← Back to search

io.github.KevinRabun/FedRAMP20xMCP

KevinRabun NOASSERTION 4 stars Scanned 48d ago

An MCP server that provides access to FedRAMP 20x security requirements and controls.

D
58.9 / 100

Versions

1.3.0 latest
May 19, 2026
1.2.0
Feb 5, 2026
1.1.0
Feb 4, 2026
1.0.0
Jan 13, 2026
0.13.0
Dec 18, 2025
+ show 25 more show less
0.12.1
Dec 17, 2025
0.12.0
Dec 17, 2025
0.11.0
Dec 15, 2025
0.10.0
Dec 12, 2025
0.9.0
Dec 10, 2025
0.8.0
Dec 9, 2025
0.7.0
Dec 7, 2025
0.6.0
Dec 4, 2025
0.5.0
Dec 4, 2025
0.4.9
Dec 3, 2025
0.4.8
Dec 3, 2025
0.4.7
Dec 3, 2025
0.4.6
Dec 3, 2025
0.4.5
Dec 3, 2025
0.4.4
Dec 3, 2025
0.4.3
Dec 3, 2025
0.4.2
Dec 3, 2025
0.4.1
Dec 3, 2025
0.4.0
Dec 3, 2025
0.3.3
Dec 2, 2025
0.3.2
Dec 2, 2025
0.3.0
Dec 2, 2025
0.2.1
Dec 2, 2025
0.2.0
Dec 2, 2025
0.1.0
Nov 26, 2025
PermissionsTool SafetyAuthAnnotationsCode QualityStabilitySpecVuln HistoryAuthorTransparencyCommunity

Tools 48

get_frr_evidence_automation
annotations: none low

Get evidence automation recommendations for a specific FRR. Provides detailed guidance on automating evidence collection including: - Azure services needed - Collection methods and queries (KQL, REST API) - Storage requirements - Evidence artifacts to collect Args: frr_id: FRR identifier (e.g., "FRR-VDR-01") Returns: Evidence automation recommendations

frr_id str
get_frr_implementation_status
annotations: none low

Get implementation status summary across all FRR analyzers. Shows statistics by family with implementation rates. Returns: Status summary with family breakdown

search_documentation
annotations: none low

Search FedRAMP official documentation by keywords.

keywords str
get_documentation_file
annotations: none low

Get the full content of a specific FedRAMP documentation file.

file_path str
list_documentation_files
annotations: none low

List all available FedRAMP documentation files.

export_to_excel
annotations: none low

Export FedRAMP 20x data to Excel format.

export_type str output_path str
export_to_csv
annotations: none low

Export FedRAMP 20x data to CSV format.

export_type str output_path str
generate_ksi_specification
annotations: none low

Generate a detailed product specification document for a KSI.

ksi_id str output_path str evidence_collection_strategy str
compare_with_rev4
annotations: none low

Compare FedRAMP 20x requirements to Rev 4/Rev 5 to understand changes.

requirement_area str
get_implementation_examples
annotations: none low

Get practical implementation examples for a requirement.

requirement_id str
check_requirement_dependencies
annotations: none low

Show which requirements are related or dependent on a specific requirement.

requirement_id str
estimate_implementation_effort
annotations: none low

Provide rough effort estimates for implementing a specific requirement.

requirement_id str
get_cloud_native_guidance
annotations: none low

Get cloud-native specific guidance for implementing FedRAMP 20x.

technology str
validate_architecture
annotations: none low

Validate a cloud architecture against FedRAMP 20x requirements.

architecture_description str
get_control
annotations: none low

Get detailed information about a specific FedRAMP 20x requirement.

control_id str
list_family_controls
annotations: none low

List all requirements within a specific document family.

family str
search_requirements
annotations: none low

Search for FedRAMP 20x requirements containing specific keywords.

keywords str
get_definition
annotations: none low

Get the FedRAMP definition for a specific term.

term str
list_definitions
annotations: none low

List all FedRAMP definitions with their terms.

search_definitions
annotations: none low

Search FedRAMP definitions by keywords.

keywords str
get_ksi
annotations: none low

Get detailed information about a specific Key Security Indicator.

