ghas-mcp-server
MCP server to make calls to GHAS for GitHub repositories.
Currently this has the following tools that are supported:
- list_dependabot_alerts: List all dependabot alerts for a repository
- list_secret_scanning_alerts: List all secret scanning alerts for a repository
- list_code_scanning_alerts: List all code scanning alerts for a repository
Make sure to add these three scopes (read only) to the configured PAT and for the correct organization as well!
Install in VS Code and VS Code Insiders
Use the buttons to install the server in your VS Code or VS Code Insiders environment. Make sure to read the link before you trust it! The links go to vscode.dev
and insiders.vscode.dev
and contain instructions to install the server.
VS Code will let you see the configuration before anything happens:
Example configuration
Add the configurations below to your MCP config in the editor.
Secure option: use the authenticated GitHub CLI
Instead of storing a Personal Access Token (see next section), you can also use the authenticated GitHub CLI. This will use the credentials you have configured in your GitHub CLI. This is useful when you have the GitHub CLI installed and already authenticated.
To use the GitHub CLI for authentication, follow the steps below:
- Add
"GITHUB_PERSONAL_ACCESS_TOKEN_USE_GHCLI": "true"
to your environment variables. - Ensure you have the GitHub CLI installed and authenticated by running
gh auth login
.
Configuration:
Configuration with a personal access token
For VS Code it would look like this:
Results
Contributing
Contributions are welcome! If you have ideas for new tools or improvements, please open an issue or submit a pull request.
Quick Start
Project Structure
Adding Components
The project comes with the GHAS tools in src/operations/security.ts
.
Building
- Make changes to your tools
- Run
npm run build
to compile - The server will automatically load your tools on startup
Testing the local build
You can test your local build by configuring the locally build version with the following MCP config:
Don't forget to change the path to your local build and build the project first!
Learn More
This server cannot be installed
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
This server integrates with GitHub Advanced Security to load security alerts and bring it into your context. Supports Dependabot Security Alerts, Secret Scanning Alerts, Code Security Alerts
Related MCP Servers
- -securityFlicense-qualityA standalone Model Context Protocol server for Snyk security scanning functionality.Last updated -21JavaScript
- AsecurityAlicenseAqualityThis server integrates AI assistants with ClickUp workspaces, enabling task, team, list, and board management through a secure OAuth2 authentication process.Last updated -55TypeScriptMIT License
- -securityFlicense-qualityEnables interaction with GitHub issues via the Model Context Protocol, allowing users to list and create issues with secure authentication.Last updated -Python
- -securityFlicense-qualityA standalone server enabling Snyk security scanning through the Model Context Protocol, with support for repository and project analysis, token verification, and CLI integration.Last updated -1JavaScript
Appeared in Searches
- A platform for hosting and sharing code
- Using separate agents for schema validation, code standards, and directory structure enforcement in development workflows
- Information about Git, a version control system
- A database for looking up CVEs on the National Vulnerability Database
- Getting Help with GitHub Actions Workflow Coding