Skip to main content
Glama
cloudcwfranck

@cloudcraftwithfranck/govcloud-mcp

by cloudcwfranck
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Remote

pipeline_audit

Audit any CI/CD pipeline (GitLab CI, GitHub Actions, Tekton, Jenkins) for DoD DevSecOps compliance. Returns scored audit with violations and hardened pipeline YAML.

Instructions

Audit a CI/CD pipeline configuration (GitLab CI, GitHub Actions, Tekton, Jenkins) for DoD DevSecOps compliance. Returns a scored audit with violations and hardened pipeline YAML.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
pipelineYamlYesPaste your pipeline YAML (.gitlab-ci.yml, GitHub Actions workflow, Tekton Pipeline, etc.)
pipelineTypeYesPipeline type
targetLevelNoDoD IL compliance target (default: il4)
scanToolsNoSecurity scan tools currently used e.g. ["twistlock","sonarqube","anchore"]

Implementation Reference

  • src/tools/pipeline/pipeline-audit.ts:44-103 (handler)
    The main handler function for the pipeline_audit tool. Takes validated args, calls the Anthropic API with the PIPELINE_SYSTEM prompt to audit CI/CD pipeline configurations (GitLab CI, GitHub Actions, Tekton, Jenkins) for DoD DevSecOps compliance. Returns a scored audit with violations and hardened pipeline YAML.
    export async function handlePipelineAudit(args: unknown): Promise<string> {
  return runTool('pipeline_audit', args, Schema, async ({ pipelineYaml, pipelineType, targetLevel, scanTools }) => {
    const response = await anthropic.messages.create({
      model: MODEL,
      max_tokens: getTokenBudget('pipeline_audit'),
      system: PIPELINE_SYSTEM,
      messages: [
        {
          role: 'user',
          content: `Audit this ${pipelineType} pipeline for ${targetLevel} DevSecOps compliance.
${(scanTools ?? []).length > 0 ? `\n**Current Scan Tools:** ${(scanTools ?? []).join(', ')}` : ''}

\`\`\`yaml
${pipelineYaml}
\`\`\`

Provide:
1. **DevSecOps Compliance Score** (0-100) — with breakdown by category:
   - SAST (Static Analysis): /20
   - Container Security: /20
   - SCA (Software Composition Analysis): /20
   - Secrets Scanning: /15
   - Artifact Signing: /15
   - DAST (Dynamic Analysis): /10

2. **Critical Violations** — gaps that would block an IL Authorization to Operate:
   - Missing required scan stages
   - Images not pulled from registry1.dso.mil / approved registry
   - No artifact signing (Sigstore/Cosign)
   - Secrets in plain text (env vars, hardcoded values)
   - No SBOM generation
   - Privileged containers in pipeline

3. **Required Stages for ${targetLevel}** — with tool recommendations:
   | Stage | Required Tool | Iron Bank Image | Purpose |
   |-------|--------------|-----------------|---------|

4. **Secrets Management Issues** — any hardcoded secrets, missing Vault integration

5. **Hardened Pipeline YAML** — complete rewrite with:
   - All required security stages added
   - Iron Bank images for all scanner tools
   - Artifact signing with Cosign
   - SBOM generation (Syft/Grype)
   - Secrets pulled from Vault/sealed-secrets
   - Fail-fast on critical findings

6. **Platform One Integration** — how to integrate with:
   - Iron Bank image scanning (Anchore Enterprise)
   - Platform One Artifact Repository
   - DoD-approved SAST tools (Fortify, Checkmarx)

7. **Line References** — specific line numbers from the original pipeline with issues`,
        },
      ],
    });

    return response.content[0].type === 'text' ? response.content[0].text : '';
  });
}
  • src/tools/pipeline/pipeline-audit.ts:37-42 (schema)
    Zod schema for pipeline_audit input validation. Validates pipelineYaml (string up to 20k chars), pipelineType (enum of gitlab-ci, github-actions, tekton, jenkins), targetLevel (il2/il4/il5, default il4), and scanTools (array of strings, max 50).
    const Schema = z.object({
  pipelineYaml: z.string().min(1).max(20000),
  pipelineType: z.enum(['gitlab-ci', 'github-actions', 'tekton', 'jenkins']),
  targetLevel: z.enum(['il2', 'il4', 'il5']).default('il4'),
  scanTools: z.array(z.string().max(500)).max(50).default([]),
});
  • src/tools/pipeline/pipeline-audit.ts:6-35 (registration)
    Tool definition object with name 'pipeline_audit', description, and inputSchema (JSON Schema format) specifying required fields pipelineYaml and pipelineType, plus optional targetLevel and scanTools.
    export const pipelineAuditTool = {
  name: 'pipeline_audit',
  description:
    'Audit a CI/CD pipeline configuration (GitLab CI, GitHub Actions, Tekton, Jenkins) for DoD DevSecOps compliance. Returns a scored audit with violations and hardened pipeline YAML.',
  inputSchema: {
    type: 'object' as const,
    properties: {
      pipelineYaml: {
        type: 'string',
        description: 'Paste your pipeline YAML (.gitlab-ci.yml, GitHub Actions workflow, Tekton Pipeline, etc.)',
      },
      pipelineType: {
        type: 'string',
        enum: ['gitlab-ci', 'github-actions', 'tekton', 'jenkins'],
        description: 'Pipeline type',
      },
      targetLevel: {
        type: 'string',
        enum: ['il2', 'il4', 'il5'],
        description: 'DoD IL compliance target (default: il4)',
      },
      scanTools: {
        type: 'array',
        items: { type: 'string' },
        description: 'Security scan tools currently used e.g. ["twistlock","sonarqube","anchore"]',
      },
    },
    required: ['pipelineYaml', 'pipelineType'],
  },
};
  • src/tools/index.ts:20-87 (registration)
    Import and registration of pipelineAuditTool in the central tool registry (allTools array) and case routing to handlePipelineAudit in the switch statement at line 78.
    import { pipelineAuditTool, handlePipelineAudit } from './pipeline/pipeline-audit.js';
import { signingConfigTool, handleSigningConfig } from './pipeline/signing-config.js';
import { devsecopsScoreCardTool, handleDevsecopsScorecard } from './pipeline/devsecops-scorecard.js';

import { sspSectionTool, handleSspSection } from './documents/ssp-section.js';
import { contingencyPlanTool, handleContingencyPlan } from './documents/contingency-plan.js';

import { govcloudQuickstartTool, handleGovcloudQuickstart } from './govcloud-quickstart.js';

export const allTools = [
  // Compliance
  bicepAnalyzeTool,
  bicepRemediateTool,
  controlLookupTool,
  controlNarrativeTool,
  poamGenerateTool,
  atoReadinessTool,
  oscalFragmentTool,
  // Architecture
  landingZoneTool,
  landingZoneReferenceTool,
  serviceSelectTool,
  gccHighTool,
  privateEndpointTool,
  // Platform One
  bigbangValidateTool,
  bigbangHardenTool,
  ironbankLookupTool,
  addonConfiguratorTool,
  // Pipeline
  pipelineAuditTool,
  signingConfigTool,
  devsecopsScoreCardTool,
  // Documents
  sspSectionTool,
  contingencyPlanTool,
  // Meta
  govcloudQuickstartTool,
];

export async function handleToolCall(name: string, args: unknown): Promise<string> {
  switch (name) {
    case 'bicep_analyze':         return handleBicepAnalyze(args);
    case 'bicep_remediate':       return handleBicepRemediate(args);
    case 'control_lookup':        return handleControlLookup(args);
    case 'control_narrative':     return handleControlNarrative(args);
    case 'poam_generate':         return handlePoamGenerate(args);
    case 'ato_readiness':         return handleAtoReadiness(args);
    case 'oscal_fragment':        return handleOscalFragment(args);
    case 'landing_zone_design':   return handleLandingZone(args);
    case 'landing_zone_reference': return handleLandingZoneReference(args);
    case 'azure_service_selector': return handleServiceSelect(args);
    case 'gcc_high_guidance':     return handleGccHigh(args);
    case 'private_endpoint_map':  return handlePrivateEndpoint(args);
    case 'bigbang_validate':      return handleBigbangValidate(args);
    case 'bigbang_harden':        return handleBigbangHarden(args);
    case 'ironbank_lookup':       return handleIronbankLookup(args);
    case 'addon_configurator':    return handleAddonConfigurator(args);
    case 'pipeline_audit':        return handlePipelineAudit(args);
    case 'signing_config':        return handleSigningConfig(args);
    case 'devsecops_scorecard':   return handleDevsecopsScorecard(args);
    case 'ssp_section':           return handleSspSection(args);
    case 'contingency_plan':      return handleContingencyPlan(args);
    case 'govcloud_quickstart':   return handleGovcloudQuickstart(args);
    default:
      throw new Error(`Unknown tool: ${name}`);
  }
}
  • src/utils/tool-runner.ts:16-31 (helper)
    Token budget configuration for pipeline_audit (6144 tokens) and timeout configuration (30000ms) used by the runTool utility that wraps the handler execution.
      pipeline_audit: 6144,
  ato_readiness: 4096,
  control_lookup: 4096,
  poam_generate: 2048,
  oscal_fragment: 4096,
  addon_configurator: 4096,
  private_endpoint_map: 4096,
  devsecops_scorecard: 3072,
  bigbang_validate: 3072,
  gcc_high_guidance: 2048,
  signing_config: 2048,
  azure_service_selector: 2048,
  ironbank_lookup: 1024,
  govcloud_quickstart: 1024,
  bicep_analyze: 4096,
};

Tool Definition Quality

A3.8/5.0
Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations provided; description states it returns scored audit and hardened YAML, implying read-only behavior, but does not address authentication, side effects, or error handling.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Single sentence efficiently covers supported pipeline types, compliance purpose, and output format with no wasted words.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Description adequately covers input types, compliance level, and output summary. Lacks mention of error handling or performance, but is sufficient given no output schema and moderate complexity.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100% with descriptions for each parameter. The tool description adds overall context tying parameters to DoD compliance, but does not provide additional semantic detail beyond the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

Description specifies a clear verb 'Audit' and resource 'CI/CD pipeline configuration', lists supported types (GitLab CI, GitHub Actions, Tekton, Jenkins) and output (scored audit with violations and hardened YAML), distinguishing it from sibling tools like ato_readiness or devsecops_scorecard.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Description implies usage for auditing pipeline compliance but does not provide explicit when-to-use or when-not-to-use guidance, nor does it mention alternatives among sibling tools.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cloudcwfranck/govcloud-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server