ksi_id str
list_ksi
annotations: none low

List all Key Security Indicators with their implementation status. Returns a comprehensive list showing: - Implementation status (Implemented/Not Implemented/Retired) - Code detectability (Code-Detectable vs Process-Based) - Organized by family - Summary statistics

get_ksi_implementation_summary
annotations: none low

Get a summary of KSI implementation status across all families. Returns statistics showing: - Overall implementation coverage - Breakdown by family - Code-detectable vs process-based KSIs - Retired KSIs

get_ksi_evidence_automation
annotations: none low

Get evidence automation recommendations for a specific KSI. Provides detailed guidance on automating evidence collection including: - Azure services needed - Collection methods and schedules - Storage requirements and retention - FRR-ADS API integration - Code examples and infrastructure templates - Implementation effort and prerequisites Args: ksi_id: The KSI identifier (e.g., "KSI-IAM-01", "KSI-CNA-01") Returns: Comprehensive evidence automation recommendations

ksi_id str
get_ksi_evidence_queries
annotations: none low

Get evidence collection queries for a specific KSI. Returns ready-to-use queries for collecting evidence from Azure: - KQL queries for Log Analytics - Azure Resource Graph queries - REST API calls for Microsoft Graph Args: ksi_id: The KSI identifier (e.g., "KSI-IAM-01", "KSI-CNA-01") Returns: Collection queries with descriptions and usage guidance

ksi_id str
get_ksi_evidence_artifacts
annotations: none low

Get list of evidence artifacts to collect for a specific KSI. Returns detailed information about what artifacts to collect: - Artifact names and types (logs, configs, reports) - Collection methods and frequency - File formats and retention requirements Args: ksi_id: The KSI identifier (e.g., "KSI-IAM-01", "KSI-CNA-01") Returns: Evidence artifacts list with collection details

ksi_id str
analyze_frr_code
annotations: none low

Analyze code against a specific FedRAMP requirement (FRR). Detects compliance issues in application code, infrastructure as code, or CI/CD pipelines for the specified FRR. Args: frr_id: FRR identifier (e.g., "FRR-VDR-01", "FRR-RSC-01") code: Code to analyze language: Language/platform (python, csharp, java, typescript, bicep, terraform, github-actions, azure-pipelines, gitlab-ci) file_path: Optional file path for context Returns: Analysis results with findings and recommendations

code str frr_id str language str file_path string
analyze_all_frrs
annotations: none low

Analyze code against all FedRAMP requirements. Performs comprehensive analysis across all 199 FRR requirements. Args: code: Code to analyze language: Language/platform file_path: Optional file path for context Returns: Complete analysis results grouped by family

code str language str file_path string
analyze_frr_family
annotations: none low

Analyze code against all requirements in a specific FRR family. Args: family: Family code (VDR, RSC, UCM, SCN, ADS, CCM, MAS, ICP, FSI, PVA, KSI) code: Code to analyze language: Language/platform file_path: Optional file path for context Returns: Analysis results for the specified family

code str family str language str file_path string
list_frrs_by_family
annotations: none low

List all FRR requirements in a specific family. Shows implementation status and code detectability for each FRR. Args: family: Family code (VDR, RSC, UCM, SCN, ADS, CCM, MAS, ICP, FSI, PVA, KSI) Returns: List of FRRs with status indicators

family str
get_frr_metadata
annotations: none low

Get detailed metadata for a specific FRR. Returns NIST controls, related KSIs, impact levels, and detection strategy. Args: frr_id: FRR identifier (e.g., "FRR-VDR-01") Returns: Detailed FRR metadata

frr_id str
generate_implementation_questions
annotations: none low

Generate strategic questions for PMs and engineers about implementing a requirement.

requirement_id str
get_ksi_implementation_matrix
annotations: none low

Get implementation matrix showing all KSIs in a family with Azure services, effort, and priority.

ksi_family str
generate_implementation_checklist
annotations: none low

Generate actionable step-by-step implementation checklist for a specific KSI.

ksi_id str
get_infrastructure_code_for_ksi
annotations: none low

Generate infrastructure code templates for automating KSI evidence collection.

ksi_id str infrastructure_type str
get_evidence_collection_code
annotations: none low

Provide code examples for collecting KSI evidence programmatically.

ksi_id str language str
get_evidence_automation_architecture
annotations: none low

Provide comprehensive architecture guidance for automated evidence collection.

ksi_category str
analyze_infrastructure_code
annotations: none low

Analyze Infrastructure as Code (Bicep/Terraform) for FedRAMP 20x compliance issues. Args: code: The IaC code content to analyze file_type: Type of IaC file ("bicep" or "terraform") file_path: Optional path to the file being analyzed context: Optional context about the changes (e.g., PR description) application_profile: Optional application profile to reduce false positives. Supported profiles: "cli-tool", "mcp-server", "web-app", "api-service", "iac-only", "library", "batch-job", "full" (default). Example: Use "cli-tool" for a local CLI tool that reads YAML files to suppress irrelevant MFA, RBAC, HSTS, and database findings.

