ComplianceCow MCP Server

Table of Contents

ComplianceCow MCP Server

MCP servers are designed to process structured requests from AI agents, perform domain-specific operations (such as querying databases, applying business rules, or generating summaries), and return context-aware responses. Our implementation allows seamless integration with MCP-compatible hosts like Claude Desktop and Goose Desktop, enabling secure, modular, and intelligent interactions tailored to the needs of modern enterprises.

The tools and resources within the ComplianceCow MCP server are specifically designed to accomplish the following:

Get Dashboard and Insights data
Get Auditable responses through Compliance Graph
Perform actions such as creating tickets, fixing policies, pushing data to external tools, etc

Keyword	Description	Example(s)
Control	Refers to compliance or security control that needs to be implemented by an organization to ensure adherence to relevant laws, regulations, industry standards, and internal policies.	Ensure that MFA is enabled for all users
Assessment	Assessment is a collection of controls, organized hierarchically. This can be an industry standard or a cybersecurity framework.	PCI DSS 4.0
Assessment Run	An assessment run is the verification of the controls in an assessment for a given time period and for a set of inputs. This verification may include evidence either manually collecting from users or by automatically fetching data from resources such as applications and servers.
Check	A rule or a verification for compliance or conformance.	Check if MFA is enabled for all AWS users in a given AWS account.
Resource Type	Category or class of resources.	AWS EC2, AWS S3
Resource	Instance of resource type for which we have checks performed.	Specific EC2 instances, Github repositories
Asset	A group of resources of various types.	AWS services (spanning multiple accounts), Kubernetes, Github
Evidence	Data aggregated through checks against one or more resources, for a given control.	A CSV file containing the list of AWS users, their details including their MFA status and compliance details (such as score).
Action	Any activity (automated or manual) that can be run to respond or to remediate based on conditions. These actions are bound to some specific resources such as assessment, control, evidence or resource in ComplianceCow.	Create a JIRA ticket for a non compliant EC2 instance with SLA not met for remediating a critical vulnerability.

We support the STDIO transport mechanism to allow seamless local integration of our server with your MCP host. At the core of our backend is the Compliance Graph, which continuously ingests data such as assessment runs, evidence, and more. Additionally, our server actively pulls information from diverse sources including vector stores, relational databases, and file storage systems.

Dependencies

Python and UV (package manager) are required to run the MCP server.

Visit this page to download and install python for your operation system. Recommended version: 3.11 or higher.
Visit this page to download and install UV.

Authentication

The MCP tools and resources of ComplianceCow can be accessed through the OAuth 2.0 mechanism with client_credentials grant type. Follow the instructions below to get yourself a client id and a secret.

1. Sign up for an account (if you don’t have one) by visiting this URL: https://partner.compliancecow.live/ui/signup. Replace the hostname with your own if you have a dedicated ComplianceCow instance deployed.

2. Click on the ‘Manage Client Credentials’ option in the top-right user profile menu.

3. Fill out the form to obtain a client ID and secret.

Configuration

1. Clone the git repo

git clone https://github.com/ComplianceCow/cow-mcp.git

2. Run the following commands to install the dependencies. Only then, the MCP Host will be able to start the MCP server successfully.

uv venv .venv

source .venv/bin/activate

uv pip install .

3. Use the following configuration JSON as a reference to update your MCP host. Before saving the configuration, make sure to update the highlighted fields and adjust the folder path syntax to match your operating system.

MCP_SERVER_CODE_PATH:- Replace with the repository path (cloned in a step above).

UV_BIN_PATH:- Replace with uv bin path (something like uv(Homebrew) or /Users/UserXYZ/.local/bin/uv(script) in MacOS)

CCOW_CLIENT_ID & CCOW_CLIENT_SECRET: As explained in the “Authentication” section above.

CCOW_HOST: You can replace the default hostname with the hostname of the dedicated ComplianceCow instance deployed for you.

