Enables querying of Dependabot alerts for GitHub repositories, providing visibility into dependency vulnerabilities
Provides tools for accessing GitHub Advanced Security (GHAS) features, allowing users to list Dependabot alerts, secret scanning alerts, and code scanning alerts for repositories
ghas-mcp-server
MCP server to make calls to GHAS for GitHub repositories.
Currently this has the following tools that are supported:
- list_dependabot_alerts: List all dependabot alerts for a repository
- list_secret_scanning_alerts: List all secret scanning alerts for a repository
- list_code_scanning_alerts: List all code scanning alerts for a repository
Make sure to add these three scopes (read only) to the configured PAT and for the correct organization as well!
Install in VS Code and VS Code Insiders
Use the buttons to install the server in your VS Code or VS Code Insiders environment. Make sure to read the link before you trust it! The links go to vscode.dev
and insiders.vscode.dev
and contain instructions to install the server.
VS Code will let you see the configuration before anything happens:
Example configuration
Add the configurations below to your MCP config in the editor.
Secure option: use the authenticated GitHub CLI
Instead of storing a Personal Access Token (see next section), you can also use the authenticated GitHub CLI. This will use the credentials you have configured in your GitHub CLI. This is useful when you have the GitHub CLI installed and already authenticated.
To use the GitHub CLI for authentication, follow the steps below:
- Add
"GITHUB_PERSONAL_ACCESS_TOKEN_USE_GHCLI": "true"
to your environment variables. - Ensure you have the GitHub CLI installed and authenticated by running
gh auth login
.
Configuration:
Configuration with a personal access token
For VS Code it would look like this:
Results
Contributing
Contributions are welcome! If you have ideas for new tools or improvements, please open an issue or submit a pull request.
Quick Start
Project Structure
Adding Components
The project comes with the GHAS tools in src/operations/security.ts
.
Building
- Make changes to your tools
- Run
npm run build
to compile - The server will automatically load your tools on startup
Testing the local build
You can test your local build by configuring the locally build version with the following MCP config:
Don't forget to change the path to your local build and build the project first!
Learn More
This server cannot be installed
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
This server integrates with GitHub Advanced Security to load security alerts and bring it into your context. Supports Dependabot Security Alerts, Secret Scanning Alerts, Code Security Alerts
Related MCP Servers
- -securityFlicense-qualityA standalone Model Context Protocol server for Snyk security scanning functionality.Last updated -21JavaScript
- -securityFlicense-qualityEnables interaction with GitHub issues via the Model Context Protocol, allowing users to list and create issues with secure authentication.Last updated -Python
- -securityFlicense-qualityA standalone server enabling Snyk security scanning through the Model Context Protocol, with support for repository and project analysis, token verification, and CLI integration.Last updated -1JavaScript
- AsecurityFlicenseAqualityA Model Context Protocol server that enables integration with GitHub Actions, allowing users to fetch available actions, get detailed information about specific actions, trigger workflow dispatch events, and fetch repository releases.Last updated -4921JavaScript
Appeared in Searches
- A platform for hosting and sharing code
- Using separate agents for schema validation, code standards, and directory structure enforcement in development workflows
- Information about Git, a version control system
- A database for looking up CVEs on the National Vulnerability Database
- Getting Help with GitHub Actions Workflow Coding