- Notifications
You must be signed in to change notification settings - Fork2.7k
Add Global Security Advisories Toolset#919
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Merged
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Pull Request Overview
This PR adds a new security advisories toolset to the GitHub MCP Server, providing tools to query GitHub's global security advisories to help users find vulnerabilities in their dependencies and discover patched versions.
- Introduces two new tools:
list_global_security_advisoriesfor querying advisories with filters, andget_global_security_advisoryfor retrieving specific advisories by ID - Adds comprehensive test coverage for both new tools including success and error scenarios
- Updates documentation to include the new security advisories toolset
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/github/tools.go | Registers the new security_advisories toolset with the DefaultToolsetGroup |
| pkg/github/security_advisories.go | Implements the two security advisory tools with parameter validation and GitHub API integration |
| pkg/github/security_advisories_test.go | Provides comprehensive test coverage for both tools including mock API responses |
| README.md | Documents the new security advisories tools and their parameters |
Tip: Customize your code reviews with copilot-instructions.md.Create the file orlearn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card.Take the survey.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
3e79c93 to8b15c86Comparerusly2002ms-cmd approved these changesAug 19, 2025
rusly2002ms-cmd left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
@Ruslyms
8b15c86 toea3f02bCompareUh oh!
There was an error while loading.Please reload this page.
tommaso-moro requested changesAug 21, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Lgtm but I think it would be good to make thetype param optional in theListGlobalSecurityAdvisories tool, as per theendpoint docs
ea3f02b to64030f7Comparetommaso-moro approved these changesAug 21, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
lgtm! 🚀
47040f4 intomain 16 checks passed
Uh oh!
There was an error while loading.Please reload this page.
ipapapa pushed a commit to ipapapa/github-mcp-server that referenced this pull requestAug 28, 2025
LuluBeatson added a commit that referenced this pull requestSep 4, 2025
* docs: Add Google Gemini CLI installation guide and integration- Add comprehensive installation guide for Google Gemini CLI- Include Docker and binary configuration options- Add authentication setup for Gemini API and Vertex AI- Update main README.md to include Gemini CLI in installation guides- Update installation guides index with Gemini CLI entry and support matrix- Follow established documentation patterns and security best practices* Fix Gemini CLI command syntax and add remote server method- Replace all 'gemini-cli' commands with correct 'gemini' syntax- Fix verification commands to use '/mcp list' and '/tools' prompts- Add httpUrl remote server method as primary configuration option- Update config file paths from settings.json to config.json- Correct npx installation command syntax- Add link to official Gemini CLI documentationAddresses feedback from soisyourface in PR review.* Emphasize official Gemini CLI documentation linkReduce detailed installation steps and direct users to official docs forup-to-date instructions, addressing reviewer feedback about maintainability.* Fix Gemini CLI configuration file name: config.json -> settings.jsonThe correct configuration file for Gemini CLI is settings.json, not config.json.This applies to both global (~/.gemini/settings.json) and project-specific(.gemini/settings.json) configurations as confirmed by official documentation.* Remove Gemini CLI installation and authentication sectionsRemoved lines 11-41 containing Gemini CLI installation commands andauthentication setup instructions.* Add Podman as Docker alternative in prerequisitesAdded Podman as container engine option alongside Docker.* Remove references to deprecated npm package* Add comprehensive ~/.gemini/.env file example* Fix authorization header to use literal token placeholderEnvironment variable substitution in headers is not yet supportedby Gemini CLI (seegoogle-gemini/gemini-cli#5282).* Add issue types (#869)* feat: add type to issues* test: add `type` test for create and update issues* Generate docs and toolsnaps* Update pkg/github/issues.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Use github ptr---------Co-authored-by: Pranav RK <pranavrk7@gmail.com>Co-authored-by: Pranav RK <39577726+radar07@users.noreply.github.com>Co-authored-by: Alon Kenneth <11458012+akenneth@users.noreply.github.com>Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Enable Dependabot (#654)* Create/Update dependabot.yaml* Apply suggestion from @CopilotCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>---------Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Bump SDK version to 0.36.0 (#863)* Use server.ServerResourceTemplate and server.ServerPrompt wrappers (#886)* Update "Close inactive issues" workflow to close issues after 180 days of inactivity (#909)* update PR_DAYS_BEFORE_STALE* update to mark as stale after 60 days* Update Claude MCP install guide after testing (#706)* Revise Claude installation guide- Verified Claude Code installation steps- Identified and documented issues with Claude Desktop setup- Updated installation documentation based on testing* Revise instructions for opening Claude CodeUpdated recommendations for opening Claude Code.