copilot-security-instructions
Verified Safe
by Robotti-io
Overview
This MCP server provides a toolkit of security-focused prompts and instructions to guide GitHub Copilot towards secure coding practices, helping developers identify and mitigate security risks.
Installation
npm start
Environment Variables
- server.port
- server.hostname
- server.ssl
- server.ssl.pfx
- server.ssl.pfx.passphrase
- logger.transports.console.enabled
- logger.transports.console.level
- logger.transports.amqp.enabled
- logger.transports.amqp.level
- logger.transports.amqp.exchange
- logger.transports.amqp.hostname
- logger.transports.amqp.port
- logger.transports.amqp.username
- logger.transports.amqp.password
- logger.transports.amqp.vhost
- logger.transports.amqp.heartbeat
- logger.transports.amqp.locale
- logger.transports.amqp.type
- logger.transports.amqp.durable
Security Notes
The server is an Express.js application that delegates core Model Context Protocol (MCP) handling to `@modelcontextprotocol/sdk`. Input validation for retrieving prompts (the `get_prompt` tool) uses `zod` with `z.enum(Object.keys(prompts))`, which restricts the requested name to the known prompt keys and so prevents path traversal and arbitrary file reads, a strong security practice. Sensitive configuration such as AMQP credentials and the SSL PFX passphrase is sourced from environment variables, which is appropriate. The `reqInfo` middleware logs the full `req.body`, which could expose sensitive data in logs if the logger is enabled and misconfigured. However, console and AMQP logging are disabled by default. No `eval` or other direct code execution vulnerabilities were found in the provided server code.
Similar Servers
ggmcp
The GitGuardian Developer MCP Server provides AI agents with tools to detect and remediate secret incidents in code, manage honeytokens for security monitoring, and handle incident management within a developer workflow.
copilot-kit
This repository provides a curated collection of GitHub Copilot prompts, instructions, and agent configurations to enhance developer productivity and streamline common development tasks within VS Code.
athena-protocol
This server acts as an AI tech lead, providing expert validation, impact analysis, and strategic guidance to AI coding agents before code changes are made.
mcp-fortress
Provides automated security scanning, runtime protection, and vulnerability detection for Model Context Protocol (MCP) servers and AI agent tools within developer environments.