agentic-sdlc-mcp
Integrates Dependabot vulnerability alerts for security triage and risk assessment.
Provides SDLC orchestration tools for GitHub, including repository context, issue creation, PR summarization, code review, quality gates, and release readiness checks.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@agentic-sdlc-mcpGenerate a plan for adding a dark mode feature"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
agentic-sdlc-mcp
An MCP (Model Context Protocol) Server that acts as an Agentic SDLC Control Plane — helping AI coding agents plan, create, test, review, secure, and release software following GitHub Agentic AI best practices.
What Is This?
agentic-sdlc-mcp is not a simple GitHub API wrapper. It is a SDLC orchestration layer that exposes structured, agent-friendly tools aligned to the full software development lifecycle:
Plan -> Create -> Test -> Review -> Optimize -> SecureSafety first: All write operations default to dryRun: true. Destructive or irreversible operations are never silently executed.
Related MCP server: GitHub Code Review Assistant
Installation
Requirements: Node.js >= 24 (see engines in package.json; CI runs on Node 24).
# Clone the repository
git clone https://github.com/SakuraCianna/agentic-sdlc-mcp.git
cd agentic-sdlc-mcp
# Install dependencies
npm install
# Build
npm run buildEnvironment Variables
Copy .env.example to .env and fill in your values:
Copy-Item .env.example .envThen edit .env — it is loaded automatically by dotenv when the server starts.
Alternatively, set variables inline in PowerShell:
$env:GITHUB_TOKEN = "ghp_your_token_here"
$env:GITHUB_OWNER = "your-org"
$env:GITHUB_REPO = "your-repo"Variable | Required | Description |
| Yes | GitHub PAT or App token |
| Optional | Default owner (org or user) |
| Optional | Default repository name |
| Optional | Default branch (default: |
| Optional |
|
| Optional | HTTP port (default: |
Required GitHub Token Scopes
Scope | Purpose |
| Read/write issues, PRs, file contents, checks (or |
| Code Scanning and Dependabot alerts (or |
| Secret Scanning alerts |
Verified against GitHub's REST API reference (Dependabot alerts, Code Scanning alerts, Secret Scanning alerts, Checks endpoints) as of this writing. GitHub's scope requirements can change — see the REST API docs if a tool reports a permission error that doesn't match this table.
MCP Client Configuration
Claude Desktop / Kiro / Cursor
Add to your MCP client config (claude_desktop_config.json or equivalent):
{
"mcpServers": {
"agentic-sdlc": {
"command": "node",
"args": ["E:/CodeHome/agentic-sdlc-mcp/dist/index.js"],
"env": {
"GITHUB_TOKEN": "ghp_your_token",
"GITHUB_OWNER": "your-org",
"GITHUB_REPO": "your-repo"
}
}
}
}Use forward slashes or escaped backslashes for Windows paths.
Running the Server
stdio mode (default — for MCP clients)
$env:GITHUB_TOKEN = "ghp_your_token"
node dist/index.jsHTTP mode (for remote / multi-client use)
$env:TRANSPORT = "http"
$env:PORT = "3000"
$env:GITHUB_TOKEN = "ghp_your_token"
node dist/index.js
# Server listens at http://localhost:3000/mcpSmoke test (no real token required)
Verifies the module loads cleanly and all tools register without error:
npm run smoke
# Output: [agentic-sdlc-mcp] SMOKE OK — all tools and resources registered successfully.npm Scripts
Script | Description |
| Compile TypeScript to |
| Type-check without emitting |
| Run the Vitest test suite |
| Watch mode for TDD |
| Coverage report (lcov + text) |
| Smoke-test: load + register, no real token needed |
| Watch mode with tsx (development) |
| Run the compiled server |
MCP Inspector (smoke test / exploration)
$env:GITHUB_TOKEN = "ghp_your_token"
npx @modelcontextprotocol/inspector node dist/index.jsTools Reference
repo_context
Read repository metadata, README, package.json, open issues, and open PRs. Use at the start of every workflow.
issueLimit/prLimit(number, default:20, max:100): cap how many open issues/PRs are fetched, to avoid token-heavy responses on large repos.
plan_from_context
Generate a phase-by-phase SDLC plan (Plan→Create→Test→Review→Optimize→Secure). Template-based — no LLM call needed.
create_issue_set
Batch-create GitHub issues from a plan.
