GRC Integration Guide

Integrate MCP Hub with your Governance, Risk, and Compliance (GRC) tools using the OCSF-based API

8 min read

MCP Hub exposes a dedicated GRC (Governance, Risk & Compliance) API that feeds security analysis data into external compliance platforms. All responses conform to the OCSF v1.3.0 standard, making MCP Hub a drop-in data source for platforms like Drata, Vanta, Splunk, and ServiceNow.

Enterprise Feature

The GRC API requires an Enterprise plan. Organizations on Free or Pro plans receive a 403 Forbidden response.

What the GRC API Provides

MCP Hub continuously analyzes MCP servers for security vulnerabilities, evaluates them against 17 security controls, and computes certification scores. The GRC API surfaces all of this data for automated ingestion:

Risk Posture – Organization-wide risk overview with KRI metrics and trend data
Vulnerability Findings – All findings with CWE, CVSS, and OWASP MCP mapping
Security Controls – 17 controls with pass/fail results per MCP
Controls Summary – Aggregated pass rates for dashboards and executive reporting
Evidence Chain – Immutable snapshots with SHA-256 integrity verification
OWASP MCP Top 10 Compliance – Compliance mapping unique to MCP Hub
Audit Events – Complete audit trail for SOC compliance

For the full API reference with response schemas and all query parameters, see the GRC API Reference.

Authentication

The GRC API uses organization service tokens with a dedicated grc:read scope.

Creating a Service Token

Navigate to your organization’s Settings in the MCP Hub dashboard.
Go to Service Tokens and click Create Token.
Select the grc:read scope.
Copy the token (it has the mcp_svc_ prefix).

Using the Token

Include the token in the Authorization header of every request:

curl -s -H "Authorization: Bearer mcp_svc_abc123def456..." \
  "https://api.mcp-hub.info/api/v1/orgs/{orgId}/grc/risk-posture"

The token determines which organization’s data is returned.

Endpoints Overview

All endpoints are scoped to an organization: /api/v1/orgs/{orgId}/grc/...

#	Endpoint	Method	Description
1	`/grc/risk-posture`	GET	Aggregated risk overview with severity breakdown and trend
2	`/grc/vulnerabilities`	GET	Paginated vulnerability findings (OCSF class_uid 2002)
3	`/grc/controls`	GET	Security controls with pass/fail per MCP (OCSF class_uid 2003)
4	`/grc/controls/summary`	GET	Aggregated control statistics for dashboards
5	`/grc/evidence`	GET	Immutable evidence chain with SHA-256 verification
6	`/grc/compliance/owasp-mcp-top10`	GET	OWASP MCP Top 10 compliance status
7	`/grc/audit-events`	GET	Audit trail for SOC compliance

1. Risk Posture

Returns the organization’s risk overview: total MCPs, average scores, certification distribution, severity totals, top risks, and 30-day trend.

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/risk-posture"

Optional query parameter: mcp_id (UUID) to filter by a specific MCP.

Example response:

{
  "data": {
    "summary": {
      "total_mcps": 42,
      "mcps_analyzed": 40,
      "avg_global_score": 78.5,
      "avg_security_score": 75.2
    },
    "certification_distribution": {
      "level_0_not_compliant": 3,
      "level_1_baseline": 12,
      "level_2_standard": 20,
      "level_3_advanced": 5
    },
    "severity_totals": {
      "critical": 2,
      "high": 15,
      "medium": 45,
      "low": 120
    },
    "risk_trend": {
      "period": "30d",
      "direction": "improving",
      "avg_score_start": 72.0,
      "avg_score_end": 78.5
    }
  }
}

2. Vulnerabilities

Returns paginated vulnerability findings in OCSF Vulnerability Finding format.

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/vulnerabilities?severity=critical,high&page=1&per_page=50"

Query parameters: page, per_page, severity (critical/high/medium/low/info), mcp_id (UUID).

3. Controls

Returns the 17 security controls with per-MCP pass/fail results.

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/controls?page=1&per_page=20"

Query parameters: page, per_page, status (pass/fail/other), mcp_id (UUID).

4. Controls Summary

Returns aggregated control statistics: total evaluations, pass/fail counts, pass rate, and per-category breakdown.

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/controls/summary"

Optional query parameter: mcp_id (UUID).

5. Evidence

Returns the immutable evidence chain. Each snapshot links to its predecessor, forming a verifiable chain of custody.

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/evidence?mcp_id=$MCP_ID&per_page=50"

Query parameters: page, per_page, mcp_id (UUID), finding_uid.

6. OWASP MCP Top 10 Compliance

Returns compliance status against the OWASP MCP Top 10 framework. This data is unique to MCP Hub – no other security tool covers this framework.

