Merge pull request #13 from VantaInc/showzeb/controls

Adding tools to fetch controls

Author: showzeb110

README.md

@@ -20,9 +20,12 @@ A <a href="https://modelcontextprotocol.com/"> Model Context Protocol </a> serve
 - Monitor framework completion progress and compliance status
 - Get specific control details that map to automated tests and required documentation
 
-### Document and Evidence Management
+### Security Control Management
 
-- Upload compliance documentation and evidence files required for audits
+- List all security controls across all compliance frameworks in your account
+- View control names, descriptions, framework mappings, and implementation status
+- Get specific tests that validate each security control
+- Understand which automated tests monitor compliance for specific controls
 
 ### Multi-Region Support
 
@@ -38,6 +41,8 @@ A <a href="https://modelcontextprotocol.com/"> Model Context Protocol </a> serve
 | `deactivate_test_entity` | Temporarily suppress alerts for a specific failing resource during planned maintenance, system updates, or while remediation is in progress. Requires a business justification and end date. Helps manage security alerts during planned operational activities without compromising audit trails.           |
 | `get_frameworks`         | List all compliance frameworks available in your Vanta account (SOC 2, ISO 27001, HIPAA, GDPR, FedRAMP, PCI, etc.) along with completion status and progress metrics. Shows which frameworks you're actively pursuing and their current compliance state.                                                    |
 | `get_framework_controls` | Get detailed security control requirements for a specific compliance framework. Returns the specific controls, their descriptions, implementation guidance, and current compliance status. Essential for understanding what security measures are required for each compliance standard.                     |
+| `get_controls`           | List all security controls across all frameworks in your Vanta account. Returns control names, descriptions, framework mappings, and current implementation status. Use this to see all available controls or to find a specific control ID for use with other tools.                                        |
+| `get_control_tests`      | Get all automated tests that validate a specific security control. Use this when you know a control ID and want to see which specific tests monitor compliance for that control. Returns test details, current status, and any failing entities for the control's tests.                                     |
 | `upload_document`        | Upload compliance documentation and evidence files to Vanta. Used for policy documents, procedures, audit evidence, and proof of security control implementation. Supports the documentation requirements needed for compliance audits and framework certification.                                          |
 
 ## Configuration

src/eval/README.md

@@ -40,7 +40,7 @@ OPENAI_API_KEY="your_openai_api_key_here" node build/eval/eval.js
 
 ## Test Cases
 
-The evaluation includes 9 test cases covering:
+The evaluation includes 11 test cases covering:
 
 ### ✅ **Tool Selection Tests**
 
@@ -51,6 +51,8 @@ The evaluation includes 9 test cases covering:
 - **Framework Listing**: `get_frameworks` for available frameworks
 - **Control Requirements**: `get_framework_controls` for specific framework details
 - **Status Percentage**: `get_frameworks` for completion percentages
+- **Control Listing**: `get_controls` for all security controls
+- **Control Tests**: `get_control_tests` for tests validating specific controls
 
 ### ❌ **Negative Tests**
 
@@ -75,8 +77,8 @@ The evaluation includes 9 test cases covering:
 
