
ghas

MCP Server for GitHub Advanced Security

Installation
Run this command in your terminal to add the MCP server to Claude Code:
claude mcp add --transport stdio rajbos-ghas-mcp-server npx -y @rajbos/ghas-mcp-server \
  --env GITHUB_PERSONAL_ACCESS_TOKEN_USE_GHCLI="true"

How to use

The ghas-mcp-server is a specialized MCP server that exposes three GitHub Advanced Security (GHAS) tools as MCP commands: list_dependabot_alerts, list_secret_scanning_alerts, and list_code_scanning_alerts. Each tool queries a single repository and returns that repository's Dependabot alerts, secret scanning alerts, or code scanning alerts respectively.

When configured in an MCP client, the server is launched via npx from the @rajbos/ghas-mcp-server package. It authenticates to GitHub either with a personal access token (PAT) supplied in the environment or, when GITHUB_PERSONAL_ACCESS_TOKEN_USE_GHCLI is set to "true", by reusing the credentials of an already authenticated GitHub CLI (gh).

The server reads GHAS data from the repositories your account and organization can see, so give the PAT (or the gh login) only the read-only permissions needed for the target repositories, and make sure you are operating in the correct organization context. The data it returns is itself sensitive: secret scanning alerts in particular tell you where leaked credentials live, so the token and the client that receives the results deserve the same care as the alerts themselves.

The tools are exposed as MCP operations you invoke through your MCP client; they return structured results suitable for display or for downstream automation.
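The "downstream automation" the tools enable usually means turning three alert lists into one decision. The following is an added example, not code from the ghas-mcp-server project: it takes the structured results of the three tools and produces a summary plus a block/allow gate. It assumes the tools return GitHub's REST API alert objects unchanged, so the field names (state, security_advisory.severity, rule.security_severity_level, validity) are the REST API's; the page does not state this. The three payloads are constructed samples and describe no real repository.

```python
"""Triage the structured results of the three ghas-mcp-server tools.

Added example, not part of the ghas-mcp-server project. Assumes each tool
returns GitHub REST API alert objects unchanged (field names below follow
the REST API). All sample payloads are constructed for illustration."""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample: what list_dependabot_alerts might return for one repo.
DEPENDABOT_ALERTS = [
    {"number": 7, "state": "open",
     "security_advisory": {"severity": "critical", "summary": "Remote code execution"},
     "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg-a"}}},
    {"number": 8, "state": "dismissed",
     "security_advisory": {"severity": "high", "summary": "Denial of service"},
     "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg-b"}}},
    {"number": 9, "state": "open",
     "security_advisory": {"severity": "low", "summary": "Information disclosure"},
     "dependency": {"package": {"ecosystem": "pip", "name": "example-pkg-c"}}},
]

# Constructed sample: list_secret_scanning_alerts. "validity" is GitHub's
# check of whether the leaked secret still works.
SECRET_ALERTS = [
    {"number": 3, "state": "open", "secret_type": "github_personal_access_token",
     "validity": "active", "push_protection_bypassed": True},
    {"number": 4, "state": "resolved", "secret_type": "slack_api_token",
     "resolution": "revoked", "validity": "inactive", "push_protection_bypassed": False},
]

# Constructed sample: list_code_scanning_alerts. security_severity_level is
# None for quality-only rules that carry no security rating.
CODE_ALERTS = [
    {"number": 12, "state": "open",
     "rule": {"id": "js/sql-injection", "severity": "error", "security_severity_level": "high"}},
    {"number": 13, "state": "fixed",
     "rule": {"id": "js/unused-local-variable", "severity": "note", "security_severity_level": None}},
    {"number": 14, "state": "open",
     "rule": {"id": "js/log-injection", "severity": "warning", "security_severity_level": "medium"}},
]


def _rank(level):
    """Map a GitHub severity string (or None) to a comparable integer; unknown -> 0."""
    return SEVERITY_RANK.get(level or "", 0)


def open_dependabot(alerts, min_severity="high"):
    """Open Dependabot alerts at or above min_severity, most severe first.
    Dismissed, fixed and auto_dismissed alerts are ignored."""
    hits = [a for a in alerts
            if a["state"] == "open"
            and _rank(a["security_advisory"]["severity"]) >= SEVERITY_RANK[min_severity]]
    return sorted(hits, key=lambda a: -_rank(a["security_advisory"]["severity"]))


def live_secrets(alerts):
    """Open secret scanning alerts whose secret is still valid or of unknown validity.
    A missing validity field is treated as unknown, never as safe."""
    return [a for a in alerts
            if a["state"] == "open" and a.get("validity", "unknown") != "inactive"]


def open_code_findings(alerts, min_level="medium"):
    """Open code scanning alerts rated at or above min_level on the security scale.
    Rules with no security_severity_level (quality rules) never match."""
    return [a for a in alerts
            if a["state"] == "open"
            and _rank(a["rule"].get("security_severity_level")) >= SEVERITY_RANK[min_level]]


def triage(dependabot, secrets, code):
    """Combine the three tool results into a summary and a gate decision: block on
    any live secret, any open critical/high dependency alert, or any open code
    scanning alert rated high or critical. Medium code findings only warn."""
    deps = open_dependabot(dependabot)
    secs = live_secrets(secrets)
    findings = open_code_findings(code)
    high_code = [a for a in findings
                 if _rank(a["rule"]["security_severity_level"]) >= SEVERITY_RANK["high"]]
    return {
        "dependabot_high_or_critical": [a["number"] for a in deps],
        "live_secrets": [a["number"] for a in secs],
        "code_medium_or_above": [a["number"] for a in findings],
        "block": bool(deps or secs or high_code),
    }


if __name__ == "__main__":
    for key, value in triage(DEPENDABOT_ALERTS, SECRET_ALERTS, CODE_ALERTS).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately asymmetric: a secret that GitHub still reports as valid (or cannot check) blocks regardless of anything else, because revocation is the only fix, while medium code findings are surfaced without blocking. Adjust the floors to your own policy; the point is that the three alert types have different state vocabularies (open/dismissed/fixed vs. open/resolved) and different severity fields, and a triage step has to handle each one explicitly.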

How to install

Prerequisites:

  • Node.js and npm installed on your machine (Node.js 14+ recommended).
  • Access to a GitHub account with a PAT (read-only scopes) or have the GitHub CLI installed and authenticated.

Installation steps:

  1. Install dependencies (only needed when running from a local checkout of the repository; if you use the published package via npx, skip to step 3):
    • Ensure npm is available and run: npm install
  2. Build the server (if you're developing locally):
    • npm run build
  3. Run or configure the MCP server in your VS Code MCP environment using the provided configuration snippet, which references the ghas-mcp-server package via npx:

        {
          "mcp": { "inputs": [] },
          "servers": {
            "ghas-mcp-server": {
              "command": "npx",
              "args": ["-y", "@rajbos/ghas-mcp-server"],
              "env": { "GITHUB_PERSONAL_ACCESS_TOKEN_USE_GHCLI": "true" }
            }
          }
        }

  4. If you prefer using a Personal Access Token (PAT) instead of the GH CLI, set it as an environment variable in the same server block, in place of GITHUB_PERSONAL_ACCESS_TOKEN_USE_GHCLI:
    • "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "<your_pat>" }
    A token written into a config file this way sits in plaintext and is easy to commit by accident; if the file lives inside a repository, keep it out of version control, or use the gh CLI route so no token is stored in the file at all.
  5. Start the MCP environment and confirm the server is loaded; you can then invoke the three tools via your MCP client (see How to use above) or test locally using the example paths from the README.

Additional notes

Tips and common issues:

  • Give the PAT only the read permissions the three tools need. For a fine-grained PAT that means read-only access to Dependabot alerts, Code scanning alerts and Secret scanning alerts on just the repositories you intend to query; for a classic PAT the security_events scope covers all three alert types, and the far broader repo scope is not required.
  • If using the GH CLI route, make sure gh is authenticated with gh auth login before starting the MCP server.
  • When using npx, the package is fetched from the registry and executed at runtime, so "-y" runs whatever version is current at launch; pin an explicit version in the args (for example @rajbos/ghas-mcp-server@<version>) if you want reproducible behaviour, and if you have network restrictions, use a local build or npm install workflow instead.
  • For local testing, the README provides a local-dist path example; adjust paths to your environment if you build locally.
  • If you encounter permission or API rate limit issues, verify token scopes and GitHub API access from the host running the MCP server.
  • The three tools expect a repository context; ensure you pass the correct owner/repo parameters when invoking each tool.
