Automating GitHub Pull Request Security Checks with Glama AI Automation Feature

Tags: security, automation, GitHub, code-review, pull-requests, cybersecurity

1. Step-by-Step Tutorial
   1. Set Up Your Discord Bot
   2. Finding the Right MCP Server
   3. Navigating to the Automations Tab
   4. Configuring Your Automation
2. Behind the Scenes
3. Conclusion
4. References

Keeping your code safe and secure is one of the most important parts of software development. Developers sometimes accidentally commit sensitive information, such as API keys, passwords, or private tokens, which can lead to serious security issues. Manually checking every Pull Request for these issues takes a lot of time, and a leaked secret is easy to overlook. In this tutorial, you'll learn how to create an automated system that scans new code changes in your GitHub repository for potential security risks. Using the Model Context Protocol (MCP) and Glama's Automation tool, the automation will review your code, find exposed secrets, and deliver a clear report, making it easier to keep your projects safe and secure.

Step-by-Step Tutorial

Here's how to set up your own automation:

1. Set Up Your Discord Bot

First, create a bot in Discord's Developer Portal and invite it to your server with the necessary permissions to send messages.
Follow the provided tutorial [1] to create a Discord server, use the Discord webhook URL for the notify_me_mcp server, and add the URL accordingly.

2. Finding the Right MCP Server

a) Deploy the Notify_me_mcp Server by thesammykins [2].

b) Deploy the mcp-github server by MissionSquad [3].

Click Deploy Server. A dialog box will appear; simply click Deploy.
Your MCP Servers page should now show both servers [4].

3. Navigating to the Automations Tab

Go to the Automations tab in your Glama window [5].
Click New Automation and assign it a title.

Your automation page will open, where you'll need to fill in the System Prompt and Trigger Message.

4. Configuring Your Automation

In this step, you'll set up the System Prompt, Trigger Message, and schedule so that your Discord bot delivers timely security scan reports tailored to your repository.

Copy and paste the following System Prompt:

    You are an expert automated security reviewer named 'GitHub Vulnerability Scanner'. Your task is to analyze new Pull Requests in a GitHub repository and check for potential security risks, especially exposed secrets like API keys, passwords, or tokens. You must be thorough and follow these steps exactly.

    You have access to:
    - @mcp-github: to get information about pull requests.
    - @notify_me_mcp: to send the final report.

    Instructions:
    1. The user will provide a repository in the format 'owner/repo'.
    2. Use @mcp-github's list_pull_requests tool with state set to 'open' to find all open PRs.
    3. For each open PR:
       a. Use the "GitHub Server" to call get_pull_request_diff to retrieve the code changes.
       b. Scan the new lines of code for exposed secrets like API keys (e.g., sk_live_..., ghp_...), passwords, database connection strings, or tokens.
       c. Assign a status: "✅ Pass" if no secrets are found, or "🚨 FAIL" if any are detected.
    4. After scanning all PRs, create a single, complete report in Markdown format showing the status and analysis for each PR.
    5. If no open PRs are found, send the message: "No open Pull Requests to review today."
    6. Use @notify_me_mcp to send the final report to the user's configured channel.

    Be accurate, thorough, and concise in your analysis.

Make sure you reference the correct MCP servers with the "@" sign.

Copy and paste the following Trigger Message:

    Enter your repository in the format "username/repo" to start the security scan for open pull requests.

Next, set the time you want to receive this message daily.

Click Save, then Trigger Automation.

And DONE! Your automation is complete. Every day at your chosen time, open Discord to view the automated security scan report for your open pull requests, powered by your MCP server automation feature.

Behind the Scenes

Step 1 – The Request
You start the process by triggering the automation with your GitHub repository name (e.g., Om-Shree-0709/Shinzo_Website). This tells the bot where to look and what needs to be reviewed.

Step 2 – Finding the Work
The AI, named GitHub Vulnerability Scanner, reads your request along with its instructions. It knows its first task is to find the relevant pull requests. It uses your GitHub Server integration to ask GitHub for a list of all currently open pull requests in that repository.

Step 3 – The Investigation Loop
Once the list of open pull requests is received, GitHub Vulnerability Scanner examines each one, one at a time. For every pull request, it uses the GitHub Server integration again to retrieve the diff — the specific lines of code that were added or modified.

Step 4 – The Security Scan
The bot scans the newly added or changed lines of code. Following the rules defined in your system prompt, it looks for potential security risks such as:

• API keys (e.g., sk_live_..., ghp_...)
• Passwords or connection strings
• Hardcoded private tokens

Based on the results of the scan, it assigns a status to each pull request:

• ✅ Pass – No secrets or vulnerabilities found
• 🚨 FAIL – Exposed secrets or potential risks detected

Step 5 – The Final Report
After checking all open pull requests, GitHub Vulnerability Scanner compiles its findings into a structured, easy-to-read summary report in Markdown format. The report includes details for each pull request and explains the findings.

Step 6 – The Delivery
The final report is sent to your configured Discord channel using the Webhook URL you provided. If no open pull requests are found, it sends a message stating:
"No open Pull Requests to review today."
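Steps 3 to 6 above, written as deterministic Python and added here as an example (it is not code from this post or from the mcp-github and notify_me_mcp servers): it keeps only the added lines of a unified diff, matches the secret kinds the system prompt names, masks each match before it enters the report so the Discord channel does not receive a second copy of the secret, and builds the Markdown summary with the prompt's statuses and no-PR message. The sample diff, file name and regular expressions are constructed for illustration; fetching PRs and posting to Discord remain with the MCP servers.

```python
import re
from typing import Dict, List, Tuple
# Constructed patterns for the secret kinds the prompt names: Stripe-style live keys,
# GitHub tokens, database connection strings and hardcoded password assignments.
SECRET_PATTERNS = {
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{8,}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "db_connection_string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s'\"]+:[^\s'\"]+@"),
    "hardcoded_password": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

def added_lines(diff: str) -> List[Tuple[str, str]]:
    """(file, text) for each '+' line of a unified diff; '+++' headers and '-' lines are skipped."""
    current_file, out = "", []
    for line in diff.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            out.append((current_file, line[1:]))
    return out

def scan_diff(diff: str) -> List[Tuple[str, str, str]]:
    """(file, pattern_name, masked_line) per matching added line; only a short prefix of the secret is kept."""
    findings = []
    for path, text in added_lines(diff):
        for name, pattern in SECRET_PATTERNS.items():
            if m := pattern.search(text):
                findings.append((path, name, text.strip().replace(m.group(0), m.group(0)[:6] + "****")))
    return findings

def status_for(findings: list) -> str:
    return "🚨 FAIL" if findings else "✅ Pass"

def build_report(pr_findings: Dict[int, list]) -> str:
    """Markdown report in the shape the prompt asks for, one section per PR number."""
    if not pr_findings:
        return "No open Pull Requests to review today."
    lines = ["# Pull request secret scan", ""]
    for number, findings in sorted(pr_findings.items()):
        lines.append(f"## PR #{number}: {status_for(findings)}")
        lines.extend(f"- `{path}`: {name} in `{text}`" for path, name, text in findings)
    return "\n".join(lines)

# Constructed sample diff: the removed key must be ignored, the added token must be flagged.
SAMPLE_DIFF = """+++ b/config.py
@@ -1,2 +1,2 @@
-STRIPE_KEY = "sk_live_OLDKEYabcdef"
+STRIPE_KEY = os.environ["STRIPE_KEY"]
+GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
"""
```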


In just a few moments, this automation performs the tedious and repetitive tasks of a junior security developer, helping you quickly identify potential risks and focus on more complex development challenges.

Conclusion

Glama's AI Automation feature, powered by the MCP GitHub and Notify Me MCP servers, makes securing your codebase effortless. It removes the burden of manually checking Pull Requests for exposed secrets and security risks. By scanning new code changes as soon as they are committed and delivering clear reports directly to your Discord server, this solution helps you catch vulnerabilities early, save time, and maintain a safer development process. Whether you're managing open-source projects, onboarding new developers, or ensuring compliance, this automation tool is a simple yet powerful way to keep your code secure and your team focused on building better software.

Let Automation handle your security reviews, so you can focus on what matters most.

References

1. Build With Discord
2. Notify Me MCP Server
3. Github MCP Server by MissionSquad
4. MCP Servers Page
5. Glama's Automation Page

Written by Om-Shree-0709 (@Om-Shree-0709)