framework-mcp 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/ci.yml +61 -0
- package/LICENSE +26 -0
- package/README.md +298 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +693 -0
- package/dist/index.js.map +1 -0
- package/docs/installation.md +71 -0
- package/examples/example-usage.md +42 -0
- package/examples/vendors.csv +5 -0
- package/examples/vendors.json +17 -0
- package/package.json +45 -0
- package/src/index.ts +841 -0
- package/tsconfig.json +23 -0
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
name: CI
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
branches: [ main, develop ]
|
|
6
|
+
pull_request:
|
|
7
|
+
branches: [ main ]
|
|
8
|
+
|
|
9
|
+
jobs:
|
|
10
|
+
test:
|
|
11
|
+
runs-on: ubuntu-latest
|
|
12
|
+
|
|
13
|
+
strategy:
|
|
14
|
+
matrix:
|
|
15
|
+
node-version: [18.x, 20.x]
|
|
16
|
+
|
|
17
|
+
steps:
|
|
18
|
+
- uses: actions/checkout@v4
|
|
19
|
+
|
|
20
|
+
- name: Use Node.js ${{ matrix.node-version }}
|
|
21
|
+
uses: actions/setup-node@v4
|
|
22
|
+
with:
|
|
23
|
+
node-version: ${{ matrix.node-version }}
|
|
24
|
+
cache: 'npm'
|
|
25
|
+
|
|
26
|
+
- name: Install dependencies
|
|
27
|
+
run: npm ci
|
|
28
|
+
|
|
29
|
+
- name: Run linter
|
|
30
|
+
run: npm run lint --if-present
|
|
31
|
+
|
|
32
|
+
- name: Build
|
|
33
|
+
run: npm run build
|
|
34
|
+
|
|
35
|
+
- name: Run tests
|
|
36
|
+
run: npm test --if-present
|
|
37
|
+
|
|
38
|
+
publish:
|
|
39
|
+
needs: test
|
|
40
|
+
runs-on: ubuntu-latest
|
|
41
|
+
if: github.ref == 'refs/heads/main'
|
|
42
|
+
|
|
43
|
+
steps:
|
|
44
|
+
- uses: actions/checkout@v4
|
|
45
|
+
|
|
46
|
+
- name: Use Node.js
|
|
47
|
+
uses: actions/setup-node@v4
|
|
48
|
+
with:
|
|
49
|
+
node-version: '20.x'
|
|
50
|
+
registry-url: 'https://registry.npmjs.org'
|
|
51
|
+
|
|
52
|
+
- name: Install dependencies
|
|
53
|
+
run: npm ci
|
|
54
|
+
|
|
55
|
+
- name: Build
|
|
56
|
+
run: npm run build
|
|
57
|
+
|
|
58
|
+
- name: Publish to npm
|
|
59
|
+
run: npm publish --if-present
|
|
60
|
+
env:
|
|
61
|
+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
package/LICENSE
ADDED
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
Creative Commons Attribution 4.0 International License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2025 Cyber RISE, Inc
|
|
4
|
+
|
|
5
|
+
This work is licensed under the Creative Commons Attribution 4.0 International License.
|
|
6
|
+
|
|
7
|
+
You are free to:
|
|
8
|
+
|
|
9
|
+
Share — copy and redistribute the material in any medium or format
|
|
10
|
+
Adapt — remix, transform, and build upon the material for any purpose, even commercially.
|
|
11
|
+
|
|
12
|
+
The licensor cannot revoke these freedoms as long as you follow the license terms.
|
|
13
|
+
|
|
14
|
+
Under the following terms:
|
|
15
|
+
|
|
16
|
+
Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
|
|
17
|
+
|
|
18
|
+
No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
|
|
19
|
+
|
|
20
|
+
Notices:
|
|
21
|
+
|
|
22
|
+
You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.
|
|
23
|
+
|
|
24
|
+
No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.
|
|
25
|
+
|
|
26
|
+
Full license text: https://creativecommons.org/licenses/by/4.0/legalcode
|
package/README.md
ADDED
|
@@ -0,0 +1,298 @@
|
|
|
1
|
+
# Vendor Framework Analyzer MCP Server
|
|
2
|
+
|
|
3
|
+
[](https://badge.fury.io/js/framework-mcp)
|
|
4
|
+
[](https://creativecommons.org/licenses/by/4.0/)
|
|
5
|
+
[](https://github.com/therealcybermattlee/FrameworkMCP)
|
|
6
|
+
[](https://cyberrise.org)
|
|
7
|
+
|
|
8
|
+
A Model Context Protocol (MCP) server that analyzes vendor responses against the **CIS Controls Framework** using a 4-attribute methodology. This tool helps security professionals evaluate vendor capabilities against specific CIS Control safeguards with detailed sub-taxonomical analysis.
