mcpengine/servers/compliance-grc/README.md

🛡️ Compliance GRC MCP Server — 2026 Complete Version

💡 What This Unlocks

This MCP server gives AI direct access to your entire compliance and GRC infrastructure through Vanta and Drata. Stop clicking through dashboards—just tell the AI what you need to know about your compliance posture.

This server integrates with two leading compliance automation platforms:

• Vanta: Automated compliance for SOC2, HIPAA, GDPR, ISO 27001
• Drata: Continuous compliance monitoring and audit readiness

Perfect for security teams, compliance officers, and organizations managing multiple compliance frameworks.

🎯 Compliance Automation Power Moves

Stop context-switching between Claude and compliance dashboards. The AI can directly monitor and report on your compliance status:

1. Real-time compliance monitoring — "What's our current SOC2 readiness score? Show me any failing controls."
2. Vulnerability management — "List all critical vulnerabilities from the last 7 days across both Vanta and Drata, group by source"
3. Audit preparation — "Generate a summary of all evidence collected this month for HIPAA controls"
4. Risk assessment — "Show me all high-severity open risks and their assigned owners"
5. Vendor risk management — "List all high-risk vendors that haven't been reviewed in 90 days"
6. Personnel compliance — "Which employees haven't completed security training? Cross-reference with both platforms"
7. Multi-framework overview — "Compare our readiness across SOC2, HIPAA, and GDPR frameworks"

🔗 The Real Power: Cross-Platform Intelligence

AI can analyze data from both Vanta and Drata simultaneously:

• Compare control implementations across platforms → Identify gaps → Generate remediation plan
• Aggregate vulnerabilities from both systems → Prioritize by risk → Create action items
• Cross-reference evidence collection → Find redundancies → Optimize compliance workflows
• Monitor compliance trends → Predict audit readiness → Alert on degradation

📦 What's Inside

17 powerful API tools covering both Vanta and Drata compliance platforms:

Vanta Tools (8 tools)

1. list_vanta_controls — List all compliance controls (SOC2, HIPAA, GDPR, ISO 27001)
2. get_vanta_control — Get detailed control information and status
3. list_vanta_tests — List compliance tests and their results
4. list_vanta_vulnerabilities — List security vulnerabilities by severity
5. list_vanta_evidence — List collected compliance evidence
6. list_vanta_users — List users and access levels
7. list_vanta_integrations — List active integrations (AWS, GitHub, etc.)
8. get_vanta_compliance_status — Get overall compliance readiness summary

Drata Tools (9 tools)

1. list_drata_controls — List all compliance controls
2. get_drata_control — Get detailed control information
3. list_drata_personnel — List personnel and their compliance status
4. list_drata_vendors — List third-party vendors and risk levels
5. list_drata_risks — List identified risks by severity
6. list_drata_assets — List IT assets (servers, databases, applications)
7. list_drata_frameworks — List configured compliance frameworks
8. list_drata_evidence — List collected compliance evidence
9. get_drata_compliance_summary — Get overall compliance summary

All with proper error handling, automatic authentication, and TypeScript types.

API Foundations:

• Vanta API (OAuth2 client_credentials)
• Drata API (Bearer token)

🚀 Quick Start

Prerequisites

Vanta Setup:

1. Log into your Vanta dashboard
2. Go to Settings → Integrations → API
3. Create a new OAuth2 application
4. Note your Client ID and Client Secret
5. Grant appropriate permissions (read access to controls, tests, vulnerabilities, evidence)

Drata Setup:

1. Log into your Drata dashboard
2. Go to Settings → API Keys
3. Create a new API key with read permissions
4. Copy the API key (shown only once)

Option 1: Claude Desktop (Local)

1. Clone and build:

   git clone https://github.com/BusyBee3333/mcpengine.git
   cd mcpengine/servers/compliance-grc
   npm install
   npm run build
   

2. Configure Claude Desktop:

   On macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

   On Windows: %APPDATA%\Claude\claude_desktop_config.json

   {
     "mcpServers": {
       "compliance-grc": {
         "command": "node",
         "args": ["/ABSOLUTE/PATH/TO/mcpengine/servers/compliance-grc/dist/index.js"],
         "env": {
           "VANTA_CLIENT_ID": "your_vanta_client_id",
           "VANTA_CLIENT_SECRET": "your_vanta_client_secret",
           "DRATA_API_KEY": "your_drata_api_key"
         }
       }
     }
   }
   

   Note: You can configure just Vanta, just Drata, or both. At least one must be configured.

3. Restart Claude Desktop

Option 2: Docker

docker build -t compliance-grc-mcp .
docker run -p 3000:3000 \
  -e VANTA_CLIENT_ID=your_client_id \
  -e VANTA_CLIENT_SECRET=your_client_secret \
  -e DRATA_API_KEY=your_api_key \
  compliance-grc-mcp

🔐 Authentication

Vanta Authentication

• Method: OAuth2 (client_credentials flow)
• Environment Variables:
  • VANTA_CLIENT_ID — Your OAuth2 client ID
  • VANTA_CLIENT_SECRET — Your OAuth2 client secret
• Token Management: Automatic refresh handled by the MCP server
• Permissions Required: Read access to controls, tests, vulnerabilities, evidence, users, integrations

Drata Authentication

• Method: Bearer token (API key)
• Environment Variable: DRATA_API_KEY
• Format: drata_api_xxx...
• Permissions Required: Read access to controls, personnel, vendors, risks, assets, frameworks, evidence

The MCP server handles all authentication automatically—just set the environment variables.

