Skip to content

Commit dc420d1

Browse files
committed
docs: update README with full Tier 1-3 features (24 tools, live NVD, MCP Top 10, STRIDE)
1 parent ce9cde8 commit dc420d1

1 file changed

Lines changed: 40 additions & 23 deletions

File tree

README.md

Lines changed: 40 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313

1414
---
1515

16-
Search and query **1,088+ security data points** through a single MCP interface — **418+ OWASP projects**, **345 ASVS requirements**, **111 WSTG test cases**, **113+ Cheat Sheets**, **Top 10 2021**, **API Security Top 10 2023**, **LLM Top 10 2025**, **Proactive Controls 2024**, **MASVS**, and **38 CWE entries** with cross-references and compliance mapping.
16+
Search and query **1,098+ security data points** through a single MCP interface — **418+ OWASP projects**, **345 ASVS requirements**, **111 WSTG test cases**, **113+ Cheat Sheets**, **Top 10 2021**, **API Security Top 10 2023**, **LLM Top 10 2025**, **MCP Top 10 2025**, **Proactive Controls 2024**, **MASVS**, **38 CWE entries**, and **live NVD/CVE data**with cross-references, compliance mapping, threat modeling, and MCP security assessment.
1717

1818
## Why owasp-mcp?
1919

@@ -23,12 +23,14 @@ Individual OWASP resources are scattered across dozens of repositories with diff
2323
- Cross-reference a CWE with Top 10 categories, ASVS requirements, and WSTG test cases
2424
- Look up any CWE by ID and see all OWASP mappings automatically
2525
- Map ASVS requirements to PCI-DSS, ISO 27001, and NIST 800-53 for compliance
26+
- Search live NVD for CVE vulnerabilities by keyword, CWE, or severity
27+
- Generate STRIDE-based threat models with OWASP mitigations
28+
- Assess MCP server deployments against the OWASP MCP Top 10
2629
- Generate security checklists tailored to your project type and depth
27-
- Assess any tech stack and get relevant OWASP security recommendations
2830
- Use pre-built prompt templates for guided security reviews and threat analysis
2931
- Browse all 418+ OWASP projects including Lab and Incubator — not just the Flagship ones
3032

31-
No API keys required. All data is fetched from public OWASP GitHub repositories.
33+
No API keys required for local data. NVD API works without a key (rate-limited) or with an optional `NVD_API_KEY` for higher throughput.
3234

3335
## Quick Start
3436

@@ -106,14 +108,16 @@ docker run --rm -i ghcr.io/zer0-kr/owasp-mcp
106108
| **Top 10 2021** | 10 | [OWASP/Top10](https://github.com/OWASP/Top10) |
107109
| **API Security Top 10 2023** | 10 | [OWASP API Security](https://owasp.org/API-Security/) |
108110
| **LLM Top 10 2025** | 10 | [OWASP GenAI](https://genai.owasp.org/llm-top-10/) |
111+
| **MCP Top 10 2025** | 10 | [OWASP MCP Top 10](https://owasp.org/www-project-mcp-top-10/) |
109112
| **Proactive Controls 2024** | 10 | [OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) |
110113
| **MASVS** | 23 | [OWASP/owasp-masvs](https://github.com/OWASP/owasp-masvs) |
111114
| **CWE Database** | 38 | [MITRE CWE](https://cwe.mitre.org/) |
112115
| **Cheat Sheets** | 113+ | [OWASP/CheatSheetSeries](https://github.com/OWASP/CheatSheetSeries) |
116+
| **NVD/CVE** | Live | [NVD API 2.0](https://nvd.nist.gov/developers/vulnerabilities) |
113117

114118
Project levels: **Flagship** (15) · **Production** (12+) · **Lab** (36) · **Incubator** (206+) · Retired
115119

116-
## Tools Reference (19 tools)
120+
## Tools Reference (24 tools)
117121

118122
### Project Discovery
119123

@@ -132,20 +136,30 @@ Project levels: **Flagship** (15) · **Production** (12+) · **Lab** (36) · **I
132136
| `get_top10` | Get Top 10 2021 items with descriptions and CWE mappings |
133137
| `get_api_top10` | Get API Security Top 10 2023 items with CWE mappings |
134138
| `get_llm_top10` | Get LLM Top 10 2025 items — AI/LLM-specific security risks |
139+
| `get_mcp_top10` | Get MCP Top 10 2025 — security risks specific to MCP server deployments |
135140
| `get_proactive_controls` | Get Proactive Controls 2024 — defensive measures for developers |
136141
| `get_masvs` | Query MASVS mobile security controls. Filter by `category` or `query` |
137142
| `get_cheatsheet` | Read a cheat sheet by `name` or list all 113+ available sheets |
138143

144+
### Vulnerability & CWE Lookup
145+
146+
| Tool | Description |
147+
|------|-------------|
148+
| `get_cwe` | Look up any CWE by ID — description, MITRE link, and auto OWASP cross-references across Top 10, API Top 10, and LLM Top 10 |
149+
| `search_cve` | Search the **live NVD** for CVEs by keyword, CWE ID, or CVSS severity |
150+
| `get_cve_detail` | Fetch full CVE details — CVSS score, description, weaknesses, references |
151+
139152
### Cross-Referencing & Assessment
140153

