- Introduction
- Glossary
- Architecture
- MCP Servers
- Getting Started
- MCP Host Setup
- Running Locally
- Tools Reference
- FAQ
MCP (Model Context Protocol) servers are designed to process structured requests from AI agents, perform domain-specific operations, and return context-aware responses. The ComplianceCow MCP servers enable seamless integration with MCP-compatible hosts like Claude Desktop and Goose Desktop/CLI for secure, modular, and intelligent compliance automation.
| Keyword | Description | Example |
|---|---|---|
| Control | A compliance or security control that needs to be implemented to ensure adherence to regulations, standards, and policies | Ensure MFA is enabled for all users |
| Assessment | A collection of controls organized hierarchically, representing an industry standard or cybersecurity framework | PCI DSS 4.0 |
| Assessment Run | The verification of controls in an assessment for a given time period, including evidence collection | - |
| Check | A rule or verification for compliance or conformance | Check if MFA is enabled for all AWS users |
| Resource Type | Category or class of resources | AWS EC2, AWS S3 |
| Resource | Instance of a resource type for which checks are performed | Specific EC2 instances, GitHub repositories |
| Asset | A group of resources of various types | AWS services, Kubernetes, GitHub |
| Evidence | Data aggregated through checks against resources for a given control | CSV file with AWS users and their MFA status |
| Action | Activity (automated or manual) to respond or remediate based on conditions | Create a JIRA ticket for non-compliant EC2 instance |
| Rule | A reusable automation unit that executes tasks and generates evidence | AWS MFA Compliance Check Rule |
| Workflow | An event-driven automation sequence with conditions and activities | Alert workflow on critical finding |
The ComplianceCow MCP servers support the STDIO transport mechanism for seamless local integration with your MCP host. At the core is the Compliance Graph, which continuously ingests data such as assessment runs, evidence, and compliance status. The server actively pulls information from:
- Vector stores for semantic search
- Relational databases for structured data
- Graph databases for relationship queries
- File storage systems for evidence artifacts
We have organized ComplianceCow’s MCP tools into 4 distinct servers.
Why multiple MCP servers? In the MCP ecosystem, using fewer tools per server yields better results and better performance.
Each server can be enabled independently via theMCP_TOOLS_TO_BE_INCLUDEDenvironment variable.
Important: Enable only one server at a time in the MCP Host to avoid tool name conflicts. Some tools share the same name across servers but have different implementations based on the use case.
The Rules server enables creating, managing, and executing compliance rules. It provides a comprehensive toolkit for rule creation with guided input collection, task orchestration, and ComplianceCow integration.
Use Cases:
- Create custom compliance rules with multiple tasks
- Execute rules against cloud infrastructure
- Publish rules to ComplianceCow and attach to controls
- Generate rule documentation (design notes, README)
The Insights server provides comprehensive access to compliance data, dashboards, assessments, and evidence through the Compliance Graph. Ideal for querying and analyzing compliance posture.
Use Cases:
- Query dashboard data for compliance overview
- Explore assessments and their runs
- Retrieve evidence and compliance status
- Execute Cypher queries on the Compliance Graph
- Perform actions on controls and evidence
The Workflow server enables building and executing automated compliance workflows with event-driven triggers, conditions, and activities.
Use Cases:
- Create automated compliance workflows
- Define event triggers and conditions
- Execute multi-step workflow sequences
- Manage workflow states and transitions
The Assistant server specializes in assessment configuration, control setup, and SQL-based evidence collection. It provides tools for configuring compliance assessments and managing control evidence.
Use Cases:
- Create and configure assessments
- Set up control configurations with context entities
- Create SQL-based evidence collection
- Manage control citations and documentation
-
MCP Host: You need an MCP-compatible host:
-
Python: Version 3.11 or higher
-
uv Package Manager: Required to run the MCP server
The ComplianceCow MCP servers use OAuth 2.0 with client_credentials grant type.
To obtain credentials:
- Sign up at ComplianceCow (or your dedicated instance)
- Click "Manage Client Credentials" in the top-right user profile menu
- Fill out the form to obtain your Client ID and Client Secret
-
Clone the repository:
git clone https://github.com/ComplianceCow/cow-mcp.git cd cow-mcp -
Create virtual environment and install dependencies:
uv venv .venv source .venv/bin/activate # On Windows: .venv\Scripts\activate uv pip install .
