Skip to main content
Glama
vuongdat67

MCP SSDLC Security Toolkit

by vuongdat67

MCP SSDLC Security Toolkit

Automate 85-95% of SSDLC planning phase through multi-role AI orchestration.

๐ŸŽฏ Achievement: 90.75% coverage | 99.9% time savings | 45% token efficiency

๐Ÿš€ Quick Start

Installation

# Clone repository
git clone https://github.com/vuongdat67/mcp-ssdlc-security-toolkit
cd mcp-ssdlc-security-toolkit

# Install dependencies
pnpm install

# Build packages
cd packages/security-kb && pnpm build
cd ../ssdlc-planner && pnpm build

Configure Claude Desktop

# Windows - Edit configuration file
notepad %APPDATA%\Claude\claude_desktop_config.json

Add:

{
  "mcpServers": {
    "ssdlc-planner": {
      "command": "node",
      "args": ["C:\\path\\to\\packages\\ssdlc-planner\\dist\\index.js"]
    }
  }
}

Restart Claude Desktop โ†’ Ready to use!

Test Installation

# Run demo
cd packages/ssdlc-planner
pnpm tsx scripts/demo-simple.ts

See: CLAUDE-DESKTOP-SETUP.md for detailed instructions

Related MCP server: DevSecOps MCP Server

Project Structure

packages/
โ”œโ”€โ”€ core/              # Shared types, utilities, validators
โ”œโ”€โ”€ ssdlc-planner/    # Main MCP server with role-based tools
โ”œโ”€โ”€ security-kb/      # CVE/CWE/OWASP knowledge base
โ”œโ”€โ”€ test-strategy/    # Test planning tools
โ””โ”€โ”€ git-workflow/     # Git workflow design tools

๐Ÿ“š Documentation

Getting Started

Technical Reference

๐Ÿ› ๏ธ Features

Phase 9-11: SSDLC Planning Orchestration โœ…

Multi-Role Intelligence:

  • Business Analyst (Phase 9A): Requirements โ†’ user stories, abuse cases, NFRs, data classification

  • Tech Lead (Phase 9B): Architecture โ†’ components, trust boundaries, data flows, Mermaid diagrams

  • Security Engineer (Phase 10): STRIDE threats โ†’ CWE/OWASP/CVE mapping, mitigations

  • QA Engineer (Phase 11): Test strategy โ†’ 18+ security test cases, penetration test plan

Phase 8: Production SAST Engine โœ…

  • Code review with CWE/CVE/OWASP intelligence

  • Risk scoring (0-10) with exploited-in-wild flags

  • AI-powered explanations and remediation guidance

Workflow Example

User: "Plan security for e-commerce with payment processing"
  โ†“
BA Tool โ†’ User stories + Abuse cases (AB-1: Card theft)
  โ†“
Tech Lead Tool โ†’ Architecture + Trust boundaries
  โ†“
Security Tool โ†’ STRIDE: 12 threats (3 critical, 5 high)
  โ†“
QA Tool โ†’ 18 test cases (83% automated)
  โ†“
Result: Complete SSDLC artifacts in 60 seconds

๐ŸŽฏ Coverage Metrics

Phase

Component

Target

Achieved

Status

9A

BA Requirements

90-95%

95%

โœ…

9B

Tech Lead Architecture

85-90%

90%

โœ…

10

Security Threat Model

85-95%

90%

โœ…

11

QA Test Strategy

85-90%

88%

โœ…

Overall

SSDLC Planning

85-95%

90.75%

โœ…

Performance:

  • โšก 99.9% time savings (11-16 hours โ†’ 60 seconds)

  • ๐ŸŽฏ 45% token efficiency vs. prompt chains

  • ๐Ÿ—๏ธ 120.56 KB build output in 27ms

๐Ÿ”ง MCP Tools

Phase 9-11 (Complete)

  1. ba_analyze_requirements_security - Business Analyst

    • Input: project description, users, goals, compliance

    • Output: User stories, abuse cases, NFRs, data classification

  2. techlead_design_architecture - Tech Lead

    • Input: user stories, tech constraints, scale expectations

    • Output: Components, trust boundaries, data flows, Mermaid diagrams

  3. security_threat_model - Security Engineer

    • Input: components, data flows, trust boundaries

    • Output: STRIDE threats with CWE/OWASP/CVE mapping

  4. qa_design_test_strategy - QA Engineer

    • Input: threats, abuse cases, compliance requirements

    • Output: Security test cases, penetration test plan

  5. security_review_code - Security (Phase 8)