{
        "mcpServers": {
                "ComplianceCow": {
                        "args": [
                                "--directory",
                                "<>",
                                "run",
                                "main.py"
                        ],
                        "command": "<>",
                        "env": {
                                "CCOW_HOST": "https://partner.compliancecow.live/api",
                                "CCOW_CLIENT_ID": "<>",
                                "CCOW_CLIENT_SECRET": "<>"
                        }
                }
        }
}

Usage in MCP Host

The usage of the MCP server may vary across different hosts. You can use the configuration data provided above by following the host-specific instructions. Instructions for two such hosts—Claude and Goose desktops—are provided below.

Claude Desktop: Update the config ( <Claude desktop installation path>/claude_desktop_config.json) of Claude desktop by following the instruction given above in the “Configuration” Section.

Goose Desktop: Follow the steps given in this link.

Running Locally

To verify that the MCP server is properly set up with all dependencies and can be started by the MCP host without issues, you can run the command to check if the server runs correctly in a local environment.

uv run main.py

API Endpoints

Name	Purpose	Input(s)	Output(s)
fetch_unique_node_data_and_schema	Fetch unique node data and schema	Question* (`string`)-user question	node_names (`List`)-graph node names unique_property_values (`List`)-unique value of each property of nodes neo4j_schema (`string`)-graph node schema details
execute_cypher_query	Given a question and query, execute a cypher query and transform result to human readable format. Args: query: query to execute in graph DB	Query* (`string`)-query to execute in graph DB	result (`dict or str`)
list_all_assessment_categories	Get all assessment categories		result (`list or str`)
list_assessments	Get all assessments Function accepts category id as ‘categoryId’ and category name as ‘categoryName’	Payload* (`object`)	result (`list or str`)
fetch_recent_assessment_runs	Get recent assessment run for given assessment id Args: id: assessment id	Id* (`string`)-assessment id	result (`list or str`)
fetch_assessment_runs	Get all assessment run for given assessment id Function accepts page number (page) and page size (pageSize) for pagination. If MCP client host unable to handle large response use page and pageSize, default page is 1 If the request times out retry with pagination, increasing pageSize from 5 to 10. use this tool when expected run is got in fetch recent assessment runs tool Args: id: assessment id	Id* (`string`)-assessment id Page (`integer`) Pagesize (`integer`)	result (`list or str`)
fetch_assessment_run_details	Get assessment run details for given assessment run id. This api will return many contorls, use page to get details pagewise. If output is large store it in a file. Args: id: assessment run id	Id* (`string`)-assessment run id	result (`list`)
fetch_assessment_available_actions	Get actions available on assessment for given assessment name. Args: name: assessment name	Name* (`string`)-assessment name	result (`list or str`)
execute_action	Execute or trigger a specific action on an assessment run. use assessment id, assessment run id and action binding id. use fetch assessment available actions to get action binding id. Args: assessmentId assessmentRunId actionBindingId	Assessmentid* (`string`) Assessmentrunid* (`string`) Actionbindingid* (`string`)	result (`dict or str`)
list_integrations	Get all integrations		result (`list`)
fetch_integration_summary	Get integration summary for given assessment id Args: id: assessment id	Id* (`string`)-assessment id	result (`dict`)
fetch_resource_types	Get resource types for given integration run id. Use ‘fetch_integration_summary’ tool to get integration run id Function accepts page number (page) and page size (pageSize) for pagination. If MCP client host unable to handle large response use page and pageSize. If the request times out retry with pagination, increasing pageSize from 50 to 100. 1. Call fetch_resource_types with page=1, pageSize=50 2. Note the totalPages from the response 3. Continue calling each page until complete 4. Summarize all results together Args: id: integration run id	Id* (`string`)-integration run id Page (`integer`) Pagesize (`integer`)	result (`dict`)
fetch_checks	Get checks for given integration run id and resource type. Use this function to get all checks for given integration run id and resource type Use ‘fetch_integration_summary’ tool to get integration run id Use ‘fetch_resource_types’ tool to get all resource types Function accepts page number (page) and page size (pageSize) for pagination. If MCP client host unable to handle large response use page and pageSize. If the request times out retry with pagination, increasing pageSize from 5 to 10. If the check data set is large to fetch efficiently or results in timeouts, it is recommended to use the ‘summary tool’ instead to get a summarized view of the checks. 1. Call fetch_checks with page=1, pageSize=10 2. Note the totalPages from the response 3. Continue calling each page until complete 4. Summarize all results together Args: id: integration run id resourceType: resource type	Id* (`string`)-integration run id Resourcetype* (`string`) Page (`integer`) Pagesize (`integer`)	result (`dict or str`)
