- Notifications
You must be signed in to change notification settings - Fork943
feat: implement Dependabot security update tools#180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Open
smadi0x86 wants to merge2 commits intogithub:mainChoose a base branch
base:main
Could not load branches
Branch not found:{{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline, and old review comments may become outdated.
Uh oh!
There was an error while loading.Please reload this page.
Open
Changes fromall commits
Commits
Show all changes
2 commits Select commitHold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,238 @@ | ||
| package github | ||
| import ( | ||
| "context" | ||
| "encoding/json" | ||
| "fmt" | ||
| "github.com/github/github-mcp-server/pkg/translations" | ||
| "github.com/google/go-github/v69/github" | ||
| "github.com/mark3labs/mcp-go/mcp" | ||
| "github.com/mark3labs/mcp-go/server" | ||
| ) | ||
| // SecurityAndAnalysis represents the security and analysis settings for a repository | ||
| type SecurityAndAnalysis struct { | ||
| AdvancedSecurity struct { | ||
| Status string `json:"status"` | ||
| } `json:"advanced_security"` | ||
| SecretScanning struct { | ||
| Status string `json:"status"` | ||
| } `json:"secret_scanning"` | ||
| SecretScanningPushProtection struct { | ||
| Status string `json:"status"` | ||
| } `json:"secret_scanning_push_protection"` | ||
| } | ||
| // GetSecuritySettings retrieves security settings for a repository | ||
| func GetSecuritySettings(client *github.Client, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) { | ||
| return mcp.NewTool("get_security_settings", | ||
| mcp.WithDescription(t("TOOL_GET_SECURITY_SETTINGS_DESCRIPTION", "Get security settings for a repository")), | ||
| mcp.WithString("owner", | ||
| mcp.Required(), | ||
| mcp.Description(t("PARAM_OWNER_DESCRIPTION", "Repository owner")), | ||
| ), | ||
| mcp.WithString("repo", | ||
| mcp.Required(), | ||
| mcp.Description(t("PARAM_REPO_DESCRIPTION", "Repository name")), | ||
| ), | ||
| ), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) { | ||
| owner, ok := request.Params.Arguments["owner"].(string) | ||
| if !ok { | ||
| return nil, fmt.Errorf("missing required parameter: owner") | ||
| } | ||
| repo, ok := request.Params.Arguments["repo"].(string) | ||
| if !ok { | ||
| return nil, fmt.Errorf("missing required parameter: repo") | ||
| } | ||
| repository, _, err := client.Repositories.Get(ctx, owner, repo) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to get repository settings: %w", err) | ||
| } | ||
| response, err := json.Marshal(repository.SecurityAndAnalysis) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to marshal response: %w", err) | ||
| } | ||
| return mcp.NewToolResultText(string(response)), nil | ||
| } | ||
| } | ||
| // UpdateSecuritySettings updates security settings for a repository | ||
| func UpdateSecuritySettings(client *github.Client, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) { | ||
| return mcp.NewTool("update_security_settings", | ||
| mcp.WithDescription(t("TOOL_UPDATE_SECURITY_SETTINGS_DESCRIPTION", "Update security settings for a repository")), | ||
| mcp.WithString("owner", | ||
| mcp.Required(), | ||
| mcp.Description(t("PARAM_OWNER_DESCRIPTION", "Repository owner")), | ||
| ), | ||
| mcp.WithString("repo", | ||
| mcp.Required(), | ||
| mcp.Description(t("PARAM_REPO_DESCRIPTION", "Repository name")), | ||
| ), | ||
| mcp.WithObject("settings", | ||
| mcp.Required(), | ||
| mcp.Description(t("PARAM_SETTINGS_DESCRIPTION", "Security settings to update")), | ||
| ), | ||
| ), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) { | ||
| owner, ok := request.Params.Arguments["owner"].(string) | ||
| if !ok { | ||
| return nil, fmt.Errorf("missing required parameter: owner") | ||
| } | ||
| repo, ok := request.Params.Arguments["repo"].(string) | ||
| if !ok { | ||
| return nil, fmt.Errorf("missing required parameter: repo") | ||
| } | ||
| settings, ok := request.Params.Arguments["settings"].(map[string]interface{}) | ||
| if !ok { | ||
| return nil, fmt.Errorf("missing required parameter: settings") | ||
| } | ||
| // Get current repository settings | ||
| repository, _, err := client.Repositories.Get(ctx, owner, repo) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to get repository settings: %w", err) | ||
| } | ||
| // Initialize security settings if nil | ||
| if repository.SecurityAndAnalysis == nil { | ||
| repository.SecurityAndAnalysis = &github.SecurityAndAnalysis{} | ||
| } | ||
| // Update vulnerability alerts if specified | ||
| if vulnerabilityAlerts, ok := settings["vulnerability_alerts"].(bool); ok { | ||
| if repository.SecurityAndAnalysis.AdvancedSecurity == nil { | ||
| repository.SecurityAndAnalysis.AdvancedSecurity = &github.AdvancedSecurity{} | ||
| } | ||
| if vulnerabilityAlerts { | ||
| repository.SecurityAndAnalysis.AdvancedSecurity.Status = github.Ptr("enabled") | ||
| } else { | ||
| repository.SecurityAndAnalysis.AdvancedSecurity.Status = github.Ptr("disabled") | ||
| } | ||
| } | ||
| // Update other security settings | ||
| settingsJSON, err := json.Marshal(settings) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to marshal settings: %w", err) | ||
| } | ||
| var securitySettings github.SecurityAndAnalysis | ||
| if err := json.Unmarshal(settingsJSON, &securitySettings); err != nil { | ||
| return nil, fmt.Errorf("failed to unmarshal settings: %w", err) | ||