* Update docs/installation-guides/install-claude.mdCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Update docs/installation-guides/install-claude.mdCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Update installation guide for Claude setupAdded installation option for using Claude Code using a release binary.* Change section title for Go Binary installationUpdated section title for clarity regarding installation without Docker.* Close double quote in bash command---------Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>Co-authored-by: LuluBeatson <lulubeatson@github.com>Co-authored-by: Matt Holloway <mattdholloway@github.com>Co-authored-by: Tommaso Moro <37270480+tommaso-moro@users.noreply.github.com>* Add actions job log buffer and profiler (#866)* add sliding window for actions logs* refactor: fix sliding* remove trim content* only use up to 1mb of memory for logs* update to tail lines in second pass* add better memory usage calculation* increase window size to 5MB* update test* update vers* undo vers change* add incremental memory tracking* use ring buffer* remove unused ctx param* remove manual GC clear* fix cca feedback* extract ring buffer logic to new package* handle log content processing errors and use correct param for maxjobloglines* fix tailing* account for if tailLines exceeds window size* add profiling thats reusable* remove profiler testing* refactor profiler: introduce safeMemoryDelta for accurate memory delta calculations* linter fixes* Update pkg/buffer/buffer.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* use flag for maxJobLogLines* add param passing for context window size* refactor: rename contextWindowSize to contentWindowSize for consistency* fix: use tailLines if bigger but only if <= 5000* fix: limit tailLines to a maximum of 500 for log content download* Update cmd/github-mcp-server/main.goCo-authored-by: Adam Holt <omgitsads@github.com>* Update cmd/github-mcp-server/main.goCo-authored-by: Adam Holt <omgitsads@github.com>* move profiler to internal/* update actions test with new profiler location* fix: adjust buffer size limits* make line buffer 1028kb* fix mod path* change test to use same buffer size as normal use* improve test for non-sliding window implementation to not count empty lines* make test memory measurement more accurate* remove impossible conditional---------Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>Co-authored-by: Adam Holt <omgitsads@github.com>* Add get_release_by_tag tool (#938)* add get_release_by_tag tool* add tool* add tests* autogen* remove comment* docs(readme): Update readme to point to correct installation guides index (#892)* docs(readme): Update readme to point to correct installation guides index* feat(contributors): add list_repository_contributors tool* Revert "feat(contributors): add list_repository_contributors tool"This reverts commitece480e.---------Co-authored-by: Tommaso Moro <37270480+tommaso-moro@users.noreply.github.com>* Add Global Security Advisories Toolset (#919)* Repository security advisories (#925)* Add support for listing repo level security advisories* Add support for listing repo security advisories at the org level* Update Cursor installation link (#940)* use new link* update local install link* Change role from "system" to "user" in prompt messages for `AssignCodingAgentPrompt` and `IssueToFixWorkflowPrompt`. Role "system" is not allowed by Claude Code in MCP provided prompt (allowed only role "user" and "assistant") (#941)Co-authored-by: 0xGosu <0xGosu@gmail.com>* Local MCP is supported* Refactor Gemini CLI install guide* Remove Bearer from Authorization header* Add reference to main README for latest config* Bearer needed for headers, add references* Add minimal response to CRUD tools, `repositories` and `search` toolsets (#988)* add comprehensive minimal response where appropriate* remove unneeded comments* remove incorrect diff param* update docs* rm comment* Update pkg/github/repositories.goCo-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>* update toolsnaps and docs* change minimal_output to use new OptionalBoolParamWithDefault* Update pkg/github/repositories.goCo-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>* refactor minimal conversion funcs to minimal_types.go* consolidate response structs and remove unneeded message field* consolidate response further* remove CloneURL field* Update pkg/github/repositories.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Update pkg/github/server.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* fix undefined* change incorrect comment* remove old err var declaration* Update pkg/github/repositories.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* fix syntax issue* update toolsnaps---------Co-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* initial org repo create support (#1023)---------Co-authored-by: JoannaaKL <joannaakl@github.com>Co-authored-by: Pranav RK <pranavrk7@gmail.com>Co-authored-by: Pranav RK <39577726+radar07@users.noreply.github.com>Co-authored-by: Alon Kenneth <11458012+akenneth@users.noreply.github.com>Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>Co-authored-by: Zack Koppert <zkoppert@github.com>Co-authored-by: Ksenia Bobrova <almaleksia@github.com>Co-authored-by: Tommaso Moro <37270480+tommaso-moro@users.noreply.github.com>Co-authored-by: Dimitrios Philliou <d1m1tr10s@github.com>Co-authored-by: LuluBeatson <lulubeatson@github.com>Co-authored-by: Matt Holloway <mattdholloway@github.com>Co-authored-by: Adam Holt <omgitsads@github.com>Co-authored-by: Rebecca Biju <113070179+beccccaboo@users.noreply.github.com>Co-authored-by: Jurre <jurre@github.com>Co-authored-by: 0xGosu <0xGosu@gmail.com>Co-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>
