GESF Compliance Score: 100% (A)

| Framework | Score | Grade | Controls |
|---|---|---|---|
| GDPR | 100% | A | 22/22 passed |
| OWASP | 100% | A | 6/6 passed |
| CIS | 100% | A | 5/5 passed |
| NIST | 100% | A | 6/6 passed |

(Last evaluated: 2026-06-02)
Compliance-as-Code framework that automatically enforces GDPR, OWASP, NIST, and CIS engineering standards.
```bash
npm install -g @greenarmor/ges
```

Requires Node.js >= 20.
Windows troubleshooting
If ges is not recognized after install, the npm global bin directory is not in your PATH:
```powershell
# Check where npm installs globals
npm config get prefix

# Use npx as a quick alternative (no PATH needed)
npx @greenarmor/ges --version

# Or add npm's prefix to PATH permanently
$currentPath = [Environment]::GetEnvironmentVariable("PATH", "User")
$npmPrefix = "$(npm config get prefix)"
[Environment]::SetEnvironmentVariable("PATH", "$currentPath;$npmPrefix", "User")

# Restart PowerShell, then:
ges --version
```

If you use nvm-windows, global packages don't carry over between Node versions. Re-run `npm install -g @greenarmor/ges` after `nvm use`.
```bash
cd any-project
ges init
ges audit
ges score
```

GESF includes an MCP server that lets AI assistants (Claude, VS Code Copilot, Cursor, Crush, OpenCode, Windsurf) check compliance, list missing controls, and generate policies.
| Client | Install |
|---|---|
| VS Code | Install in VS Code |
| Smithery | npx smithery add @greenarmor/ges-mcp-server |
```bash
ges mcp setup            # Interactive: pick your client
ges mcp setup claude     # Claude Desktop
ges mcp setup vscode     # VS Code Copilot
ges mcp setup cursor     # Cursor
ges mcp setup opencode   # OpenCode
ges mcp setup crush      # Crush
ges mcp setup windsurf   # Windsurf
ges mcp setup all        # Configure all clients
```

Add this to your MCP client config:
```json
{
  "mcpServers": {
    "gesf": {
      "command": "npx",
      "args": ["-y", "@greenarmor/ges-mcp-server"]
    }
  }
}
```

VS Code: Use "servers" instead of "mcpServers" and add "type": "stdio". You can configure globally (all projects) via Command Palette → "MCP: Open User Configuration", or per-project in .vscode/mcp.json.
OpenCode/Crush: Use "mcp" instead of "mcpServers" and add "type": "stdio".
Note: GESF is an MCP server, not a VS Code extension. You won't find it on the VS Code Marketplace. Use the one-click install link above or the manual config steps.
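An added example, not part of GESF or its README: a small Node.js check that applies the per-client key and "type": "stdio" rules above to an already-parsed config. The function name, the rule table and the sample configs are assumptions made for illustration, and the version note is an extra check the README does not state.

```javascript
// Added example, not GESF code. Rules per client are taken from the README text:
// top-level key that holds the server entry, and whether "type": "stdio" is required.
const CLIENT_RULES = {
  generic:  { key: "mcpServers", needsType: false },
  vscode:   { key: "servers",    needsType: true  },
  opencode: { key: "mcp",        needsType: true  },
  crush:    { key: "mcp",        needsType: true  },
};
const PACKAGE = "@greenarmor/ges-mcp-server";

// Returns { errors, notes } for the "gesf" entry of an already-parsed config object.
function checkGesfConfig(client, config) {
  const rule = CLIENT_RULES[client];
  if (!rule) return { errors: [`unknown client: ${client}`], notes: [] };
  const errors = [];
  const notes = [];
  const entry = config?.[rule.key]?.gesf;
  if (!entry) {
    // Case: the generic snippet pasted into a client that uses another key.
    const other = ["mcpServers", "servers", "mcp"]
      .find((k) => k !== rule.key && config?.[k]?.gesf);
    errors.push(other
      ? `gesf is under "${other}", ${client} expects "${rule.key}"`
      : `no gesf entry under "${rule.key}"`);
    return { errors, notes };
  }
  if (rule.needsType && entry.type !== "stdio") errors.push('missing "type": "stdio"');
  if (entry.command !== "npx") errors.push(`unexpected command: ${entry.command}`);
  const args = Array.isArray(entry.args) ? entry.args : [];
  const spec = args.find((a) => a === PACKAGE || String(a).startsWith(PACKAGE + "@"));
  if (!spec) errors.push(`args do not name ${PACKAGE}`);
  // Extra check beyond the README: without @version the config does not fix the release.
  else if (spec === PACKAGE) notes.push("package spec has no @version");
  return { errors, notes };
}

// Constructed sample inputs: the README's generic snippet, and a VS Code variant
// with a placeholder version (0.0.0 is not a real release number).
const genericConfig = {
  mcpServers: { gesf: { command: "npx", args: ["-y", PACKAGE] } },
};
const vscodeConfig = {
  servers: { gesf: { type: "stdio", command: "npx", args: ["-y", PACKAGE + "@0.0.0"] } },
};

console.log(checkGesfConfig("generic", genericConfig));
console.log(checkGesfConfig("vscode", genericConfig));
console.log(checkGesfConfig("vscode", vscodeConfig));
```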
| Tool | Description |
|---|---|
| `check_compliance` | Check GDPR compliance status for a project type |
| `check_project_status` | Read actual .ges/ directory for real-time project status |
| `list_missing_controls` | Show compliance controls that are not passing |
| `list_framework_controls` | List all controls for a framework with status |
| `run_audit` | Run a full 6-scanner source code audit |
| `generate_compliance_report` | Generate a full compliance report with scoring |
| `generate_audit_report` | Combine real audit findings with compliance scoring |

| Tool | Description |
|---|---|
| `auto_fix` | Automatically fix security findings in source code |
| `implement_control` | Generate implementation files for a specific control |
| `apply_control_override` | Mark a control as not-applicable or pass |
| `fix_recommendation` | Get step-by-step remediation guidance for a control |

| Tool | Description |
|---|---|
| `generate_retention_policy` | Generate a data retention policy |
| `generate_incident_response` | Generate an incident response plan |
| `generate_risk_assessment` | Generate a risk assessment |
| `generate_dpa` | Generate a Data Processing Agreement |
| `generate_data_inventory` | Generate a data inventory with classifications |
| `generate_processing_records` | Generate Article 30 Records of Processing Activities |
JavaScript/TypeScript, Python, Go, Java, Ruby, PHP, Rust — with framework-specific detection for Express, Django, Gin, Spring, Rails, Laravel, Actix-web, and more.
- "Are we GDPR compliant?"
- "Show missing controls for GDPR"
- "List all CIS controls and their status"
- "Check the real-time project status from .ges/"
- "Scan my project at /path/to/project and auto-fix all security issues"
- "Run a dry-run auto-fix first — show me what would change"
- "Implement encryption at rest for GDPR-ART32-002"
- "Generate an audit logging module for my project"
- "Add rate limiting to my Express app automatically"
- "Fix all findings you can and tell me what needs manual review"
- "How do I fix CONFIG-001?"
- "Run a security audit on my project and generate a report"
- "Generate a full compliance report for my SaaS application"
- "Audit my codebase and show me all findings with severity levels"
- "Generate a retention policy for MyApp"
- "Generate an incident response plan"
- "Generate a risk assessment"
- "Generate a DPA for our vendor relationship"
- "Generate a data inventory for our AI application"
- "Generate Article 30 processing records"
- "Mark GDPR-ART32-001 as not-applicable — we don't process EU data"
- "Mark OWASP-ASVS-003 as pass — we verified it manually"
- "Audit my project, auto-fix what you can, then generate a compliance report"
- "Check compliance, show missing GDPR controls, fix them, and generate a risk assessment"
- "Scan /path/to/project, apply auto-fix, and tell me what still needs manual review"
```
packages/
├── cli/                  # CLI (@greenarmor/ges)
├── core/                 # Types, schemas, constants
├── audit-engine/         # Real source code scanning (6 scanners)
├── compliance-engine/    # GDPR Article 5/25/30/32/33/34 controls
├── policy-engine/        # 7 policy packs (GDPR, OWASP, AI, Blockchain, Gov, CIS, NIST)
├── rules-engine/         # Auth, encryption, secrets, logging standards
├── doc-generator/        # 14 compliance/security document templates
├── cicd-generator/       # GitHub Actions workflow generation
├── scoring-engine/       # Multi-framework compliance scoring
├── scanner-integration/  # External tool integration (Trivy, Gitleaks, Semgrep)
├── report-generator/     # Markdown/HTML report generation
└── mcp-server/           # MCP AI compliance assistant
```
MIT