Labsco
CallMarcus logo

SSC MCP Server

from CallMarcus

MCP server for SecurityScorecard, with hybrid semantic search over all 628 API endpoints.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

SSC MCP Server

npm version License: MIT

A community-built, comprehensive Model Context Protocol (MCP) server that integrates with the SecurityScorecard API. It runs over stdio, so it works with any MCP-compatible client โ€” Claude Desktop, Claude Code, Cursor, VS Code, and others.

Published on npm as @callmarcus/securityscorecard-mcp and listed in the MCP Registry as io.github.CallMarcus/securityscorecard-mcp.

Disclaimer: This is an independent, community-built open-source project. It is not affiliated with, endorsed by, sponsored by, or associated with SecurityScorecard, Inc. in any way. It is built solely against SecurityScorecard's publicly available API documentation. "SecurityScorecard" and all related names, marks, and logos are trademarks of SecurityScorecard, Inc. and are used here for identification purposes only. You must supply your own API credentials and comply with SecurityScorecard's terms of service.

Available Tools

The server (index.js) provides 9 specialized tools:

ToolPurpose
security_dashboardScore, grade, and key security metrics
analyze_security_risksIssue prioritization and risk analysis
create_improvement_planActionable remediation roadmaps
discover_assetsAsset inventory with security context
analyze_email_securitySPF/DMARC/DKIM analysis
api_discoverySearch 507 API endpoints with hybrid semantic/keyword search
analyze_issue_typesGranular issue type breakdowns
validate_data_completenessCross-tool data verification
query_security_dataDirect API access with discovery

Response Modes

Each tool supports three response modes for token efficiency:

  • minimal - Quick answers (15-50 tokens)
  • standard - Overview with context (200-300 tokens)
  • detailed - Comprehensive analysis (800+ tokens)

Environment Variables

VariableRequiredDescription
SECURITY_SCORECARD_API_TOKENYesYour API token
COMPANY_DOMAINNoDefault domain for queries
DEBUG_MODENoSet true for verbose logging

Optional rate limiting and caching:

REQUEST_CACHE_TTL_MS=300000
REQUESTS_PER_INTERVAL=5
REQUEST_INTERVAL_MS=1000

API Discovery

The server includes hybrid search (semantic + keyword) for finding SecurityScorecard API endpoints:

Use api_discovery to search for "email security"

This searches 507 indexed endpoints and returns matching paths with confidence scores, required parameters, and curl examples.

To update the API reference after changes:

npm run api:embed    # Regenerate semantic embeddings
npm run api:update   # Regenerate docs + embeddings

Development

Build Commands

npm run build:fast   # Recommended - uses esbuild (~130ms)
npm run build        # TypeScript compiler (may OOM on some systems)
npm test             # Run tests

Project Structure

src/
  index.ts               # MCP server (9 tools)
  api/client.ts          # SecurityScorecard API client
  integration/           # API discovery system
docs/api/                # Self-contained API reference
  index.jsonl            # Endpoint index (507 endpoints)
  index-embeddings.json  # Semantic search embeddings
build/                   # Compiled JavaScript

Testing

npm test             # Run test suite

Links