Cursor / Windsurf — same JSON shape as Claude Desktop in .cursor/mcp.json (or the equivalent Windsurf path).

Docker:

{
  "mcpServers": {
    "scf": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
      "env": { "SCF_API_KEY": "scf_your_api_key_here" }
    }
  }
}

Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| SCF_API_KEY | Yes | — | Your SCF platform API key (starts with scf_) |
| SCF_API_URL | No | https://uk.scfcontrolsplatform.app | Platform API endpoint |
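
A check for the manual-config snippets above, added here as an example and not part of mcp-server-scf or its docs: it flags a real key left in plaintext in the config file, a non-HTTPS SCF_API_URL, and an npx package without an exact version. The function name auditMcpConfig, the issue labels and the sample configs are constructed for illustration; the 1.0.12 pin is the version shown on this page.

```javascript
// Added example, not part of mcp-server-scf: audit an MCP client config file.
const PLACEHOLDER = "scf_your_api_key_here"; // placeholder string used on this page

function auditMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers ?? {})) {
    const env = server.env ?? {};
    const flag = (issue) => findings.push({ server: name, issue });

    // 1. A real key stored in plaintext in the config file.
    const key = env.SCF_API_KEY;
    if (typeof key === "string" && key.startsWith("scf_") && key !== PLACEHOLDER) {
      flag("plaintext-api-key");
    }

    // 2. An endpoint override that is not HTTPS: the key would cross the network in clear.
    if (env.SCF_API_URL !== undefined) {
      let protocol = null;
      try { protocol = new URL(env.SCF_API_URL).protocol; } catch { /* unparsable URL */ }
      if (protocol !== "https:") flag("non-https-endpoint");
    }

    // 3. npx without an exact version runs whatever the registry serves at launch time.
    if (server.command === "npx") {
      const pkg = (server.args ?? []).find((a) => !a.startsWith("-"));
      const at = pkg ? pkg.lastIndexOf("@") : -1; // index 0 is a scope, not a version
      const version = at > 0 ? pkg.slice(at + 1) : "";
      if (pkg && !/^\d+\.\d+\.\d+/.test(version)) flag("unpinned-npx-package");
    }
  }
  return findings;
}

// Constructed sample configs; the key value below is fabricated.
const risky = { mcpServers: { scf: {
  command: "npx", args: ["-y", "mcp-server-scf"],
  env: { SCF_API_KEY: "scf_0000constructed0000", SCF_API_URL: "http://uk.scfcontrolsplatform.app" },
} } };
// Key supplied through the launching environment instead of the file (assumption).
const pinned = { mcpServers: { scf: {
  command: "npx", args: ["-y", "mcp-server-scf@1.0.12"],
  env: { SCF_API_URL: "https://uk.scfcontrolsplatform.app" },
} } };

console.log(auditMcpConfig(risky).map((f) => f.issue));
console.log(auditMcpConfig(pinned));
```

To audit a real file, parse it with JSON.parse(fs.readFileSync(path, "utf8")) and pass the result to auditMcpConfig.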


Example Prompts

Once connected, try asking your AI assistant:

  • "What NIST 800-53 controls apply to access control?"
  • "Show me my organization's control implementation progress."
  • "List all critical vendors and their risk scores."
  • "Create a risk assessment for our cloud migration."
  • "What evidence do I need to collect for SOC 2 audit?"
  • "Show the 5x5 risk matrix for my organization."
  • "Run a DPSIA on our cloud provider vendor."

More examples live in each per-domain doc under docs/tools/.


Security

  • API keys are never logged or included in error messages.
  • All communication uses HTTPS; keys are SHA-256 hashed server-side.
  • Rate limiting: 100 req/min read, 20 req/min write.
  • Multi-tenant — all operations scoped to your organization.
  • npm package published with provenance attestation via OIDC trusted publishing.
  • CI includes Gitleaks secret detection, CodeQL analysis, and Semgrep SAST.

See SECURITY.md to report a vulnerability.


Development

git clone https://github.com/MarkAC007/mcp-server-scf.git
cd mcp-server-scf
npm install
npm run build
npm run dev        # Watch mode
npm run lint       # ESLint
npm test           # Vitest

Testing with MCP Inspector

SCF_API_KEY=scf_your_key npx @modelcontextprotocol/inspector node build/index.js

Contributing

Contributions welcome! Please read CONTRIBUTING.md before submitting PRs.

This project follows the Contributor Covenant — see CODE_OF_CONDUCT.md. By participating, you are expected to uphold this code.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

MIT — see LICENSE.