141154
| Tool | Description |
142155
|------|-------------|
143-
| `search_owasp` | Search across **all 10 data sources** at once |
156+
| `search_owasp` | Search across **all 11 local data sources** at once |
144157
| `cross_reference` | Map a `cwe` ID to Top 10 categories, ASVS requirements, and WSTG tests |
145-
| `get_cwe` | Look up any CWE by ID — description, MITRE link, and auto OWASP cross-references across Top 10, API Top 10, and LLM Top 10 |
146158
| `compliance_map` | Map ASVS chapters to **PCI-DSS 4.0**, **ISO 27001:2022**, and **NIST SP 800-53 Rev. 5** |
147159
| `assess_stack` | Input a tech stack (e.g., "React, Node.js, PostgreSQL") and get tailored security recommendations |
148160
| `generate_checklist` | Generate security testing checklists by project type (web/api/mobile/llm/full) and depth (basic/standard/comprehensive) |
161+
| `assess_mcp_security` | Assess an MCP server deployment against the OWASP MCP Top 10 security risks |
162+
| `threat_model` | Generate a **STRIDE-based threat model** for any system with OWASP mitigations |
149163

150164
### Database Management
151165

@@ -191,24 +205,26 @@ Structured data endpoints that MCP clients can read for context:
191205
192206
> Look up CWE-79 and show me all OWASP references
193207
208+
> Search NVD for critical log4j CVEs
209+
194210
> Map ASVS chapter V4 to PCI-DSS and ISO 27001
195211
196212
> Cross-reference CWE-918 with OWASP standards
197213
198-
> Get the OWASP Top 10 item for A03:2021
214+
> Generate a STRIDE threat model for my e-commerce API
215+
216+
> Assess my MCP server security: it uses shell exec, no auth, community plugins
217+
218+
> What are the MCP Top 10 security risks?
199219
200220
> What are the API Security Top 10 risks?
201221
202222
> Show me the LLM Top 10 for prompt injection
203223
204-
> What MASVS controls apply to cryptography?
205-
206224
> Assess the security of my stack: React, Node.js, PostgreSQL, REST API
207225
208226
> Generate a comprehensive security checklist for a web API project
209227
210-
> What Proactive Controls should I implement for access control?
211-
212228
> Show me the Input Validation cheat sheet
213229
```
214230

@@ -218,6 +234,7 @@ Structured data endpoints that MCP clients can read for context:
218234
|---------------------|---------|-------------|
219235
| `OWASP_MCP_DATA_DIR` | `~/.owasp-mcp` | Local database and cache directory |
220236
| `OWASP_MCP_UPDATE_INTERVAL` | `604800` (7 days) | Auto-refresh interval in seconds |
237+
| `NVD_API_KEY` | _(none)_ | Optional NVD API key for higher rate limits (50 req/30s vs 5 req/30s) |
221238

222239
## Architecture
223240

@@ -229,19 +246,17 @@ Structured data endpoints that MCP clients can read for context:
229246
│ stdio
230247
┌──────────────▼──────────────────┐
231248
│ owasp-mcp server │
232-
19 tools · 4 prompts · 6 rsrc │
249+
24 tools · 4 prompts · 6 rsrc │
233250
├─────────────────────────────────┤
234251
│ SQLite + FTS5 │
235-
│ Full-text search index (~885KB)│
236-
├─────────────────────────────────┤
237-
│ Collectors (10) │
238-
│ projects · asvs · wstg · top10│
239-
│ api_top10 · llm_top10 · masvs │
240-
│ proactive · cheatsheets · cwes│
241-
└──────────────┬──────────────────┘
242-
│ httpx (on build)
252+
│ Full-text search index (~930KB)│
253+
├──────────────┬──────────────────┤
254+
│ Collectors │ Live APIs │
255+
│ (11 local) │ NVD CVE 2.0 │
256+
└──────────────┴──────────────────┘
257+
│ httpx
243258
┌──────────────▼──────────────────┐
244-
OWASP GitHub Repos
259+
│ OWASP GitHub · MITRE NVD
245260
│ Raw JSON/Markdown (public) │
246261
└─────────────────────────────────┘
247262
```
@@ -253,7 +268,7 @@ git clone https://github.com/zer0-kr/owasp-mcp.git
253268
cd owasp-mcp
254269
pip install -e ".[dev]"
255270

256-
# Run tests (186 test cases)
271+
# Run tests (224 test cases across 38 groups)
257272
python tests/test_comprehensive.py
258273

259274
# Run server locally
@@ -268,19 +283,21 @@ src/owasp_mcp/
268283
├── config.py # Environment-based configuration
269284
├── db.py # SQLite FTS5 query helpers
270285
├── index.py # IndexManager — builds DB from collectors
286+
├── nvd.py # NVD API client (live CVE search)
271287
├── collectors/
272288
│ ├── projects.py # 418+ project metadata
273289
│ ├── asvs.py # ASVS 5.0 flat JSON
274290
│ ├── wstg.py # WSTG checklist JSON
275291
│ ├── top10.py # Top 10 2021 + CWE mappings
276292
│ ├── api_top10.py # API Security Top 10 2023
277293
│ ├── llm_top10.py # LLM Top 10 2025
294+
│ ├── mcp_top10.py # MCP Top 10 2025
278295
│ ├── proactive_controls.py # Proactive Controls 2024
279296
│ ├── masvs.py # MASVS mobile security
280297
│ ├── cwe_data.py # CWE database (38 entries)
281298
│ └── cheatsheets.py # Cheat Sheet index + on-demand content
282299
└── tools/
283-
└── owasp_tools.py # All 19 MCP tool definitions
300+
└── owasp_tools.py # All 24 MCP tool definitions
284301
```
285302

286303
## Contributing

0 commit comments

Comments
 (0)