|
|
9
|
+
|
|
10
|
+
## 🎯 Purpose
|
|
11
|
+
|
|
12
|
+
This MCP server enables security teams to:
|
|
13
|
+
- **Analyze vendor responses** against specific CIS Control safeguards (1.1, 5.1, 6.3, etc.)
|
|
14
|
+
- **Validate coverage claims** (FULL/PARTIAL) with evidence-based assessment
|
|
15
|
+
- **Categorize vendor capabilities** across 4 key attributes: Governance, Facilitates, Coverage, and Validates
|
|
16
|
+
- **Generate detailed reports** showing sub-element coverage and compliance gaps
|
|
17
|
+
|
|
18
|
+
## 🔧 The 4 Analysis Attributes
|
|
19
|
+
|
|
20
|
+
| Attribute | Description | Example |
|
|
21
|
+
|-----------|-------------|---------|
|
|
22
|
+
| **Governance** | GRC platform capabilities for policy/process management | Policy management, documented processes, compliance workflows |
|
|
23
|
+
| **Facilitates** | Enhancement capabilities that enable others to implement safeguards better/faster/stronger (does not perform safeguard directly) | Automation tools, optimization platforms, streamlined workflows |
|
|
24
|
+
| **Coverage** | Scope of safeguard elements directly addressed by tools that perform the safeguard (Full/Partial) | Percentage of sub-taxonomical elements actually implemented |
|
|
25
|
+
| **Validates** | Verification capabilities providing evidence and reporting | Audit logs, compliance reports, evidence collection |
|
|
26
|
+
|
|
27
|
+
## 🎨 CIS Controls Framework Integration
|
|
28
|
+
|
|
29
|
+
The server uses the CIS Controls visual framework with color-coded categorization:
|
|
30
|
+
|
|
31
|
+
- **🟠 Orange Elements**: Governance requirements that MUST be met
|
|
32
|
+
- **🟢 Green Elements**: Core "what" of the safeguard
|
|
33
|
+
- **🟡 Yellow Elements**: Sub-taxonomical components
|
|
34
|
+
- **⚫ Gray Elements**: Implementation suggestions and methods
|
|
35
|
+
|
|
36
|
+
## 🚀 Installation
|
|
37
|
+
|
|
38
|
+
### Prerequisites
|
|
39
|
+
- Node.js 18+
|
|
40
|
+
- Claude Code CLI tool
|
|
41
|
+
|
|
42
|
+
### Install from npm
|
|
43
|
+
```bash
|
|
44
|
+
npm install -g framework-mcp
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
### Install from source
|
|
48
|
+
```bash
|
|
49
|
+
git clone https://github.com/therealcybermattlee/FrameworkMCP.git
|
|
50
|
+
cd FrameworkMCP
|
|
51
|
+
npm install
|
|
52
|
+
npm run build
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
## ⚙️ Configuration
|
|
56
|
+
|
|
57
|
+
### Claude Code Integration
|
|
58
|
+
|
|
59
|
+
Add to your MCP configuration file (`~/.config/claude-code/mcp.json`):
|
|
60
|
+
|
|
61
|
+
```json
|
|
62
|
+
{
|
|
63
|
+
"mcpServers": {
|
|
64
|
+
"framework-analyzer": {
|
|
65
|
+
"command": "node",
|
|
66
|
+
"args": ["/path/to/FrameworkMCP/dist/index.js"],
|
|
67
|
+
"env": {}
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
### Verify Installation
|
|
74
|
+
```bash
|
|
75
|
+
claude-code "List available CIS Control safeguards"
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
## 📋 Usage Examples
|
|
79
|
+
|
|
80
|
+
### Analyze Single Vendor Response
|
|
81
|
+
|
|
82
|
+
```bash
|
|
83
|
+
claude-code "Analyze this vendor response for safeguard 5.1:
|
|
84
|
+
Vendor: SecureIAM Corp
|
|
85
|
+
Response: 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.'"
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
### Validate Coverage Claims
|
|
89
|
+
|
|
90
|
+
```bash
|
|
91
|
+
claude-code "Validate this coverage claim:
|
|
92
|
+
Vendor: ComplianceBot
|
|
93
|
+
Safeguard: 5.1
|
|
94
|
+
Claim: FULL coverage with Governance and Validates capabilities
|
|
95
|
+
Response: 'We provide automated account lifecycle management with real-time inventory tracking and compliance reporting.'"
