# Fianu Compliance Intelligence MCP Server
AI-powered compliance intelligence for your software supply chain. This Model Context Protocol (MCP) server enables AI assistants like Claude Desktop to query Fianu's compliance data in natural language.
## Features

### MCP Tools
| Tool | Description | Example Question |
|---|---|---|
| `get_asset_compliance_status` | Get compliance status for a specific asset with all passing/failing controls | "What is the compliance status of my-repo?" |
| `list_controls` | List all compliance controls with filtering by severity or framework | "What controls do we have?" |
| `get_compliance_summary` | Executive-level organization-wide compliance overview with risk categorization | "How healthy is my compliance posture right now?" |
| `get_attestation_details` | Get attestation details; supports org-wide (control only) or asset-specific queries | "Show me pass/fail status for cycode.secret.detection across all repos" |
| `get_deployment_attestations` | Show all attestations from a specific deployment record | "Show me attestations from the last deployment of my-app" |
| `get_pipeline_vulnerabilities` | Get security vulnerabilities from pipeline scans (SAST, SCA, secrets, container) | "What vulnerabilities were found in my-repo?" |
| `get_evidence_chain` | Trace evidence lineage from origin through occurrences to attestations | "Show me the evidence chain for the secret detection failure in my-repo" |
| `get_policy_violations` | Get failing controls as "policy violations" across the org or for a specific asset | "What are all the policy violations?" or "Which assets are failing secret detection?" |
| `get_compliance_trends` | Analyze compliance trends over time using smart sampling | "How has compliance changed over the last 30 days?" or "Is my compliance improving?" |
| `get_deployment_blockers` | Find what's blocking an application from deploying to a specific gate/environment | "What's blocking DBX from deploying to production?" or "Can my-app deploy to staging?" |
| `get_policy_exceptions` | List and analyze policy exceptions (waivers/exemptions from controls) | "What policy exceptions are active?" or "Which controls have exceptions?" |
| `resolve_external_artifact` | Resolve an artifact URI from Artifactory/container registries to the Fianu dashboard | "Take me to Fianu for sha256:abc123..." or "Find Fianu dashboard for this container image" |
| `analyze_control_failure` | Analyze the OPA Rego policy for a control to understand what it checks and why it fails | "Why is cycode.secret.detection failing?" or "Show me the OPA Rego for dependabot.alerts" |
| `list_releases` | List upcoming (pending) or past (released) releases for an application | "What are the upcoming releases for DBX?" or "Show me the last 5 releases for Digital Banking Experience" |
## Security
- OAuth 2.0 authentication via Auth0
- Tenant isolation - Users can only access their own organization's data
- Audit logging - All API calls and tool invocations logged to Cloudflare Analytics Engine
- JWT validation - Cryptographically verifies all tokens
## Technology Stack
- Cloudflare Workers - Serverless runtime
- Durable Objects - Stateful MCP sessions
- KV Namespace - Response caching
- Analytics Engine - Audit trail and monitoring
- TypeScript - Type-safe development
## Prerequisites

- Node.js 18+ and npm
- Cloudflare account (Account ID: 6841d88809021dab1138d0451d92f94e)
- Auth0 credentials (Client ID and Secret from the fianu.io application)
- Access to the Fianu Dev environment
## Setup

### 1. Clone and Install

```bash
cd /Users/petezimmerman/Documents/dev/mcp-compliance-intelligence
npm install
```
### 2. Configure Cloudflare
The wrangler.toml file is already configured with:
- Account ID
- Worker name
- Durable Object bindings
- KV namespace binding (needs creation)
- Analytics Engine binding
### 3. Create KV Namespace

```bash
npx wrangler kv:namespace create CACHE_KV
```

Copy the namespace ID from the command output and update wrangler.toml:

```toml
[[kv_namespaces]]
binding = "CACHE_KV"
id = "" # paste the namespace ID printed by the command above
```
### 4. Set Secrets

Set the Auth0 credentials (get these from the fianu.io Auth0 application):

```bash
npx wrangler secret put AUTH0_CLIENT_ID
# Paste client ID when prompted
npx wrangler secret put AUTH0_CLIENT_SECRET
# Paste client secret when prompted

# Optional: Set audience if Consulta requires it
npx wrangler secret put AUTH0_AUDIENCE
# Enter: https://fianu.io/api
```
### 5. Configure Auth0 Application

In the Auth0 dashboard for the fianu.io application, add these callback URLs:

- https://noah-684.workers.dev/mcp-compliance-intelligence/callback
- https://noah-684.workers.dev/mcp-compliance-intelligence/token
- http://localhost:8788/callback (for local testing)
- http://localhost:8788/token (for local testing)
## Environment Variables

| Variable | Required | Description |
|---|---|---|
| `AUTH0_CLIENT_ID` | yes | Client ID from the fianu.io Auth0 application |
| `AUTH0_CLIENT_SECRET` | yes | Client secret from the fianu.io Auth0 application |
| `AUTH0_AUDIENCE` | no | API audience for Auth0 token validation |

## Configuration

```json
{
  "mcpServers": {
    "fianu": {
      "command": "npx",
      "args": ["-y", "@fianulabs/mcp"]
    }
  }
}
```