code str context string file_path string file_type str application_profile string
validate_fedramp_config
annotations: none low

Validate Infrastructure as Code against FedRAMP 20x MANDATORY requirements BEFORE generating/deploying. 🚨 USE THIS TOOL BEFORE FINALIZING ANY TEMPLATE/CODE 🚨 This tool checks for CRITICAL violations that will cause compliance failures: - Log Analytics retention < 730 days (CRITICAL) - Platform-managed keys instead of Customer-Managed Keys (CRITICAL) - Key Vault Standard SKU instead of Premium (CRITICAL) - Public access enabled instead of disabled (CRITICAL) - Missing diagnostic settings (HIGH) Returns: - passed: bool - Whether ALL validations passed - violations: list - CRITICAL issues that MUST be fixed - warnings: list - Non-critical issues that SHOULD be fixed - compliant_values: list - Requirements that passed validation Example usage: 1. Generate Bicep/Terraform code 2. Call validate_fedramp_config with the code 3. If violations exist, FIX THEM before deploying 4. If passed=true, code meets FedRAMP 20x requirements

code str file_type str strict_mode bool
analyze_application_code
annotations: none low

Analyze application code for FedRAMP 20x security compliance issues. Args: code: The application code content to analyze language: Programming language ("python", "csharp", "java", "typescript", "javascript") file_path: Optional path to the file being analyzed dependencies: Optional list of dependencies/imports to check application_profile: Optional application profile to reduce false positives. Supported profiles: "cli-tool", "mcp-server", "web-app", "api-service", "iac-only", "library", "batch-job", "full" (default). Example: Use "cli-tool" for a local CLI tool that reads YAML files to suppress irrelevant MFA, RBAC, HSTS, and database findings.

code str language str file_path string dependencies string application_profile string
analyze_cicd_pipeline
annotations: none low

Analyze CI/CD pipeline configuration for FedRAMP 20x DevSecOps compliance. Args: code: The pipeline configuration content (YAML/JSON) pipeline_type: Type of pipeline ("github-actions", "azure-pipelines", "gitlab-ci", or "generic") file_path: Optional path to the pipeline file application_profile: Optional application profile to reduce false positives. Supported profiles: "cli-tool", "mcp-server", "web-app", "api-service", "iac-only", "library", "batch-job", "full" (default).

code str file_path string pipeline_type str application_profile string
get_ksi_coverage_summary
annotations: none low

Get a summary of KSI analyzer coverage and recommendation quality assessment. Shows which KSIs have analyzer coverage, what limitations exist, and important disclaimers about recommendation validation. Use this to understand the scope and limitations of automated compliance checking.

get_ksi_coverage_status
annotations: none low

Check if a specific KSI has analyzer coverage and what the limitations are. Args: ksi_id: The KSI identifier (e.g., "KSI-MLA-05") Returns detailed coverage information including which analyzers support this KSI, whether it's process-based or technical, and important limitations of the coverage.

ksi_id str
check_package_vulnerabilities
annotations: none low

Check a package for known CVE vulnerabilities against authoritative databases. Queries GitHub Advisory Database (and optionally NVD) for security vulnerabilities in the specified package. Returns detailed CVE information, affected versions, patched versions, severity ratings, and FedRAMP compliance recommendations. Args: package_name: Package name (e.g., "Newtonsoft.Json", "lodash", "requests", "log4j") ecosystem: Package ecosystem - "nuget" (.NET), "npm" (JavaScript/TypeScript), "pypi" (Python), "maven" (Java) version: Specific version to check (optional, checks all versions if omitted) github_token: GitHub Personal Access Token for higher API rate limits (optional) Returns: JSON with vulnerability details including CVE IDs, severity, CVSS scores, affected/patched versions, descriptions, and FedRAMP compliance status. Example: check_package_vulnerabilities("Newtonsoft.Json", "nuget", "12.0.1") check_package_vulnerabilities("lodash", "npm") Maps to FedRAMP 20x requirements: - KSI-SVC-08: Secure Dependencies - vulnerability management - KSI-TPR-03: Supply Chain Security - third-party risk assessment

version string ecosystem str github_token string package_name str
scan_dependency_file
annotations: none low

