Using GESF with Code Assistants¶
Practical guide for using GESF's MCP integration with each supported AI assistant. Each section includes setup instructions, example prompts, and hands-on exercises.
Claude Desktop¶
Setup¶
Then quit and reopen Claude Desktop.
How to Use¶
- Start a new conversation
- Ask compliance questions in natural language
- Claude will automatically call GESF tools when it detects a compliance question
- You do not need to mention "GESF" or "MCP" — just ask naturally
Example Session¶
You: I'm building a SaaS app called "DataVault". Are we GDPR compliant?
Claude: Let me check your compliance status.
[Calls check_compliance with project_type: "saas"]
Your GDPR compliance is at 72%. Here's the breakdown:
- 16/22 controls are passing
- 4 controls are failing
- 2 controls have warnings
Would you like me to show the missing controls?
You: Yes, show me what's missing.
Claude: [Calls list_missing_controls with framework: "GDPR"]
Here are the GDPR controls that need attention:
1. [CRITICAL] Encryption at Rest — Your data is not encrypted at rest
2. [CRITICAL] Audit Logging — Missing audit trail implementation
3. [HIGH] Session Timeout — No automatic session expiration
4. [HIGH] Storage Limitation — No data retention policy in place
You: Generate a retention policy for DataVault.
Claude: [Calls generate_retention_policy with project_name: "DataVault"]
Here's your retention policy:
...
Exercise: Full Compliance Audit with Claude
Open Claude Desktop and complete this conversation sequence. Copy each prompt one at a time:
Step 1 — Check status:
Step 2 — Identify gaps:
Step 3 — Understand OWASP gaps too:
Step 4 — Generate documents:
Step 5 — Full remediation package:
Record: - Did Claude call the correct tool for each prompt? - How many tool calls were made in total? - Did Claude maintain context across the conversation?
Tips¶
- Be specific about your project type for accurate compliance checks
- Ask follow-up questions to drill into specific controls
- Request generated documents by name
- Claude maintains conversation context — build on previous answers
VS Code (Copilot)¶
Setup¶
GESF can be configured at two levels in VS Code:
Option 1 — Global (recommended, all projects)¶
Open Command Palette (Cmd+Shift+P on macOS, Ctrl+Shift+P on Windows/Linux) → type "MCP: Open User Configuration" → press Enter. Add:
macOS / Linux:
{
"servers": {
"gesf": {
"command": "npx",
"args": ["-y", "@greenarmor/ges-mcp-server"],
"type": "stdio"
}
}
}
Windows:
On Windows, VS Code may not find npx in its PATH. Use the absolute path:
{
"servers": {
"gesf": {
"command": "C:\\Program Files\\nodejs\\npx.cmd",
"args": ["-y", "@greenarmor/ges-mcp-server"],
"type": "stdio"
}
}
}
Or just run ges mcp setup vscode — it detects the absolute path automatically.
Or edit the global config file directly:
| OS | Path |
|---|---|
| macOS | ~/Library/Application Support/Code/User/mcp.json |
| Linux | ~/.config/Code/User/mcp.json |
| Windows | %APPDATA%\Code\User\mcp.json |
Option 2 — Project-level (single project)¶
This creates .vscode/mcp.json in your project. GESF will only be available when that project is open.
After setup¶
Reload the VS Code window: Cmd+Shift+P / Ctrl+Shift+P → "Developer: Reload Window".
Invalid config causes startup errors
Do not add cwd, envFile, sandboxEnabled, dev, or inputs to mcp.json. These fields are not supported in MCP configs and will cause CodeExpectedError: Variable 'cwd' must be defined on startup. If you see this error, re-run ges mcp setup vscode to regenerate a clean config.
Not a VS Code extension
GESF is an MCP server, not a VS Code extension. You will not find it on the VS Code Marketplace. Do not use VS Code's built-in NPM package installer — it will ask confusing questions about "name" and "working directory". Follow the setup steps above instead.
How to Use¶
- Open Copilot Chat (
Cmd+Ior click the chat icon) - Switch to Agent mode (required for MCP tool use)
- Click the tools icon (hammer/wrench) to verify
gesfappears - Ask compliance questions while working in your code
Example: Inline Compliance Check¶
While reviewing code in VS Code, highlight a file and ask:
Copilot calls check_compliance and list_missing_controls to give you a report right in the editor.
Example: Pre-Commit Review¶
Before committing changes:
I've updated src/auth.ts to use argon2 hashing. Check if our
OWASP compliance improved and show any remaining issues.
Exercise: Compliance-Guided Development in VS Code
Complete this workflow inside VS Code Copilot Chat (Agent mode):
Step 1 — Open a project in VS Code and check compliance:
Step 2 — Ask about specific code:
@workspace Look at the authentication code. Are we following
GDPR Article 32 security of processing requirements?
Step 3 — Get actionable recommendations:
Step 4 — Generate missing documents:
Step 5 — Verify after fixes: After making suggested changes:
Questions
- Did Copilot use the GESF tools or try to answer without them?
- Were the code suggestions aligned with the missing controls?
- Did
@workspacecontext help Copilot give better answers?
Exercise: Compare Chat vs Agent Mode
Try the same prompt in both modes:
In Chat mode (no tools):
In Agent mode (with tools):
Compare: - Which mode gave a project-specific answer? - Which mode cited actual control IDs? - Why does Agent mode produce better results for compliance questions?
