# 🛡️ Compliance GRC MCP Server — 2026 Complete Version
## 💡 What This Unlocks
**This MCP server gives AI direct access to your entire compliance and GRC infrastructure through Vanta and Drata.** Stop clicking through dashboards—just *tell* the AI what you need to know about your compliance posture.
This server integrates with two leading compliance automation platforms:
- **Vanta**: Automated compliance for SOC2, HIPAA, GDPR, ISO 27001
- **Drata**: Continuous compliance monitoring and audit readiness
Perfect for security teams, compliance officers, and organizations managing multiple compliance frameworks.
### 🎯 Compliance Automation Power Moves
Stop context-switching between Claude and compliance dashboards. The AI can directly monitor and report on your compliance status:
1. **Real-time compliance monitoring** — "What's our current SOC2 readiness score? Show me any failing controls."
2. **Vulnerability management** — "List all critical vulnerabilities from the last 7 days across both Vanta and Drata, group by source"
3. **Audit preparation** — "Generate a summary of all evidence collected this month for HIPAA controls"
4. **Risk assessment** — "Show me all high-severity open risks and their assigned owners"
5. **Vendor risk management** — "List all high-risk vendors that haven't been reviewed in 90 days"
6. **Personnel compliance** — "Which employees haven't completed security training? Cross-reference with both platforms"
7. **Multi-framework overview** — "Compare our readiness across SOC2, HIPAA, and GDPR frameworks"
### 🔗 The Real Power: Cross-Platform Intelligence
AI can analyze data from both Vanta and Drata simultaneously:
- Compare control implementations across platforms → Identify gaps → Generate remediation plan
- Aggregate vulnerabilities from both systems → Prioritize by risk → Create action items
- Cross-reference evidence collection → Find redundancies → Optimize compliance workflows
- Monitor compliance trends → Predict audit readiness → Alert on degradation
## 📦 What's Inside
**17 powerful API tools** covering both Vanta and Drata compliance platforms:
### Vanta Tools (8 tools)
1. **list_vanta_controls** — List all compliance controls (SOC2, HIPAA, GDPR, ISO 27001)
2. **get_vanta_control** — Get detailed control information and status
3. **list_vanta_tests** — List compliance tests and their results
4. **list_vanta_vulnerabilities** — List security vulnerabilities by severity
5. **list_vanta_evidence** — List collected compliance evidence
6. **list_vanta_users** — List users and access levels
7. **list_vanta_integrations** — List active integrations (AWS, GitHub, etc.)
8. **get_vanta_compliance_status** — Get overall compliance readiness summary
### Drata Tools (9 tools)
1. **list_drata_controls** — List all compliance controls
2. **get_drata_control** — Get detailed control information
3. **list_drata_personnel** — List personnel and their compliance status
4. **list_drata_vendors** — List third-party vendors and risk levels
5. **list_drata_risks** — List identified risks by severity
6. **list_drata_assets** — List IT assets (servers, databases, applications)
7. **list_drata_frameworks** — List configured compliance frameworks
8. **list_drata_evidence** — List collected compliance evidence
9. **get_drata_compliance_summary** — Get overall compliance summary
All with proper error handling, automatic authentication, and TypeScript types.
**API Foundations:**
- [Vanta API](https://api.vanta.com) (OAuth2 client_credentials)
- [Drata API](https://public-api.drata.com) (Bearer token)
## 🚀 Quick Start
### Prerequisites
**Vanta Setup:**
1. Log into your [Vanta dashboard](https://app.vanta.com)
2. Go to **Settings → Integrations → API**
3. Create a new OAuth2 application
4. Note your **Client ID** and **Client Secret**
5. Grant appropriate permissions (read access to controls, tests, vulnerabilities, evidence)
**Drata Setup:**
1. Log into your [Drata dashboard](https://app.drata.com)
2. Go to **Settings → API Keys**
3. Create a new API key with read permissions
4. Copy the API key (shown only once)
### Option 1: Claude Desktop (Local)
1. **Clone and build:**
```bash
git clone https://github.com/BusyBee3333/mcpengine.git
cd mcpengine/servers/compliance-grc
npm install
npm run build
```
2. **Configure Claude Desktop:**
- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
```json
{
  "mcpServers": {
    "compliance-grc": {
      "command": "node",
      "args": ["/ABSOLUTE/PATH/TO/mcpengine/servers/compliance-grc/dist/index.js"],
      "env": {
        "VANTA_CLIENT_ID": "your_vanta_client_id",
        "VANTA_CLIENT_SECRET": "your_vanta_client_secret",
        "DRATA_API_KEY": "your_drata_api_key"
      }
    }
  }
}
```
**Note:** You can configure just Vanta, just Drata, or both. At least one must be configured.
3. **Restart Claude Desktop**
### Option 2: Docker
```bash
docker build -t compliance-grc-mcp .
docker run -p 3000:3000 \
  -e VANTA_CLIENT_ID=your_client_id \
  -e VANTA_CLIENT_SECRET=your_client_secret \
  -e DRATA_API_KEY=your_api_key \
  compliance-grc-mcp
```
## 🔐 Authentication
### Vanta Authentication
- **Method:** OAuth2 (client_credentials flow)
- **Environment Variables:**
  - `VANTA_CLIENT_ID` — Your OAuth2 client ID
  - `VANTA_CLIENT_SECRET` — Your OAuth2 client secret
- **Token Management:** Automatic refresh handled by the MCP server
- **Permissions Required:** Read access to controls, tests, vulnerabilities, evidence, users, integrations
### Drata Authentication
- **Method:** Bearer token (API key)
- **Environment Variable:** `DRATA_API_KEY`
- **Format:** `drata_api_xxx...`
- **Permissions Required:** Read access to controls, personnel, vendors, risks, assets, frameworks, evidence
The MCP server handles all authentication automatically—just set the environment variables.
## 🎯 Example Prompts for Compliance Teams
Once connected to Claude, use natural language. Here are real compliance workflows:
### Compliance Monitoring
- *"What's our current SOC2 compliance status in Vanta? Show me any failing controls."*
- *"List all HIPAA controls in Drata that are unsatisfied, sorted by priority"*
- *"Compare our compliance readiness across SOC2, HIPAA, and GDPR frameworks"*
### Vulnerability Management
- *"Show me all critical and high-severity vulnerabilities from Vanta in the last 30 days"*
- *"List open vulnerabilities grouped by source (AWS, GitHub, GCP)"*
- *"Which vulnerabilities have been open for more than 90 days?"*
### Audit Preparation
- *"Generate a report of all evidence collected this month for SOC2 controls"*
- *"List all compliance tests that failed in the last quarter"*
- *"Show me the status of all controls required for our upcoming HIPAA audit"*
### Risk & Vendor Management
- *"List all high-risk vendors that haven't been reviewed in 6 months"*
- *"Show me all open risks with critical severity and their assigned owners"*
- *"Which vendors have access to production systems? Cross-check with Drata assets."*
### Personnel & Access
- *"List all new employees added in the last 30 days and their training status"*
- *"Show me users with admin access in Vanta"*
- *"Which personnel haven't completed required security training?"*
### Cross-Platform Analysis
- *"Compare control coverage between Vanta and Drata for SOC2"*
- *"Aggregate all evidence collected across both platforms for ISO 27001"*
- *"Show me overlapping integrations between Vanta and Drata"*
### Integration Health
- *"List all Vanta integrations and their status—flag any errors"*
- *"Show me which AWS accounts are being monitored in Vanta"*
- *"Check if GitHub integration is active and pulling vulnerability data"*
## 🛠️ Development
### Prerequisites
- Node.js 18+
- npm or yarn
- Vanta and/or Drata account with API access
### Setup
```bash
git clone https://github.com/BusyBee3333/mcpengine.git
cd mcpengine/servers/compliance-grc
npm install
cp .env.example .env
# Edit .env with your API credentials
npm run build
npm start
```
### Project Structure
```
compliance-grc/
├── src/
│   └── index.ts      # Main server with VantaClient and DrataClient
├── dist/             # Compiled JavaScript
├── package.json
├── tsconfig.json
└── README.md
```
### Environment Variables
Create a `.env` file or set these in your environment:
```bash
# Vanta (OAuth2)
VANTA_CLIENT_ID=your_vanta_client_id
VANTA_CLIENT_SECRET=your_vanta_client_secret
# Drata (API Key)
DRATA_API_KEY=your_drata_api_key
```
**Note:** At least one service must be configured (Vanta or Drata or both).
## 🐛 Troubleshooting
### "At least one service must be configured"
- Set either the Vanta credentials (`VANTA_CLIENT_ID` + `VANTA_CLIENT_SECRET`) or the Drata credential (`DRATA_API_KEY`), or both
- Check that environment variables are set correctly in `claude_desktop_config.json`
### "Vanta OAuth error: 401"
- Verify your `VANTA_CLIENT_ID` and `VANTA_CLIENT_SECRET` are correct
- Check that your OAuth2 app has the required permissions in Vanta dashboard
- Ensure the OAuth2 app is enabled and not expired
### "Drata API error: 401"
- Verify your `DRATA_API_KEY` is correct and starts with `drata_api_`
- Check that the API key hasn't been revoked or expired
- Ensure the API key has read permissions for all required endpoints
### "Tools not appearing in Claude"
- Restart Claude Desktop after updating config
- Check that the path in `claude_desktop_config.json` is absolute (not relative)
- Verify the build completed: `ls dist/index.js`
- Check Claude Desktop logs: `tail -f ~/Library/Logs/Claude/mcp*.log`
### "Unknown tool: <tool_name>"
- If you only configured Vanta, Drata tools won't be available (and vice versa)
- The server automatically filters tools based on available credentials
- Configure both services to get all 17 tools
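Credential-driven tool filtering as an added example, not the project's own code: it resolves the environment variables named above, fails closed when neither platform is configured, checks the `drata_api_` prefix this README gives for Drata keys, and advertises only the tools whose credentials are present. The tool names are the 17 listed under What's Inside; the environment is passed in as an object (an assumption) so the example runs offline.

```typescript
// Added example (not the project's code): fail-closed credential resolution
// and credential-based tool filtering, matching the README's
// "At least one service must be configured" and "Unknown tool" behaviour.
const ALL_TOOLS = [
  "list_vanta_controls", "get_vanta_control", "list_vanta_tests",
  "list_vanta_vulnerabilities", "list_vanta_evidence", "list_vanta_users",
  "list_vanta_integrations", "get_vanta_compliance_status",
  "list_drata_controls", "get_drata_control", "list_drata_personnel",
  "list_drata_vendors", "list_drata_risks", "list_drata_assets",
  "list_drata_frameworks", "list_drata_evidence", "get_drata_compliance_summary",
];

interface ServiceConfig {
  vanta?: { clientId: string; clientSecret: string };
  drata?: { apiKey: string };
}

// env is passed in (instead of reading process.env) so this runs offline.
function resolveConfig(env: Record<string, string | undefined>): ServiceConfig {
  const cfg: ServiceConfig = {};
  const clientId = env.VANTA_CLIENT_ID?.trim();
  const clientSecret = env.VANTA_CLIENT_SECRET?.trim();
  if (clientId && clientSecret) {
    cfg.vanta = { clientId, clientSecret };
  } else if (clientId || clientSecret) {
    throw new Error("Vanta requires both VANTA_CLIENT_ID and VANTA_CLIENT_SECRET");
  }
  const apiKey = env.DRATA_API_KEY?.trim();
  if (apiKey) {
    // Key format stated in this README; a malformed key is rejected before any API call.
    if (!apiKey.startsWith("drata_api_")) throw new Error("DRATA_API_KEY must start with drata_api_");
    cfg.drata = { apiKey };
  }
  if (!cfg.vanta && !cfg.drata) throw new Error("At least one service must be configured");
  return cfg;
}

// Only tools whose platform has credentials are advertised to the client.
function availableTools(cfg: ServiceConfig, tools: string[] = ALL_TOOLS): string[] {
  return tools.filter(
    (t) => (t.includes("_vanta_") && cfg.vanta !== undefined) ||
           (t.includes("_drata_") && cfg.drata !== undefined),
  );
}

// Dispatcher guard: a call for an unadvertised tool is refused, never routed.
function assertToolAllowed(cfg: ServiceConfig, name: string): void {
  if (!availableTools(cfg).includes(name)) throw new Error(`Unknown tool: ${name}`);
}
```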
### Rate Limits
- **Vanta:** Standard rate limits apply (typically 100 requests/minute)
- **Drata:** API rate limits depend on your plan
- The server handles token refresh automatically for Vanta OAuth2
## 📖 Resources
- **[Vanta API Documentation](https://developer.vanta.com)** — Official Vanta API reference
- **[Drata API Documentation](https://docs.drata.com/api)** — Official Drata API reference
- **[MCP Protocol Spec](https://modelcontextprotocol.io/)** — How MCP servers work
- **[Claude Desktop Docs](https://claude.ai/desktop)** — Installing and configuring Claude
- **[MCPEngage Platform](https://mcpengine.pages.dev)** — Browse 30+ business MCP servers
## 🔒 Security Best Practices
1. **Never commit API keys** — Use environment variables or secure vaults
2. **Least privilege** — Grant only the read permissions needed for compliance monitoring
3. **Rotate keys regularly** — Follow your organization's key rotation policy
4. **Monitor API usage** — Check Vanta/Drata dashboards for unusual activity
5. **Audit access** — Review who has access to compliance data regularly
## 🤝 Contributing
Contributions are welcome! Please:
1. Fork the repo
2. Create a feature branch (`git checkout -b feature/control-remediation`)
3. Commit your changes (`git commit -m 'Add control remediation tool'`)
4. Push to the branch (`git push origin feature/control-remediation`)
5. Open a Pull Request
## 📄 License
MIT License - see [LICENSE](LICENSE) for details
## 🙏 Credits
Built by [MCPEngage](https://mcpengine.pages.dev) — AI infrastructure for business software.
Part of the **MCPEngine** collection covering 30+ business platforms for AI-native compliance, security, and operations.
---
**Questions?** Open an issue or join our [Discord community](https://discord.gg/mcpengage).