Document optional GitHub MCP security scanning integration#72

Closed

Copilot wants to merge 3 commits into main from copilot/add-secret-scanning-feature

Document optional GitHub MCP security scanning integration#72
Copilot wants to merge 3 commits into
mainfrom
copilot/add-secret-scanning-feature

Conversation

Contributor

Copilot AI commented May 13, 2026

✨ Enhancement

GitHub MCP now supports secret scanning generally and dependency scanning in preview, creating an opportunity to add scanner-backed validation to the threat detection pipeline. This PR documents how to integrate those capabilities without weakening the detector’s current isolation model.

  • Recommendation

    • Add MCP security scanning as an optional gh-aw orchestration pre-validation phase.
    • Keep the detector binary/container focused on artifact analysis and free of direct GitHub network dependencies.
    • Treat MCP secret scanning findings as blocking by default when Secret Protection is enabled.
    • Start MCP dependency scanning as opt-in or warn-only while the capability remains in preview.
  • Artifact contract

    • Documents optional normalized MCP scanner outputs:
      mcp-security/
      ├── secret-scanning.json
      └── dependency-scanning.json
      
  • Specification

    • Adds TD-07a covering MCP scanner ownership, blocking behavior, preview dependency-scanning posture, and fallback behavior when MCP tooling is unavailable.
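The description above fixes the policy (secret-scanning findings block when Secret Protection is on, dependency scanning stays opt-in or warn-only in preview, and a missing scanner must fall back rather than fail) but not how an orchestrator turns the two artifact files into a verdict. The following is an added illustration of that pre-validation phase, not gh-aw's own code or the detector's. It assumes a hypothetical JSON layout for the two files (`{"findings": [{"rule", "severity", "path"}]}`), and the `Policy`, `evaluate` and `evaluate_dir` names are inventions for this example.

```python
"""Orchestrator-side gate over the optional mcp-security/ artifacts.

Added example, not gh-aw's own code. The JSON layout it reads is an
assumption: each file holds {"findings": [{"rule": str, "severity": str,
"path": str}]}. Matched secret values are never carried into this gate.
"""
import json
import sys
from dataclasses import dataclass, field
from pathlib import Path

BLOCK, WARN, SKIP, PASS = "block", "warn", "skip", "pass"


@dataclass
class Policy:
    # Secret Protection enabled => secret-scanning findings block by default.
    secret_protection_enabled: bool = True
    # Dependency scanning is in preview: "off", "warn" (default) or "block".
    dependency_mode: str = "warn"


@dataclass
class GateResult:
    verdict: str
    reasons: list = field(default_factory=list)


def load_findings(path):
    """Parse one scanner artifact; None means the scanner was unavailable."""
    try:
        data = json.loads(Path(path).read_text())
    except (OSError, ValueError):
        return None
    findings = data.get("findings") if isinstance(data, dict) else None
    return findings if isinstance(findings, list) else None


def _describe(finding):
    # Report rule and location only; never echo a matched secret value.
    return f"{finding.get('rule', '?')} at {finding.get('path', '?')}"


def evaluate(secret_findings, dependency_findings, policy):
    """Combine both scanners into one verdict.

    Precedence is block > warn > skip > pass: "skip" means at least one
    active scanner did not run, so the orchestrator should fall back to the
    detector's own verdict instead of treating the run as clean.
    """
    verdicts, reasons = [], []

    # --- secret scanning --------------------------------------------------
    if secret_findings is None:
        verdicts.append(SKIP)
        reasons.append("secret scanning unavailable; detector verdict stands")
    elif secret_findings:
        verdicts.append(BLOCK if policy.secret_protection_enabled else WARN)
        reasons.extend(f"secret: {_describe(f)}" for f in secret_findings)
    else:
        verdicts.append(PASS)

    # --- dependency scanning (preview) -------------------------------------
    if policy.dependency_mode == "off":
        pass  # opt-out: the artifact is ignored entirely
    elif dependency_findings is None:
        verdicts.append(SKIP)
        reasons.append("dependency scanning unavailable (preview)")
    elif dependency_findings:
        verdicts.append(BLOCK if policy.dependency_mode == "block" else WARN)
        reasons.extend(f"dependency: {_describe(f)}" for f in dependency_findings)
    else:
        verdicts.append(PASS)

    verdict = next(v for v in (BLOCK, WARN, SKIP, PASS) if v in verdicts)
    return GateResult(verdict, reasons)


def evaluate_dir(artifact_dir, policy):
    """Read mcp-security/secret-scanning.json and dependency-scanning.json."""
    base = Path(artifact_dir)
    return evaluate(load_findings(base / "secret-scanning.json"),
                    load_findings(base / "dependency-scanning.json"), policy)


if __name__ == "__main__":
    # Constructed sample input: one token finding and one vulnerable dependency.
    secret = [{"rule": "github_pat", "severity": "high", "path": "config/.env"}]
    deps = [{"rule": "GHSA-placeholder", "severity": "medium",
             "path": "package-lock.json"}]
    result = evaluate(secret, deps, Policy())
    print(result.verdict, *result.reasons, sep="\n  ")
    sys.exit(1 if result.verdict == BLOCK else 0)
```

Two design choices matter here. An unreadable or absent artifact yields `None` rather than an empty list, so "the scanner did not run" and "the scanner ran and found nothing" are never confused; and the gate only ever reports rule names and paths, so a blocking verdict in a workflow log does not itself leak the secret that triggered it.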

Copilot AI linked an issue May 13, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Add secret scanning to GitHub MCP Document optional GitHub MCP security scanning integration May 13, 2026
Copilot AI requested a review from davidslater May 13, 2026 21:17
@davidslater davidslater marked this pull request as ready for review May 13, 2026 21:23
Copilot AI review requested due to automatic review settings May 13, 2026 21:23
Contributor

Copilot AI left a comment

Pull request overview

Documentation-only PR adding guidance for an optional GitHub MCP security scanning integration as an orchestrator-owned pre-validation phase, while preserving the detector container's network-isolation posture.

Changes:

  • Adds a new "Optional GitHub MCP Security Scanning" section to README with recommended integration steps and tradeoffs.
  • Adds spec requirement TD-07a covering MCP scanner ownership, blocking behavior, preview posture for dependency scanning, and fallback behavior.
  • Documents an optional mcp-security/ artifact directory in both README and spec artifact layouts.
File: specs/threat-detection-spec.md
Description: Adds TD-07a requirement and mcp-security/ entry in artifact tree

File: README.md
Description: Adds TOC entry, new section describing MCP scanning integration, and mcp-security/ artifact entry

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

Development

Successfully merging this pull request may close these issues.

security scanning