-
Find your uv binary path (needed for configuration):
which uv # On macOS/Linux where uv # On Windows
| Variable | Description | Required |
|---|---|---|
CCOW_HOST |
ComplianceCow API host URL (Ex: https://partner.compliancecow.live) | Yes |
CCOW_CLIENT_ID |
Your Client ID (see Authentication section above) | Yes |
CCOW_CLIENT_SECRET |
Your Client Secret (see Authentication section above) | Yes |
Configuration file location:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
For detailed setup instructions, see Claude Desktop MCP Setup.
Configuration template for all 4 servers:
{
"mcpServers": {
"ComplianceCow-Rules": {
"command": "<UV_BIN_PATH>",
"args": [
"--directory",
"<PATH_TO_COW_MCP_REPO>",
"run",
"main.py"
],
"env": {
"CCOW_HOST": "<YOUR_CCOW_HOST>",
"CCOW_CLIENT_ID": "<YOUR_CLIENT_ID>",
"CCOW_CLIENT_SECRET": "<YOUR_CLIENT_SECRET>",
"MCP_TOOLS_TO_BE_INCLUDED": "rules"
}
},
"ComplianceCow-Insights": {
"command": "<UV_BIN_PATH>",
"args": [
"--directory",
"<PATH_TO_COW_MCP_REPO>",
"run",
"main.py"
],
"env": {
"CCOW_HOST": "<YOUR_CCOW_HOST>",
"CCOW_CLIENT_ID": "<YOUR_CLIENT_ID>",
"CCOW_CLIENT_SECRET": "<YOUR_CLIENT_SECRET>",
"MCP_TOOLS_TO_BE_INCLUDED": "insights"
}
},
"ComplianceCow-Workflow": {
"command": "<UV_BIN_PATH>",
"args": [
"--directory",
"<PATH_TO_COW_MCP_REPO>",
"run",
"main.py"
],
"env": {
"CCOW_HOST": "<YOUR_CCOW_HOST>",
"CCOW_CLIENT_ID": "<YOUR_CLIENT_ID>",
"CCOW_CLIENT_SECRET": "<YOUR_CLIENT_SECRET>",
"MCP_TOOLS_TO_BE_INCLUDED": "workflow"
}
},
"ComplianceCow-Assistant": {
"command": "<UV_BIN_PATH>",
"args": [
"--directory",
"<PATH_TO_COW_MCP_REPO>",
"run",
"main.py"
],
"env": {
"CCOW_HOST": "<YOUR_CCOW_HOST>",
"CCOW_CLIENT_ID": "<YOUR_CLIENT_ID>",
"CCOW_CLIENT_SECRET": "<YOUR_CLIENT_SECRET>",
"MCP_TOOLS_TO_BE_INCLUDED": "assistant"
}
}
}
}Replace the following placeholders:
UV_BIN_PATH: Path to your uv binary (e.g.,/Users/username/.local/bin/uv). You can find this by runningwhich uv(macOS/Linux) orwhere uv(Windows).PATH_TO_COW_MCP_REPO: The absolute path to your cloned cow-mcp repository. After cloning and runningcd cow-mcp, usepwd(macOS/Linux) orcd(Windows) to get this path.YOUR_CCOW_HOST: https://partner.compliancecow.live (or <your_dedicated_instance_hosturl>)YOUR_CLIENT_ID: Your ComplianceCow Client ID (see Authentication)YOUR_CLIENT_SECRET: Your ComplianceCow Client Secret (see Authentication)
For detailed setup instructions, see Goose Extensions Documentation.
