GitHub PR Review MCP Server

An MCP (Model Context Protocol) server for comprehensive GitHub Pull Request review, code analysis, and security issue detection.

Features

• 🔍 Comprehensive PR Analysis: Analyzes pull requests for code quality, security vulnerabilities, and best practices

• 🛡️ Security Scanning: Detects common security issues and vulnerabilities across multiple programming languages

• 📊 Code Quality Assessment: Evaluates code maintainability, complexity, and adherence to best practices

• 🚨 Risk Assessment: Provides overall risk ratings and actionable recommendations

• 🔧 Multi-language Support: Supports JavaScript, TypeScript, Python, Java, C#, PHP, and more

• 📋 Detailed Reporting: Generates comprehensive review reports with file-level analysis

Installation

Prerequisites

• Node.js 18.0.0 or higher

• GitHub Personal Access Token with repository access

Setup

1. Clone the repository:

git clone https://github.com/doraemon0905/github-review.git
cd github-review

2. Install dependencies:

npm install

3. Build the project:

npm run build

4. Set up environment variables:

export GITHUB_TOKEN=your_github_personal_access_token

Usage

Running the MCP Server

npm start

The server will start and listen for MCP connections on stdio.

Configuration in Cursor/Claude

Add the following configuration to your MCP settings:

{
  "github-pr-review": {
    "command": "node",
    "args": ["/path/to/github-review/dist/index.js"],
    "env": {
      "GITHUB_TOKEN": "your_github_token_here"
    }
  }
}

Available Tools

1. get_pull_request

Fetch pull request details including metadata and file changes.

Parameters:

• owner (string): Repository owner (username or organization)

• repo (string): Repository name

• pull_number (number): Pull request number

Example:

Get pull request microsoft/vscode #12345

2. review_pull_request

Perform a comprehensive review of a pull request including code analysis, issue detection, and security checks.

Parameters:

• owner (string): Repository owner

• repo (string): Repository name

• pull_number (number): Pull request number

• include_security (boolean, optional): Include security analysis (default: true)

• include_best_practices (boolean, optional): Include best practices recommendations (default: true)

• severity_threshold (string, optional): Minimum severity level to report - "low", "medium", "high", or "critical" (default: "medium")

Example:

Review pull request microsoft/vscode #12345 with high severity threshold

3. analyze_code_diff

Analyze specific code changes for issues and security vulnerabilities.

Parameters:

• diff_content (string): Git diff content to analyze

• file_path (string): Path of the file being analyzed

• language (string, optional): Programming language (auto-detected if not provided)

• include_security (boolean, optional): Include security analysis (default: true)

Example:

Analyze this diff for security issues:
```diff
+function validateUser(input) {
+  return eval(input.code);
+}

4. get_repository_prs

List pull requests for a repository with filtering options.

Parameters:

• owner (string): Repository owner

• repo (string): Repository name

• state (string, optional): PR state filter - "open", "closed", or "all" (default: "open")

• limit (number, optional): Maximum number of PRs to return (default: 10, max: 100)

• sort (string, optional): Sort criteria - "created", "updated", "popularity", or "long-running" (default: "created")

Example:

List open pull requests for microsoft/vscode

Security Analysis

The server detects various security issues including:

JavaScript/TypeScript

• Use of eval() and similar dangerous functions

• XSS vulnerabilities via innerHTML

• Unsafe setTimeout usage

• TypeScript any type usage

• Hardcoded secrets and API keys

Python

• Use of exec() and eval()

• Unsafe pickle usage

• Bare except clauses

• Input validation issues

PHP

• SQL injection patterns

• Use of dangerous functions

• Unvalidated superglobal usage

General

• Hardcoded passwords and API keys

• Commented-out code

• TODO/FIXME markers

• Long lines and code complexity

Code Quality Assessment

The analyzer evaluates:

• Complexity: Cyclomatic complexity based on decision points

• Maintainability: Score based on line count, complexity, and readability

• Duplicate Code: Detection of repeated code patterns

• Best Practices: Language-specific coding standards

• File Risk: Assessment based on file types and patterns

Risk Assessment

Each PR receives an overall risk rating:

• Low: Minor issues, safe to merge

• Medium: Some issues present, review recommended

• High: Security concerns or multiple issues

• Critical: Serious issues that block merging

Development

Project Structure

src/
├── index.ts              # Main MCP server
├── services/
│   ├── GitHubService.ts  # GitHub API interactions
│   ├── CodeAnalyzer.ts   # Code analysis engine
│   └── PRReviewer.ts     # PR review orchestrator

Building

npm run build

Development Mode

npm run dev

Linting

npm run lint

Testing

npm test

Contributing

1. Fork the repository

2. Create a feature branch: git checkout -b feature-name

3. Make your changes and add tests

4. Run the test suite: npm test

5. Run the linter: npm run lint

6. Commit your changes: git commit -am 'Add feature'

7. Push to the branch: git push origin feature-name

8. Create a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Security

If you discover a security vulnerability, please send an email to nguyentruonggiang91@gmail.com. All security vulnerabilities will be promptly addressed.

Changelog

Version 1.0.0

• Initial release

• GitHub PR analysis

• Multi-language security scanning

• Code quality assessment

• Risk assessment and recommendations