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/compliance/owasp-mcp-top10"

Optional query parameter: mcp_id (UUID).

7. Audit Events

Returns timestamped audit events for SOC compliance and security monitoring.

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/audit-events?since=2026-01-01T00:00:00Z&until=2026-03-01T00:00:00Z"

Query parameters: page, per_page, since (ISO 8601), until (ISO 8601), action (e.g., compliance.evaluated).

OCSF Event Mapping

All GRC API responses conform to OCSF v1.3.0. The API uses two primary event classes:

OCSF Class	class_uid	Used By	Description
Vulnerability Finding	2002	`/grc/vulnerabilities`	Individual security findings with CWE, CVSS, severity
Compliance Finding	2003	`/grc/controls`, `/grc/compliance/owasp-mcp-top10`	Control evaluations with pass/fail status and framework references

Field Mapping

OCSF Field	GRC API Location	Description
`class_uid`	Root of each finding	2002 (vulnerability) or 2003 (compliance)
`metadata.product.name`	All responses	Always `"MCP-Hub"`
`metadata.version`	All responses	OCSF schema version `"1.3.0"`
`metadata.tenant_uid`	All responses	Organization UUID
`metadata.logged_time`	All responses	Unix epoch ms when event was logged
`finding_info.uid`	Vulnerability/Compliance findings	Unique finding identifier
`finding_info.title`	Vulnerability/Compliance findings	Short finding title
`severity_id`	Vulnerability/Compliance findings	1=Info, 2=Low, 3=Medium, 4=High, 5=Critical
`status_id` (vulnerability)	Vulnerability findings	1=New, 2=In Progress, 3=Suppressed, 4=Resolved
`status_id` (compliance)	Compliance findings	1=Pass, 2=Fail, 99=Other
`compliance.standards`	Compliance findings	e.g., `["OWASP MCP Top 10"]`
`compliance.control`	Compliance findings	Control identifier (e.g., `"MCP-01"`)
`vulnerabilities[].cve.uid`	Vulnerability findings	CWE identifier (e.g., `"CWE-78"`)

Integration Examples

Drata

Drata supports custom API integrations for importing evidence and control test results.

In Drata, navigate to Connections and create a Custom Integration.
Set the base URL to https://api.mcp-hub.info/api/v1/orgs/{orgId}/grc/.
Add the Bearer token header with your mcp_svc_ token.
Map GRC controls to Drata’s control framework:
- /grc/controls feeds control test results (pass/fail per MCP).
- /grc/evidence provides immutable evidence for auditors.
- /grc/compliance/owasp-mcp-top10 maps to Drata’s compliance frameworks.
Set polling frequency to every 24 hours.

Vanta

Vanta can ingest vulnerability data and evidence from custom API sources.

In Vanta, create a Custom Integration under Integrations.
Configure the API connector with the MCP Hub GRC base URL and Bearer token.
Map the following endpoints:
- /grc/vulnerabilities feeds Vanta’s vulnerability management module (CWE and CVSS fields map directly).
- /grc/controls/summary provides aggregated pass rates for Vanta’s compliance dashboard.
- /grc/audit-events feeds the audit log for access monitoring.
Set sync frequency to every 12 hours.

Splunk

Use Splunk’s HTTP Event Collector (HEC) to forward GRC data for SIEM correlation.

# Fetch vulnerabilities from MCP Hub and forward to Splunk HEC
curl -s -H "Authorization: Bearer $MCP_TOKEN" \
  "https://api.mcp-hub.info/api/v1/orgs/$ORG_ID/grc/vulnerabilities?severity=critical,high" \
| curl -s -X POST \
  -H "Authorization: Splunk $SPLUNK_HEC_TOKEN" \
  -H "Content-Type: application/json" \
  -d @- \
  "https://splunk.example.com:8088/services/collector/event"

Since GRC responses use OCSF v1.3.0 format, Splunk can parse them natively with the OCSF Add-on for Splunk. The class_uid fields (2002, 2003) map directly to Splunk’s security event categories.

ServiceNow

ServiceNow’s Vulnerability Response (VR) module can ingest findings from the GRC API.

In ServiceNow, create a Scheduled Import or use IntegrationHub to poll the MCP Hub GRC API.
Configure a REST data source pointing to /grc/vulnerabilities.
Map fields:
GRC API Field ServiceNow VR Field
severity Severity
cwe CWE
cvss CVSS Score
remediation Remediation
mcp_name Affected CI
status State
For compliance data, import /grc/controls into ServiceNow’s GRC module to track control effectiveness.
Set import frequency to every 24 hours.