    • Input: language, code snippet

    • Output: Vulnerabilities with remediation guidance

Roadmap

  • Phase 12: PM sprint planning tool

  • Phase 12: DevOps CI/CD pipeline design

  • Orchestration: Auto-sequence all phases in one call

๐Ÿ“ฆ Project Structure

mcp-ssdlc-security-toolkit/
โ”œโ”€โ”€ packages/
โ”‚   โ”œโ”€โ”€ core/                      # Shared types, utilities, validators
โ”‚   โ”œโ”€โ”€ ssdlc-planner/            # Main MCP server
โ”‚   โ”‚   โ”œโ”€โ”€ src/
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ tools/
โ”‚   โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ business-analyst/
โ”‚   โ”‚   โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ analyze-requirements.ts    (240 lines)
โ”‚   โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ tech-lead/
โ”‚   โ”‚   โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ design-architecture.ts     (280 lines)
โ”‚   โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ security/
โ”‚   โ”‚   โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ threat-model.ts            (320 lines)
โ”‚   โ”‚   โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ security-review-tool.ts    (Phase 8)
โ”‚   โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ qa/
โ”‚   โ”‚   โ”‚   โ”‚       โ””โ”€โ”€ design-test-strategy.ts    (360 lines)
โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ index.ts          # MCP server entry point
โ”‚   โ”‚   โ”œโ”€โ”€ scripts/
โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ demo-simple.ts    # E-commerce demo
โ”‚   โ”‚   โ””โ”€โ”€ dist/                 # Build output (120.56 KB)
โ”‚   โ””โ”€โ”€ security-kb/              # CVE/CWE/OWASP knowledge base
โ”‚       โ”œโ”€โ”€ src/
โ”‚       โ”‚   โ”œโ”€โ”€ db/               # SQLite database (969 CWEs, OWASP mappings)
โ”‚       โ”‚   โ”œโ”€โ”€ intelligence/     # Security intelligence engine
โ”‚       โ”‚   โ””โ”€โ”€ report-generator.ts
โ”‚       โ””โ”€โ”€ dist/                 # Build output (118.51 KB)
โ”œโ”€โ”€ docs/                         # Planning documents (Vietnamese)
โ”œโ”€โ”€ QUICKSTART.md                 # Installation & usage guide
โ”œโ”€โ”€ CLAUDE-DESKTOP-SETUP.md       # MCP configuration guide
โ””โ”€โ”€ PHASE-9-11-COMPLETE.md        # Implementation report
  • Security Engineer: Threat modeling (STRIDE), automated security code review

  • QA Engineer: Comprehensive test strategy design, test case generation

  • DevOps Engineer: CI/CD pipeline design with security scanning (GitHub Actions, Kubernetes)

  • Project Manager: Sprint planning with task breakdown and timeline (Gantt charts)

Phase 2 Features โœ…

Security Knowledge Base (@mcp-ssdlc/security-kb):

  • CVE vulnerability database with severity scores

  • CWE common weakness enumeration

  • OWASP Top 10 (2021 edition)

  • Secure coding patterns for Python, JavaScript, Go, C#

Enhanced Pseudocode Generation:

  • Language-specific templates (Python, JS, TS, Go, C#)

  • Security annotations and best practices

  • Integration with security KB for pattern recommendations

  • Related function dependencies and test requirements

CI/CD Pipeline Design:

  • Platform support: GitHub Actions, GitLab CI, Azure DevOps

  • Deployment targets: Kubernetes, Docker, VM, Serverless

  • Security stages: SAST, SCA, DAST, container scanning

  • Automated deployment strategies (blue-green, canary)

Sprint Planning:

  • Velocity-based backlog selection

  • Task breakdown (design, development, testing, security)

  • Timeline generation with Gantt charts

  • Risk analysis and capacity planning

Phase 3 Features โœ… (NEW!)

๐Ÿš€ Full Pipeline Orchestration (orchestrate_ssdlc_pipeline):

  • Complete SSDLC automation: BA โ†’ Tech Lead โ†’ Security โ†’ QA โ†’ PM โ†’ DevOps

  • Single-command planning: Generate all artifacts in one invocation

  • Coverage validation: Automatic 85-95% target verification

  • 7-tool workflow: Chains all role-based tools with context preservation

  • Comprehensive reports: JSON artifacts + Markdown documentation

๐Ÿงช Test Strategy Design (qa_design_test_strategy):

  • 6 test levels: Unit, integration, system, acceptance, performance, security

  • Framework selection: Automatic based on tech stack (Jest, pytest, JUnit, etc.)

  • Risk-based coverage: Critical (90%), High (85%), Medium (80%), Low (75%)

  • Automation strategy: CI/CD integration, priority areas, tools matrix

  • 5-phase timeline: Strategy, environment, development, execution, validation

๐Ÿ”’ Security Code Review (security_review_code):

  • 10+ security rules: SQL injection, XSS, hardcoded secrets, weak crypto

  • CWE/OWASP mapping: Links findings to industry standards

  • Risk scoring: 0-100 scale based on severity (Critical: 40, High: 20, Medium: 5, Low: 1)

  • Secure patterns: KB-backed recommendations for remediation

  • Compliance notes: OWASP Top 10, penetration testing, logging

Coverage Metrics (Automated)

Metric

Target

Calculation

Requirements

90-95%

Complete user stories with acceptance criteria

Security

85-95%

Threats with defined mitigations

Testing

85-90%

Test cases vs expected (3 per story)

Architecture

85-90%

Components with defined interfaces

Overall

85-95%

Weighted average (Req: 25%, Sec: 30%, Test: 25%, Arch: 20%)

Sprint Planning:

  • Velocity-based backlog selection

  • Task breakdown (design, development, testing, security)

  • Timeline generation with Gantt charts

  • Risk analysis and capacity planning

See PHASE2-SUMMARY.md for complete documentation.

License

MIT

A
license - permissive license
-
quality - not tested
C
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
โ€“Release cycle
1Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/vuongdat67/mcp-ssdlc-security-toolkit'

If you have feedback or need assistance with the MCP directory API, please join our Discord server