| } | ||
| // Merge the new settings with existing ones | ||
| if securitySettings.AdvancedSecurity != nil { | ||
| if repository.SecurityAndAnalysis.AdvancedSecurity == nil || repository.SecurityAndAnalysis.AdvancedSecurity.Status == "" { | ||
| repository.SecurityAndAnalysis.AdvancedSecurity = securitySettings.AdvancedSecurity | ||
| } | ||
| } | ||
| if securitySettings.SecretScanning != nil { | ||
| repository.SecurityAndAnalysis.SecretScanning = securitySettings.SecretScanning | ||
| } | ||
| if securitySettings.SecretScanningPushProtection != nil { | ||
| repository.SecurityAndAnalysis.SecretScanningPushProtection = securitySettings.SecretScanningPushProtection | ||
| } | ||
| // Update the repository | ||
| updatedRepo, _, err := client.Repositories.Edit(ctx, owner, repo, &github.Repository{ | ||
| SecurityAndAnalysis: repository.SecurityAndAnalysis, | ||
| }) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to update repository settings: %w", err) | ||
| } | ||
| // Return complete security settings | ||
| response, err := json.Marshal(updatedRepo.SecurityAndAnalysis) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to marshal response: %w", err) | ||
| } | ||
| return mcp.NewToolResultText(string(response)), nil | ||
| } | ||
| } | ||
| // GetDependabotSecurityUpdatesStatus checks if Dependabot security updates are enabled | ||
| func GetDependabotSecurityUpdatesStatus(client *github.Client, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) { | ||
| return mcp.NewTool("get_dependabot_security_updates_status", | ||
| mcp.WithDescription(t("TOOL_GET_DEPENDABOT_SECURITY_UPDATES_STATUS_DESCRIPTION", "Check if Dependabot security updates are enabled for a repository")), | ||
| mcp.WithString("owner", | ||
| mcp.Required(), | ||
| mcp.Description(t("PARAM_OWNER_DESCRIPTION", "Repository owner")), | ||
| ), | ||
| mcp.WithString("repo", | ||
| mcp.Required(), | ||
| mcp.Description(t("PARAM_REPO_DESCRIPTION", "Repository name")), | ||
| ), | ||
| ), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) { | ||
| owner, ok := request.Params.Arguments["owner"].(string) | ||
| if !ok { | ||
| return nil, fmt.Errorf("missing required parameter: owner") | ||
| } | ||
| repo, ok := request.Params.Arguments["repo"].(string) | ||
| if !ok { | ||
| return nil, fmt.Errorf("missing required parameter: repo") | ||
| } | ||
| status, _, err := client.Repositories.GetAutomatedSecurityFixes(ctx, owner, repo) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to get Dependabot security updates status: %w", err) | ||
| } | ||
| response, err := json.Marshal(status) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to marshal response: %w", err) | ||
| } | ||
| return mcp.NewToolResultText(string(response)), nil | ||
| } | ||
| } | ||
| // EnableDependabotSecurityUpdates and DisableDependabotSecurityUpdates are currently disabled. | ||
| // Issue: There is a discrepancy in GitHub's API behavior regarding Dependabot security updates: | ||
| // 1. Public repositories should have Dependabot alerts enabled by default | ||
| // 2. However, the API still requires explicit enabling of vulnerability alerts | ||
| // 3. This creates a confusing user experience where the system says one thing but behaves differently | ||
| // 4. The functionality needs to be investigated and fixed before being re-enabled | ||
| // See: https://github.com/github/github-mcp-server/issues/176 | ||
| // EnableDependabotSecurityUpdates enables Dependabot security updates for a repository | ||
| // func EnableDependabotSecurityUpdates(client *github.Client, t translations.TranslationHelperFunc) (mcp.Tool, server.ToolHandlerFunc) { | ||
| // return mcp.NewTool("enable_dependabot_security_updates", | ||
| // mcp.WithDescription(t("TOOL_ENABLE_DEPENDABOT_SECURITY_UPDATES_DESCRIPTION", "Enable Dependabot security updates for a repository")), | ||
| // mcp.WithString("owner", | ||
| // mcp.Required(), | ||
| // mcp.Description(t("PARAM_OWNER_DESCRIPTION", "Repository owner")), | ||
| // ), | ||
| // mcp.WithString("repo", | ||
| // mcp.Required(), | ||
| // mcp.Description(t("PARAM_REPO_DESCRIPTION", "Repository name")), | ||
| // ), | ||
| // ), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) { | ||
| // return nil, fmt.Errorf("this functionality is currently disabled due to GitHub API behavior discrepancy") | ||
| // } | ||
| // } | ||
| // DisableDependabotSecurityUpdates disables Dependabot security updates for a repository | ||
| // func DisableDependabotSecurityUpdates(client *github.Client, t translations.TranslationHelperFunc) (mcp.Tool, server.ToolHandlerFunc) { | ||
| // return mcp.NewTool("disable_dependabot_security_updates", | ||
| // mcp.WithDescription(t("TOOL_DISABLE_DEPENDABOT_SECURITY_UPDATES_DESCRIPTION", "Disable Dependabot security updates for a repository")), | ||
| // mcp.WithString("owner", | ||
| // mcp.Required(), | ||
| // mcp.Description(t("PARAM_OWNER_DESCRIPTION", "Repository owner")), | ||
| // ), | ||
| // mcp.WithString("repo", | ||
| // mcp.Required(), | ||
| // mcp.Description(t("PARAM_REPO_DESCRIPTION", "Repository name")), | ||
| // ), | ||
| // ), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) { | ||
| // return nil, fmt.Errorf("this functionality is currently disabled due to GitHub API behavior discrepancy") | ||
| // } | ||
| // } |
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.