🎯 Example Prompts for Compliance Teams

Once connected to Claude, use natural language. Here are real compliance workflows:

Compliance Monitoring

• "What's our current SOC2 compliance status in Vanta? Show me any failing controls."
• "List all HIPAA controls in Drata that are unsatisfied, sorted by priority"
• "Compare our compliance readiness across SOC2, HIPAA, and GDPR frameworks"

Vulnerability Management

• "Show me all critical and high-severity vulnerabilities from Vanta in the last 30 days"
• "List open vulnerabilities grouped by source (AWS, GitHub, GCP)"
• "Which vulnerabilities have been open for more than 90 days?"

Audit Preparation

• "Generate a report of all evidence collected this month for SOC2 controls"
• "List all compliance tests that failed in the last quarter"
• "Show me the status of all controls required for our upcoming HIPAA audit"

Risk & Vendor Management

• "List all high-risk vendors that haven't been reviewed in 6 months"
• "Show me all open risks with critical severity and their assigned owners"
• "Which vendors have access to production systems? Cross-check with Drata assets."

Personnel & Access

• "List all new employees added in the last 30 days and their training status"
• "Show me users with admin access in Vanta"
• "Which personnel haven't completed required security training?"

Cross-Platform Analysis

• "Compare control coverage between Vanta and Drata for SOC2"
• "Aggregate all evidence collected across both platforms for ISO 27001"
• "Show me overlapping integrations between Vanta and Drata"

Integration Health

• "List all Vanta integrations and their status—flag any errors"
• "Show me which AWS accounts are being monitored in Vanta"
• "Check if GitHub integration is active and pulling vulnerability data"

🛠️ Development

Prerequisites

• Node.js 18+
• npm or yarn
• Vanta and/or Drata account with API access

Setup

git clone https://github.com/BusyBee3333/mcpengine.git
cd mcpengine/servers/compliance-grc
npm install
cp .env.example .env
# Edit .env with your API credentials
npm run build
npm start

Project Structure

compliance-grc/
├── src/
│   └── index.ts          # Main server with VantaClient and DrataClient
├── dist/                 # Compiled JavaScript
├── package.json
├── tsconfig.json
└── README.md

Environment Variables

Create a .env file or set these in your environment:

# Vanta (OAuth2)
VANTA_CLIENT_ID=your_vanta_client_id
VANTA_CLIENT_SECRET=your_vanta_client_secret

# Drata (API Key)
DRATA_API_KEY=your_drata_api_key

Note: At least one service must be configured (Vanta or Drata or both).

🐛 Troubleshooting

"At least one service must be configured"

• You need to set either Vanta credentials (CLIENT_ID + CLIENT_SECRET) or Drata credentials (API_KEY)
• Check that environment variables are set correctly in claude_desktop_config.json

"Vanta OAuth error: 401"

• Verify your VANTA_CLIENT_ID and VANTA_CLIENT_SECRET are correct
• Check that your OAuth2 app has the required permissions in Vanta dashboard
• Ensure the OAuth2 app is enabled and not expired

"Drata API error: 401"

• Verify your DRATA_API_KEY is correct and starts with drata_api_
• Check that the API key hasn't been revoked or expired
• Ensure the API key has read permissions for all required endpoints

"Tools not appearing in Claude"

• Restart Claude Desktop after updating config
• Check that the path in claude_desktop_config.json is absolute (not relative)
• Verify the build completed: ls dist/index.js
• Check Claude Desktop logs: tail -f ~/Library/Logs/Claude/mcp*.log

"Unknown tool: <tool_name>"

• If you only configured Vanta, Drata tools won't be available (and vice versa)
• The server automatically filters tools based on available credentials
• Configure both services to get all 17 tools

Rate Limits

• Vanta: Standard rate limits apply (typically 100 requests/minute)
• Drata: API rate limits depend on your plan
• The server handles token refresh automatically for Vanta OAuth2

📖 Resources

• Vanta API Documentation — Official Vanta API reference
• Drata API Documentation — Official Drata API reference
• MCP Protocol Spec — How MCP servers work
• Claude Desktop Docs — Installing and configuring Claude
• MCPEngage Platform — Browse 30+ business MCP servers

🔒 Security Best Practices

1. Never commit API keys — Use environment variables or secure vaults
2. Least privilege — Grant only the read permissions needed for compliance monitoring
3. Rotate keys regularly — Follow your organization's key rotation policy
4. Monitor API usage — Check Vanta/Drata dashboards for unusual activity
5. Audit access — Review who has access to compliance data regularly

🤝 Contributing

Contributions are welcome! Please:

1. Fork the repo
2. Create a feature branch (git checkout -b feature/control-remediation)
3. Commit your changes (git commit -m 'Add control remediation tool')
4. Push to the branch (git push origin feature/control-remediation)
5. Open a Pull Request

📄 License

MIT License - see LICENSE for details

🙏 Credits

Built by MCPEngage — AI infrastructure for business software.

Part of the MCPEngine collection covering 30+ business platforms for AI-native compliance, security, and operations.

---

Questions? Open an issue or join our Discord community.