Add support for listing repo level security advisories

Author: jurre

README.md

@@ -937,6 +937,13 @@ The following sets of tools are available (all are on by default):
   - `type`: Advisory type. (string, required)
   - `updated`: Filter by update date or date range (ISO 8601 date or range). (string, optional)
 
+- **list_repository_security_advisories** - List repository security advisories
+  - `direction`: Sort direction. (string, optional)
+  - `owner`: The owner of the repository. (string, required)
+  - `repo`: The name of the repository. (string, required)
+  - `sort`: Sort field. (string, optional)
+  - `state`: Filter by advisory state. (string, optional)
+
 </details>
 
 <details>

pkg/github/security_advisories.go

@@ -183,6 +183,95 @@ func ListGlobalSecurityAdvisories(getClient GetClientFn, t translations.Translat
 		}
 }
 
+func ListRepositorySecurityAdvisories(getClient GetClientFn, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) {
+	return mcp.NewTool("list_repository_security_advisories",
+			mcp.WithDescription(t("TOOL_LIST_REPOSITORY_SECURITY_ADVISORIES_DESCRIPTION", "List repository security advisories for a GitHub repository.")),
+			mcp.WithToolAnnotation(mcp.ToolAnnotation{
+				Title:        t("TOOL_LIST_REPOSITORY_SECURITY_ADVISORIES_USER_TITLE", "List repository security advisories"),
+				ReadOnlyHint: ToBoolPtr(true),
+			}),
+			mcp.WithString("owner",
+				mcp.Required(),
+				mcp.Description("The owner of the repository."),
+			),
+			mcp.WithString("repo",
+				mcp.Required(),
+				mcp.Description("The name of the repository."),
+			),
+			mcp.WithString("direction",
+				mcp.Description("Sort direction."),
+				mcp.Enum("asc", "desc"),
+			),
+			mcp.WithString("sort",
+				mcp.Description("Sort field."),
+				mcp.Enum("created", "updated", "published"),
+			),
+			mcp.WithString("state",
+				mcp.Description("Filter by advisory state."),
+				mcp.Enum("triage", "draft", "published", "closed"),
+			),
+		), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+			owner, err := RequiredParam[string](request, "owner")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+			repo, err := RequiredParam[string](request, "repo")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+
+			direction, err := OptionalParam[string](request, "direction")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+			sortField, err := OptionalParam[string](request, "sort")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+			state, err := OptionalParam[string](request, "state")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+
+			client, err := getClient(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get GitHub client: %w", err)
+			}
+
+			opts := &github.ListRepositorySecurityAdvisoriesOptions{}
+			if direction != "" {
+				opts.Direction = direction
+			}
+			if sortField != "" {
+				opts.Sort = sortField
+			}
+			if state != "" {
+				opts.State = state
+			}
+
+			advisories, resp, err := client.SecurityAdvisories.ListRepositorySecurityAdvisories(ctx, owner, repo, opts)
+			if err != nil {
+				return nil, fmt.Errorf("failed to list repository security advisories: %w", err)
+			}
+			defer func() { _ = resp.Body.Close() }()
+
+			if resp.StatusCode != http.StatusOK {
+				body, err := io.ReadAll(resp.Body)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read response body: %w", err)
+				}
+				return mcp.NewToolResultError(fmt.Sprintf("failed to list repository advisories: %s", string(body))), nil
+			}
+
+			r, err := json.Marshal(advisories)
+			if err != nil {
+				return nil, fmt.Errorf("failed to marshal advisories: %w", err)
+			}
+
+			return mcp.NewToolResultText(string(r)), nil
+		}
+}
+
 func GetGlobalSecurityAdvisory(getClient GetClientFn, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) {
 	return mcp.NewTool("get_global_security_advisory",
 			mcp.WithDescription(t("TOOL_GET_GLOBAL_SECURITY_ADVISORY_DESCRIPTION", "Get a global security advisory")),