nickytonline pushed a commit to nickytonline/github-mcp-http that referenced this pull requestOct 4, 2025
nickytonline pushed a commit to nickytonline/github-mcp-http that referenced this pull requestOct 4, 2025
…b#757)* docs: Add Google Gemini CLI installation guide and integration- Add comprehensive installation guide for Google Gemini CLI- Include Docker and binary configuration options- Add authentication setup for Gemini API and Vertex AI- Update main README.md to include Gemini CLI in installation guides- Update installation guides index with Gemini CLI entry and support matrix- Follow established documentation patterns and security best practices* Fix Gemini CLI command syntax and add remote server method- Replace all 'gemini-cli' commands with correct 'gemini' syntax- Fix verification commands to use '/mcp list' and '/tools' prompts- Add httpUrl remote server method as primary configuration option- Update config file paths from settings.json to config.json- Correct npx installation command syntax- Add link to official Gemini CLI documentationAddresses feedback from soisyourface in PR review.* Emphasize official Gemini CLI documentation linkReduce detailed installation steps and direct users to official docs forup-to-date instructions, addressing reviewer feedback about maintainability.* Fix Gemini CLI configuration file name: config.json -> settings.jsonThe correct configuration file for Gemini CLI is settings.json, not config.json.This applies to both global (~/.gemini/settings.json) and project-specific(.gemini/settings.json) configurations as confirmed by official documentation.* Remove Gemini CLI installation and authentication sectionsRemoved lines 11-41 containing Gemini CLI installation commands andauthentication setup instructions.* Add Podman as Docker alternative in prerequisitesAdded Podman as container engine option alongside Docker.* Remove references to deprecated npm package* Add comprehensive ~/.gemini/.env file example* Fix authorization header to use literal token placeholderEnvironment variable substitution in headers is not yet supportedby Gemini CLI (seegoogle-gemini/gemini-cli#5282).* Add issue types (github#869)* feat: add type to issues* test: add `type` test for create and update issues* Generate docs and toolsnaps* Update pkg/github/issues.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Use github ptr---------Co-authored-by: Pranav RK <pranavrk7@gmail.com>Co-authored-by: Pranav RK <39577726+radar07@users.noreply.github.com>Co-authored-by: Alon Kenneth <11458012+akenneth@users.noreply.github.com>Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Enable Dependabot (github#654)* Create/Update dependabot.yaml* Apply suggestion from @CopilotCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>---------Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Bump SDK version to 0.36.0 (github#863)* Use server.ServerResourceTemplate and server.ServerPrompt wrappers (github#886)* Update "Close inactive issues" workflow to close issues after 180 days of inactivity (github#909)* update PR_DAYS_BEFORE_STALE* update to mark as stale after 60 days* Update Claude MCP install guide after testing (github#706)* Revise Claude installation guide- Verified Claude Code installation steps- Identified and documented issues with Claude Desktop setup- Updated installation documentation based on testing* Revise instructions for opening Claude CodeUpdated recommendations for opening Claude Code.* Update docs/installation-guides/install-claude.mdCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Update docs/installation-guides/install-claude.mdCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Update installation guide for Claude setupAdded installation option for using Claude Code using a release binary.* Change section title for Go Binary installationUpdated section title for clarity regarding installation without Docker.* Close double quote in bash command---------Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>Co-authored-by: LuluBeatson <lulubeatson@github.com>Co-authored-by: Matt Holloway <mattdholloway@github.com>Co-authored-by: Tommaso Moro <37270480+tommaso-moro@users.noreply.github.com>* Add actions job log buffer and profiler (github#866)* add sliding window for actions logs* refactor: fix sliding* remove trim content* only use up to 1mb of memory for logs* update to tail lines in second pass* add better memory usage calculation* increase window size to 5MB* update test* update vers* undo vers change* add incremental memory tracking* use ring buffer* remove unused ctx param* remove manual GC clear* fix cca feedback* extract ring buffer logic to new package* handle log content processing errors and use correct param for maxjobloglines* fix tailing* account for if tailLines exceeds window size* add profiling thats reusable* remove profiler testing* refactor profiler: introduce safeMemoryDelta for accurate memory delta calculations* linter fixes* Update pkg/buffer/buffer.