Add Global Security Advisories Toolset #919
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR adds a new security advisories toolset to the GitHub MCP Server, providing tools to query GitHub's global security advisories to help users find vulnerabilities in their dependencies and discover patched versions.
- Introduces two new tools:
list_global_security_advisoriesfor querying advisories with filters, andget_global_security_advisoryfor retrieving specific advisories by ID - Adds comprehensive test coverage for both new tools including success and error scenarios
- Updates documentation to include the new security advisories toolset
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/github/tools.go | Registers the new security_advisories toolset with the DefaultToolsetGroup |
| pkg/github/security_advisories.go | Implements the two security advisory tools with parameter validation and GitHub API integration |
| pkg/github/security_advisories_test.go | Provides comprehensive test coverage for both tools including mock API responses |
| README.md | Documents the new security advisories tools and their parameters |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
jurre
force-pushed
the
jurre/security-advisories
branch
5 times, most recently
from
3e79c93 to
8b15c86
Compare
jurre
force-pushed
the
jurre/security-advisories
branch
from
8b15c86 to
ea3f02b
Compare
tommaso-moro
requested changes
Aug 21, 2025
There was a problem hiding this comment.
Lgtm but I think it would be good to make the type param optional in the ListGlobalSecurityAdvisories tool, as per the endpoint docs
jurre
force-pushed
the
jurre/security-advisories
branch
from
ea3f02b to
64030f7
Compare
ipapapa
pushed a commit
to ipapapa/github-mcp-server
that referenced
this pull request
Aug 28, 2025
LuluBeatson
added a commit
that referenced
this pull request
Sep 4, 2025
* docs: Add Google Gemini CLI installation guide and integration - Add comprehensive installation guide for Google Gemini CLI - Include Docker and binary configuration options - Add authentication setup for Gemini API and Vertex AI - Update main README.md to include Gemini CLI in installation guides - Update installation guides index with Gemini CLI entry and support matrix - Follow established documentation patterns and security best practices * Fix Gemini CLI command syntax and add remote server method - Replace all 'gemini-cli' commands with correct 'gemini' syntax - Fix verification commands to use '/mcp list' and '/tools' prompts - Add httpUrl remote server method as primary configuration option - Update config file paths from settings.json to config.json - Correct npx installation command syntax - Add link to official Gemini CLI documentation Addresses feedback from soisyourface in PR review. * Emphasize official Gemini CLI documentation link Reduce detailed installation steps and direct users to official docs for up-to-date instructions, addressing reviewer feedback about maintainability. * Fix Gemini CLI configuration file name: config.json -> settings.json The correct configuration file for Gemini CLI is settings.json, not config.json. This applies to both global (~/.gemini/settings.json) and project-specific (.gemini/settings.json) configurations as confirmed by official documentation. * Remove Gemini CLI installation and authentication sections Removed lines 11-41 containing Gemini CLI installation commands and authentication setup instructions. * Add Podman as Docker alternative in prerequisites Added Podman as container engine option alongside Docker. * Remove references to deprecated npm package * Add comprehensive ~/.gemini/.env file example * Fix authorization header to use literal token placeholder Environment variable substitution in headers is not yet supported by Gemini CLI (see google-gemini/gemini-cli#5282). * Add issue types (#869) * feat: add type to issues * test: add `type` test for create and update issues * Generate docs and toolsnaps * Update pkg/github/issues.go Co-authored-by: Copilot <[email protected]> * Use github ptr --------- Co-authored-by: Pranav RK <[email protected]> Co-authored-by: Pranav RK <[email protected]> Co-authored-by: Alon Kenneth <[email protected]> Co-authored-by: Copilot <[email protected]> * Enable Dependabot (#654) * Create/Update dependabot.yaml * Apply suggestion from @Copilot Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * Bump SDK version to 0.36.0 (#863) * Use server.ServerResourceTemplate and server.ServerPrompt wrappers (#886) * Update "Close inactive issues" workflow to close issues after 180 days of inactivity (#909) * update PR_DAYS_BEFORE_STALE * update to mark as stale after 60 days * Update Claude MCP install guide after testing (#706) * Revise Claude installation guide - Verified Claude Code installation steps - Identified and documented issues with Claude Desktop setup - Updated installation documentation based on testing * Revise instructions for opening Claude Code Updated recommendations for opening Claude Code. * Update docs/installation-guides/install-claude.md Co-authored-by: Copilot <[email protected]> * Update docs/installation-guides/install-claude.md Co-authored-by: Copilot <[email protected]> * Update installation guide for Claude setup Added installation option for using Claude Code using a release binary. * Change section title for Go Binary installation Updated section title for clarity regarding installation without Docker. * Close double quote in bash command --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: LuluBeatson <[email protected]> Co-authored-by: Matt Holloway <[email protected]> Co-authored-by: Tommaso Moro <[email protected]> * Add actions job log buffer and profiler (#866) * add sliding window for actions logs * refactor: fix sliding * remove trim content * only use up to 1mb of memory for logs * update to tail lines in second pass * add better memory usage calculation * increase window size to 5MB * update test * update vers * undo vers change * add incremental memory tracking * use ring buffer * remove unused ctx param * remove manual GC clear * fix cca feedback * extract ring buffer logic to new package * handle log content processing errors and use correct param for maxjobloglines * fix tailing * account for if tailLines exceeds window size * add profiling thats reusable * remove profiler testing * refactor profiler: introduce safeMemoryDelta for accurate memory delta calculations * linter fixes * Update pkg/buffer/buffer.go Co-authored-by: Copilot <[email protected]> * use flag for maxJobLogLines * add param passing for context window size * refactor: rename contextWindowSize to contentWindowSize for consistency * fix: use tailLines if bigger but only if <= 5000 * fix: limit tailLines to a maximum of 500 for log content download * Update cmd/github-mcp-server/main.go Co-authored-by: Adam Holt <[email protected]> * Update cmd/github-mcp-server/main.go Co-authored-by: Adam Holt <[email protected]> * move profiler to internal/ * update actions test with new profiler location * fix: adjust buffer size limits * make line buffer 1028kb * fix mod path * change test to use same buffer size as normal use * improve test for non-sliding window implementation to not count empty lines * make test memory measurement more accurate * remove impossible conditional --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: Adam Holt <[email protected]> * Add get_release_by_tag tool (#938) * add get_release_by_tag tool * add tool * add tests * autogen * remove comment * docs(readme): Update readme to point to correct installation guides index (#892) * docs(readme): Update readme to point to correct installation guides index * feat(contributors): add list_repository_contributors tool * Revert "feat(contributors): add list_repository_contributors tool" This reverts commit ece480e. --------- Co-authored-by: Tommaso Moro <[email protected]> * Add Global Security Advisories Toolset (#919) * Repository security advisories (#925) * Add support for listing repo level security advisories * Add support for listing repo security advisories at the org level * Update Cursor installation link (#940) * use new link * update local install link * Change role from "system" to "user" in prompt messages for `AssignCodingAgentPrompt` and `IssueToFixWorkflowPrompt`. Role "system" is not allowed by Claude Code in MCP provided prompt (allowed only role "user" and "assistant") (#941) Co-authored-by: 0xGosu <[email protected]> * Local MCP is supported * Refactor Gemini CLI install guide * Remove Bearer from Authorization header * Add reference to main README for latest config * Bearer needed for headers, add references * Add minimal response to CRUD tools, `repositories` and `search` toolsets (#988) * add comprehensive minimal response where appropriate * remove unneeded comments * remove incorrect diff param * update docs * rm comment * Update pkg/github/repositories.go Co-authored-by: Lulu <[email protected]> * update toolsnaps and docs * change minimal_output to use new OptionalBoolParamWithDefault * Update pkg/github/repositories.go Co-authored-by: Lulu <[email protected]> * refactor minimal conversion funcs to minimal_types.go * consolidate response structs and remove unneeded message field * consolidate response further * remove CloneURL field * Update pkg/github/repositories.go Co-authored-by: Copilot <[email protected]> * Update pkg/github/server.go Co-authored-by: Copilot <[email protected]> * fix undefined * change incorrect comment * remove old err var declaration * Update pkg/github/repositories.go Co-authored-by: Copilot <[email protected]> * fix syntax issue * update toolsnaps --------- Co-authored-by: Lulu <[email protected]> Co-authored-by: Copilot <[email protected]> * initial org repo create support (#1023) --------- Co-authored-by: JoannaaKL <[email protected]> Co-authored-by: Pranav RK <[email protected]> Co-authored-by: Pranav RK <[email protected]> Co-authored-by: Alon Kenneth <[email protected]> Co-authored-by: Copilot <[email protected]> Co-authored-by: Zack Koppert <[email protected]> Co-authored-by: Ksenia Bobrova <[email protected]> Co-authored-by: Tommaso Moro <[email protected]> Co-authored-by: Dimitrios Philliou <[email protected]> Co-authored-by: LuluBeatson <[email protected]> Co-authored-by: Matt Holloway <[email protected]> Co-authored-by: Adam Holt <[email protected]> Co-authored-by: Rebecca Biju <[email protected]> Co-authored-by: Jurre <[email protected]> Co-authored-by: 0xGosu <[email protected]> Co-authored-by: Lulu <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implements the Global Security Advisories tool, pulling from these endpoints, this allows users to query for vulnerabilities in their dependencies and figure out patched versions.
I'll follow this up with repo-level advisories as well, although I think for most use-cases users would probably want to use the existing Dependabot Alerts tool.
Addresses part of: #684