Scan an entire dependency file for vulnerable packages. Analyzes dependency manifests and checks all packages against CVE databases. Provides comprehensive vulnerability report with prioritized remediation guidance. Args: file_content: Full content of the dependency file file_type: Type of file - "csproj", "packages.config", "package.json", "requirements.txt", "pom.xml" github_token: GitHub Personal Access Token for higher API rate limits (optional) Returns: JSON with scan results including total vulnerabilities, severity breakdown, vulnerable packages list, and prioritized remediation recommendations. Supported file formats: - NuGet: *.csproj (PackageReference), packages.config, Directory.Packages.props - npm: package.json, package-lock.json - Python: requirements.txt, Pipfile, pyproject.toml - Maven: pom.xml Example: scan_dependency_file(csproj_content, "csproj") scan_dependency_file(requirements_txt, "requirements.txt") Maps to FedRAMP 20x requirements: - KSI-SVC-08: Secure Dependencies - KSI-TPR-03: Supply Chain Security - KSI-CMT-01: Continuous Monitoring (automated vulnerability scanning)

file_type str file_content str github_token string
get_ksi_implementation_status
annotations: none low

Get comprehensive implementation status of all KSI analyzers. Dynamically queries each KSI analyzer to report: - Total KSIs, active vs retired - Implementation status (IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED) - Code detectability (CODE_DETECTABLE vs PROCESS_BASED) - Status organized by family - Implementation percentages Returns: JSON with complete KSI status including: - Overall statistics (total, active, implemented, code_detectable) - Family-level breakdown - Individual KSI details with metadata - Implementation and code detectability percentages This tool eliminates the need to maintain separate tracking documents by querying each KSI analyzer's CODE_DETECTABLE and IMPLEMENTATION_STATUS properties. Example output: { "total_ksis": 72, "active_ksis": 65, "retired_ksis": 7, "implemented_ksis": 38, "code_detectable_ksis": 38, "process_based_ksis": 27, "implementation_percentage": 58.5, "families": {...} }

get_ksi_family_status
annotations: none low

Get implementation status for a specific KSI family. Args: family: Family code (e.g., "IAM", "SVC", "CNA", "AFR", "MLA") Returns: JSON with family-specific status: - Total KSIs in family - Active vs retired count - Implementation status - Code detectability breakdown - List of all KSIs with their properties Supported families: - IAM: Identity and Access Management - SVC: Service Configuration - MLA: Monitoring, Logging, and Alerting - CNA: Cloud and Network Architecture - AFR: Authorization by FedRAMP - TPR: Third-Party Risk - CMT: Change Management and Testing - RPL: Resiliency and Performance Limits - INR: Incident Response - PIY: Privacy - CED: Cybersecurity Education Example: get_ksi_family_status("IAM")

family str
add_requirement_comments
annotations: none low

Add FedRAMP requirement comments to code or IaC templates. Enriches generated code with detailed KSI and FRR requirement information in comments, ensuring traceability to specific compliance requirements. Args: code: The code or template to enrich ksi_ids: Comma-separated KSI IDs (e.g., "KSI-IAM-01,KSI-MLA-01") frr_ids: Comma-separated FRR IDs (e.g., "FRR-VDR-01,FRR-ADS-01") language: Programming language for comment syntax Options: bicep, terraform, python, csharp, java, typescript, powershell Returns: Enriched code with requirement header comments and inline annotations Example: ```bicep // Original code: resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = { name: 'mykeyvault' } // After enrichment with add_requirement_comments(code, "KSI-SVC-06", "FRR-RSC-01", "bicep"): // ========================================== // FedRAMP 20x Compliance Requirements // ========================================== // // Key Security Indicators (KSI): // // KSI-SVC-06: Secret Management // Automate management, protection, and regular rotation of // digital keys, certificates, and other secrets. // // FedRAMP Requirements (FRR): // // FRR-RSC-01: Recommended Secure Configuration // Apply security baselines and hardening standards. // ========================================== resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = { name: 'mykeyvault' tags: { Compliance: 'FedRAMP 20x' Requirements: 'KSI-SVC-06, FRR-RSC-01' } } ``` Use this tool when: - Generating Bicep/Terraform infrastructure code - Writing C#/Python/Java application code for FedRAMP compliance - Need to document which requirements a code block addresses - Creating templates or examples for teams

code str frr_ids string ksi_ids string language str

Permissions 4

network medium
Server uses network capabilities via: httpx, urllib
filesystem low
Server uses filesystem capabilities via: open(), os, pathlib
shell high
Server uses shell capabilities via: subprocess
env_vars low
Server uses env_vars capabilities via: os.environ

