Skip to content

SarahGathoni/github-security-mcp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
dist
dist
 
 
node_modules
node_modules
 
 
src
src
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

github-security-mcp

MCP server that exposes GitHub security scanning and dependency patching as conversational tools for Claude.

Tools

Scanner

Tool What it does
scan_vulnerabilities Fetch open Dependabot alerts grouped by severity
check_outdated_deps Compare deps against latest npm / PyPI versions
get_repo_manifest Read package.json, requirements.txt, go.mod, etc.

Patcher

Tool What it does
open_patch_pr Branch + bump version + open PR
get_pr_status Check CI status on a PR
merge_pr Merge a PR (gates on CI by default)

Setup

1. Install dependencies

npm install

2. Build

npm run build

3. GitHub token

Create a GitHub Personal Access Token (classic or fine-grained) with:

  • repo scope (or fine-grained: Contents read/write, Pull requests read/write, Workflows read)
  • security_events read scope for vulnerability alerts
export GITHUB_TOKEN=ghp_your_token_here

4. Connect to Claude Desktop

Add this to your claude_desktop_config.json (macOS: ~/Library/Application Support/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "github-security-mcp": {
      "command": "node",
      "args": ["/absolute/path/to/github-security-mcp/dist/index.js"],
      "env": {
        "GITHUB_TOKEN": "ghp_your_token_here"
      }
    }
  }
}

Restart Claude Desktop — you'll see the tools available in the interface.

Example conversations

You: scan my repo owner/my-app

Claude: I found 3 open vulnerabilities in owner/my-app:
  - 1 critical: lodash 4.17.19 (CVE-2021-23337)
  - 2 high: ...

You: fix the critical one

Claude: Opening a PR to bump lodash from 4.17.19 to 4.17.21...
  PR #14 opened: https://github.com/owner/my-app/pull/14

You: check if CI passed on PR 14

Claude: PR #14 — all 3 CI checks passed. Ready to merge.

You: merge it

Claude: Merged PR #14 using squash strategy. SHA: abc123f

Project structure

src/
├── index.ts          ← MCP server, registers all tools
├── github.ts         ← shared Octokit client
└── tools/
    ├── scanner.ts    ← scan_vulnerabilities, check_outdated_deps, get_repo_manifest
    └── patcher.ts    ← open_patch_pr, get_pr_status, merge_pr

Adding the agent later

When you're ready to build the autonomous daily agent on top of this, it simply imports and calls the same tool handler functions directly — no MCP protocol overhead needed for the scheduled loop.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages