@cloudcraftwithfranck/govcloud-mcp
Provides tools for auditing and securing GitHub Actions pipelines for DoD DevSecOps compliance, including artifact signing with Cosign.
Provides tools for auditing GitLab CI pipelines for DoD DevSecOps compliance, including compliance scoring and hardened YAML generation.
Generates production-ready Big Bang addon configurations for Keycloak within Platform One, including hardened values and Iron Bank image references.
Designs compliant Kubernetes landing zones (e.g., AKS) with Hub-Spoke topology, Bicep templates, and NIST control mapping for government workloads.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@@cloudcraftwithfranck/govcloud-mcpAnalyze this Bicep template for FedRAMP High compliance"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@cloudcraftwithfranck/govcloud-mcp
An MCP (Model Context Protocol) server providing 22 AI-powered tools for DoD/FedRAMP cloud engineering. Built for Claude Desktop, Cursor, VS Code, and any MCP-compatible AI client.
What It Does
Stop googling NIST controls and Iron Bank image paths. This server puts government cloud engineering knowledge directly into your AI assistant — compliance analysis, architecture design, Platform One Big Bang configuration, DevSecOps pipelines, and ATO documentation.
Grounded in Official Microsoft Sources
Unlike generic AI tools, this MCP server fetches content directly from Microsoft's official repositories at runtime:
Azure/Enterprise-Scale — The canonical ALZ reference implementation maintained by Microsoft's Azure engineering team. Policy definitions, architecture patterns, and landing zone templates are fetched live and injected as grounding context into every relevant tool call.
Policy Definitions — Real Azure Policy definition names and IDs from the official Enterprise Scale repository, not from training data. Always current.
Architecture Patterns — CAF-aligned design principles from the source of truth. Management Group hierarchies, subscription topologies, and hub-spoke network designs reference the same patterns Azure engineers use internally.
When you ask for a landing zone design or control narrative, the response is grounded in the same repository that powers the Azure Landing Zone Accelerator — not in static training data. Responses include an attribution footer linking to the source.
Quick Start
Prerequisites
Node.js 18+
Anthropic API key (get one here)
Install
npm install -g @cloudcraftwithfranck/govcloud-mcpOr run without installing:
npx @cloudcraftwithfranck/govcloud-mcpConfigure Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"govcloud": {
"command": "npx",
"args": ["-y", "@cloudcraftwithfranck/govcloud-mcp"],
"env": {
"ANTHROPIC_API_KEY": "sk-ant-your-key-here"
}
}
}
}Configure Cursor / VS Code
Add to your MCP settings:
{
"govcloud": {
"command": "npx",
"args": ["-y", "@cloudcraftwithfranck/govcloud-mcp"],
"env": {
"ANTHROPIC_API_KEY": "sk-ant-your-key-here"
}
}
}Tools Reference
Compliance (7 tools)
Tool | Description |
| Analyze Bicep templates for FedRAMP/IL compliance — compliance score, control gaps, security findings |
| Auto-remediate Bicep compliance violations — returns fixed template with annotations |
| Full NIST 800-53 Rev 5 control details with FedRAMP baselines, Azure inheritance, eMASS starters |
| Generate eMASS-ready third-person control implementation narratives (400-800 words) |
| Build POA&M entries from compliance gaps — eMASS-formatted with milestones and severity |
| Score ATO readiness 0-100 with 30/60/90 day remediation roadmap |
| Generate OSCAL 1.1.2 JSON/XML SSP fragments for eMASS machine-readable import |
Architecture (4 tools)
Tool | Description |
| Design complete Azure government landing zones with Hub-Spoke topology, Bicep, and compliance mapping |
| Select the right Azure service for government workloads with GCC High availability confirmation |
| GCC High-specific configuration requirements, undocumented limitations, and production workarounds |
| Generate complete private endpoint architecture with Bicep and private DNS zone configuration |
Platform One (4 tools)
Tool | Description |
| Validate Big Bang values.yaml against DoD IL requirements — scored with violations and hardened output |
| Generate fully hardened Big Bang values.yaml with Iron Bank digest-pinned images |
| Look up Iron Bank hardened images — registry path, digest, Cosign verification, pull secret config |
| Generate production-ready Big Bang addon configuration for any Platform One addon |
Pipeline (3 tools)
Tool | Description |
| Audit CI/CD pipelines for DoD DevSecOps compliance — scored with violations and hardened YAML |
| Configure artifact signing with Cosign/Sigstore/DoD PKI plus Kubernetes admission enforcement |
| DoD DevSecOps maturity scorecard against the Reference Design with prioritized improvement roadmap |
Documents (2 tools)
Tool | Description |
| Generate eMASS-ready SSP sections (system description, boundary, user types, interconnections, etc.) |
| Generate NIST 800-34 compliant Contingency Plans with Azure-specific recovery procedures |
Example Prompts
Compliance:
"Analyze this Bicep template for FedRAMP High compliance" (paste template)
"Write an eMASS control narrative for IA-2(12) for our AKS-based system in Azure Government"
"Generate a POA&M for these compliance findings: missing MFA enforcement, no audit logging on Key Vault, public storage endpoint"
Architecture:
"Design an IL4 landing zone for a containerized mission app with AKS, Key Vault, and Azure SQL"
"What's different about configuring AKS in GCC High vs Azure Government?"
"Generate private endpoint configuration for Key Vault, Storage, and ACR at FedRAMP High"
Platform One:
"Validate this Big Bang values.yaml for IL4 compliance" (paste values)
"Look up the Iron Bank image for nginx and give me the Cosign verification command"
"Generate hardened Big Bang addon config for Keycloak at IL4"
Pipeline:
"Audit this GitLab CI pipeline for IL4 DevSecOps compliance" (paste .gitlab-ci.yml)
"Configure Cosign keyless signing for our GitHub Actions pipeline targeting registry1.dso.mil"
Documents:
"Write the system description section of our SSP for a FedRAMP High AKS system"
"Generate a Contingency Plan for our system with RTO 4 hours, RPO 1 hour, using AKS, Key Vault, and Azure SQL"
Resources
The server also exposes these resources via the govcloud:// URI scheme:
govcloud://nist-800-53-rev5— NIST 800-53 Rev 5 control cataloggovcloud://azure-compliance-map— Azure service → NIST control mapping with IL availabilitygovcloud://ironbank-registry— Iron Bank image catalog with registry pathsgovcloud://fedramp-baselines— FedRAMP Low/Moderate/High and DoD IL control lists
Environment Variables
Variable | Required | Default | Description |
| Yes | — | Anthropic API key |
| No |
| Override site API base URL |
Development
git clone https://github.com/cloudcwfranck/govcloud-mcp
cd govcloud-mcp
npm install
cp .env.example .env
# Add your ANTHROPIC_API_KEY to .env
npm run build
npm startLicense
MIT — see LICENSE
Built by CloudCraft with Franck — Azure government cloud engineering for the DoD community.
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cloudcwfranck/govcloud-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server