fetch_resources	Get resources for given integration run id and resource type Function accepts page number (page) and page size (pageSize) for pagination. If MCP client host unable to handle large response use page and pageSize, default page is 1 If the request times out retry with pagination, increasing pageSize from 5 to 10. If the resource data set is large to fetch efficiently or results in timeouts, it is recommended to use the ‘summary tool’ instead to get a summarized view of the resource. 1. Call fetch_resources with page=1, pageSize=10 2. Note the totalPages from the response 3. Continue calling each page until complete 4. Summarize all results together Args: id: integration run id resourceType: resource type	Id* (`string`)-integration run id Resourcetype* (`string`) Page (`integer`) Pagesize (`integer`)	result (`dict or str`)
fetch_resources_with_this_check	Get checks for given integration run id, resource type and check Function accepts page number (page) and page size (pageSize) for pagination. If MCP client host unable to handle large response use page and pageSize. If the request times out retry with pagination, increasing pageSize from 10 to 50. If the resource data set is large to fetch efficiently or results in timeouts, it is recommended to use the ‘summary tool’ instead to get a summarized view of the resource. 1. Call fetch_resources_for_check with page=1, pageSize=10 2. Note the totalPages from the response 3. Continue calling each page until complete 4. Summarize all results together Args: id: integration run id resourceType: resource type	Id* (`string`)-integration run id Resourcetype* (`string`) Check* (`string`) Page (`integer`) Pagesize (`integer`)	result (`dict or str`)
get_dashboard_data	Function accepts compliance period as ‘period’. Period donates for which quarter of year dashboard data is needed. Format: Q1 2024. Dashboard contains summary data of Common Control Framework (CCF). For any related to contorl category, framework, assignment status use this function. This contains details of control status such as ‘Completed’, ‘In Progress’, ‘Overdue’, ‘Pending’. The summarization levels are ‘overall control status’, ‘control category wise’, ‘control framework wise’, ‘overall control status’ can be fetched from ‘controlStatus’ ‘control category wise’ can be fetched from ‘controlSummary’ ‘control framework wise’ can be fetched from ‘frameworks’	Payload* (`object`)	result (`dict`)
fetch_checks_summary	Use this to get the summary on checks Use this when total items in ‘fetch_checks’ is high Get checks summary for given integration run id and resource type. Get a summarized view of resources based on – Compliance breakdown for checks – Total Checks available – Total compliant checks – Total non-compliant checks Args: id: integration run id resourceType: resource type	Id* (`string`)-integration run id Resourcetype* (`string`)	result (`dict or str`)
fetch_resources_summary	Use this to get the summary on resource Use this when total items in ‘fetch_resources’ is high Fetch a summary of resources for a given integration run id and resource type. Get a summarized view of resources include – Compliance breakdown for resource – Total Resources available – Total compliant resources – Total non-compliant resources Args: id: integration run ID resourceType: resource type	Id* (`string`)-integration run ID Resourcetype* (`string`)-resource type	result (`dict or str`)
fetch_resources_with_this_check_summary	Use this to get the summary on check resources Use this when total items in ‘fetch_resources_for_check’ is high Get check resources summary for given integration run id, resource type and check Paginated data is enough for summary Get a summarized view of check resources based on – Compliance breakdown for resources – Total Resources available – Total compliant resources – Total non-compliant resources Args: id: integration run id resourceType: resource type	Id* (`string`)-integration run id Resourcetype* (`string`) Check* (`string`)	result (`dict or str`)
get_top_over_due_controls_detail	Fetch controls with top over due (over-due) Function accepts count as ‘count’ Function accepts compliance period as ‘period’. Period donates for which quarter of year dashboard data is needed. Format: Q1 2024.	Payload* (`object`)	result (`dict or str`)
get_top_non_compliant_controls_detail	Fetch controls with low compliant score Function accepts count as ‘count’ Function accepts compliance period as ‘period’. Period donates for which quarter of year dashboard data is needed. Format: Q1 2024.	Payload* (`object`)	result (`dict or str`)