vaspera-hardening-mcp-server
v2.2.0
Enterprise security certification with deterministic scanners, cost tracking, and compliance mapping
Vaspera Hardening MCP Server
Enterprise-grade security certification for codebases with deterministic scanners and LLM-powered analysis.
What's New in v2.2.0
NIST SP 800-53 Rev. 5
Full NIST 800-53 compliance framework with 1000+ controls:
- All 20 control families - AC, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR, SU
- Cross-mappings - Auto-map to SOC 2, ISO 27001, PCI-DSS, CIS v8
- Control status - Compliant/At-Risk/Non-Compliant per control
- Gap analysis - Identify missing security controls
MCP Resources & Prompts
Native MCP resource and prompt support:
- Resources: compliance-control://{framework}/{id}, compliance-framework://{framework}
- Prompts: "Run full certification", "Remediate findings", "Compliance gap analysis", "Scanner setup"
- Claude discovery - Resources and prompts visible in MCP inspector
History & Trends API
Track certification history and analyze trends over time:
- history_query - Query certification/scan history with filters
- history_trends - Calculate trends by day/week/month/quarter/year
- history_recent - Get recent activity summary
- Append-only storage - .vaspera/history.jsonl
Cost Forecasting
Estimate certification costs before running:
- cost_forecast - Estimate costs based on file count, lines, and agents
- Historical learning - Improves estimates from past certifications
- Budget planning - Know costs before committing resources
Model Performance Leaderboard
Track and compare model performance across certifications:
- leaderboard_view - View model rankings by precision/recall
- leaderboard_record - Record metrics from model runs
- leaderboard_recommend - Get model recommendation for a task
- Smart routing - Pick best models based on historical performance
Additional Exporters
Export findings to enterprise security platforms:
- SonarQube - Generic Issue Import JSON format
- Snyk - Snyk JSON vulnerability format
- Checkmarx - CxXML results format
- SARIF - GitHub Security tab (existing)
Release Automation
Scripted changelog and release notes:
- Changesets - Automated version management
- Release notes - Auto-generated from conventional commits
- npm scripts - npm run changeset, npm run version, npm run release
What's New in v2.1.0
Auto-Detect Languages
Automatically detect project languages and enable appropriate scanners:
- certification_detect_languages - Detect JS, Python, Go, Ruby, Java, Docker, Terraform
- auto_detect mode - Pass auto_detect: true to certification_scan
- Smart scanner selection - Enables Bandit for Python, Gosec for Go, Brakeman for Ruby, etc.
Brakeman Scanner (Ruby on Rails)
Complete Ruby security scanning with Brakeman:
- SQL injection - ActiveRecord query analysis
- XSS - Cross-site scripting in views
- CSRF - Cross-site request forgery detection
- Mass assignment - Dangerous model updates
- Remote code execution - eval, system, backticks
- CWE mappings - All findings mapped to CWE identifiers
GDPR Compliance Framework
Full GDPR compliance mapping with 30+ controls:
- Principles (Art. 5) - Lawfulness, purpose limitation, data minimization
- Data Protection by Design (Art. 25) - Privacy by default
- Security of Processing (Art. 32) - Encryption, integrity, availability
- Breach Notification (Art. 33-34) - Incident response requirements
- Control mapping - Automatic finding-to-control linking
What's New in v2.0.1
Batch Auto-Fix
- autofix_batch - Apply all safe fixes at once with dry-run support
- 16 fix patterns - IDOR, rate limiting, CSRF, cookies, SQL injection, XSS, and more
Scanner Install Helper
- certification_install_scanners - Platform-specific install commands
- run_install option - Execute installation with confirmation
- macOS/Linux/Windows - Automatic platform detection
SBOM Improvements
- output_file - Write SBOM directly to file
What's New in v2.0.0
Cost Tracking
Track and control LLM API costs across certifications:
- Token counting - Track input/output tokens per model
- Budget limits - Set cost budgets with automatic abort
- Cost estimation - Estimate costs before running
- 13 models supported - Claude, GPT-4, Gemini pricing
Consensus Aggregation
Aggregate findings from multiple runs for higher confidence:
- Record findings - From external agent runs (Claude, GPT, Gemini, etc.)
- Disagreement detection - Flag when runs produce conflicting results
- Fleiss' kappa reliability - Statistical inter-rater agreement
- Weighted consensus - Configurable weights per source
Note: These tools aggregate results from external runs. They do not call LLM APIs directly.
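How the agreement statistic behaves on binary votes, as an added example (not the project's own code): each run either reports a candidate finding or does not, and Fleiss' kappa is computed over those votes. The run names, finding keys, candidate list and the simple-majority merge rule are assumptions made for the illustration.

```javascript
// Added example, not the project's code. Each agent run casts a binary vote
// per candidate finding: reported or not reported.
function consensus(candidates, runs) {
  const sets = Object.values(runs).map((keys) => new Set(keys));
  const n = sets.length;        // raters (agent runs)
  const N = candidates.length;  // subjects (candidate findings)
  if (n < 2 || N === 0) throw new Error('need >= 2 runs and >= 1 candidate');

  let sumPi = 0;    // running sum of per-subject agreement P_i
  let totalYes = 0; // total "reported" votes across all subjects
  const disagreements = [];
  const merged = [];
  for (const key of candidates) {
    const yes = sets.filter((s) => s.has(key)).length;
    const no = n - yes;
    // P_i = (sum_j n_ij^2 - n) / (n * (n - 1))
    sumPi += (yes * yes + no * no - n) / (n * (n - 1));
    totalYes += yes;
    if (yes > 0 && no > 0) disagreements.push({ key, yes, no });
    if (yes * 2 > n) merged.push(key); // assumed rule: simple majority
  }
  const pObserved = sumPi / N;
  const pYes = totalYes / (N * n);
  const pChance = pYes * pYes + (1 - pYes) * (1 - pYes);
  // Every vote in the same category gives 0/0; treat it as full agreement.
  const kappa = pChance === 1 ? 1 : (pObserved - pChance) / (1 - pChance);
  return { kappa, disagreements, merged };
}

// Constructed sample: five candidate findings, three runs.
const sampleCandidates = [
  'CWE-89:src/db.js:14',
  'CWE-79:src/views/profile.js:8',
  'CWE-352:src/routes/account.js:22',
  'CWE-798:src/config.js:5',
  'CWE-22:src/files.js:31',
];
const [sqli, xss, csrf, secret] = sampleCandidates;
const sampleRuns = {
  'run-1': [sqli, xss, csrf],
  'run-2': [sqli, xss, secret],
  'run-3': [sqli, csrf],
};

function sampleConsensus() {
  return consensus(sampleCandidates, sampleRuns);
}
console.log(sampleConsensus());
```

On the sample the runs agree only slightly better than chance (kappa is about 0.20), with three disputed findings.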
Compliance Mapping
Map findings to enterprise compliance frameworks:
- SOC 2 Type II - All Trust Service Criteria
- ISO 27001 - Annex A controls
- PCI-DSS v4.0 - Payment card security
- HIPAA - Healthcare data protection
- GDPR - EU data protection (v2.1.0)
- CIS Controls - Security best practices
- Control status - Compliant/At-Risk/Non-Compliant
- Gap analysis - Identify missing controls
SBOM & Provenance
Software Bill of Materials and supply chain security:
- CycloneDX SBOM - Dependency inventory
- SLSA Provenance - Build attestation
- Sigstore signing - Real cryptographic signing via Fulcio + Rekor
Signing requires OIDC identity (GitHub Actions, GitLab CI, or SIGSTORE_ID_TOKEN).
Features
Deterministic Scanner Backbone
Ground every finding in verifiable evidence with industry-standard scanners:
- Semgrep - OWASP Top 10, custom rules
- gitleaks - Secrets detection
- npm audit - Dependency vulnerabilities
- TypeScript - Type safety analysis
- ESLint - Code quality and security rules
- Bandit - Python security analysis
- Gosec - Go security checker
- Brakeman - Ruby on Rails security (v2.1.0)
- Trivy - Container/IaC vulnerability scanning
Enterprise Certification
Multi-agent validation with cross-verification:
- 6 specialized agents: security, reliability, typesafety, performance, quality, redteam
- Cross-verification between agents for high-confidence findings
- Consensus scoring with certification levels
GitHub Action Integration
CI/CD integration with PR comments and Sigstore signing:
- Security certification workflow - Auto-detect languages, run scanners, generate reports
- Sigstore signing - OIDC-based signing with Fulcio + Rekor (requires id-token: write)
- Automatic PR comments - Findings summary on pull requests
- SARIF upload - GitHub Security tab integration
See .github/workflows/certify.yml for example.
Evaluation Harness
Measure scanner accuracy with labeled test fixtures:
- Precision, recall, F1 score metrics
- Stability testing across multiple runs
- Target thresholds for publication
Quick Start
Installation
npm install vaspera-hardening-mcp-server
# or
git clone https://github.com/RCOLKITT/hardening-mcp.git
cd hardening-mcp
npm install && npm run build
Add to Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
  "mcpServers": {
    "vaspera-hardening": {
      "command": "node",
      "args": ["/path/to/vaspera-hardening-mcp/dist/index.js"],
      "env": {
        "VASPERA_PROJECTS_DIR": "/path/to/your/projects"
      }
    }
  }
}
MCP Tools
Hardening Commands
| Tool | Description |
|------|-------------|
| hardening_list_projects | Discover all projects in workspace |
| hardening_install | Install hardening commands into a project |
| hardening_install_all | Install commands into all projects |
| hardening_get_command | Get a specific command prompt |
| hardening_read_audit | Read AUDIT.md from a project |
| hardening_read_report | Read HARDENING-REPORT.md |
| hardening_dashboard | Portfolio-wide readiness dashboard |
| hardening_list_commands | List available commands |
Enterprise Certification
| Tool | Description |
|------|-------------|
| certification_start | Initialize enterprise certification |
| certification_scan | Run deterministic scanners (supports auto_detect) |
| certification_detect_languages | Auto-detect project languages for scanner selection |
| certification_scanners_available | Check scanner availability |
| certification_install_scanners | Get install commands for missing scanners |
| certification_status | Get certification progress |
| certification_consensus | Calculate consensus score |
| certification_finalize | Generate certification artifacts |
| certification_dashboard | Portfolio certification view |
Agent Tools
| Tool | Description |
|------|-------------|
| agent_submit_finding | Submit a finding from an agent |
| agent_complete | Mark agent run as complete |
| agent_cross_verify | Cross-verify another agent's finding |
| redteam_challenge | Challenge an area marked clean |
Utilities
| Tool | Description |
|------|-------------|
| certification_cross_verify | Batch cross-verify critical findings |
| certification_summary | Progressive disclosure summary |
| certification_filter | Filter findings by criteria |
| certification_export_sarif | Export to SARIF format |
| autofix_preview | Preview auto-fix for a finding |
| autofix_apply | Apply auto-fix |
| autofix_batch | Batch apply all safe fixes |
| autofix_list_patterns | List available fix patterns |
Custom Rules
| Tool | Description |
|------|-------------|
| rules_load | Load custom rules from config |
| rules_templates | List built-in rule templates |
| rules_generate_config | Generate sample rules config |
| rules_check_file | Check file against custom rules |
Evaluation
| Tool | Description |
|------|-------------|
| certification_eval | Run evaluation against test fixtures |
| certification_eval_fixtures | Get fixture statistics |
Cost Tracking (v2.0.0)
| Tool | Description |
|------|-------------|
| cost_track | Start tracking costs for a certification |
| cost_estimate | Estimate cost before running |
| cost_status | Get current cost status |
| cost_report | Generate cost report |
| cost_budget | Set/update budget limits |
| cost_models | List supported models and pricing |
Consensus Aggregation (v2.0.0)
These tools aggregate findings from external runs - they do NOT call LLM APIs.
| Tool | Description |
|------|-------------|
| consensus_record | Record findings from an external agent run |
| consensus_calculate | Calculate consensus with Fleiss' kappa |
| consensus_disagreements | Get disagreements between runs |
| consensus_merged | Get deduplicated findings after consensus |
| consensus_summary | Generate consensus summary |
| consensus_models | List model configurations |
| consensus_clear | Clear recorded results |
Compliance Mapping (v2.0.0+)
| Tool | Description |
|------|-------------|
| compliance_report | Generate compliance report for a framework |
| compliance_multi_report | Generate report for multiple frameworks |
| compliance_controls | List controls for a framework |
Supported frameworks: SOC2, ISO27001, PCI-DSS, HIPAA, GDPR, CIS, NIST-800-53 (v2.2.0)
History & Trends (v2.2.0)
| Tool | Description |
|------|-------------|
| history_query | Query certification/scan history with filters |
| history_trends | Calculate trends over time periods |
| history_recent | Get recent activity summary |
Cost Forecasting (v2.2.0)
| Tool | Description |
|------|-------------|
| cost_forecast | Estimate certification costs before running |
Model Leaderboard (v2.2.0)
| Tool | Description |
|------|-------------|
| leaderboard_view | View model performance rankings |
| leaderboard_record | Record metrics from model runs |
| leaderboard_recommend | Get model recommendation for task type |
Export Formats (v2.2.0)
| Tool | Description |
|------|-------------|
| export_findings | Export findings to SonarQube, Snyk, or Checkmarx |
Use certification_export_sarif for SARIF/GitHub Security tab.
SBOM & Provenance (v2.0.0)
| Tool | Description |
|------|-------------|
| sbom_generate | Generate CycloneDX SBOM |
| sbom_provenance | Generate SLSA provenance attestation |
| sbom_sign | Sign content with Sigstore (requires OIDC) |
| sbom_verify_provenance | Verify provenance attestation |
Typical Workflows
Run Security Scan
You: "Scan this project for security issues"
→ Claude calls certification_scan
→ Returns findings from Semgrep, gitleaks, npm audit, TypeScript
Full Enterprise Certification
You: "Start enterprise certification for this project"
→ Claude calls certification_start
→ Claude calls certification_scan (deterministic pre-pass)
→ Claude runs each agent (security, reliability, typesafety, etc.)
→ Claude calls certification_cross_verify (batch verify critical findings)
→ Claude calls certification_consensus
→ Claude calls certification_finalize
→ Generates CERTIFICATION.md and CERTIFICATION.json
Evaluate Scanner Accuracy
You: "Run the evaluation harness to test scanner accuracy"
→ Claude calls certification_eval
→ Returns precision, recall, F1 scores against labeled fixtures
Cost-Controlled Certification (v2.0.0)
You: "Run certification with a $5 budget limit"
→ Claude calls cost_track with budget: 5.00
→ Claude runs agents, tracking costs in real-time
→ If budget exceeded, certification pauses
→ Claude calls cost_report for final breakdown
Consensus Aggregation (v2.0.0)
You: "Calculate consensus from my security agent runs"
→ User runs security agent via different MCP clients or APIs
→ User calls consensus_record for each run's findings
→ Claude calls consensus_calculate for agreement metrics
→ Claude calls consensus_disagreements for disputed findings
Note: Consensus tools aggregate external results. Run agents separately.
Compliance Report (v2.0.0)
You: "Generate SOC 2 compliance report from certification"
→ Claude calls compliance_report with framework: "SOC2"
→ Returns control-by-control status with findings mapped
→ Identifies at-risk controls and gaps
Generate SBOM (v2.0.0)
You: "Generate an SBOM for this project"
→ Claude calls sbom_generate
→ Returns CycloneDX SBOM with all dependencies
→ Claude calls sbom_provenance for build attestation
Install Missing Scanners (v2.0.1)
You: "What scanners are missing and how do I install them?"
→ Claude calls certification_install_scanners
→ Returns platform-specific install commands for each scanner
→ Claude calls with run_install: true to execute installation
Batch Auto-Fix (v2.0.1)
You: "Apply all safe fixes to the certification findings"
→ Claude calls autofix_batch with dry_run: true (preview)
→ Shows what would be changed
→ Claude calls autofix_batch with dry_run: false (apply)
→ Reports fixes applied by pattern and file
Auto-Detect and Scan (v2.1.0)
You: "Scan this project with auto-detection"
→ Claude calls certification_scan with auto_detect: true
→ Detects Python, JavaScript, Go files
→ Automatically enables Bandit, npm-audit, Gosec
→ Returns unified findings from all relevant scanners
GDPR Compliance Report (v2.1.0)
You: "Generate GDPR compliance report"
→ Claude calls compliance_report with framework: "GDPR"
→ Maps findings to GDPR articles (Art. 5, 25, 32, etc.)
→ Returns control status with gap analysis
Sigstore Signing (v2.1.1)
You: "Sign the SBOM with Sigstore"
→ Claude calls sbom_sign with the SBOM content
→ Gets OIDC token from GitHub Actions / GitLab CI
→ Obtains certificate from Fulcio
→ Records signature in Rekor transparency log
→ Returns signed bundle with log index
Requires CI environment with OIDC (GitHub Actions: permissions: id-token: write)
NIST 800-53 Compliance (v2.2.0)
You: "Generate NIST 800-53 compliance report"
→ Claude calls compliance_report with framework: "NIST-800-53"
→ Maps findings to NIST control families (AC, AU, SC, etc.)
→ Returns control-by-control status with gap analysis
→ Cross-references to SOC 2, ISO 27001 mappings
View Certification History (v2.2.0)
You: "Show me certification trends for this project"
→ Claude calls history_trends with period: "month"
→ Returns trend data: scores, finding counts, fixes over time
→ Visualizes security posture improvement
Estimate Certification Cost (v2.2.0)
You: "How much will a full certification cost?"
→ Claude calls cost_forecast with file count and agents
→ Returns estimated token usage and cost
→ Factors in historical data from past runs
Export to SonarQube (v2.2.0)
You: "Export findings to SonarQube format"
→ Claude calls export_findings with format: "sonarqube"
→ Returns Generic Issue Import JSON
→ Ready for SonarQube CI/CD integration
Architecture
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│                                 Pre-Pass Scanner Layer                                  │
├─────────┬─────────┬─────────┬─────────┬─────────┬─────────┬─────────┬─────────┬─────────┤
│ Semgrep │npm audit│gitleaks │   tsc   │ ESLint  │ Bandit  │  Gosec  │Brakeman │  Trivy  │
│ (OWASP) │ (CVEs)  │(secrets)│ (types) │ (lint)  │(Python) │  (Go)   │ (Ruby)  │  (IaC)  │
└────┬────┴────┬────┴────┬────┴────┬────┴────┬────┴────┬────┴────┬────┴────┬────┴────┬────┘
     │         │         │         │         │         │         │         │         │
     └─────────┴─────────┴─────────┴─────────┼─────────┴─────────┴─────────┴─────────┘
                                             │
                                  ┌──────────▼──────────┐
                                  │  Language Detector  │ ◄── auto_detect: true
                                  │   (JS/Py/Go/Ruby)   │
                                  └──────────┬──────────┘
                                             │
                                  ┌──────────▼──────────┐
                                  │ Scanner Aggregator  │
                                  │  (confidence: 100)  │
                                  └──────────┬──────────┘
                                             │
                         ┌───────────────────┴───────────────────┐
                         ▼                                       ▼
                ┌─────────────────┐                     ┌─────────────────┐
                │  Finding Store  │◄────────────────────│   LLM Agents    │
                │    (unified)    │                     │ (triage/enrich) │
                └─────────────────┘                     └─────────────────┘
Evidence Validation
Non-deterministic findings are validated to prevent hallucinations:
- Requires evidence (code snippet) for all LLM findings
- Validates evidence matches actual file content
- Deterministic scanner findings (confidence: 100) bypass validation
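One way to implement the evidence check described above, as an added example rather than the project's own code. The finding fields (source, confidence, file, line, evidence), the reason strings and the readFile callback are assumptions; the sample project is constructed and held in memory.

```javascript
// Added example: evidence check for LLM-reported findings.
// The finding fields and the reason strings are assumed, not the project's.
const normalize = (s) => s.replace(/\s+/g, ' ').trim(); // ignore re-indentation

function validateFinding(finding, readFile, windowLines = 3) {
  // Deterministic scanner findings (confidence: 100) bypass validation.
  if (finding.source === 'scanner' && finding.confidence === 100) {
    return { accepted: true, reason: 'deterministic' };
  }
  const evidence = normalize(finding.evidence || '');
  if (!evidence) return { accepted: false, reason: 'missing-evidence' };
  const content = readFile(finding.file);
  if (content == null) return { accepted: false, reason: 'file-not-found' };

  const lines = content.split('\n');
  // Compare against the lines around the reported location first, so a
  // snippet that only exists elsewhere in the file is flagged as misplaced.
  const from = Math.max(0, finding.line - 1 - windowLines);
  const to = Math.min(lines.length, finding.line + windowLines);
  if (normalize(lines.slice(from, to).join('\n')).includes(evidence)) {
    return { accepted: true, reason: 'evidence-matched' };
  }
  if (normalize(content).includes(evidence)) {
    return { accepted: false, reason: 'evidence-at-wrong-line' };
  }
  return { accepted: false, reason: 'evidence-not-in-file' };
}

// Constructed sample project held in memory (no disk access needed).
const sampleFiles = new Map([
  ['src/db.js', [
    "const db = require('./pool');",
    'function findUser(name) {',
    '  return db.query("SELECT * FROM users WHERE name = \'" + name + "\'");',
    '}',
  ].join('\n')],
]);
const readSample = (p) => (sampleFiles.has(p) ? sampleFiles.get(p) : null);

// Constructed findings: one scanner result and four LLM results.
const sampleFindings = [
  { source: 'scanner', confidence: 100, file: 'src/db.js', line: 3 },
  { source: 'llm', confidence: 80, file: 'src/db.js', line: 3,
    evidence: 'return db.query("SELECT * FROM users WHERE name = \'" + name + "\'");' },
  { source: 'llm', confidence: 75, file: 'src/db.js', line: 2,
    evidence: 'db.query(`DELETE FROM users WHERE id = ${id}`)' },
  { source: 'llm', confidence: 70, file: 'src/auth.js', line: 10, evidence: 'eval(input)' },
  { source: 'llm', confidence: 90, file: 'src/db.js', line: 1 },
];

function validateSample() {
  return sampleFindings.map((f) => validateFinding(f, readSample).reason);
}
console.log(validateSample());
```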
Evaluation Metrics
Target metrics for scanner accuracy:
| Metric | Target | Description |
|--------|--------|-------------|
| Precision | >90% | Low false positives |
| Recall | >85% | Catches real issues |
| Stability | >95% | Consistent across runs |
| Agreement | >85% | Cross-agent confirmation |
GitHub Action
- uses: RCOLKITT/vaspera-hardening-action@v1
  with:
    mode: 'diff'          # scan | certify | diff
    fail-on: 'critical'   # critical | high | medium | none
    upload-sarif: true
    comment-on-pr: true
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}  # Optional for LLM features
Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| VASPERA_PROJECTS_DIR | ~/Documents/GitHub | Base directory to scan |
| ANTHROPIC_API_KEY | - | API key for LLM features (optional) |
License
MIT
