AI-native cloud security scanner via MCP — scan Kubernetes manifests, Dockerfiles, and AWS IAM policies for misconfigurations directly from Claude.
cloud-sentinel-mcp
AI-native Cloud Security Posture analyzer via the Model Context Protocol (MCP).
Scan Kubernetes manifests, Dockerfiles, and AWS IAM policies for misconfigurations — directly from Claude or any MCP client.
What is this?
cloud-sentinel-mcp is a stateless MCP server that exposes cloud security analysis as structured AI tools. Connect it to Claude Desktop or Claude Code and ask:
"Scan this Kubernetes deployment for security issues"
"Does my Dockerfile follow OWASP Container Top 10?"
"What's the blast radius if payment-service goes down?"
The server implements real-world security checks from:
- CIS Kubernetes Benchmark v1.8 — 9 pod-spec and RBAC controls
- OWASP Container Top 10 — 10 Dockerfile checks
- AWS IAM Least Privilege / NIST AC-6 — 7 IAM policy patterns
- Google SRE Book — blast radius and error budget analysis
All checks run locally with zero credentials required — perfect for CI pipelines, security reviews, and developer feedback loops.
Architecture
┌─────────────────────────────────────────────────────────┐
│                   MCP Client (Claude)                   │
│  "Scan this K8s manifest for CIS benchmark violations"  │
└──────────────────────────┬──────────────────────────────┘
                           │ MCP Protocol (stdio)
                           ▼
┌─────────────────────────────────────────────────────────┐
│                cloud-sentinel-mcp Server                │
│                                                         │
│  ┌──────────────┐  ┌───────────────┐  ┌──────────────┐  │
│  │    Tools     │  │   Resources   │  │   Prompts    │  │
│  │              │  │               │  │              │  │
│  │ analyze_k8s  │  │ cis-k8s-bench │  │ security-    │  │
│  │ analyze_     │  │ owasp-        │  │  review      │  │
│  │  dockerfile  │  │ container-10  │  │              │  │
│  │ analyze_iam  │  │ iam-patterns  │  │ incident-    │  │
│  │ blast_radius │  │               │  │  response    │  │
│  └──────┬───────┘  └───────────────┘  └──────────────┘  │
│         │                                               │
│  ┌──────▼────────────────────────────────────────────┐  │
│  │               Security Rule Engine                │  │
│  │  kubernetes.py │ dockerfile.py │ iam.py           │  │
│  │  blast_radius.py                                  │  │
│  └───────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────┘
MCP Capabilities
Tools
| Tool | Description | Checks |
|------|-------------|--------|
| analyze_kubernetes_manifest | Scan K8s YAML for security misconfigurations | CIS K8s Benchmark v1.8 §5.x |
| analyze_dockerfile | Scan Dockerfile for best-practice violations | OWASP Container Top 10 |
| analyze_iam_policy | Analyze AWS IAM policy for least-privilege violations | NIST AC-6, CIS AWS Foundations |
| estimate_blast_radius | Estimate downstream impact of a service failure | SRE fault isolation, SLO impact |
Resources
| URI | Content |
|-----|---------|
| security://cis-k8s-benchmarks | CIS Kubernetes Benchmark v1.8 control summaries |
| security://owasp-container-top10 | OWASP Docker/Container Top 10 descriptions |
| security://iam-policy-patterns | AWS IAM dangerous pattern reference table |
Prompts
| Name | Description |
|------|-------------|
| security-review | Full posture review — accepts any artifact type |
| incident-response | SRE incident triage runbook template |
Security Rules Reference
Kubernetes (analyze_kubernetes_manifest)
| Rule ID | Severity | Check | CIS Control |
|---------|----------|-------|-------------|
| K8S-SEC-001 | CRITICAL | Privileged container | §5.2.1 |
| K8S-SEC-002 | CRITICAL | Container running as root | §5.2.6 |
| K8S-SEC-003 | HIGH | Missing CPU/memory limits | §5.2.4 |
| K8S-SEC-004 | HIGH | automountServiceAccountToken not disabled | §5.1.6 |
| K8S-SEC-009 | HIGH | allowPrivilegeEscalation not disabled | §5.2.5 |
| K8S-SEC-005 | MEDIUM | Writable root filesystem | §5.2.3 |
| K8S-SEC-006 | MEDIUM | Missing liveness/readiness probes | — |
| K8S-SEC-007 | LOW | Image uses mutable tag | NIST SP 800-190 |
| K8S-RBAC-001 | CRITICAL | cluster-admin role binding | §5.1.1 |
| K8S-RBAC-002 | HIGH | Wildcard verb/resource in RBAC | §5.1.3 |
Dockerfile (analyze_dockerfile)
| Rule ID | Severity | Check | OWASP Control |
|---------|----------|-------|---------------|
| DF-SEC-001 | CRITICAL | No non-root USER instruction | D01 |
| DF-SEC-003 | CRITICAL | Secret hardcoded in ENV | D06 |
| DF-SEC-002 | HIGH | Base image uses mutable tag | D02 |
| DF-SEC-008 | HIGH | Secret in ARG instruction | D09 |
| DF-SEC-009 | HIGH | curl-pipe-shell pattern | D07 |
| DF-SEC-004 | MEDIUM | ADD used instead of COPY | D09 |
| DF-SEC-005 | MEDIUM | Missing HEALTHCHECK | D10 |
| DF-SEC-006 | LOW | Single-stage build | D07 |
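To show what four of these rules look like as code, here is an added sketch (not the project's dockerfile.py) covering DF-SEC-001, -002, -004 and -009 with multi-stage builds and line continuations handled. Assumptions: "mutable tag" means no tag or `:latest` without a digest pin, only the final stage's USER counts, and the function names and sample Dockerfile are constructed for illustration.

```python
import re

# Constructed sample Dockerfile (not taken from the project's examples/).
SAMPLE = """\
FROM python:latest AS build
RUN curl -fsSL https://example.com/install.sh \\
    | sh
ADD app.tar.gz /app
FROM build
USER root
"""
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")

def instructions(text):
    """Join backslash continuations, skip comments, yield (INSTRUCTION, args)."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            op, _, args = line.partition(" ")
            yield op.upper(), args.strip()

def mutable_base(image, stages):
    """True for an external image with no tag or :latest and no digest pin."""
    if image in stages or image == "scratch" or "@sha256:" in image:
        return False
    _, sep, tag = image.rsplit("/", 1)[-1].partition(":")
    return not sep or tag == "latest"

def check_dockerfile(text):
    """Return the sorted rule IDs (from the table above) that fire."""
    hits, stages, user = set(), set(), None
    for op, args in instructions(text):
        words = args.split()
        if op == "FROM":
            image = next((w for w in words if not w.startswith("--")), "")
            if mutable_base(image, stages):
                hits.add("DF-SEC-002")
            if len(words) >= 3 and words[-2].upper() == "AS":
                stages.add(words[-1])
            user = None  # USER is tracked per stage; only the final stage ships
        elif op == "USER" and words:
            user = words[0].split(":")[0]
        elif op == "ADD":
            hits.add("DF-SEC-004")
        elif op == "RUN" and PIPE_TO_SHELL.search(args):
            hits.add("DF-SEC-009")
    if user in (None, "root", "0"):
        hits.add("DF-SEC-001")
    return sorted(hits)
```

A `FROM` that names an earlier build stage or carries an `@sha256:` digest is not reported as a mutable tag, and a registry port such as `registry.local:5000/app` is not mistaken for a tag.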
IAM Policy (analyze_iam_policy)
| Rule ID | Severity | Check | Reference |
|---------|----------|-------|-----------|
| IAM-001 | CRITICAL | Action:* on Resource:* (full admin) | NIST AC-6, CIS §1.16 |
| IAM-002 | HIGH | Wildcard Action | NIST AC-6 |
| IAM-003 | HIGH | Sensitive write action on Resource:* | NIST AC-6(9) |
| IAM-006 | HIGH | iam:PassRole without Condition | AWS Best Practices |
| IAM-004 | MEDIUM | NotAction inversion | NIST AC-3 |
| IAM-005 | MEDIUM | NotResource inversion | NIST AC-3 |
| IAM-007 | MEDIUM | Sensitive actions without MFA condition | CIS AWS §1.14 |
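The structural IAM rules (IAM-001, -002, -004, -005, -006) can be evaluated on the policy JSON alone. The following is an added sketch, not the project's iam.py: the function names and the sample policy are constructed, and treating any `*` inside an action string as a "wildcard Action" is an assumption about how IAM-002 is scoped.

```python
import json

# Constructed sample policy (not from the project): an admin grant, a PassRole
# without a Condition, a NotAction inversion, and a Deny that must be ignored.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource; normalise it."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def check_iam_policy(policy):
    """Return (statement_index, rule_id) pairs for Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # case-insensitive
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((i, "IAM-001"))
        elif any("*" in a for a in actions):
            findings.append((i, "IAM-002"))
        if "NotAction" in stmt:
            findings.append((i, "IAM-004"))
        if "NotResource" in stmt:
            findings.append((i, "IAM-005"))
        if "iam:passrole" in actions and "Condition" not in stmt:
            findings.append((i, "IAM-006"))
    return findings
```

IAM-003 and IAM-007 need a curated list of sensitive actions, which this page does not enumerate, so they are left out here.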
Quick Start
Option 1: pip install
git clone https://github.com/sunilp303/cloud-sentinel-mcp
cd cloud-sentinel-mcp
pip install -e .
python -m cloud_sentinel.server
Option 2: Docker
docker run --rm -i ghcr.io/sunilp303/cloud-sentinel-mcp:latest
Option 3: uv (recommended)
uvx --from git+https://github.com/sunilp303/cloud-sentinel-mcp cloud-sentinel
Claude Desktop Integration
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or
%APPDATA%\Claude\claude_desktop_config.json (Windows):
{
  "mcpServers": {
    "cloud-sentinel": {
      "command": "python",
      "args": ["-m", "cloud_sentinel.server"],
      "env": {}
    }
  }
}
Then restart Claude Desktop. You can now use all tools directly in conversation.
Claude Code Integration
claude mcp add cloud-sentinel -- python -m cloud_sentinel.server
Example Usage
Scan the example bad deployment
Ask Claude:
"Use analyze_kubernetes_manifest to scan this manifest:"
Then paste the contents of examples/bad-deployment.yaml.
Example output:
{
  "target": "Deployment/vulnerable-app",
  "passed": false,
  "summary": {
    "CRITICAL": 2,
    "HIGH": 3,
    "MEDIUM": 3,
    "LOW": 1,
    "INFO": 1
  },
  "findings": [
    {
      "rule_id": "K8S-SEC-001",
      "severity": "CRITICAL",
      "title": "Container 'app': privileged mode enabled",
      "description": "Privileged containers have full access to the host kernel...",
      "remediation": "Remove securityContext.privileged: true...",
      "reference": "CIS Kubernetes Benchmark v1.8 §5.2.1"
    },
    ...
  ]
}
Estimate blast radius
estimate_blast_radius: what happens if payment-service fails?
Trigger the security-review prompt
In Claude Code: /mcp__cloud-sentinel__security-review with your manifest content.
Development
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# Lint
ruff check src/ tests/
# Type check
mypy src/
Project Structure
src/cloud_sentinel/
├── server.py            # MCP server — registers tools, resources, prompts
├── models.py            # Pydantic models: Finding, Severity, ScanResult
├── tools/
│   ├── kubernetes.py    # CIS K8s Benchmark checks
│   ├── dockerfile.py    # OWASP Container Top 10 checks
│   ├── iam.py           # AWS IAM least-privilege checks
│   └── blast_radius.py  # SRE blast radius analysis
├── resources/
│   └── benchmarks.py    # CIS/OWASP/IAM reference data
└── prompts/
    └── templates.py     # security-review + incident-response templates
Why MCP?
The Model Context Protocol is Anthropic's open standard for giving LLMs structured access to tools, data, and prompts. Unlike ad-hoc function calling, MCP provides:
- Discoverability — clients enumerate tools/resources at runtime
- Composability — combine multiple MCP servers in one Claude session
- Standardization — one server works with Claude Desktop, Claude Code, and any MCP-compatible client
- Stateless by design — each tool call is independent, making the server horizontally scalable and trivial to containerize
License
MIT — see LICENSE.