Scan Findings 115

low
Tool 'get_ksi_evidence_automation' has no annotations annotation_checker · 100%
low
Tool 'get_ksi_evidence_queries' has no annotations annotation_checker · 100%
low
Tool 'get_ksi_evidence_artifacts' has no annotations annotation_checker · 100%
low
Tool 'analyze_frr_code' has no annotations annotation_checker · 100%
low
Tool 'analyze_all_frrs' has no annotations annotation_checker · 100%
low
Tool 'analyze_frr_family' has no annotations annotation_checker · 100%
low
Tool 'list_frrs_by_family' has no annotations annotation_checker · 100%
info
Tool: check_package_vulnerabilities manifest_parser · 90%
low
Tool 'get_frr_metadata' has no annotations annotation_checker · 100%
low
Tool 'get_frr_evidence_automation' has no annotations annotation_checker · 100%
low
Tool 'get_frr_implementation_status' has no annotations annotation_checker · 100%
low
Tool 'search_documentation' has no annotations annotation_checker · 100%
low
Tool 'get_documentation_file' has no annotations annotation_checker · 100%
low
Tool 'list_documentation_files' has no annotations annotation_checker · 100%
low
Tool 'export_to_excel' has no annotations annotation_checker · 100%
low
Tool 'export_to_csv' has no annotations annotation_checker · 100%
low
Tool 'generate_ksi_specification' has no annotations annotation_checker · 100%
low
Tool 'compare_with_rev4' has no annotations annotation_checker · 100%
low
Tool 'get_implementation_examples' has no annotations annotation_checker · 100%
low
Tool 'check_requirement_dependencies' has no annotations annotation_checker · 100%
low
Tool 'estimate_implementation_effort' has no annotations annotation_checker · 100%
low
Tool 'get_cloud_native_guidance' has no annotations annotation_checker · 100%
low
Tool 'validate_architecture' has no annotations annotation_checker · 100%
low
Tool 'generate_implementation_questions' has no annotations annotation_checker · 100%
low
Tool 'get_ksi_implementation_matrix' has no annotations annotation_checker · 100%
low
Tool 'generate_implementation_checklist' has no annotations annotation_checker · 100%
low
Tool 'get_infrastructure_code_for_ksi' has no annotations annotation_checker · 100%
low
Tool 'get_evidence_collection_code' has no annotations annotation_checker · 100%
low
Tool 'get_ksi_coverage_summary' has no annotations annotation_checker · 100%
low
Tool 'get_evidence_automation_architecture' has no annotations annotation_checker · 100%
info
Could not connect to MCP server for behavioral verification behavioral_verifier · 100%
low
Tool 'analyze_infrastructure_code' has no annotations annotation_checker · 100%
low
Tool 'validate_fedramp_config' has no annotations annotation_checker · 100%
info
No dependency files found for SBOM generation sbom_generator · 100%
info
MITRE ATLAS technique coverage summary atlas_annotator · 100%
low
Tool 'analyze_application_code' has no annotations annotation_checker · 100%
low
Tool 'analyze_cicd_pipeline' has no annotations annotation_checker · 100%
info
pyproject.toml metadata manifest_parser · 100%
info
Tool: get_control manifest_parser · 90%
info
Tool: list_family_controls manifest_parser · 90%
info
Tool: search_requirements manifest_parser · 90%
info
Tool: get_definition manifest_parser · 90%
info
Tool: list_definitions manifest_parser · 90%
info
Tool: search_definitions manifest_parser · 90%
info
Tool: get_ksi manifest_parser · 90%
info
Tool: list_ksi manifest_parser · 90%
info
Tool: get_ksi_implementation_summary manifest_parser · 90%
info
Tool: get_ksi_evidence_automation manifest_parser · 90%
info
Tool: get_ksi_evidence_queries manifest_parser · 90%
low
Tool 'search_definitions' has no annotations annotation_checker · 100%
info
Tool: get_ksi_evidence_artifacts manifest_parser · 90%
info
Tool: analyze_frr_code manifest_parser · 90%
info
Tool: analyze_all_frrs manifest_parser · 90%
info
Tool: analyze_frr_family manifest_parser · 90%
info
Tool: list_frrs_by_family manifest_parser · 90%
info
