copilot-security-instructions
Verified Safe by Robotti-io
Overview
This MCP server provides a toolkit to guide GitHub Copilot toward secure coding practices by offering customizable security-focused prompts and agents for integration into development workflows.
Installation
`npm start`
Environment Variables
- server.port
- server.hostname
- server.ssl
- server.ssl.pfx
- server.ssl.pfx.passphrase
- logger.transports.console.enabled
- logger.transports.console.level
- logger.transports.amqp.enabled
- logger.transports.amqp.level
- logger.transports.amqp.hostname
- logger.transports.amqp.port
- logger.transports.amqp.username
- logger.transports.amqp.password
- logger.transports.amqp.exchange
- logger.transports.amqp.vhost
- logger.transports.amqp.heartbeat
- logger.transports.amqp.locale
- logger.transports.amqp.type
- logger.transports.amqp.durable
Security Notes
The server demonstrates a strong intent for security by focusing on secure coding practices and using `zod` for input schema validation (e.g., prompt names). However, there are critical security concerns regarding default configurations and logging practices:
1) The `reqInfo` middleware captures the entire `req.body` for every request to the `/mcp` POST endpoint, and that body is then logged by default via `logger.info`. If sensitive data is included in JSON-RPC requests, it ends up in the logs, which could lead to information leakage.
2) The `.env.example` file specifies a default `server.ssl.pfx.passphrase` of 'PFX_PASSPHRASE' and default AMQP credentials ('guest'/'guest'). Using these defaults in a production environment would be a severe security vulnerability. While the documentation notes that these values need customization, they represent insecure-by-default settings.
Similar Servers
ggmcp
A focused MCP server for developers, providing remediation tools for secrets detected in code and honeytoken management capabilities.
copilot-kit
Provides a curated collection of GitHub Copilot prompts, instructions, and configurations to enhance developer productivity and streamline AI-assisted programming workflows in VS Code.
athena-protocol
An intelligent MCP server that acts as an AI tech lead for coding agents, providing expert validation, impact analysis, and strategic guidance before code changes are made.
mcp-fortress
Provides automated security scanning, runtime protection, and vulnerability detection for Model Context Protocol (MCP) servers and AI agent tools within developer environments.