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
### Analyze Multiple Vendors from File
|
|
99
|
+
|
|
100
|
+
Create `vendors.csv`:
|
|
101
|
+
```csv
|
|
102
|
+
vendor,safeguard,response
|
|
103
|
+
VendorA,5.1,"Complete IAM solution with policy management and quarterly reviews"
|
|
104
|
+
VendorB,5.1,"Basic user directory with manual account tracking"
|
|
105
|
+
VendorC,6.3,"MFA enforcement for all external applications with SSO integration"
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
```bash
|
|
109
|
+
claude-code "Analyze the vendor responses in vendors.csv and provide recommendations"
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
### Get Safeguard Details
|
|
113
|
+
|
|
114
|
+
```bash
|
|
115
|
+
claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
## 📊 Sample Output
|
|
119
|
+
|
|
120
|
+
```json
|
|
121
|
+
{
|
|
122
|
+
"vendor": "SecureIAM Corp",
|
|
123
|
+
"safeguardId": "5.1",
|
|
124
|
+
"safeguardTitle": "Establish and Maintain an Inventory of Accounts",
|
|
125
|
+
"governance": true,
|
|
126
|
+
"facilitates": true,
|
|
127
|
+
"coverage": "full",
|
|
128
|
+
"validates": true,
|
|
129
|
+
"confidence": 87,
|
|
130
|
+
"coverageBreakdown": {
|
|
131
|
+
"governance": 90,
|
|
132
|
+
"core": 85,
|
|
133
|
+
"subElements": 75,
|
|
134
|
+
"overall": 83
|
|
135
|
+
},
|
|
136
|
+
"governanceElementsCovered": [
|
|
137
|
+
"establish inventory process",
|
|
138
|
+
"maintain inventory process",
|
|
139
|
+
"validate all active accounts are authorized"
|
|
140
|
+
],
|
|
141
|
+
"evidence": [
|
|
142
|
+
"comprehensive account management",
|
|
143
|
+
"detailed user inventories",
|
|
144
|
+
"automated quarterly reviews"
|
|
145
|
+
]
|
|
146
|
+
}
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
## 🔧 Available Tools
|
|
150
|
+
|
|
151
|
+
| Tool | Description |
|
|
152
|
+
|------|-------------|
|
|
153
|
+
| `analyze_vendor_response` | Analyze vendor response for specific safeguard |
|
|
154
|
+
| `validate_coverage_claim` | Validate FULL/PARTIAL coverage claims |
|
|
155
|
+
| `get_safeguard_details` | Get detailed safeguard breakdown |
|
|
156
|
+
| `list_available_safeguards` | List all available CIS safeguards |
|
|
157
|
+
| `generate_coverage_report` | Generate detailed coverage analysis |
|
|
158
|
+
| `export_analysis` | Export results to JSON/CSV/Markdown |
|
|
159
|
+
|
|
160
|
+
## 📁 File Formats Supported
|
|
161
|
+
|
|
162
|
+
### JSON Format
|
|
163
|
+
```json
|
|
164
|
+
[
|
|
165
|
+
{
|
|
166
|
+
"name": "VendorName",
|
|
167
|
+
"safeguard_id": "5.1",
|
|
168
|
+
"response": "Vendor response text..."
|
|
169
|
+
}
|
|
170
|
+
]
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
### CSV Format
|
|
174
|
+
```csv
|
|
175
|
+
vendor,safeguard,response
|
|
176
|
+
VendorName,5.1,"Response text..."
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
### Text Format
|
|
180
|
+
```
|
|
181
|
+
Vendor: VendorName - Safeguard: 5.1
|
|
182
|
+
Response text here...
|
|
183
|
+
|
|
184
|
+
Vendor: AnotherVendor - Safeguard: 6.3
|
|
185
|
+
Another response...
|
|
186
|
+
```
|
|
187
|
+
|
|
188
|
+
## 🎯 CIS Controls Coverage
|
|
189
|
+
|
|
190
|
+
Currently supports key safeguards including:
|
|
191
|
+
- **1.1** - Enterprise Asset Inventory
|
|
192
|
+
- **1.2** - Address Unauthorized Assets
|
|
193
|
+
- **5.1** - Inventory of Accounts
|
|
194
|
+
- **6.3** - MFA for Externally-Exposed Applications
|
|
195
|
+
- **7.1** - Vulnerability Management Process
|
|
196
|
+
|
|
197
|
+
*Additional safeguards can be easily added to the framework.*
|
|
198
|
+
|
|
199
|
+
## 🛠️ Development
|
|
200
|
+
|
|
201
|
+
### Build from Source
|
|
202
|
+
```bash
|
|
203
|
+
git clone https://github.com/therealcybermattlee/FrameworkMCP.git
|
|
204
|
+
cd FrameworkMCP
|
|
205
|
+
npm install
|
|
206
|
+
npm run build
|
|
207
|
+
```
|
|
208
|
+
|
|
209
|
+
### Add New Safeguards
|
|
210
|
+
Edit `src/index.ts` and add to the `CIS_SAFEGUARDS` object:
|
|
211
|
+
|
|
212
|
+
```typescript
|
|
213
|
+
"X.Y": {
|
|
214
|
+
id: "X.Y",
|
|
215
|
+
title: "Safeguard Title",
|
|
216
|
+
description: "Description...",
|
|
217
|
+
implementationGroup: "IG1",
|
|
218
|
+
governanceElements: [...], // Orange - MUST be met
|
|
219
|
+
coreRequirements: [...], // Green - The "what"
|
|
220
|
+
subTaxonomicalElements: [...], // Yellow - Sub-elements
|
|
221
|
+
implementationSuggestions: [...], // Gray - Suggestions
|
|
222
|
+
// ...