Tool: get_frr_metadata manifest_parser · 90%
info
Tool: get_frr_evidence_automation manifest_parser · 90%
info
Tool: get_frr_implementation_status manifest_parser · 90%
info
Tool: search_documentation manifest_parser · 90%
info
Tool: get_documentation_file manifest_parser · 90%
info
Tool: list_documentation_files manifest_parser · 90%
info
Tool: export_to_excel manifest_parser · 90%
info
Tool: export_to_csv manifest_parser · 90%
info
Tool: generate_ksi_specification manifest_parser · 90%
info
Tool: compare_with_rev4 manifest_parser · 90%
info
Tool: get_implementation_examples manifest_parser · 90%
info
Tool: check_requirement_dependencies manifest_parser · 90%
info
Tool: estimate_implementation_effort manifest_parser · 90%
info
Tool: get_cloud_native_guidance manifest_parser · 90%
info
Tool: validate_architecture manifest_parser · 90%
info
Tool: generate_implementation_questions manifest_parser · 90%
info
Tool: get_ksi_implementation_matrix manifest_parser · 90%
info
Tool: generate_implementation_checklist manifest_parser · 90%
info
Tool: get_infrastructure_code_for_ksi manifest_parser · 90%
info
Tool: get_evidence_collection_code manifest_parser · 90%
info
Tool: get_evidence_automation_architecture manifest_parser · 90%
low
Tool 'get_ksi' has no annotations annotation_checker · 100%
low
Tool 'list_ksi' has no annotations annotation_checker · 100%
info
Tool: analyze_infrastructure_code manifest_parser · 90%
info
Tool: validate_fedramp_config manifest_parser · 90%
info
Tool: analyze_application_code manifest_parser · 90%
info
Tool: analyze_cicd_pipeline manifest_parser · 90%
info
Tool: get_ksi_coverage_summary manifest_parser · 90%
info
Tool: get_ksi_coverage_status manifest_parser · 90%
low
Tool 'get_ksi_implementation_summary' has no annotations annotation_checker · 100%
info
Tool: scan_dependency_file manifest_parser · 90%
info
Tool: get_ksi_implementation_status manifest_parser · 90%
info
Tool: get_ksi_family_status manifest_parser · 90%
info
Tool: add_requirement_comments manifest_parser · 90%
info
Required env vars (5) manifest_parser · 80%
low
Tool 'get_control' has no annotations annotation_checker · 100%
low
Tool 'list_family_controls' has no annotations annotation_checker · 100%
low
Tool 'search_requirements' has no annotations annotation_checker · 100%
low
Tool 'get_definition' has no annotations annotation_checker · 100%
low
Tool 'list_definitions' has no annotations annotation_checker · 100%
low
Tool 'get_ksi_coverage_status' has no annotations annotation_checker · 100%
low
Tool 'check_package_vulnerabilities' has no annotations annotation_checker · 100%
low
Tool 'scan_dependency_file' has no annotations annotation_checker · 100%
low
Tool 'get_ksi_implementation_status' has no annotations annotation_checker · 100%
low
Tool 'get_ksi_family_status' has no annotations annotation_checker · 100%
low
Tool 'add_requirement_comments' has no annotations annotation_checker · 100%
medium
OAuth implementation without PKCE auth_checker · 75%
medium
Permission: network access detected permission_analyzer · 90%
low
Permission: filesystem access detected permission_analyzer · 80%
high
Permission: shell access detected permission_analyzer · 95%
low
Permission: env_vars access detected permission_analyzer · 90%
medium
Vulnerable dependency: mcp@1.2.0 (GHSA-3qhf-m339-9g5v) dependency_analyzer · 95%
medium
Vulnerable dependency: mcp@1.2.0 (GHSA-9h52-p55h-vw2f) dependency_analyzer · 95%
medium
Vulnerable dependency: mcp@1.2.0 (GHSA-j975-95f5-7wqh) dependency_analyzer · 95%
high
Generic API Key Assignment found in docs/PATTERN_AUTHORING_GUIDE.md secret_scanner · 75%
high
Hardcoded Password found in src/fedramp_20x_mcp/tools/enhancements.py secret_scanner · 65%
info
SLSA Build Level 2 detected slsa_assessor · 85%
info
Could not connect to MCP server for output poisoning scan output_poisoning · 100%
info
ATLAS: Adversarial ML Supply Chain (AML.T0043) atlas_annotator · 100%
info
ATLAS: Poison Training Data (AML.T0020) atlas_annotator · 100%