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* use flag for maxJobLogLines* add param passing for context window size* refactor: rename contextWindowSize to contentWindowSize for consistency* fix: use tailLines if bigger but only if <= 5000* fix: limit tailLines to a maximum of 500 for log content download* Update cmd/github-mcp-server/main.goCo-authored-by: Adam Holt <omgitsads@github.com>* Update cmd/github-mcp-server/main.goCo-authored-by: Adam Holt <omgitsads@github.com>* move profiler to internal/* update actions test with new profiler location* fix: adjust buffer size limits* make line buffer 1028kb* fix mod path* change test to use same buffer size as normal use* improve test for non-sliding window implementation to not count empty lines* make test memory measurement more accurate* remove impossible conditional---------Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>Co-authored-by: Adam Holt <omgitsads@github.com>* Add get_release_by_tag tool (github#938)* add get_release_by_tag tool* add tool* add tests* autogen* remove comment* docs(readme): Update readme to point to correct installation guides index (github#892)* docs(readme): Update readme to point to correct installation guides index* feat(contributors): add list_repository_contributors tool* Revert "feat(contributors): add list_repository_contributors tool"This reverts commitece480e.---------Co-authored-by: Tommaso Moro <37270480+tommaso-moro@users.noreply.github.com>* Add Global Security Advisories Toolset (github#919)* Repository security advisories (github#925)* Add support for listing repo level security advisories* Add support for listing repo security advisories at the org level* Update Cursor installation link (github#940)* use new link* update local install link* Change role from "system" to "user" in prompt messages for `AssignCodingAgentPrompt` and `IssueToFixWorkflowPrompt`. Role "system" is not allowed by Claude Code in MCP provided prompt (allowed only role "user" and "assistant") (github#941)Co-authored-by: 0xGosu <0xGosu@gmail.com>* Local MCP is supported* Refactor Gemini CLI install guide* Remove Bearer from Authorization header* Add reference to main README for latest config* Bearer needed for headers, add references* Add minimal response to CRUD tools, `repositories` and `search` toolsets (github#988)* add comprehensive minimal response where appropriate* remove unneeded comments* remove incorrect diff param* update docs* rm comment* Update pkg/github/repositories.goCo-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>* update toolsnaps and docs* change minimal_output to use new OptionalBoolParamWithDefault* Update pkg/github/repositories.goCo-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>* refactor minimal conversion funcs to minimal_types.go* consolidate response structs and remove unneeded message field* consolidate response further* remove CloneURL field* Update pkg/github/repositories.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* Update pkg/github/server.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* fix undefined* change incorrect comment* remove old err var declaration* Update pkg/github/repositories.goCo-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* fix syntax issue* update toolsnaps---------Co-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>* initial org repo create support (github#1023)---------Co-authored-by: JoannaaKL <joannaakl@github.com>Co-authored-by: Pranav RK <pranavrk7@gmail.com>Co-authored-by: Pranav RK <39577726+radar07@users.noreply.github.com>Co-authored-by: Alon Kenneth <11458012+akenneth@users.noreply.github.com>Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>Co-authored-by: Zack Koppert <zkoppert@github.com>Co-authored-by: Ksenia Bobrova <almaleksia@github.com>Co-authored-by: Tommaso Moro <37270480+tommaso-moro@users.noreply.github.com>Co-authored-by: Dimitrios Philliou <d1m1tr10s@github.com>Co-authored-by: LuluBeatson <lulubeatson@github.com>Co-authored-by: Matt Holloway <mattdholloway@github.com>Co-authored-by: Adam Holt <omgitsads@github.com>Co-authored-by: Rebecca Biju <113070179+beccccaboo@users.noreply.github.com>Co-authored-by: Jurre <jurre@github.com>Co-authored-by: 0xGosu <0xGosu@gmail.com>Co-authored-by: Lulu <59149422+LuluBeatson@users.noreply.github.com>
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
None yet
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
This implements the Global Security Advisories tool, pulling fromthese endpoints, this allows users to query for vulnerabilities in their dependencies and figure out patched versions.
I'll follow this up with repo-level advisories as well, although I think for most use-cases users would probably want to use the existing Dependabot Alerts tool.
Addresses part of:#684