GRC API Field	ServiceNow VR Field
`severity`	Severity
`cwe`	CWE
`cvss`	CVSS Score
`remediation`	Remediation
`mcp_name`	Affected CI
`status`	State

Sync Script Example

This Python script demonstrates automated syncing of GRC findings to a compliance platform. It paginates through all endpoints and outputs consolidated data.

#!/usr/bin/env python3
"""Sync MCP Hub GRC findings to your compliance platform."""
import httpx
import json
import sys
from datetime import datetime, timedelta


def fetch_all_pages(client: httpx.Client, url: str, key: str) -> list:
    """Paginate through all results for a GRC endpoint."""
    items = []
    page = 1
    while True:
        resp = client.get(url, params={"page": page, "per_page": 100})
        resp.raise_for_status()
        data = resp.json().get("data", {})
        items.extend(data.get(key, []))
        if not data.get("has_more", False):
            break
        page += 1
    return items


def sync_grc(hub_url: str, org_id: str, token: str):
    """Fetch all GRC data from MCP Hub."""
    base = f"{hub_url}/api/v1/orgs/{org_id}/grc"
    headers = {"Authorization": f"Bearer {token}"}

    with httpx.Client(headers=headers, timeout=30) as client:
        # 1. Risk posture (single object, no pagination)
        risk = client.get(f"{base}/risk-posture")
        risk.raise_for_status()
        risk_data = risk.json()["data"]
        print(f"Risk posture: avg score {risk_data['summary']['avg_global_score']}")

        # 2. Vulnerabilities (paginated)
        vulns = fetch_all_pages(client, f"{base}/vulnerabilities", "vulnerabilities")
        print(f"Vulnerabilities: {len(vulns)} total")

        # 3. Controls summary (single object)
        summary = client.get(f"{base}/controls/summary")
        summary.raise_for_status()
        summary_data = summary.json()["data"]
        print(f"Controls: {summary_data['passed']}/{summary_data['total_evaluations']} passed")

        # 4. Evidence chain (paginated)
        evidence = fetch_all_pages(client, f"{base}/evidence", "evidence_chain")
        print(f"Evidence snapshots: {len(evidence)}")

        # 5. OWASP compliance (single object)
        owasp = client.get(f"{base}/compliance/owasp-mcp-top10")
        owasp.raise_for_status()
        owasp_data = owasp.json()["data"]
        compliant = sum(1 for r in owasp_data["risks"] if r["status"] == "compliant")
        print(f"OWASP MCP Top 10: {compliant}/10 compliant")

        # 6. Audit events (paginated, last 30 days)
        since = (datetime.utcnow() - timedelta(days=30)).strftime("%Y-%m-%dT%H:%M:%SZ")
        events = fetch_all_pages(
            client, f"{base}/audit-events?since={since}", "events"
        )
        print(f"Audit events (30d): {len(events)}")

        return {
            "risk_posture": risk_data,
            "vulnerabilities": vulns,
            "controls_summary": summary_data,
            "evidence": evidence,
            "owasp_compliance": owasp_data,
            "audit_events": events,
        }


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: sync_grc.py <hub_url> <org_id> <token>")
        sys.exit(1)
    data = sync_grc(sys.argv[1], sys.argv[2], sys.argv[3])
    # Write consolidated output for your GRC platform to ingest
    with open("grc_export.json", "w") as f:
        json.dump(data, f, indent=2, default=str)
    print("Exported to grc_export.json")

Run the script:

pip install httpx
python sync_grc.py https://api.mcp-hub.info YOUR_ORG_ID mcp_svc_your_token...

Rate Limits and Best Practices

Rate Limits

Limit	Value
Requests per minute per token	100
Maximum items per page	100
Maximum evidence items per page	50

When the rate limit is exceeded, the API returns 429 Too Many Requests with a Retry-After header.

Recommended Polling Intervals

Use Case	Interval
Real-time risk monitoring	Every 6 hours
Daily compliance reporting	Every 24 hours
Weekly executive dashboards	Every 168 hours

MCP Hub re-analyzes official MCPs on configurable intervals (default: 24 hours), so polling more frequently than every 6 hours provides diminishing returns.

Best Practices

Start with risk posture. The /grc/risk-posture endpoint gives a complete overview in a single call. Use it as your primary health check.
Use pagination. Always paginate through results using page and per_page parameters. Default page sizes are intentionally small.
Filter by severity. When building alerts, filter vulnerabilities by severity=critical,high to focus on actionable findings.
Cache evidence snapshots. Evidence snapshots are immutable. Once fetched, a snapshot with a given snapshot_id will never change. Cache them locally to reduce API calls.
Use audit events for SOC. The audit events endpoint provides complete access logs for SOC 2 compliance evidence.
Store tokens securely. Service tokens with grc:read scope have read access to all security data in your organization. Treat them as sensitive credentials.