Configuration file location:
- macOS/Linux:
~/.config/goose/config.yaml - Windows:
%APPDATA%\goose\config.yaml
Configuration template for all 4 servers:
extensions:
ComplianceCow-Rules:
enabled: true
type: stdio
name: Compliancecow-Rules
description: 'ComplianceCow Rules - Create and manage compliance rules'
cmd: <UV_BIN_PATH>
args:
- --directory
- <PATH_TO_COW_MCP_REPO>
- run
- main.py
envs:
CCOW_HOST: <YOUR_CCOW_HOST>
CCOW_CLIENT_ID: <YOUR_CLIENT_ID>
CCOW_CLIENT_SECRET: <YOUR_CLIENT_SECRET>
MCP_TOOLS_TO_BE_INCLUDED: rules
timeout: 300
ComplianceCow-Insights:
enabled: true
type: stdio
name: Compliancecow-Insights
description: 'ComplianceCow Insights - Query compliance data and dashboards'
cmd: <UV_BIN_PATH>
args:
- --directory
- <PATH_TO_COW_MCP_REPO>
- run
- main.py
envs:
CCOW_HOST: <YOUR_CCOW_HOST>
CCOW_CLIENT_ID: <YOUR_CLIENT_ID>
CCOW_CLIENT_SECRET: <YOUR_CLIENT_SECRET>
MCP_TOOLS_TO_BE_INCLUDED: insights
timeout: 300
ComplianceCow-Workflow:
enabled: true
type: stdio
name: Compliancecow-Workflow
description: 'ComplianceCow Workflow - Build and execute compliance workflows'
cmd: <UV_BIN_PATH>
args:
- --directory
- <PATH_TO_COW_MCP_REPO>
- run
- main.py
envs:
CCOW_HOST: <YOUR_CCOW_HOST>
CCOW_CLIENT_ID: <YOUR_CLIENT_ID>
CCOW_CLIENT_SECRET: <YOUR_CLIENT_SECRET>
MCP_TOOLS_TO_BE_INCLUDED: workflow
timeout: 300
ComplianceCow-Assistant:
enabled: true
type: stdio
name: Compliancecow-Assistant
description: 'ComplianceCow Assistant - Configure assessments and controls'
cmd: <UV_BIN_PATH>
args:
- --directory
- <PATH_TO_COW_MCP_REPO>
- run
- main.py
envs:
CCOW_HOST: <YOUR_CCOW_HOST>
CCOW_CLIENT_ID: <YOUR_CLIENT_ID>
CCOW_CLIENT_SECRET: <YOUR_CLIENT_SECRET>
MCP_TOOLS_TO_BE_INCLUDED: assistant
timeout: 300Replace the following placeholders:
UV_BIN_PATH: Path to your uv binary (e.g.,/Users/username/.local/bin/uv). You can find this by runningwhich uv(macOS/Linux) orwhere uv(Windows).PATH_TO_COW_MCP_REPO: The absolute path to your cloned cow-mcp repository. After cloning and runningcd cow-mcp, usepwd(macOS/Linux) orcd(Windows) to get this path.YOUR_CCOW_HOST: https://partner.compliancecow.live (or <your_dedicated_instance_hosturl>)YOUR_CLIENT_ID: Your ComplianceCow Client ID (see Authentication)YOUR_CLIENT_SECRET: Your ComplianceCow Client Secret (see Authentication)
To verify the MCP server is properly set up before configuring your MCP host:
# Navigate to the cow-mcp directory
cd /path/to/cow-mcp
# Set required environment variables
export CCOW_HOST="https://partner.compliancecow.live"
export CCOW_CLIENT_ID="<your_client_id>"
export CCOW_CLIENT_SECRET="<your_client_secret>"
export MCP_TOOLS_TO_BE_INCLUDED="rules" # or insights, workflow, assistant
# Run the server
uv run main.pyIf the server starts without errors, you're ready to configure your MCP host.
