com.ayurak/aribot-mcp
Official14 toolsThreat modeling, code, API & cloud security, shadow-AI & compliance governance.
Analyzes security threats in code, APIs, and cloud infrastructure with compliance governance.
Captured live from the server via tools/list.
generate_threat_model
Create a threat model from a normalized architecture (ReactFlow nodes + edges). Ingests components via the shared Stage-0 service; the pipeline then auto-generates threats. Returns the diagram id.
Parameters (3)
- namestring
Threat model name
- nodesarrayrequired
ReactFlow nodes (each: id, position, data.label)
- edgesarray
ReactFlow edges
verify_threats_in_code
Verify whether threats are mitigated in a scan's uploaded code. With `threat_id`, verifies one threat synchronously and returns the verdict; without it, verifies every diagram threat in the background. Wraps code_review ThreatVerificationService.
Parameters (5)
- scan_idstringrequired
CodeReviewScan id (uuid)
- threat_idstring
Optional: a single threat id or code
- repository_idstring
Optional connected repo to fetch code from
- code_contentstring
Optional inline code context
- async_boolean
get_traceability
Return the diagram→threat→finding→control→requirement→remediation traceability matrix for a scan in your scope, with coverage metrics.
Parameters (1)
- scan_idstringrequired
Code-review scan id
get_framework_coverage
Compliance-framework coverage for a diagram (real, ControlCodeMap-backed), optionally for one framework, plus an optional crossmap relationship graph. Wraps derive_framework_coverage + crossmap_cypher.build_graph.
Parameters (3)
- diagram_idstringrequired
Diagram pk or uuid
- frameworkstring
Optional framework filter (e.g. 'NIST-800-53', 'SOC2')
- include_graphboolean
Also return the crossmap node/edge graph
get_remediation
Compute a remediation plan for a threat/finding WITHOUT applying it (mode=dry_run). Runs the same governed engine as apply_remediation, including the patent gates, and returns the proposed steps.
Parameters (3)
- threat_idstringrequired
Threat id/code to remediate
- rule_idstringrequired
Policy/rule id (e.g. AWS_S3_PUBLIC_ACCESS)
- resource_contextobject
provider/resource_id/region/account_id/metadata
compliance_status
Company-level compliance posture rollup (pass rate, control compliance, mitigated counts, per-framework coverage). Suitable for a CI gate. Wraps the traceability company rollup.
Parameters (2)
- scan_idstring
Optional anchor scan; latest is used if omitted
- diagram_idstring
Optional diagram to add framework coverage for
discover_shadow_ai
Shadow-AI posture (part of Code Security): unsanctioned / unknown AI-service usage discovered in code — totals, risk score, provider/type breakdown, hardcoded-key count, and top discoveries. Company latest, or one scan with `scan_id`. Reads code_review ShadowAIReport/ShadowAIDiscovery.
Parameters (2)
- scan_idstring
Optional CodeReviewScan id; company-wide latest if omitted
- limitinteger
Max discoveries to return
get_api_security
API security inventory (part of Code Security): discovered API endpoints with authentication status, risk level and risk factors, plus method/risk breakdowns. Company-wide or one scan with `scan_id`. Reads code_review ApiEndpointDiscovery.
Parameters (2)
- scan_idstring
Optional CodeReviewScan id; company-wide if omitted
- limitinteger
Max endpoints to return
get_cloud_compliance
Cloud security & compliance posture (Cloud Compliance): per connected cloud account, the latest CIS/NIST cloud-policy scan — compliance %, failing policies/records, status — plus a company rollup. Reads customers.Account.latest_scan -> compliances.ScanResults.
Parameters (1)
- account_idstring
Optional single cloud Account id; all company accounts if omitted
code_review_scan
Start (or re-run) a code-security scan for an existing scan/repository in your scope. Returns a poll pointer; results include SAST, secrets, deps, pipeline review and the traceability matrix.
Parameters (1)
- scan_idstringrequired
Id of an existing code-review scan to (re)run
compliance_scan
Run a cloud/platform or compliance scan against an account or diagram in your scope (async). scan_type ∈ platform|compliance|pipeline|sbom. Returns a task id to poll.
Parameters (7)
- scan_typestringrequired
platform | compliance | pipeline | sbom
- account_idstring
Cloud account id (account-scoped scans)
- diagram_idstring
Diagram id/uuid (diagram-scoped scans)
- frameworksarray
Optional standard/framework ids to scope the scan
- severity_filterarray
Optional severity levels to include
- simulation_modeboolean
Dry-run the scan without side effects
- sourcestring
Scan source (default: hybrid)
apply_remediation
Apply a remediation for real (mode=live). Routed through the full governance funnel — patent reachability/kill-chain gates, autonomy policy and the approval flow. If your policy requires approval it returns 'requires_approval' rather than acting.
Parameters (3)
- threat_idstringrequired
Threat id/code to remediate
- rule_idstringrequired
Policy/rule id (e.g. AWS_S3_PUBLIC_ACCESS)
- resource_contextobject
provider/resource_id/region/account_id/metadata
get_diagram_summary
The canonical diagram summary every badge/card/header reads: threat counts by severity, risk value, compliance and framework coverage.
Parameters (1)
- diagram_idstringrequired
Diagram id/uuid
get_insights
Threat/control matrix metrics + framework coverage for a diagram, joined with its latest code-security scan when one exists.
Parameters (1)
- diagram_idstringrequired
Diagram id/uuid
README not available yet.
Install
claude_desktop_config.json
{
"mcpServers": {
"aribot-mcp": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://mcp.aribot.ayurak.com/"
]
}
}
}Desktop config is stdio-only; this bridges via mcp-remote. Native remote: Settings > Connectors.