 📊 Final Results
 ================
-✅ Passed: 9/9 tests
-❌ Failed: 0/9 tests
+✅ Passed: 11/11 tests
+❌ Failed: 0/11 tests
 📈 Success Rate: 100%
 🎉 All tests passed! Tool calling behavior is working correctly.
 ```

src/eval/eval.ts

@@ -9,7 +9,10 @@ import {
   GetFrameworksTool,
   GetFrameworkControlsTool,
 } from "../operations/frameworks.js";
-import { UploadDocumentTool } from "../operations/documents.js";
+import {
+  GetControlsTool,
+  GetControlTestsTool,
+} from "../operations/controls.js";
 
 // Format all tools for OpenAI
 const tools = [
@@ -56,9 +59,17 @@ const tools = [
   {
     type: "function" as const,
     function: {
-      name: UploadDocumentTool.name,
-      description: UploadDocumentTool.description,
-      parameters: zodToJsonSchema(UploadDocumentTool.parameters),
+      name: GetControlsTool.name,
+      description: GetControlsTool.description,
+      parameters: zodToJsonSchema(GetControlsTool.parameters),
+    },
+  },
+  {
+    type: "function" as const,
+    function: {
+      name: GetControlTestsTool.name,
+      description: GetControlTestsTool.description,
+      parameters: zodToJsonSchema(GetControlTestsTool.parameters),
     },
   },
 ];
@@ -128,6 +139,18 @@ const testCases: TestCase[] = [
     expectedParams: {},
     description: "Should call get_frameworks to get SOC2 completion percentage",
   },
+  {
+    prompt: "List all security controls in my Vanta account",
+    expectedTool: "get_controls",
+    expectedParams: {},
+    description: "Should call get_controls to list all available controls",
+  },
+  {
+    prompt: "Show me the tests for control ID access-control-1",
+    expectedTool: "get_control_tests",
+    expectedParams: { controlId: "access-control-1" },
+    description: "Should call get_control_tests for specific control",
+  },
   {
     prompt: "What programming tests should I write for my API?",
     expectedTool: "none",

src/index.ts

@@ -15,6 +15,12 @@ import {
   getFrameworks,
 } from "./operations/frameworks.js";
 import { UploadDocumentTool, uploadDocument } from "./operations/documents.js";
+import {
+  GetControlsTool,
+  GetControlTestsTool,
+  getControls,
+  getControlTests,
+} from "./operations/controls.js";
 import { initializeToken } from "./auth.js";
 
 const server = new McpServer({
@@ -59,6 +65,20 @@ server.tool(
   getFrameworkControls,
 );
 
+server.tool(
+  GetControlsTool.name,
+  GetControlsTool.description,
+  GetControlsTool.parameters.shape,
+  getControls,
+);
+
+server.tool(
+  GetControlTestsTool.name,
+  GetControlTestsTool.description,
+  GetControlTestsTool.parameters.shape,
+  getControlTests,
+);
+
 server.tool(
   UploadDocumentTool.name,
   UploadDocumentTool.description,

src/operations/controls.ts

@@ -0,0 +1,115 @@
+import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
+import { baseApiUrl } from "../api.js";
+import { Tool } from "../types.js";
+import { z } from "zod";
+import { makeAuthenticatedRequest } from "./utils.js";
+
+const GetControlsInput = z.object({
+  pageSize: z
+    .number()
+    .describe("Number of controls to return (1-100, default 10)")
+    .optional(),
+  pageCursor: z.string().describe("Pagination cursor for next page").optional(),
+  frameworkMatchesAny: z
+    .array(z.string())
+    .describe(
+      "Filter controls by framework IDs. Returns controls that belong to any of the specified frameworks, e.g. ['soc2', 'iso27001', 'hipaa']",
+    )
+    .optional(),
+});
+
+export const GetControlsTool: Tool<typeof GetControlsInput> = {
+  name: "get_controls",
+  description:
+    "List all security controls across all frameworks in your Vanta account. Returns control names, descriptions, framework mappings, and current implementation status. Use this to see all available controls or to find a specific control ID for use with other tools. Optionally filter by specific frameworks using frameworkMatchesAny.",
+  parameters: GetControlsInput,
+};
+
+const GetControlTestsInput = z.object({
+  controlId: z
+    .string()
+    .describe(
+      "Control ID to get tests for, e.g. 'access-control-1' or 'data-protection-2'",
+    ),
+  pageSize: z
+    .number()
+    .describe("Number of tests to return (1-100, default 10)")
+    .optional(),
+  pageCursor: z.string().describe("Pagination cursor for next page").optional(),
+});
+
+export const GetControlTestsTool: Tool<typeof GetControlTestsInput> = {
+  name: "get_control_tests",
+  description:
+    "Get all automated tests that validate a specific security control. Use this when you know a control ID and want to see which specific tests monitor compliance for that control. Returns test details, current status, and any failing entities for the control's tests.",
+  parameters: GetControlTestsInput,
+};
+
+export async function getControls(
+  args: z.infer<typeof GetControlsInput>,
+): Promise<CallToolResult> {
+  const url = new URL("/v1/controls", baseApiUrl());
+
+  if (args.pageSize !== undefined) {
+    url.searchParams.append("pageSize", args.pageSize.toString());
+  }
+  if (args.pageCursor !== undefined) {
+    url.searchParams.append("pageCursor", args.pageCursor);
+  }
+  if (args.frameworkMatchesAny !== undefined) {
+    args.frameworkMatchesAny.forEach(framework => {
+      url.searchParams.append("frameworkMatchesAny", framework);
+    });
+  }
+
+  const response = await makeAuthenticatedRequest(url.toString());
+
+  if (!response.ok) {
+    return {
+      content: [
+        {
+          type: "text" as const,
+          text: `Error: ${response.statusText}`,
+        },
+      ],
+    };
+  }
+
+  return {
+    content: [
+      { type: "text" as const, text: JSON.stringify(await response.json()) },
+    ],
+  };
+}
+
+export async function getControlTests(
+  args: z.infer<typeof GetControlTestsInput>,
+): Promise<CallToolResult> {
+  const url = new URL(`/v1/controls/${args.controlId}/tests`, baseApiUrl());
+
+  if (args.pageSize !== undefined) {
+    url.searchParams.append("pageSize", args.pageSize.toString());
+  }
+  if (args.pageCursor !== undefined) {
+    url.searchParams.append("pageCursor", args.pageCursor);
+  }
+
+  const response = await makeAuthenticatedRequest(url.toString());
+
+  if (!response.ok) {
+    return {
+      content: [
+        {
+          type: "text" as const,
+          text: `Error: ${response.statusText}`,
+        },
+      ],
+    };
+  }
+
+  return {
+    content: [
+      { type: "text" as const, text: JSON.stringify(await response.json()) },
+    ],
+  };
+}