| Tool | Description |
|---|---|
get_tasks_summary |
Retrieve available tasks for rule creation |
get_task_details |
Get detailed task information including inputs/outputs |
fetch_tasks_suggestions |
Intelligent task suggestions based on requirements |
get_rules_summary |
List all available rules in the catalog |
fetch_rules_suggestions |
Suggest matching rules to avoid duplicates |
create_rule |
Create a new rule with tasks and I/O mapping |
fetch_rule |
Retrieve complete rule structure by name |
check_rule_status |
Check rule completion level |
prepare_input_collection_overview |
Overview of required inputs before collection |
get_template_guidance |
Guidance for template-based inputs |
collect_template_input |
Collect file/template inputs with validation |
confirm_template_input |
Confirm and process template input |
collect_parameter_input |
Collect primitive parameter values |
confirm_parameter_input |
Confirm and store parameter values |
upload_file |
Upload files with format validation |
verify_collected_inputs |
Verify all inputs before execution |
execute_task |
Execute a specific task with collected inputs |
execute_rule |
Execute complete rule with credentials |
fetch_execution_progress |
Monitor live execution progress |
fetch_output_file |
Fetch output files from execution |
fetch_cc_rule_by_id |
Fetch rule from ComplianceCow by ID |
fetch_cc_rule_by_name |
Fetch rule from ComplianceCow by name |
fetch_cc_rules_list |
List published ComplianceCow rules |
publish_rule |
Publish rule to ComplianceCow |
fetch_assessments |
Retrieve available assessments |
fetch_leaf_controls_of_an_assessment |
Fetch attachable controls from assessment |
verify_control_in_assessment |
Verify control is attachable |
attach_rule_to_control |
Attach published rule to control |
get_applications_for_tag |
Get applications for specific tag |
get_application_info |
Get application details and credential types |
fetch_applications |
Fetch all available applications |
prepare_applications_for_execution |
Prepare application configuration |
check_applications_publish_status |
Check application publication status |
publish_application |
Publish applications for rule execution |
add_unique_identifier_to_task |
Add unique identifier to task |
configure_rule_output_schema |
Configure standard/extended output schema |
generate_design_notes_preview |
Generate Jupyter notebook design notes |
create_design_notes |
Save design notes |
fetch_rule_design_notes |
Fetch existing design notes |
generate_rule_readme_preview |
Generate comprehensive README |
create_rule_readme |
Save README |
update_rule_readme |
Update existing README |
list_assets |
List integration plans/assets |
list_checks |
List checks for an asset |
get_asset_control_hierarchy |
Get control hierarchy for asset |
create_asset_and_check |
Create asset with initial check |
add_check_to_asset |
Add check to existing asset |
schedule_asset_execution |
Schedule automated asset execution |
list_asset_schedules |
List schedules for an asset |
delete_asset_schedule |
Delete asset schedule |
suggest_control_config_citations |
Suggest control citations |
add_citation_to_asset_control |
Attach citation to control |
verify_control_automation |
Verify control automation status |
create_control_note |
Create documentation note on control |
list_control_notes |
List control notes |
update_control_config_note |
Update control note |
create_support_ticket |
Create support tickets |
check_rule_publish_status |
Check rule publication status |
read_file |
Read local file content |
read_resource |
Read resource URI content |
create_downloadable_file |
Create downloadable file URL |
| Tool | Description |
|---|---|
list_all_assessment_categories |
List all assessment categories |
list_assessments |
List assessments by category/name |
fetch_recent_assessment_runs |
Fetch recent assessment runs |
fetch_assessment_runs |
Fetch runs with pagination |
fetch_assessment_run_details |
Get control details from run |
fetch_assessment_run_leaf_controls |
Get leaf controls from run |
fetch_run_controls |
Get controls by name |
fetch_run_control_meta_data |
Get control metadata |
fetch_assessment_run_leaf_control_evidence |
Get evidence for controls |
fetch_controls |
Fetch control information |
fetch_evidence_records |
Get evidence records with filtering |
fetch_evidence_record_schema |
Get evidence schema |
fetch_available_control_actions |
Fetch available control actions |
fetch_assessment_available_actions |
Fetch assessment actions |
fetch_evidence_available_actions |
Fetch evidence actions |
fetch_general_available_actions |
Fetch general actions |
fetch_automated_controls_of_an_assessment |
Fetch automated controls |
execute_action |
Execute action on control/evidence |
list_assets |
List all assets |
fetch_assets_summary |
