
mcp-security-scans

by mcp-research

Overview

Automates the discovery, forking, and enablement of GitHub Advanced Security (GHAS) features on MCP (Model Context Protocol) server repositories, and generates comprehensive security reports.

Installation

Run Command
python -m src.process_mcp_repos

Environment Variables

  • GH_APP_ID
  • GH_APP_PRIVATE_KEY
  • GITHUB_TOKEN

Security Notes

The AppInstallationAuthStrategy in `src/github.py` uses a hardcoded `installation_id=65023400`. This is a critical security and usability flaw: authentication only works if the GitHub App is installed on the target organization under that specific installation ID, so the script is tied to one deployment and cannot be reused safely elsewhere.

Additionally, `clone_repository` in `src/github.py` uses `subprocess.run` with `curl -L` and `tar -xvf` to download and extract tarballs from external GitHub URLs. While `libmagic` is used for basic file type verification, following redirects (`-L`) and extracting archives fetched from external sources is a significant supply chain risk: a compromised source repository could lead to arbitrary code execution on the system running the script.

The script also requires extensive `Read & Write` GitHub App permissions, which amplifies the impact of any vulnerability in the script or of a credential compromise.

Stats

  • Interest Score: 20
  • Security Score: 4
  • Cost Class: High
  • Avg Tokens: 15
  • Stars: 1
  • Forks: 1
  • Last Update: 2026-01-01

Tags

GitHub, Security, Automation, GHAS, Python, Repository Management