Secure Code Warrior · Capability

Secure Code Warrior Developer Security Training

Unified developer security training capability for the Secure Code Warrior platform. Enables security and engineering leaders to manage users, teams, and assessments, track training progress and engagement, generate security training reports, and audit platform activity across the organization.

Run with Naftiko Security TrainingApplication SecurityDevSecOpsDeveloper TrainingReporting

What You Can Do

GET
List users — List all platform users
/v1/users
POST
Create user — Create a new user
/v1/users
GET
List teams — List all teams
/v1/teams
GET
Get developer leaderboard — Get developer leaderboard with training stats
/v1/training/leaderboard
GET
Get developers progress — Get training progress per developer
/v1/training/progress
GET
List assessments — List all assessments
/v1/assessments
GET
List courses — List all courses
/v1/courses
GET
Get time spent — Get time spent on training activities
/v1/metrics/time-spent
GET
Get audit log — Get system audit log
/v1/audit-log

MCP Tools

list-users

List all developers enrolled in Secure Code Warrior security training

read-only
create-user

Enroll a new developer in the Secure Code Warrior security training platform

list-teams

List all security training teams within the organization

read-only
get-developer-leaderboard

Get developer security training leaderboard showing points, completions, and rank changes

read-only
get-training-progress

Get detailed training progress for all developers including realm, level, and quest completion

read-only
list-assessments

List security knowledge assessments with their status, language coverage, and difficulty levels

read-only
list-courses

List available secure coding courses organized by language and security topic

read-only
get-time-spent

Get total time developers have spent on security training, assessments, courses, and tournaments

read-only
get-audit-log

Retrieve platform audit log showing user actions and administrative changes

read-only

APIs Used

scw-portal

Capability Spec

developer-security-training.yaml Raw ↑ 
naftiko: "1.0.0-alpha1"

info:
  label: "Secure Code Warrior Developer Security Training"
  description: >-
    Unified developer security training capability for the Secure Code Warrior platform.
    Enables security and engineering leaders to manage users, teams, and assessments,
    track training progress and engagement, generate security training reports, and
    audit platform activity across the organization.
  tags:
    - Security Training
    - Application Security
    - DevSecOps
    - Developer Training
    - Reporting
  created: "2026-05-02"
  modified: "2026-05-02"

binds:
  - namespace: env
    keys:
      SCW_API_KEY: SCW_API_KEY

capability:
  consumes:
    - import: scw-portal
      location: ./shared/portal.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: security-training-api
      description: "Unified REST API for Secure Code Warrior developer security training management."
      resources:
        - path: /v1/users
          name: users
          description: "User management"
          operations:
            - method: GET
              name: list-users
              description: "List all platform users"
              call: "scw-portal.list-users"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-user
              description: "Create a new user"
              call: "scw-portal.create-user"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/teams
          name: teams
          description: "Team management"
          operations:
            - method: GET
              name: list-teams
              description: "List all teams"
              call: "scw-portal.list-teams"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/training/leaderboard
          name: developer-leaderboard
          description: "Developer training leaderboard"
          operations:
            - method: GET
              name: get-developer-leaderboard
              description: "Get developer leaderboard with training stats"
              call: "scw-portal.get-developer-leaderboard"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/training/progress
          name: training-progress
          description: "Training progress reporting"
          operations:
            - method: GET
              name: get-developers-progress
              description: "Get training progress per developer"
              call: "scw-portal.get-developers-progress"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/assessments
          name: assessments
          description: "Security assessments"
          operations:
            - method: GET
              name: list-assessments
              description: "List all assessments"
              call: "scw-portal.list-assessments"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/courses
          name: courses
          description: "Security training courses"
          operations:
            - method: GET
              name: list-courses
              description: "List all courses"
              call: "scw-portal.list-courses"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/metrics/time-spent
          name: time-spent
          description: "Training time metrics"
          operations:
            - method: GET
              name: get-time-spent
              description: "Get time spent on training activities"
              call: "scw-portal.get-time-spent"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/audit-log
          name: audit-log
          description: "System audit log"
          operations:
            - method: GET
              name: get-audit-log
              description: "Get system audit log"
              call: "scw-portal.get-audit-log"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: security-training-mcp
      transport: http
      description: "MCP server for AI-assisted developer security training management."
      tools:
        - name: list-users
          description: "List all developers enrolled in Secure Code Warrior security training"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.list-users"
          outputParameters:
            - type: object
              mapping: "$."

        - name: create-user
          description: "Enroll a new developer in the Secure Code Warrior security training platform"
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: "scw-portal.create-user"
          with:
            email: "tools.email"
            firstName: "tools.firstName"
            lastName: "tools.lastName"
            role: "tools.role"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-teams
          description: "List all security training teams within the organization"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.list-teams"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-developer-leaderboard
          description: "Get developer security training leaderboard showing points, completions, and rank changes"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.get-developer-leaderboard"
          with:
            report_period: "tools.report_period"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-training-progress
          description: "Get detailed training progress for all developers including realm, level, and quest completion"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.get-developers-progress"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-assessments
          description: "List security knowledge assessments with their status, language coverage, and difficulty levels"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.list-assessments"
          with:
            startdate: "tools.startdate"
            enddate: "tools.enddate"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-courses
          description: "List available secure coding courses organized by language and security topic"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.list-courses"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-time-spent
          description: "Get total time developers have spent on security training, assessments, courses, and tournaments"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.get-time-spent"
          with:
            team: "tools.team"
            startdate: "tools.startdate"
            enddate: "tools.enddate"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-audit-log
          description: "Retrieve platform audit log showing user actions and administrative changes"
          hints:
            readOnly: true
            openWorld: false
          call: "scw-portal.get-audit-log"
          with:
            from_date: "tools.from_date"
            to_date: "tools.to_date"
          outputParameters:
            - type: object
              mapping: "$."