feat: add MCP server for exposing compliance data to LLMs (#5)

New `compliance-mcp` crate providing a Model Context Protocol server with 7 tools: list/get/summarize findings, list SBOM packages, SBOM vulnerability report, list DAST findings, and DAST scan summary. Supports stdio (local dev) and Streamable HTTP (deployment via MCP_PORT). Includes Dockerfile, CI clippy check, and Coolify deploy job. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #5
2026-03-09 08:21:04 +00:00
parent d13cef94cb
commit 32e5fc21e7
28 changed files with 1847 additions and 224 deletions
--- a/compliance-mcp/src/tools/findings.rs
+++ b/compliance-mcp/src/tools/findings.rs
@@ -0,0 +1,163 @@
+use mongodb::bson::doc;
+use rmcp::{model::*, ErrorData as McpError};
+use schemars::JsonSchema;
+use serde::Deserialize;
+
+use crate::database::Database;
+
+const MAX_LIMIT: i64 = 200;
+const DEFAULT_LIMIT: i64 = 50;
+
+fn cap_limit(limit: Option<i64>) -> i64 {
+    limit.unwrap_or(DEFAULT_LIMIT).clamp(1, MAX_LIMIT)
+}
+
+#[derive(Debug, Deserialize, JsonSchema)]
+pub struct ListFindingsParams {
+    /// Filter by repository ID
+    pub repo_id: Option<String>,
+    /// Filter by severity: info, low, medium, high, critical
+    pub severity: Option<String>,
+    /// Filter by status: open, triaged, false_positive, resolved, ignored
+    pub status: Option<String>,
+    /// Filter by scan type: sast, sbom, cve, gdpr, oauth
+    pub scan_type: Option<String>,
+    /// Maximum number of results (default 50, max 200)
+    pub limit: Option<i64>,
+}
+
+pub async fn list_findings(
+    db: &Database,
+    params: ListFindingsParams,
+) -> Result<CallToolResult, McpError> {
+    let mut filter = doc! {};
+    if let Some(ref repo_id) = params.repo_id {
+        filter.insert("repo_id", repo_id);
+    }
+    if let Some(ref severity) = params.severity {
+        filter.insert("severity", severity);
+    }
+    if let Some(ref status) = params.status {
+        filter.insert("status", status);
+    }
+    if let Some(ref scan_type) = params.scan_type {
+        filter.insert("scan_type", scan_type);
+    }
+
+    let limit = cap_limit(params.limit);
+
+    let mut cursor = db
+        .findings()
+        .find(filter)
+        .sort(doc! { "created_at": -1 })
+        .limit(limit)
+        .await
+        .map_err(|e| McpError::internal_error(format!("DB error: {e}"), None))?;
+
+    let mut results = Vec::new();
+    while cursor
+        .advance()
+        .await
+        .map_err(|e| McpError::internal_error(format!("cursor error: {e}"), None))?
+    {
+        let finding = cursor
+            .deserialize_current()
+            .map_err(|e| McpError::internal_error(format!("deserialize error: {e}"), None))?;
+        results.push(finding);
+    }
+
+    let json = serde_json::to_string_pretty(&results)
+        .map_err(|e| McpError::internal_error(format!("json error: {e}"), None))?;
+
+    Ok(CallToolResult::success(vec![Content::text(json)]))
+}
+
+#[derive(Debug, Deserialize, JsonSchema)]
+pub struct GetFindingParams {
+    /// Finding ID (MongoDB ObjectId hex string)
+    pub id: String,
+}
+
+pub async fn get_finding(
+    db: &Database,
+    params: GetFindingParams,
+) -> Result<CallToolResult, McpError> {
+    let oid = bson::oid::ObjectId::parse_str(&params.id)
+        .map_err(|e| McpError::invalid_params(format!("invalid ObjectId: {e}"), None))?;
+
+    let finding = db
+        .findings()
+        .find_one(doc! { "_id": oid })
+        .await
+        .map_err(|e| McpError::internal_error(format!("DB error: {e}"), None))?
+        .ok_or_else(|| McpError::invalid_params("finding not found", None))?;
+
+    let json = serde_json::to_string_pretty(&finding)
+        .map_err(|e| McpError::internal_error(format!("json error: {e}"), None))?;
+
+    Ok(CallToolResult::success(vec![Content::text(json)]))
+}
+
+#[derive(Debug, Deserialize, JsonSchema)]
+pub struct FindingsSummaryParams {
+    /// Filter by repository ID
+    pub repo_id: Option<String>,
+}
+
+#[derive(serde::Serialize)]
+struct SeverityCount {
+    severity: String,
+    count: u64,
+}
+
+pub async fn findings_summary(
+    db: &Database,
+    params: FindingsSummaryParams,
+) -> Result<CallToolResult, McpError> {
+    let mut base_filter = doc! {};
+    if let Some(ref repo_id) = params.repo_id {
+        base_filter.insert("repo_id", repo_id);
+    }
+
+    let severities = ["critical", "high", "medium", "low", "info"];
+    let mut counts = Vec::new();
+
+    for sev in &severities {
+        let mut filter = base_filter.clone();
+        filter.insert("severity", sev);
+        let count = db
+            .findings()
+            .count_documents(filter)
+            .await
+            .map_err(|e| McpError::internal_error(format!("DB error: {e}"), None))?;
+        counts.push(SeverityCount {
+            severity: sev.to_string(),
+            count,
+        });
+    }
+
+    let total: u64 = counts.iter().map(|c| c.count).sum();
+
+    let mut status_counts = Vec::new();
+    for status in &["open", "triaged", "false_positive", "resolved", "ignored"] {
+        let mut filter = base_filter.clone();
+        filter.insert("status", status);
+        let count = db
+            .findings()
+            .count_documents(filter)
+            .await
+            .map_err(|e| McpError::internal_error(format!("DB error: {e}"), None))?;
+        status_counts.push(serde_json::json!({ "status": status, "count": count }));
+    }
+
+    let summary = serde_json::json!({
+        "total": total,
+        "by_severity": counts,
+        "by_status": status_counts,
+    });
+
+    let json = serde_json::to_string_pretty(&summary)
+        .map_err(|e| McpError::internal_error(format!("json error: {e}"), None))?;
+
+    Ok(CallToolResult::success(vec![Content::text(json)]))
+}