
github-security-mcp

by badchars

Server Configuration

Describes the environment variables required to run the server.

Name: GITHUB_TOKEN
Required: Yes
Description: GitHub personal access token (classic or fine-grained) with appropriate scopes
Default: (none)

Capabilities

Features and capabilities supported by this server

Capability: tools
Details: { "listChanged": true }

Tools

Functions exposed to the LLM to take actions

github_check_org_security
  Check organization security settings: 2FA enforcement, default repository visibility, member privileges. Detects ORG-001, ORG-002, ORG-003.

github_check_org_sso
  Check whether SSO/SAML single sign-on is configured for the organization. Detects ORG-004.

github_check_org_members
  Audit organization members: outside collaborators and member activity. Detects ORG-005, ORG-006.

github_check_org_apps
  Audit OAuth app authorizations and GitHub App installations for the organization. Detects ORG-007, ORG-008.

github_check_org_webhooks
  Check organization webhooks for insecure HTTP URLs and disabled SSL verification. Detects ORG-009.

github_check_org_audit_log
  Review the organization audit log for suspicious or high-risk events. Detects ORG-010.

github_list_org_repos
  List organization repositories with security metadata (visibility, fork count, archived status). Useful for selecting repositories to audit.

github_check_repo_branch_protection
  Check branch protection rules on the default branch: required reviews, status checks, admin enforcement, signed commits. Detects REPO-001.

github_check_repo_secrets
  Check whether secret scanning and push protection are enabled for the repository. Detects REPO-002, REPO-003.

github_check_repo_code_scanning
  Check whether code scanning (CodeQL) is configured and review open alerts. Detects REPO-004, REPO-005.

github_check_repo_dependabot
  Check Dependabot configuration and open security alerts. Detects REPO-006, REPO-007.

github_check_repo_settings
  Check repository security settings: SECURITY.md, private vulnerability reporting, fork restrictions. Detects REPO-008, REPO-009, REPO-010.

github_check_repo_webhooks
  Check repository webhooks for insecure HTTP URLs and disabled SSL verification. Detects REPO-011.

github_check_repo_deploy_keys
  Audit deploy keys for unnecessary write access. Detects REPO-012.

github_check_repo_codeowners
  Check whether a CODEOWNERS file exists for code review enforcement. Detects REPO-013.

github_check_workflow_injection
  Scan workflow files for script injection vulnerabilities via untrusted event inputs (for example ${{ github.event.issue.title }} interpolated into run: blocks). Detects ACT-001.

github_check_workflow_pr_target
  Detect the dangerous pull_request_target + checkout pattern that enables arbitrary code execution from fork PRs. Detects ACT-002.

github_check_workflow_permissions
  Check GITHUB_TOKEN default permissions (should be read-only, not write). Detects ACT-003.

github_check_workflow_pinning
  Detect unpinned third-party actions (mutable tag reference instead of full commit SHA pinning). Detects ACT-004.

github_check_workflow_runners
  Detect self-hosted runners and assess their persistence and exposure risk. Detects ACT-005.

github_check_workflow_environments
  Check deployment environments for missing protection rules (required reviewers, wait timers, branch policies). Detects ACT-006.

github_check_workflow_secrets
  Detect patterns where secrets are passed to network commands (curl/wget) or logged in workflow files. Detects ACT-007.

github_check_workflow_oidc
  Check OIDC subject claim customization for secure cloud deployment trust. Detects ACT-008.

github_check_secret_scanning
  Check secret scanning coverage and review open alerts. Detects SEC-001, SEC-002.

github_check_push_protection
  Check for secret scanning alerts where push protection was bypassed. Detects SEC-003.

github_check_secret_patterns
  Check whether the organization has defined custom secret scanning patterns. Detects SEC-004.

github_check_secret_scoping
  Review secret scoping across environment, repository, and organization levels. Detects SEC-005.

github_check_dependency_graph
  Check whether the dependency graph is enabled for vulnerability detection. Detects SUP-001.

github_check_dependabot_updates
  Check whether Dependabot security updates and version updates are configured. Detects SUP-002.

github_check_sbom
  Check whether a software bill of materials (SBOM) can be generated from the dependency graph. Detects SUP-003.

github_check_vulnerabilities
  Check for critical known vulnerabilities and stale unfixed alerts (open more than 90 days). Detects SUP-004, SUP-005.

github_check_team_permissions
  Audit team permissions for admin-level access to repositories. Detects ACC-001.

github_check_collaborators
  Check for outside collaborators with write, maintain, or admin permissions. Detects ACC-002.

github_check_app_permissions
  Audit GitHub App installations for overly broad permission scopes. Detects ACC-003.

github_check_pat_usage
  Check for classic personal access tokens with overly broad scopes. Detects ACC-004.

github_list_checks
  List all available security checks with their IDs, categories, severities, and descriptions. Filterable by category and severity.

github_audit_summary
  Aggregate all findings from the current session by category, severity, and status. Shows critical findings and top remediation actions.

github_audit_report
  Generate a comprehensive markdown security report from all findings in the current session.

github_run_all
  Run all security checks for an organization and/or repository. Executes the org, repo, actions, secrets, supply chain, and access control checks sequentially.

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/github-security-mcp'