This Model Context Protocol server provides read-only access to Secureframe's compliance automation platform for AI assistants like Claude and Cursor. Query security controls, monitor compliance tests, and access audit data across SOC 2, ISO 27001, CMMC, FedRAMP, and other frameworks.
- Python 3.7 or higher
- Secureframe API credentials (Get them here)
- Claude Desktop, Cursor IDE, or any MCP-compatible tool
# Clone and setup
git clone https://github.com/secureframe/secureframe-mcp-server.git
cd secureframe-mcp-server
# Create virtual environment (recommended)
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt
# Configure credentials
cp env.example .env
# Edit .env with your API credentialsAdd to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"secureframe": {
"command": "python",
"args": ["/absolute/path/to/secureframe-mcp-server/main.py"],
"env": {
"SECUREFRAME_API_KEY": "your_api_key",
"SECUREFRAME_API_SECRET": "your_api_secret",
"SECUREFRAME_API_URL": "https://api.secureframe.com"
}
}
}
}Configure in Cursor's MCP settings:
{
"mcpServers": {
"Secureframe": {
"command": "python",
"args": ["/absolute/path/to/secureframe-mcp-server/main.py"],
"env": {
"SECUREFRAME_API_KEY": "your_api_key",
"SECUREFRAME_API_SECRET": "your_api_secret",
"SECUREFRAME_API_URL": "https://api.secureframe.com"
}
}
}
}| Variable | Description | Required |
|---|---|---|
SECUREFRAME_API_KEY |
Your Secureframe API key | β |
SECUREFRAME_API_SECRET |
Your Secureframe API secret | β |
SECUREFRAME_API_URL |
API endpoint (defaults to US region) | β |
Regional Endpoints:
- πΊπΈ US:
https://api.secureframe.com(default) - π¬π§ UK:
https://api-uk.secureframe.com
| Tool | Purpose |
|---|---|
| list_controls | List security controls across frameworks with filtering |
| list_tests | List compliance tests with pass/fail status |
| list_users | List personnel and their compliance status |
| list_devices | List managed devices and security compliance |
| list_user_accounts | List user accounts from integrations |
| list_tprm_vendors | List third-party risk management vendors |
| list_vendors | List vendors (legacy API) |
| list_frameworks | List available compliance frameworks |
| list_repositories | List code repositories and audit scope |
| list_integration_connections | List integration status and connections |
| list_repository_framework_scopes | List framework scopes for specific repositories |
# Find controls that need attention for SOC 2
list_controls(
search_query="health_status:unhealthy AND frameworks:soc2_alpha",
per_page=50
)# Get top 5 failing tests
list_tests(
search_query="health_status:fail",
per_page=5
)# Find high-risk vendors
list_tprm_vendors(
search_query="risk_level:High",
per_page=20
)# Find inactive contractors
list_users(
search_query="employee_type:contractor AND active:false",
per_page=100
)The server supports powerful Lucene query syntax for filtering:
Find critical failing tests:
health_status:fail AND frameworks:soc2_alpha
Locate inactive users:
active:false AND employee_type:contractor
Search high-risk vendors:
risk_level:High AND archived:false
Controls & Tests
health_status- For controls: healthy, unhealthy, draft. For tests: pass, fail, disabledenabled- true/falsetest_type- integration, upload
Personnel
active- true/falseemail- User email addressemployee_type- employee, contractor, non_employee, auditor, externalin_audit_scope- true/false
Vendors (TPRM)
risk_level- Low, Medium, Highstatus- draft, completedarchived- true/false
Repositories
private- true/falsein_audit_scope- true/false
npx @modelcontextprotocol/inspector python main.py- Log into Secureframe
- Navigate to Profile Picture β Company Settings β API Keys
- Click Create API Key
- Save your credentials securely (secret shown only once)
This project is licensed under the MIT License. See LICENSE for details.