Tips¶
- Agent mode is required — tools won't work in standard chat mode
- Use global config (
ges mcp setup vscode→ choose Global) for all-project availability, or project-level (.vscode/mcp.json) for single projects - Use
@workspaceto give Copilot context about your full codebase - Combine tool results with Copilot's code analysis for best results
- Windows:
ges mcp setup vscodewrites absolute paths tonpx.cmd/node.exeautomatically — no manual path lookup needed
Cursor¶
Setup¶
This creates .cursor/mcp.json. Then restart Cursor.
How to Use¶
- Open Cursor's AI chat panel
- GESF tools are available automatically
- Ask compliance questions in natural language
Example: Compliance-Aware Code Generation¶
I need to add a new API endpoint that returns user profiles.
Check our GDPR compliance and make sure the endpoint follows
all required controls, especially around audit logging and
data minimisation.
Cursor will call check_compliance and list_missing_controls, then generate code that satisfies the relevant controls.
Exercise: Compliance-Driven Feature Development in Cursor
Step 1 — Set the compliance context:
Step 2 — Ask Cursor to write compliant code:
Write a user registration endpoint that satisfies all the
missing GDPR controls you identified. Include proper audit
logging, input validation, and encryption.
Step 3 — Verify the generated code:
Step 4 — Generate missing documents:
Questions
- Did Cursor proactively use GESF tools, or did you have to explicitly ask?
- Was the generated code compliant with the identified controls?
- Could Cursor fix its own compliance gaps when asked?
Tips¶
- Cursor's agent mode can also edit files based on GESF recommendations
- Ask "Fix the GDPR compliance issues in src/config.ts" for combined audit + fix suggestions
- Use Cursor's composer/agent mode for multi-file compliance fixes
OpenCode¶
Setup¶
Creates opencode.json in the project root or global config. Then restart OpenCode.
How to Use¶
GESF tools are available in the AI session. Ask compliance questions naturally.
Exercise: OpenCode Compliance Session
Start an OpenCode session in your project directory and try:
Step 1 — Check project compliance:
Step 2 — Find gaps:
Step 3 — Generate documents:
Step 4 — Compound request:
Crush¶
Setup¶
Modifies ~/.local/share/crush/crush.json (global). Adds the mcp.gesf entry with "type": "stdio". Then restart Crush.
How to Use¶
GESF tools appear in the available tools list. Use them in any Crush session.
Exercise: Crush Compliance Workflow
Start a Crush session and try:
Step 1 — Verify connection:
If you get a compliance score, the MCP server is working.
Step 2 — Deep dive:
Step 3 — Document generation:
Generate all compliance documents we need: retention policy,
incident response plan, risk assessment, and DPA. Project
name is "MyApp".
Record how many tools were called in total.
Tips¶
- Check
crush_infoto verify the MCP server is connected - The config is global — GESF is available in all Crush sessions
- The CLI automatically adds
"type": "stdio"required by Crush's MCP format
Windsurf¶
Setup¶
Creates .windsurf/mcp.json in your project. Then restart Windsurf.
How to Use¶
Open the AI chat and ask compliance questions. GESF tools are available automatically.
Exercise: Windsurf Cascade with GESF
Use Windsurf's Cascade feature with GESF tools:
Step 1 — Compliance check:
Step 2 — Fix with Cascade:
Based on the missing controls, fix our code to satisfy
the GDPR encryption and audit logging requirements.
Step 3 — Verify:
General Best Practices¶
Regardless of which assistant you use:
1. Be Specific About Your Project Type¶
"Check compliance for an AI application" is better than "Are we compliant?"
The project type determines which policy packs apply and what controls are evaluated.
2. Name Your Project¶
Generated documents use the project name you provide. "Generate a DPA for DataVault" produces better results than "Generate a DPA".
3. Chain Tools with Compound Prompts¶
Instead of asking one question at a time, combine them:
4. Use Alongside the CLI¶
MCP is for real-time guidance while coding. The CLI (ges audit) is for thorough scanning. Use both:
# Before starting to code
ges audit
# While coding, ask your assistant compliance questions
# After making changes
ges audit
5. Re-Audit After AI-Suggested Fixes¶
Always run ges audit to verify that fixes suggested by the AI actually resolved findings. AI assistants can make mistakes — the audit provides ground truth.
6. Iterate on Generated Documents¶
Documents generated by the MCP tools are templates. Ask your assistant to refine them:
That retention policy looks good, but we also need to cover
email marketing data with a 30-day retention period. Update it.
Exercise: Compare AI Assistants
If you have access to multiple AI assistants, try the same prompt in each:
We're building a healthcare application called "MedTrack".
Check our compliance, show missing GDPR controls, and generate
a risk assessment.
Compare: - Which assistant gave the most detailed response? - Which one suggested actionable next steps? - Did any assistant make up information instead of using the tools? - Which one chained all three tool calls correctly?
Exercise: The Full Compliance Sprint
Simulate a complete compliance sprint using only your AI assistant (no CLI commands):
Hour 1 — Assessment:
I'm building a SaaS platform called "CloudMetrics" that processes
EU user data, stores files in S3, and uses AI for analytics.
Check our compliance for saas type and show missing controls
for GDPR, OWASP, and NIST.
Hour 2 — Documentation:
Generate all compliance documents we need for our audit:
retention policy, incident response plan, risk assessment,
and DPA. All for "CloudMetrics".
Hour 3 — Code Review:
Based on the missing controls you identified, review our
codebase and list the specific files that need changes to
achieve compliance.
Hour 4 — Verification:
Re-check our compliance. Based on the documents we generated
and code changes we discussed, what should our new score be?
Reflection
- Could you complete a full compliance assessment using only the AI assistant?
- At what point did you need to fall back to the CLI?
- What additional tools would make the MCP integration more useful?