github-security-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| GITHUB_TOKEN | Yes | GitHub personal access token (classic or fine-grained) with appropriate scopes |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| github_check_org_securityA | Check organization security settings: 2FA enforcement, default repository visibility, member privileges. Detects ORG-001, ORG-002, ORG-003. |
| github_check_org_ssoB | Check if SSO/SAML single sign-on is configured for the organization. Detects ORG-004. |
| github_check_org_membersB | Audit organization members: outside collaborators and member activity. Detects ORG-005, ORG-006. |
| github_check_org_appsA | Audit OAuth app authorizations and GitHub App installations for the organization. Detects ORG-007, ORG-008. |
| github_check_org_webhooksB | Check organization webhooks for insecure HTTP URLs and SSL verification. Detects ORG-009. |
| github_check_org_audit_logB | Review organization audit log for suspicious or high-risk events. Detects ORG-010. |
| github_list_org_reposA | List organization repositories with security metadata (visibility, fork count, archived status). Useful for selecting repos to audit. |
| github_check_repo_branch_protectionB | Check branch protection rules on the default branch: required reviews, status checks, admin enforcement, signed commits. Detects REPO-001. |
| github_check_repo_secretsB | Check if secret scanning and push protection are enabled for the repository. Detects REPO-002, REPO-003. |
| github_check_repo_code_scanningB | Check if code scanning (CodeQL) is configured and review open alerts. Detects REPO-004, REPO-005. |
| github_check_repo_dependabotB | Check Dependabot configuration and open security alerts. Detects REPO-006, REPO-007. |
| github_check_repo_settingsA | Check repository security settings: SECURITY.md, private vulnerability reporting, fork restrictions. Detects REPO-008, REPO-009, REPO-010. |
| github_check_repo_webhooksB | Check repository webhooks for insecure HTTP URLs and SSL verification. Detects REPO-011. |
| github_check_repo_deploy_keysA | Audit deploy keys for unnecessary write access. Detects REPO-012. |
| github_check_repo_codeownersA | Check if CODEOWNERS file exists for code review enforcement. Detects REPO-013. |
| github_check_workflow_injectionA | Scan workflow files for script injection vulnerabilities via untrusted event inputs (${{ github.event.issue.title }}, etc. in run: blocks). Detects ACT-001. |
| github_check_workflow_pr_targetA | Detect dangerous pull_request_target + checkout pattern that enables arbitrary code execution from fork PRs. Detects ACT-002. |
| github_check_workflow_permissionsB | Check GITHUB_TOKEN default permissions (should be read, not write). Detects ACT-003. |
| github_check_workflow_pinningB | Detect unpinned third-party actions (tag reference vs SHA pinning). Detects ACT-004. |
| github_check_workflow_runnersB | Detect self-hosted runners and assess persistence/exposure risk. Detects ACT-005. |
| github_check_workflow_environmentsB | Check deployment environments for missing protection rules (reviewers, wait timers, branch policies). Detects ACT-006. |
| github_check_workflow_secretsC | Detect patterns where secrets are passed to network commands (curl/wget) or logged in workflow files. Detects ACT-007. |
| github_check_workflow_oidcB | Check OIDC subject claim customization for secure cloud deployment trust. Detects ACT-008. |
| github_check_secret_scanningB | Check secret scanning coverage and review open alerts. Detects SEC-001, SEC-002. |
| github_check_push_protectionC | Check for secret scanning alerts where push protection was bypassed. Detects SEC-003. |
| github_check_secret_patternsA | Check if organization has defined custom secret scanning patterns. Detects SEC-004. |
| github_check_secret_scopingB | Review secret scoping across environments, repositories, and organization levels. Detects SEC-005. |
| github_check_dependency_graphA | Check if the dependency graph is enabled for vulnerability detection. Detects SUP-001. |
| github_check_dependabot_updatesA | Check if Dependabot security updates and version updates are configured. Detects SUP-002. |
| github_check_sbomB | Check if software bill of materials (SBOM) can be generated from the dependency graph. Detects SUP-003. |
| github_check_vulnerabilitiesB | Check for critical known vulnerabilities and stale unfixed alerts (>90 days). Detects SUP-004, SUP-005. |
| github_check_team_permissionsB | Audit team permissions for admin-level access to repositories. Detects ACC-001. |
| github_check_collaboratorsB | Check for outside collaborators with write, maintain, or admin permissions. Detects ACC-002. |
| github_check_app_permissionsB | Audit GitHub App installations for overly broad permission scopes. Detects ACC-003. |
| github_check_pat_usageA | Check for classic personal access tokens with overly broad scopes. Detects ACC-004. |
| github_list_checksA | List all available security checks with their IDs, categories, severities, and descriptions. Filterable by category and severity. |
| github_audit_summaryA | Aggregate all findings from the current session by category, severity, and status. Shows critical findings and top remediation actions. |
| github_audit_reportC | Generate a comprehensive markdown security report from all findings in the current session. |
| github_run_allA | Run all security checks for an organization and/or repository. Executes org, repo, actions, secrets, supply chain, and access control checks sequentially. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/github-security-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server