Get asset summary statistics |
fetch_resource_types |
Get resource types with pagination |
fetch_checks |
Get checks for resource type |
fetch_resources |
Get resources with pagination |
fetch_resources_by_check_name |
Get resources by check name |
fetch_checks_summary |
Get checks summary statistics |
fetch_resources_summary |
Get resources summary statistics |
fetch_resources_by_check_name_summary |
Get resources summary by check |
fetch_resource_types_summary |
Get resource types summary |
get_dashboard_review_periods |
Get available review periods |
get_dashboard_data |
Get comprehensive dashboard data |
fetch_dashboard_framework_controls |
Get framework controls |
fetch_dashboard_framework_summary |
Get framework summary |
get_dashboard_common_controls_details |
Get common control details |
get_top_over_due_controls_detail |
Get top overdue controls |
get_top_non_compliant_controls_detail |
Get top non-compliant controls |
fetch_unique_node_data_and_schema |
Fetch graph node data and schema |
execute_cypher_query |
Execute Cypher query on graph |
help |
Get help information |
read_file |
Read local file content |
read_resource |
Read resource URI content |
create_downloadable_file |
Create downloadable file URL |
| Tool | Description |
|---|---|
list_workflow_event_categories |
List workflow event categories |
list_workflow_events |
List available trigger events |
list_workflow_activity_types |
List available activity types |
list_workflow_function_categories |
List function categories |
list_workflow_functions |
List available functions |
list_workflow_tasks |
List available workflow tasks |
list_workflow_condition_categories |
List condition categories |
list_workflow_conditions |
List available conditions |
list_workflow_predefined_variables |
List predefined variables |
list_workflow_rules |
List available workflow rules |
create_workflow |
Create workflow from YAML |
list_workflows |
List all workflows |
get_workflow_by_name |
Get workflow by name |
fetch_workflow_details |
Fetch complete workflow details |
modify_workflow |
Update workflow implementation |
update_workflow_summary |
Update workflow description |
update_workflow_mermaid_diagram |
Update workflow diagram |
fetch_workflow_resource_data |
Fetch resource data for execution |
create_workflow_custom_event |
Create custom trigger event |
trigger_workflow |
Trigger workflow execution |
fetch_workflow_rule |
Fetch workflow rule by name |
fetch_task_readme |
Fetch task README |
fetch_rule_readme |
Fetch rule README |
| Tool | Description |
|---|---|
create_assessment |
Create assessment from YAML |
list_assessments |
List all assessments |
list_assessment_control_configs |
List control configurations |
create_control_config |
Create control configuration |
update_control_config_contexts |
Update control context entities |
attach_citation_to_control_config |
Attach citation to control |
suggest_control_config_citations |
Suggest relevant citations |
mark_control_ready_for_execution |
Mark control ready for execution |
create_sql_query_evidence |
Create SQL-based evidence |
list_sql_query_evidence |
List SQL evidence for control |
update_sql_query_evidence |
Update SQL evidence |
validate_sql_query |
Validate SQL query syntax |
get_evidence_sample_data |
Get sample evidence data |
fetch_control_source_summary |
Fetch evidence source summary |
create_control_config_note |
Create control config note |
list_control_config_notes |
List control config notes |
update_control_config_note |
Update control config note |
get_entity_hierarchy |
Get entity hierarchy |
get_context_tables |
Get available context tables |
fetch_rule_readme |
Fetch rule README |
1. How do I sign up for ComplianceCow?
Visit ComplianceCow Signup to create an account using various sign-up options including Google, Microsoft, and OTP.
2. What value does ComplianceCow deliver?
ComplianceCow helps with automated security compliance evidence collection, analysis, and remediation challenges. It's a security GRC controls automation studio for custom controls and workflows. Learn more at compliancecow.com.
3. Why are there 4 separate servers?
MCP works best with fewer tools per server. Splitting into 4 servers (Rules, Insights, Workflow, Assistant) ensures optimal performance and allows you to enable only the tools you need for specific use cases.
4. What if some tools have the same name across servers?
Some tools share the same name but have different implementations. Enable only one server at a time to avoid conflicts. The tool behavior is determined by the MCP_TOOLS_TO_BE_INCLUDED env.
5. How do I update the MCP server?
cd /path/to/cow-mcp
git pull origin main
uv pip install .Then restart your MCP host (Claude Desktop or Goose).
6. Where can I get help?
- Create an issue on GitHub
- Contact ComplianceCow support through the platform