|
|
223
|
+
}
|
|
224
|
+
```
|
|
225
|
+
|
|
226
|
+
### Testing
|
|
227
|
+
```bash
|
|
228
|
+
npm test
|
|
229
|
+
```
|
|
230
|
+
|
|
231
|
+
## 🤝 Contributing
|
|
232
|
+
|
|
233
|
+
1. Fork the repository
|
|
234
|
+
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
|
|
235
|
+
3. Commit your changes (`git commit -m 'Add amazing feature'`)
|
|
236
|
+
4. Push to the branch (`git push origin feature/amazing-feature`)
|
|
237
|
+
5. Open a Pull Request
|
|
238
|
+
|
|
239
|
+
### Guidelines
|
|
240
|
+
- Follow the existing code style
|
|
241
|
+
- Add tests for new features
|
|
242
|
+
- Update documentation
|
|
243
|
+
- Ensure all tests pass
|
|
244
|
+
|
|
245
|
+
## 📖 Documentation
|
|
246
|
+
|
|
247
|
+
- [Installation Guide](docs/installation.md)
|
|
248
|
+
- [API Reference](docs/api-reference.md)
|
|
249
|
+
- [CIS Safeguards Reference](docs/safeguards-reference.md)
|
|
250
|
+
- [Example Usage](examples/example-usage.md)
|
|
251
|
+
|
|
252
|
+
## 🐛 Troubleshooting
|
|
253
|
+
|
|
254
|
+
### Common Issues
|
|
255
|
+
|
|
256
|
+
**Permission denied:**
|
|
257
|
+
```bash
|
|
258
|
+
chmod +x dist/index.js
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
**Module not found:**
|
|
262
|
+
```bash
|
|
263
|
+
npm install
|
|
264
|
+
npm run build
|
|
265
|
+
```
|
|
266
|
+
|
|
267
|
+
**MCP server not connecting:**
|
|
268
|
+
- Check Claude Code MCP configuration
|
|
269
|
+
- Verify file paths are absolute
|
|
270
|
+
- Ensure Node.js version compatibility
|
|
271
|
+
|
|
272
|
+
## 📄 License
|
|
273
|
+
|
|
274
|
+
This project is licensed under the Creative Commons Attribution 4.0 International License by Cyber RISE, Inc - see the [LICENSE](LICENSE) file for details.
|
|
275
|
+
|
|
276
|
+
You are free to:
|
|
277
|
+
- **Share** — copy and redistribute the material in any medium or format
|
|
278
|
+
- **Adapt** — remix, transform, and build upon the material for any purpose, even commercially
|
|
279
|
+
|
|
280
|
+
Under the following terms:
|
|
281
|
+
- **Attribution** — You must give appropriate credit to Cyber RISE, Inc, provide a link to the license, and indicate if changes were made
|
|
282
|
+
|
|
283
|
+
## 🙏 Acknowledgments
|
|
284
|
+
|
|
285
|
+
- **Center for Internet Security (CIS)** for the CIS Controls Framework
|
|
286
|
+
- **Pax8** and community contributors for the CIS Controls visualizations
|
|
287
|
+
- **Anthropic** for the Model Context Protocol and Claude Code
|
|
288
|
+
|
|
289
|
+
## 📞 Support
|
|
290
|
+
|
|
291
|
+
- 📧 **Issues**: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
|
|
292
|
+
- 📖 **Documentation**: [Project Wiki](https://github.com/therealcybermattlee/FrameworkMCP/wiki)
|
|
293
|
+
- 💬 **Discussions**: [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
|
|
294
|
+
- 🐦 **Updates**: Follow [@cybermattlee](https://twitter.com/cybermattlee) for project updates
|
|
295
|
+
|
|
296
|
+
---
|
|
297
|
+
|
|
298
|
+
**Built with ❤️ for the cybersecurity community by [Matt Lee](https://github.com/therealcybermattlee)**
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}
|