Skip to content

Document optional GitHub MCP security scanning integration #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Copilot wants to merge 3 commits into from
+59 −0
Closed

Document optional GitHub MCP security scanning integration #72

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cb582a8
Initial plan
Copilot May 13, 2026
05fa153
Document MCP security scanning recommendation
Copilot May 13, 2026
fa647a0
Merge branch 'main' into copilot/add-secret-scanning-feature
davidslater May 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ Threat Detection component for [GitHub Agentic Workflows](https://github.com/git
- [Quick Start](#quick-start)
- [Overview](#overview)
- [Guardrails and Security Considerations](#guardrails-and-security-considerations)
- [Optional GitHub MCP Security Scanning](#optional-github-mcp-security-scanning)
- [Usage](#usage)
- [Stage Status and Decisions](#stage-status-and-decisions)
- [Private Container Release Setup](#private-container-release-setup)
Expand Down Expand Up @@ -46,6 +47,44 @@ This project is designed to help reduce risk when running AI agent workflows by

Do not treat a "safe" result as a security guarantee. Use the output as one signal in a broader security review process.

## Optional GitHub MCP Security Scanning

GitHub MCP secret scanning and dependency scanning are a good defense-in-depth
fit for the threat detection pipeline, but they should stay outside the
detector binary/container. The detector should continue to operate on artifacts
without direct GitHub network access, while the parent `gh-aw` orchestration can
optionally run MCP validation before invoking `threat-detect`.

Recommended integration:

1. Add an orchestrator-owned MCP validation phase before AI-backed detection.
2. Run GitHub MCP secret scanning for the current changes when the repository
has Secret Protection enabled. Treat confirmed secret findings as blocking by
default because safe outputs should not proceed with exposed credentials.
3. Run GitHub MCP dependency scanning as an opt-in or warn-only check while the
tool remains in public preview. Allow repositories to promote it to blocking
once the signal and tool availability are acceptable for their workflow.
4. Normalize MCP results into optional detector artifacts such as
`mcp-security/secret-scanning.json` and
`mcp-security/dependency-scanning.json`, and include a concise summary in the
detector prompt so the AI analysis can correlate scanner findings with
prompt-injection and malicious-patch context.
5. If the MCP server or required repository features are unavailable, continue
with the existing detector unless the workflow explicitly configured that
scanner as required.

Tradeoffs:

- **Pros:** uses GitHub-native detectors, honors existing push-protection
customization, catches deterministic secret/dependency findings before model
review, and gives the detector structured evidence to reason about.
- **Cons:** requires MCP server/toolset availability and GitHub feature
enablement, introduces additional token/network dependencies in the
orchestrator job, and dependency scanning is still preview-quality.

This keeps the detector's no-network/container-isolation posture intact while
making MCP security scans an optional pre-validation layer in `gh-aw`.

## Usage

### CLI
Expand Down Expand Up @@ -104,6 +143,9 @@ Production AI-backed detection requires the selected engine CLI and its authenti
├── aw_info.json # Activation metadata (optional)
├── aw-*.patch # Git format-patch files (optional)
├── aw-*.bundle # Git bundle files (optional)
├── mcp-security/ # GitHub MCP scanner results (optional)
│ ├── secret-scanning.json
│ └── dependency-scanning.json
├── experiments/ # Experiment assignment/state files (optional)
└── comment-memory/ # Agent comment memory (optional)
└── *.md
Expand Down
17 changes: 17 additions & 0 deletions specs/threat-detection-spec.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,20 @@ threat-detection:
uses: trufflesecurity/trufflehog@main
```

**TD-07a**: GitHub MCP security scanning SHOULD be an optional
orchestrator-owned pre-validation phase, not a requirement inside the detector
container. Implementations SHOULD run GitHub MCP secret scanning before
AI-backed detection when Secret Protection is enabled and SHOULD fail closed on
confirmed secret findings unless the workflow explicitly configures warn-only
behavior. Implementations MAY run GitHub MCP dependency scanning as an opt-in or
warn-only check while the tool remains in public preview, with a repository
option to make findings blocking.

MCP scanner outputs SHOULD be normalized into optional artifacts under
`mcp-security/` and summarized for the detector prompt. Missing MCP server
support, disabled repository features, or unavailable toolsets SHOULD NOT block
the existing detector unless the scanner is explicitly configured as required.

---

## 5. Detection Output
Expand Down Expand Up @@ -167,6 +181,9 @@ MUST NOT allow Phase 1 to conclude safe.
├── agent_output.json # Agent structured output
├── aw-*.patch # Git format-patch files (optional)
├── aw-*.bundle # Git bundle files (optional)
├── mcp-security/ # GitHub MCP scanner results (optional)
│ ├── secret-scanning.json
│ └── dependency-scanning.json
└── comment-memory/ # Agent comment memory (optional)
└── *.md
```
Expand Down
Loading