# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 0.2.x | :white_check_mark: |
| 0.1.x | :white_check_mark: |
## Security Features
### Authentication & Authorization
- **Environment-based configuration**: Sensitive data stored in environment variables, never in code
- **GitHub token scoping**: Supports minimal required permissions
- **No hardcoded credentials**: All authentication configured through environment variables
### Data Protection
- **No data persistence**: The MCP server doesn't store or cache sensitive data
- **API-only access**: Direct communication with GitHub API, no local data storage
- **Secure token handling**: Tokens handled through secure environment configuration
### Access Control
- **Repository permissions**: Respects GitHub repository access controls
- **Organization compliance**: Works with GitHub organization permission models
- **Read/write separation**: Different token scopes for different operation levels
## Security Configuration
### Recommended Token Scopes
For read-only operations:
- `repo` (if accessing private repositories)
- `public_repo` (for public repositories only)
- `read:user`
- `actions:read`
For full functionality including workflow management:
- `repo` (full repository access)
- `actions:read` (read workflow information)
- `actions:write` (trigger and manage workflows)
- `read:user` (read user profile)
- `read:org` (read organization data)
### Environment Configuration
#### Secure Method 1: Claude Desktop Config
```json
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["tsx", "/path/to/github-mcp/src/index.ts"],
      "env": {
        "GITHUB_TOKEN": "your_token",
        "GITHUB_OWNER": "your_username"
      }
    }
  }
}
```
#### Secure Method 2: External Environment File
```bash
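# Store outside project directory, in a directory only the current user can enter
mkdir -p ~/.config/mcp-environments
chmod 700 ~/.config/mcp-environments
# Quoted 'EOF' keeps the shell from expanding anything inside the heredoc
cat > ~/.config/mcp-environments/github.env << 'EOF'
GITHUB_TOKEN=your_token
GITHUB_OWNER=your_username
EOF
# Restrict the token file to its owner
chmod 600 ~/.config/mcp-environments/github.env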
```
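A check that could run before the server is started with the external environment file, shown as an added example that is not part of this project's code: it refuses a file that group or other users can access, reads the two keys as data instead of sourcing the file, and rejects the template placeholders. The function name `load_github_env` and its return codes are assumptions made for this example.

```bash
# Added example, not project code. load_github_env is a hypothetical helper.
# Returns 0 and exports GITHUB_TOKEN/GITHUB_OWNER, or non-zero with a reason.
load_github_env() {
    file=$1
    # Symlinks are refused so the permission check applies to the real file.
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "not a regular file: $file" >&2; return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other can access $file; run: chmod 600 $file" >&2; return 3
    fi
    token='' owner=''
    # Treat KEY=VALUE lines as data; sourcing the file would execute it.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            GITHUB_TOKEN=*) token=${line#GITHUB_TOKEN=} ;;
            GITHUB_OWNER=*) owner=${line#GITHUB_OWNER=} ;;
            *) echo "ignoring unrecognized line in $file" >&2 ;;
        esac
    done < "$file"
    # Reject empty values and the placeholders used in the template above.
    case $token in ''|your_token) echo "GITHUB_TOKEN is not set" >&2; return 4 ;; esac
    case $owner in ''|your_username) echo "GITHUB_OWNER is not set" >&2; return 4 ;; esac
    GITHUB_TOKEN=$token GITHUB_OWNER=$owner
    export GITHUB_TOKEN GITHUB_OWNER
    unset token owner line perms
}

# Demo on a constructed file; the values are samples, not real credentials.
demo=$(mktemp) && chmod 600 "$demo"
printf 'GITHUB_TOKEN=example-token-not-real\nGITHUB_OWNER=example-owner\n' > "$demo"
load_github_env "$demo" && echo "loaded configuration for $GITHUB_OWNER"
rm -f "$demo"
```

Error messages name the file and the missing key but never print a line's contents, so a misplaced token is not echoed to the terminal or a log.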
## Best Practices
### Token Management
- **Regular rotation**: Rotate GitHub tokens regularly
- **Minimal permissions**: Use least-privilege principle for token scopes
- **Secure storage**: Never commit tokens to version control
- **Environment isolation**: Use different tokens for development/production
### Network Security
- **HTTPS only**: All GitHub API communication over HTTPS
- **Rate limiting**: Respects GitHub API rate limits
- **Error handling**: Secure error messages that don't leak sensitive information
### Development Security
- **No secrets in code**: Environment-based configuration only
- **Comprehensive .gitignore**: Prevents accidental secret commits
- **Security scanning**: Regular dependency vulnerability checks
## Reporting Vulnerabilities
If you discover a security vulnerability, please:
1. **Do not** create a public GitHub issue
2. **Do not** discuss the vulnerability publicly
3. **Email** security concerns to: [Your Email]
4. **Include** steps to reproduce the vulnerability
5. **Provide** any relevant logs or error messages
We will acknowledge receipt within 48 hours and provide a detailed response within 5 business days.
## Security Updates
Security updates will be released as patch versions and announced through:
- GitHub Releases with security advisory
- README.md security notices
- Dependency security updates
## Compliance
This MCP server is designed to comply with:
- GitHub Terms of Service
- GitHub API Usage Guidelines
- Industry security best practices
- OWASP secure coding guidelines
## Audit Information
Last security review: 2025-06-26
Next scheduled review: 2025-12-26
For questions about this security policy, please open a GitHub issue with the "security" label.