⚠️ dryRun defaults to true — pass dryRun: false to write to GitHub.
prepare_work_item
Generate an agent-ready brief for a specific issue: goals, non-goals, acceptance criteria, risks, and a handoff prompt.
includeRelatedFiles(boolean, default:false): heuristically extract file paths mentioned in the issue body.includeRecentPRs(boolean, default:false): scan up to 20 recently-updated closed PRs and return up to 5 merged ones that touched the related file hints (requiresincludeRelatedFilesto have found hints — returns an empty list otherwise). Output field:recentPRs.
quality_gate_status
Read check-run results for a PR or git ref. Use to verify CI before merging or releasing.
create_pr_summary
Generate a structured PR summary: change overview, file categories, test coverage signals, risks, review checklist, and release notes draft.
review_pr_against_standard
Review a PR against SDLC standards (basic / strict / security-focused).
security-focused mode scans actual patch lines for secret patterns, .env files, lockfile changes, and dist files.
checkOwnership(boolean, default:true): match changed files against.github/CODEOWNERS(orCODEOWNERS/docs/CODEOWNERS) and flag any matched owner who is neither the PR author, a requested reviewer, nor an actual reviewer. No finding is raised if no CODEOWNERS file exists — see thecodeownersFoundoutput field.
security_triage
Read Code Scanning, Dependabot, and Secret Scanning alerts, triage by severity, recommend fix order.
release_readiness_check
Pre-release assessment: CI status, open bugs, CHANGELOG, release checklist, rollback template.
agent_handoff_packet
Generate a compact handoff packet so another agent can continue work without losing context.
branch_protection_status
Read classic branch protection AND repository rulesets for a branch (defaults to the repo's default branch). Flags missing required reviews, missing required status checks, allowed force pushes/deletions, and CODEOWNERS reviews not being enforced.
workflow_permissions_audit
Scan .github/workflows/*.yml (and .yaml) for permissions declarations (top-level and per-job) and flag least-privilege gaps.
owner/repo(string, optional): Repository coordinates. Falls back to GITHUB_OWNER / GITHUB_REPO.ref(string, optional): Branch, tag, or SHA to read workflow files from. Falls back to the repository's default branch.
Resources
URI | Description |
| Full Agentic SDLC standard with phases and human gates |
| Standard issue template |
| Standard PR summary template |
| Pre-release checklist template |
| Agent handoff template |
dryRun Safety Model
All write tools implement dryRun:
| Effect |
| Preview mode — no GitHub API writes |
| Live mode — actually writes to GitHub |
The default is always dryRun: true. Agents must explicitly pass dryRun: false.
Workflow Examples
1. Start a new feature
1. repo_context # understand the codebase
2. plan_from_context (goal=...) # generate SDLC plan
3. create_issue_set (dryRun:true) # preview issues
4. create_issue_set (dryRun:false) # create issues
5. prepare_work_item (issueNumber=N) # get agent brief2. Review a pull request
1. create_pr_summary (pullNumber=N) # diff overview
2. quality_gate_status (pullNumber=N) # CI check
3. review_pr_against_standard (standard:strict) # findings3. Pre-release check
1. security_triage # check alerts
2. release_readiness_check # full readiness
3. (fix blocking issues)
4. Human approval before tagging releaseSecurity
Never commit your
GITHUB_TOKEN— use.envor PowerShell$env:variablesdryRun: trueby default prevents accidental writesNo auto-merge, no force-push, no branch deletion
Secret scanning alerts are always rated
criticalThe server does not make outbound requests beyond the GitHub API
.github/CODEOWNERSroutes review of high-risk paths (.github/,src/github/,src/tools/) to the maintainer
Development
# Type check
npm run typecheck
# Watch mode
npm run dev
# Build
npm run build
# Test
npm run test
# Smoke test (no token needed)
npm run smokePublishing (Maintainers)
This package is published to npm using Trusted Publishing (OIDC) — no long-lived NPM_TOKEN secret is stored in the repo. Publishing is handled by .github/workflows/publish.yml.
One-time setup on npmjs.com
Sign in to npmjs.com and open the package's Settings -> Publishing access.
Add a Trusted Publisher with:
Provider:
GitHub ActionsRepository:
SakuraCianna/agentic-sdlc-mcpWorkflow filename:
publish.yml
Save. From then on,
publish.ymlpublishes without any npm token — GitHub issues a short-lived OIDC token that npm exchanges for a publish credential, and provenance is generated automatically.
First publish only: if the package name doesn't exist on npm yet, Trusted Publisher can't be linked until the package exists. In that case, do one manual
npm publishfrom your machine with a classic token first, then configure Trusted Publishing for all subsequent releases. Thepublish.ymlworkflow itself always uses OIDC — it never falls back to a token.
Triggering a publish
Preferred: create a GitHub Release (tag it, then "Publish release") — this fires
release: publishedand runspublish.ymlautomatically.Manual: go to Actions -> Publish to npm -> Run workflow (
workflow_dispatch).
Pre-publish checklist (run locally before tagging a release)
npm run typecheck
npm run build
npm run test
npm run smoke
npm run test:coverage
npm pack --dry-runnpm pack --dry-run prints exactly which files would ship in the published tarball, without creating one. Confirm only dist/, README.md, and .env.example are included — test files and package-lock.json must NOT appear (enforced by tsconfig.build.json, which excludes src/__tests__/** from the compiled dist/ output used for publishing).
GitHub Actions workflows
Workflow | Trigger | Purpose |
|
| Runs typecheck, build, test, smoke, and coverage on Node 24 |
| GitHub Release published, or manual dispatch | Publishes to npm via OIDC Trusted Publishing |
| Weekly schedule | Opens PRs for npm and GitHub Actions dependency updates (labelled |
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/SakuraCianna/agentic-sdlc-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server