pkg/github/security_advisories_test.go

@@ -241,3 +241,147 @@ func Test_GetGlobalSecurityAdvisory(t *testing.T) {
 		})
 	}
 }
+
+func Test_ListRepositorySecurityAdvisories(t *testing.T) {
+	// Verify tool definition once
+	mockClient := github.NewClient(nil)
+	tool, _ := ListRepositorySecurityAdvisories(stubGetClientFn(mockClient), translations.NullTranslationHelper)
+
+	assert.Equal(t, "list_repository_security_advisories", tool.Name)
+	assert.NotEmpty(t, tool.Description)
+	assert.Contains(t, tool.InputSchema.Properties, "owner")
+	assert.Contains(t, tool.InputSchema.Properties, "repo")
+	assert.Contains(t, tool.InputSchema.Properties, "direction")
+	assert.Contains(t, tool.InputSchema.Properties, "sort")
+	assert.Contains(t, tool.InputSchema.Properties, "state")
+	assert.ElementsMatch(t, tool.InputSchema.Required, []string{"owner", "repo"})
+
+	// Local endpoint pattern for repository security advisories
+	var GetReposSecurityAdvisoriesByOwnerByRepo = mock.EndpointPattern{
+		Pattern: "/repos/{owner}/{repo}/security-advisories",
+		Method:  "GET",
+	}
+
+	// Setup mock advisories for success cases
+	adv1 := &github.SecurityAdvisory{
+		GHSAID:      github.Ptr("GHSA-1111-1111-1111"),
+		Summary:     github.Ptr("Repo advisory one"),
+		Description: github.Ptr("First repo advisory."),
+		Severity:    github.Ptr("high"),
+	}
+	adv2 := &github.SecurityAdvisory{
+		GHSAID:      github.Ptr("GHSA-2222-2222-2222"),
+		Summary:     github.Ptr("Repo advisory two"),
+		Description: github.Ptr("Second repo advisory."),
+		Severity:    github.Ptr("medium"),
+	}
+
+	tests := []struct {
+		name               string
+		mockedClient       *http.Client
+		requestArgs        map[string]interface{}
+		expectError        bool
+		expectedAdvisories []*github.SecurityAdvisory
+		expectedErrMsg     string
+	}{
+		{
+			name: "successful advisories listing (no filters)",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					GetReposSecurityAdvisoriesByOwnerByRepo,
+					expect(t, expectations{
+						path:        "/repos/owner/repo/security-advisories",
+						queryParams: map[string]string{},
+					}).andThen(
+						mockResponse(t, http.StatusOK, []*github.SecurityAdvisory{adv1, adv2}),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"owner": "owner",
+				"repo":  "repo",
+			},
+			expectError:        false,
+			expectedAdvisories: []*github.SecurityAdvisory{adv1, adv2},
+		},
+		{
+			name: "successful advisories listing with filters",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					GetReposSecurityAdvisoriesByOwnerByRepo,
+					expect(t, expectations{
+						path: "/repos/octo/hello-world/security-advisories",
+						queryParams: map[string]string{
+							"direction": "desc",
+							"sort":      "updated",
+							"state":     "published",
+						},
+					}).andThen(
+						mockResponse(t, http.StatusOK, []*github.SecurityAdvisory{adv1}),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"owner":     "octo",
+				"repo":      "hello-world",
+				"direction": "desc",
+				"sort":      "updated",
+				"state":     "published",
+			},
+			expectError:        false,
+			expectedAdvisories: []*github.SecurityAdvisory{adv1},
+		},
+		{
+			name: "advisories listing fails",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					GetReposSecurityAdvisoriesByOwnerByRepo,
+					expect(t, expectations{
+						path:        "/repos/owner/repo/security-advisories",
+						queryParams: map[string]string{},
+					}).andThen(
+						mockResponse(t, http.StatusInternalServerError, map[string]string{"message": "Internal Server Error"}),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"owner": "owner",
+				"repo":  "repo",
+			},
+			expectError:    true,
+			expectedErrMsg: "failed to list repository security advisories",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			client := github.NewClient(tc.mockedClient)
+			_, handler := ListRepositorySecurityAdvisories(stubGetClientFn(client), translations.NullTranslationHelper)
+
+			request := createMCPRequest(tc.requestArgs)
+
+			result, err := handler(context.Background(), request)
+
+			if tc.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.expectedErrMsg)
+				return
+			}
+
+			require.NoError(t, err)
+
+			textContent := getTextResult(t, result)
+
+			var returnedAdvisories []*github.SecurityAdvisory
+			err = json.Unmarshal([]byte(textContent.Text), &returnedAdvisories)
+			assert.NoError(t, err)
+			assert.Len(t, returnedAdvisories, len(tc.expectedAdvisories))
+			for i, advisory := range returnedAdvisories {
+				assert.Equal(t, *tc.expectedAdvisories[i].GHSAID, *advisory.GHSAID)
+				assert.Equal(t, *tc.expectedAdvisories[i].Summary, *advisory.Summary)
+				assert.Equal(t, *tc.expectedAdvisories[i].Description, *advisory.Description)
+				assert.Equal(t, *tc.expectedAdvisories[i].Severity, *advisory.Severity)
+			}
+		})
+	}
+}

pkg/github/tools.go

@@ -163,6 +163,7 @@ func DefaultToolsetGroup(readOnly bool, getClient GetClientFn, getGQLClient GetG
 		AddReadTools(
 			toolsets.NewServerTool(ListGlobalSecurityAdvisories(getClient, t)),
 			toolsets.NewServerTool(GetGlobalSecurityAdvisory(getClient, t)),
+			toolsets.NewServerTool(ListRepositorySecurityAdvisories(getClient, t)),
 		)
 
 	// Keep experiments alive so the system doesn't error out when it's always enabled