ClosedSSPM

Open Source SaaS Security Posture Management (SSPM) tool. Audits SaaS platforms for security misconfigurations across ServiceNow, Snowflake, Google Workspace, and Microsoft Entra ID.

• Multi-platform architecture — pluggable connector registry; add new SaaS platforms without touching core code (ServiceNow, Snowflake, Google Workspace, Entra ID)
• 166 security checks across four platforms covering identity, access control, configuration, network, scripts, integrations, secret scanning, OAuth grants, and credential hygiene
• Policy-as-code — audit checks defined in YAML, easily extensible with custom policies
• Embedded policies — all checks are baked into the binary; no external files needed at runtime
• HTML reports — self-contained, dark-themed HTML reports with posture scoring
• JSON output — machine-readable output for pipeline integration
• CSV export — spreadsheet-friendly output for compliance workflows
• MCP server — AI-assisted audit analysis via Model Context Protocol (works with Claude, OpenCode, etc.)
• Offline analysis — collect data once, analyze many times with snapshot persistence
• Parallel collection — concurrent API requests with configurable rate limiting
• SARIF output — SARIF 2.1.0 format for GitHub Code Scanning integration
• GitHub Action — run audits directly in CI/CD pipelines with PiotrMackowski/ClosedSSPM
• --fail-on threshold — exit with code 2 when findings meet or exceed a severity level

brew tap PiotrMackowski/closedsspm
brew install closedsspm

Download the latest release for your platform from the Releases page.

# Linux amd64
curl -Lo closedsspm.tar.gz https://github.com/PiotrMackowski/ClosedSSPM/releases/latest/download/closedsspm_Linux_amd64.tar.gz
tar xzf closedsspm.tar.gz
sudo mv closedsspm closedsspm-mcp /usr/local/bin/

# Download the .deb from the latest release
sudo dpkg -i closedsspm_*.deb

# Download the .rpm from the latest release
sudo rpm -i closedsspm_*.rpm

docker pull ghcr.io/piotrmackowski/closedsspm:latest

# Run an audit
docker run --rm \
  -e SNOW_INSTANCE=https://mycompany.service-now.com \
  -e SNOW_USERNAME=audit_user \
  -e SNOW_PASSWORD=secret \
  -v "$(pwd):/out" \
  ghcr.io/piotrmackowski/closedsspm:latest audit --output /out/report.html

git clone https://github.com/PiotrMackowski/ClosedSSPM.git
cd ClosedSSPM
make all

# --- Option 1: Basic auth ---
export SNOW_INSTANCE=https://mycompany.service-now.com
export SNOW_USERNAME=audit_user
export SNOW_PASSWORD=secret

# --- Option 2: OAuth (client credentials) ---
export SNOW_INSTANCE=https://mycompany.service-now.com
export SNOW_CLIENT_ID=your_client_id
export SNOW_CLIENT_SECRET=your_client_secret

# --- Option 3: Key pair (JWT bearer) ---
export SNOW_INSTANCE=https://mycompany.service-now.com
export SNOW_CLIENT_ID=your_client_id
export SNOW_CLIENT_SECRET=your_client_secret
export SNOW_PRIVATE_KEY_PATH=/path/to/private-key.pem
export SNOW_KEY_ID=your_key_id
export SNOW_JWT_USER=svc_audit_user

# --- Option 4: API Key ---
export SNOW_INSTANCE=https://mycompany.service-now.com
export SNOW_API_KEY=your_api_key

# Full audit: collect + evaluate + report (ServiceNow is the default platform)
closedsspm audit --output report.html

# Explicitly specify a platform
closedsspm audit --platform servicenow --output report.html

# Or step by step:
closedsspm collect --output snapshot.json
closedsspm evaluate --snapshot snapshot.json --output report.html

# --- Option 1: Basic auth ---
export SNOWFLAKE_ACCOUNT=xy12345.us-east-1
export SNOWFLAKE_USER=audit_user
export SNOWFLAKE_PASSWORD=secret

# --- Option 2: Key pair (JWT) ---
export SNOWFLAKE_ACCOUNT=xy12345.us-east-1
export SNOWFLAKE_USER=audit_user
export SNOWFLAKE_PRIVATE_KEY_PATH=/path/to/rsa_key.p8

# --- Option 3: OAuth ---
export SNOWFLAKE_ACCOUNT=xy12345.us-east-1
export SNOWFLAKE_TOKEN=your_oauth_access_token

# --- Option 4: Programmatic Access Token (PAT) ---
export SNOWFLAKE_ACCOUNT=xy12345.us-east-1
export SNOWFLAKE_USER=audit_user
export SNOWFLAKE_PAT=your_programmatic_access_token
# Optional: override defaults
export SNOWFLAKE_ROLE=SECURITYADMIN       # default: SECURITYADMIN
export SNOWFLAKE_WAREHOUSE=COMPUTE_WH     # default: COMPUTE_WH

