
Fianu Compliance Intelligence MCP Server

Queries and analyzes compliance data from your software supply chain using OAuth 2.0 and a scalable MCP server.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "fianulabs-mcp": {
      "url": "https://mcp.fianu.io/sse",
      "headers": {
        "CONSULTA_URL": "https://api.fianu.io",
        "AUTH0_AUDIENCE": "https://fianu.io/api",
        "AUTH0_CLIENT_ID": "YOUR_CLIENT_ID",
        "AUTH0_CLIENT_SECRET": "YOUR_CLIENT_SECRET"
      }
    }
  }
}

You run the Fianu Compliance Intelligence MCP Server to enable AI assistants to query your software supply chain compliance data in natural language. The server provides tools to assess asset compliance, discover controls, examine attestations and deployments, review vulnerabilities, trace evidence, and monitor policy violations and trends across your organization.

How to use

You connect to the MCP server using an MCP client such as Claude Desktop or Cursor IDE. After connection, you can ask questions or invoke tools to retrieve up-to-date compliance information, investigations, and insights. Start by ensuring you are authenticated with OAuth 2.0 and that you are accessing data from your own tenant. Typical usage includes asking for asset status, listing controls, reviewing compliance trends, examining attestations, and investigating deployment blockers or policy exceptions.

How to install

Prerequisites you need before running the MCP server.

1) Install Node.js 18+ and npm.

2) Set up a Cloudflare account and prepare Cloudflare Wrangler tooling according to the included setup steps.

3) Obtain Auth0 credentials (Client ID and Client Secret) from the Fianu Auth0 application and access to the Fianu Dev environment.

4) Ensure you have access to the Fianu Dev environment for testing.

Clone the project, install dependencies, and run the development server locally.

Security and access

OAuth 2.0 authentication is used to obtain tokens automatically, with tenant isolation ensuring users can access only their organization’s data. All API calls and tool invocations are logged for auditing through the Analytics Engine, and JWT validation verifies each token's signature cryptographically.
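The checks that paragraph describes (signature verification, issuer and audience pinning, tenant isolation, an audit record per tool call) are sketched below as an added example; it is not code from the Fianu server. To run offline it signs tokens with an HS256 shared secret, whereas Auth0 access tokens are RS256-signed and a real deployment verifies them against the tenant's published JWKS. The issuer URL, the tenant claim name, the demo secret and the claim values are constructed for the example; only the audience is the one shown in the configuration above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo. The audience matches the client configuration
# above; the issuer, the tenant claim name and the key are assumptions, not
# values taken from the Fianu server.
EXPECTED_ISSUER = "https://example-tenant.auth0.example/"
EXPECTED_AUDIENCE = "https://fianu.io/api"
TENANT_CLAIM = "https://fianu.io/tenant"  # assumed custom-claim name
DEMO_SECRET = b"demo-hmac-key-not-a-real-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT so the validator can be exercised without Auth0."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims of a token whose signature, expiry, issuer and
    audience all check out; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the server side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:
        raise ValueError("wrong audience")
    return claims


# In-memory stand-in for the audit sink the page attributes to the Analytics Engine.
AUDIT_LOG: list = []


def authorize_tool_call(token: str, tool: str, requested_tenant: str, now=None) -> bool:
    """Tenant isolation: a tool call may only touch the tenant bound to the token.
    Every decision, allowed or not, is appended to the audit log."""
    try:
        claims = validate_token(token, now=now)
    except ValueError as err:
        AUDIT_LOG.append({"tool": tool, "tenant": requested_tenant,
                          "allowed": False, "reason": str(err)})
        return False
    allowed = claims.get(TENANT_CLAIM) == requested_tenant
    AUDIT_LOG.append({"tool": tool, "tenant": requested_tenant, "subject": claims.get("sub"),
                      "allowed": allowed, "reason": "ok" if allowed else "tenant mismatch"})
    return allowed


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_demo_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                           "sub": "user|demo", "exp": now + 600, TENANT_CLAIM: "acme"})
    print(authorize_tool_call(tok, "get_asset_compliance_status", "acme", now=now))   # True
    print(authorize_tool_call(tok, "get_asset_compliance_status", "globex", now=now)) # False
    print(json.dumps(AUDIT_LOG, indent=2))
```

The design point is that the algorithm, issuer and audience are fixed by the server, not read from the token, and that the tenant a request names is compared against the tenant claim the token carries, so a valid token for one organization cannot be replayed against another's data.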

Available tools and what they do

The MCP server exposes a suite of tools to query and analyze compliance data. Each tool accepts specific parameters and returns structured results to support decision making.

Using the MCP server with Claude Desktop and Cursor IDE

The server provides two connection methods:

- Production or staging HTTP endpoints for real-time server access
- Local stdio configuration for direct tool usage from your development environment

Configuration examples show how to connect from Claude Desktop and Cursor IDE to the staging environment, then use available tools to query compliance information.

Troubleshooting

If you encounter authentication issues, verify your Auth0 credentials and ensure callback URLs are correctly configured in your Auth0 dashboard. For connectivity problems, confirm the MCP server URLs are reachable and check logs. For token validation issues, confirm you are using a valid token from the correct Auth0 tenant.

Notes on deployment and testing

You can test the MCP server health and basic authentication locally, and you can deploy to production or staging as described in the deployment steps. Use the health endpoint to verify the service status and the token exchange flow to verify authentication.

Development and testing commands

Run the MCP server locally in development mode to test changes.

Project guidance and structure

The project organizes sources for OAuth, MCP tool registration, and individual tool handlers under src, with tests and Cloudflare configuration for deployment.

Notes on environment variables and configuration

Environment variables are used to configure authentication, tenant access, and API endpoints. Ensure you set the necessary values in your deployment environment and secret store. The server relies on these values to validate tokens and to access the Consulta API.

Examples and best practices

Ask practical questions such as: What is the compliance status for a specific asset? Are there any policy violations in the last week? How has compliance changed over the last 30 days? Which deployments are blocked from advancing to production? How can I resolve an external artifact to its Fianu dashboard?

Available tools

get_asset_compliance_status

Get compliance status for a specific asset with all passing/failing controls

list_controls

List all compliance controls with filtering by severity or framework

get_compliance_summary

Executive-level organization-wide compliance overview with risk categorization

get_attestation_details

Get attestation details - supports org-wide (control only) or asset-specific queries

get_deployment_attestations

Show all attestations from a specific deployment record

get_pipeline_vulnerabilities

Get security vulnerabilities from pipeline scans (SAST, SCA, secrets, container)

get_evidence_chain

Trace evidence lineage from origin through occurrences to attestations

get_policy_violations

Get failing controls as "policy violations" across the org or for a specific asset

get_compliance_trends

Analyze compliance trends over time using smart sampling

get_deployment_blockers

Find what's blocking an application from deploying to a specific gate/environment

get_policy_exceptions

List and analyze policy exceptions (waivers/exemptions from controls)

resolve_external_artifact

Resolve artifact URI from Artifactory/container registries to Fianu dashboard

analyze_control_failure

Analyze OPA Rego policy for a control to understand what it checks and why it fails

list_releases

List upcoming (pending) or past (released) releases for an application