# Run the audit
closedsspm audit --platform snowflake --output report.html

# Service Account with domain-wide delegation
export GW_CREDENTIALS_FILE=/path/to/service-account.json
export GW_DELEGATED_USER=admin@yourdomain.com

# Run the audit
closedsspm audit --platform googleworkspace --output report.html

# App registration with Microsoft Graph API permissions
export ENTRA_TENANT_ID=your-tenant-id
export ENTRA_CLIENT_ID=your-client-id
export ENTRA_CLIENT_SECRET=your-client-secret

# Run the audit
closedsspm audit --platform entra --output report.html

closedsspm checks list

# Start MCP server with a snapshot
closedsspm mcp --snapshot snapshot.json

Add to your MCP client configuration:

{
  "mcpServers": {
    "closedsspm": {
      "command": "/path/to/closedsspm",
      "args": ["mcp", "--snapshot", "/path/to/snapshot.json"]
    }
  }
}

By default the binary uses its embedded policies. To override with external policies:

closedsspm audit --policies /path/to/my/policies --output report.html

Run a full security audit: connect to a SaaS platform, collect data, evaluate policies, and generate a report.

Flags:
  --platform string       SaaS platform to audit (default "servicenow")
  --instance string       Platform instance URL (or set via env var)
  --output string         Output file path (default "report.html")
  --format string         Report format: html, json, csv, or sarif (default "html")
  --policies string       Path to custom policies directory (default: embedded)
  --save-snapshot string  Also save the raw snapshot to this file
  --concurrency int       Max parallel API requests (default 5)
  --rate-limit float      Max API requests per second (default 10)
  --fail-on string        Exit with code 2 if findings at or above this severity (CRITICAL, HIGH, MEDIUM, LOW, INFO)

Collect data from a SaaS platform and save a snapshot for offline analysis.

Flags:
  --platform string    SaaS platform to collect from (default "servicenow")
  --instance string    Platform instance URL (or set via env var)
  --output string      Output snapshot file path (default "snapshot.json")
  --concurrency int    Max parallel API requests (default 5)
  --rate-limit float   Max API requests per second (default 10)

Evaluate policies against a previously saved snapshot.

Flags:
  --snapshot string   Path to snapshot file (default "snapshot.json")
  --output string     Output file path (default "report.html")
  --format string   Report format: html, json, csv, or sarif (default "html")
  --policies string   Path to custom policies directory (default: embedded)
  --fail-on string  Exit with code 2 if findings at or above this severity (CRITICAL, HIGH, MEDIUM, LOW, INFO)

Start a Model Context Protocol server over stdio for AI-assisted audit analysis.

Flags:
  --snapshot string   Path to snapshot file (default "snapshot.json")
  --policies string   Path to custom policies directory (default: embedded)

List all available security checks.

Flags:
  --policies string   Path to custom policies directory (default: embedded)

All credentials are read from environment variables.

Each platform uses its own set of environment variables. The --platform flag (default: servicenow) determines which variables are read.

Authentication method is auto-detected based on which variables are set:

New to API key auth in Servicenow? See docs/setup_apikey_auth.py

Authentication method is auto-detected based on which variables are set:

Prerequisites:

1. Create a GCP service account with domain-wide delegation enabled
2. Grant the service account the following OAuth scopes in Google Workspace Admin Console → Security → API Controls → Domain-wide Delegation:
   • https://www.googleapis.com/auth/admin.directory.user.readonly
   • https://www.googleapis.com/auth/admin.directory.user.security
   • https://www.googleapis.com/auth/admin.reports.audit.readonly

Prerequisites:

1. Create an app registration in Entra ID (Azure AD)
2. Grant the following Microsoft Graph Application permissions:
   • Application.Read.All
   • Directory.Read.All
   • AuditLog.Read.All
3. Grant admin consent for the permissions

closedsspm/
├── cmd/
│   ├── closedsspm/
│   │   ├── main.go          # CLI commands (platform-agnostic)
│   │   ├── main_test.go     # CLI helper tests
│   │   └── platforms.go     # Blank imports to register platform connectors
│   └── mcp/                 # Standalone MCP server
├── internal/
│   ├── collector/            # Collector interface & snapshot model
│   ├── connector/
│   │   ├── registry.go       # Platform connector registry
│   │   ├── entra/            # Microsoft Entra ID (Azure AD) client & collector
│   │   ├── googleworkspace/  # Google Workspace Admin SDK client & collector
│   │   ├── servicenow/       # ServiceNow API client & collector
│   │   └── snowflake/        # Snowflake SQL client & collector
│   ├── finding/              # Finding model & severity
│   ├── mcpserver/            # MCP server implementation
│   ├── policy/               # Policy engine (YAML loading & evaluation)
│   └── report/
│       ├── csv/             # CSV report generator
│       ├── html/            # HTML report generator
│       └── json/            # JSON report generator
│       ├── sarif/           # SARIF 2.1.0 report generator
└── policies/
    ├── entra/                # Entra ID policy definitions (YAML, embedded at build)
    ├── googleworkspace/      # Google Workspace policy definitions (YAML, embedded at build)
    ├── servicenow/           # ServiceNow policy definitions (YAML, embedded at build)
    └── snowflake/            # Snowflake policy definitions (YAML, embedded at build)

Run closedsspm checks list to see all individual rules.

The MCP server exposes 6 tools and 2 resources over stdio transport for AI-assisted security audit analysis.

Run ClosedSSPM audits directly in your CI/CD pipeline:

- name: Run ClosedSSPM audit
  id: audit
  uses: PiotrMackowski/ClosedSSPM@v0  # or pin to a specific release tag
  with:
    instance: ${{ secrets.SNOW_INSTANCE }}
    # --- Basic auth ---
    username: ${{ secrets.SNOW_USERNAME }}
    password: ${{ secrets.SNOW_PASSWORD }}
    # --- OR OAuth (client credentials) ---
    # client-id: ${{ secrets.SNOW_CLIENT_ID }}
    # client-secret: ${{ secrets.SNOW_CLIENT_SECRET }}
    # --- OR Key pair (JWT bearer) ---
    # client-id: ${{ secrets.SNOW_CLIENT_ID }}
    # client-secret: ${{ secrets.SNOW_CLIENT_SECRET }}
    # private-key: ${{ secrets.SNOW_PRIVATE_KEY }}
    # key-id: ${{ secrets.SNOW_KEY_ID }}
    # jwt-user: ${{ secrets.SNOW_JWT_USER }}
    # --- OR API Key ---
    # api-key: ${{ secrets.SNOW_API_KEY }}
    format: sarif
    fail-on: HIGH

- name: Upload SARIF to GitHub Code Scanning
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ${{ steps.audit.outputs.sarif-path }}

All credential inputs should be passed via GitHub encrypted secrets. Authentication method is auto-detected based on which inputs are provided (same priority as the CLI).

• Snapshots may contain sensitive data — treat them as confidential
• The MCP server uses stdio transport only (no network exposure)
• The tool is read-only — it never writes to your SaaS platform
• ServiceNow audit user should have read-only roles

Create a dedicated audit user with these roles:

• itil (read access to most tables)
• security_admin (read access to ACLs and security config)

ClosedSSPM's SARIF output can be imported directly into DefectDojo for centralized vulnerability management. Generate a SARIF report and upload it via the DefectDojo API:

# Generate a SARIF report
closedsspm audit --platform servicenow --format sarif --output report.sarif

# Import into DefectDojo
curl -X POST "https://your-defectdojo.example.com/api/v2/reimport-scan/" \
  -H "Authorization: Token YOUR_DEFECTDOJO_API_TOKEN" \
  -F "scan_type=SARIF" \
  -F "file=@report.sarif" \
  -F "product_name=ClosedSSPM" \
  -F "engagement_name=SSPM Audit" \
  -F "auto_create_context=True"

Use reimport-scan (rather than import-scan) to deduplicate findings across successive runs.

Policies are YAML files organized by platform in the policies/ directory (e.g. policies/servicenow/):

id: CUSTOM-001
title: "Custom check description"
description: "Detailed explanation of what this checks"
severity: HIGH    # CRITICAL, HIGH, MEDIUM, LOW, INFO
category: Custom
platform: servicenow
query:
  table: sys_security_acl
  field_conditions:
    - field: "active"
      operator: "equals"     # empty, not_empty, equals, not_equals, contains
      value: "true"
remediation: "How to fix the issue"
references:
  - "https://docs.example.com"

Run the full test suite:

make test
# or directly:
go test ./...

Run static analysis:

make vet
go vet ./...

All pull requests must pass CI (tests + go vet) before merging.

Contributions are welcome. Please follow these guidelines:

1. Open an issue first — describe the bug or feature before starting work
2. Fork and branch — create a feature branch from main
3. Follow existing patterns — match the project's code style and structure
4. Add tests — new features and bug fixes should include tests
5. All CI checks must pass — tests, go vet, CodeQL, and Trivy scans
6. One PR per change — keep pull requests focused and reviewable

See SECURITY.md for reporting vulnerabilities.

Found a bug or have a feature request? Open an issue on the GitHub Issues page.

When reporting a bug, please include:

• ClosedSSPM version (closedsspm --version)
• Operating system and architecture
• Steps to reproduce the issue
• Expected vs actual behavior
• Any relevant error output

Please use GitHub Security Advisories to report vulnerabilities privately. See SECURITY.md for full details including response timelines and scope.

This project is developed with AI-assisted coding using OpenCode.

Apache 2.0 — see LICENSE