Add Global Security Advisories Toolset

Author: jurre

README.md

@@ -666,6 +666,29 @@ export GITHUB_MCP_TOOL_ADD_ISSUE_COMMENT_DESCRIPTION="an alternative description
     - `repo`: Repository name (string, required)
     - `prNumber`: Pull request number (string, required)
     - `path`: File or directory path (string, optional)
+    
+## Security Advisories
+
+- **`list_global_security_advisories`**
+  List global security advisories
+
+  - **Parameters**:
+    - * `ghsaId`: Filter by GitHub Security Advisory ID (string, optional – format: `GHSA-xxxx-xxxx-xxxx`)
+    - * `type`: Advisory type (string, optional – one of `reviewed`, `malware`, `unreviewed`)
+    - * `cveId`: Filter by CVE ID (string, optional)
+    - * `ecosystem`: Filter by package ecosystem (string, optional – one of `actions`, `composer`, `erlang`, `go`, `maven`, `npm`, `nuget`, `other`, `pip`, `pub`, `rubygems`, `rust`)
+    - * `severity`: Filter by severity (string, optional – one of `unknown`, `low`, `medium`, `high`, `critical`)
+    - * `cwes`: Filter by Common Weakness Enumeration IDs (array of strings, optional – e.g. `["79", "284", "22"]`)
+    - * `isWithdrawn`: Whether to only return withdrawn advisories (boolean, optional)
+    - * `affects`: Filter advisories by affected package or version (string, optional – e.g. `"package1,package2@1.0.0"`)
+    - * `published`: Filter by publish date or date range (string, optional – ISO 8601 date or range)
+    - * `updated`: Filter by update date or date range (string, optional – ISO 8601 date or range)
+    - * `modified`: Filter by publish or update date or date range (string, optional – ISO 8601 date or range)
+
+- **`get_global_security_advisory`**
+  Get a global security advisory
+
+  - **Template**: `advisories/{ghsaId}`
 
 ## Library Usage
 

pkg/github/security_advisories.go

@@ -0,0 +1,198 @@
+package github
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/github/github-mcp-server/pkg/translations"
+	"github.com/google/go-github/v72/github"
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+)
+
+func ListGlobalSecurityAdvisories(getClient GetClientFn, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) {
+	return mcp.NewTool("list_global_security_advisories",
+			mcp.WithDescription(t("TOOL_LIST_GLOBAL_SECURITY_ADVISORIES_DESCRIPTION", "List global security advisories from GitHub.")),
+			mcp.WithToolAnnotation(mcp.ToolAnnotation{
+				Title:        t("TOOL_LIST_GLOBAL_SECURITY_ADVISORIES_USER_TITLE", "List global security advisories"),
+				ReadOnlyHint: toBoolPtr(true),
+			}),
+			mcp.WithString("ghsaId",
+				mcp.Description("Filter by GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx)."),
+			),
+			mcp.WithString("type",
+				mcp.Description("Advisory type."),
+				mcp.Enum("reviewed", "malware", "unreviewed"),
+			),
+			mcp.WithString("cveId",
+				mcp.Description("Filter by CVE ID."),
+			),
+			mcp.WithString("ecosystem",
+				mcp.Description("Filter by package ecosystem."),
+				mcp.Enum("actions", "composer", "erlang", "go", "maven", "npm", "nuget", "other", "pip", "pub", "rubygems", "rust"),
+			),
+			mcp.WithString("severity",
+				mcp.Description("Filter by severity."),
+				mcp.Enum("unknown", "low", "medium", "high", "critical"),
+			),
+			mcp.WithArray("cwes",
+				mcp.Description("Filter by Common Weakness Enumeration IDs (e.g. [\"79\", \"284\", \"22\"])."),
+			),
+			mcp.WithBoolean("isWithdrawn",
+				mcp.Description("Whether to only return withdrawn advisories."),
+			),
+			mcp.WithString("affects",
+				mcp.Description("Filter advisories by affected package or version (e.g. \"package1,package2@1.0.0\")."),
+			),
+			mcp.WithString("published",
+				mcp.Description("Filter by publish date or date range (ISO 8601 date or range)."),
+			),
+			mcp.WithString("updated",
+				mcp.Description("Filter by update date or date range (ISO 8601 date or range)."),
+			),
+			mcp.WithString("modified",
+				mcp.Description("Filter by publish or update date or date range (ISO 8601 date or range)."),
+			),
+		), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+			client, err := getClient(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get GitHub client: %w", err)
+			}
+
+			ghsaID, err := OptionalParam[string](request, "ghsaId")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid ghsaId: %v", err)), nil
+			}
+
+			typ, err := OptionalParam[string](request, "type")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid type: %v", err)), nil
+			}
+
+			cveID, err := OptionalParam[string](request, "cveId")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid cveId: %v", err)), nil
+			}
+
+			eco, err := OptionalParam[string](request, "ecosystem")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid ecosystem: %v", err)), nil
+			}
+
+			sev, err := OptionalParam[string](request, "severity")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid severity: %v", err)), nil
+			}
+
+			cwes, err := OptionalParam[[]string](request, "cwes")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid cwes: %v", err)), nil
+			}
+
+			isWithdrawn, err := OptionalParam[bool](request, "isWithdrawn")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid isWithdrawn: %v", err)), nil
+			}
+
+			affects, err := OptionalParam[string](request, "affects")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid affects: %v", err)), nil
+			}
+
+			published, err := OptionalParam[string](request, "published")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid published: %v", err)), nil
+			}
+
+			updated, err := OptionalParam[string](request, "updated")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid updated: %v", err)), nil
+			}
+
+			modified, err := OptionalParam[string](request, "modified")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid modified: %v", err)), nil
+			}
+
+			advisories, resp, err := client.SecurityAdvisories.ListGlobalSecurityAdvisories(ctx, &github.ListGlobalSecurityAdvisoriesOptions{
+				GHSAID:      &ghsaID,
+				Type:        &typ,
+				CVEID:       &cveID,
+				Ecosystem:   &eco,
+				Severity:    &sev,
+				CWEs:        cwes,
+				IsWithdrawn: &isWithdrawn,
+				Affects:     &affects,
+				Published:   &published,
+				Updated:     &updated,
+				Modified:    &modified,
+			})
+			if err != nil {
+				return nil, fmt.Errorf("failed to list global security advisories: %w", err)
+			}
+			defer func() { _ = resp.Body.Close() }()
+
+			if resp.StatusCode != http.StatusOK {
+				body, err := io.ReadAll(resp.Body)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read response body: %w", err)
+				}
+				return mcp.NewToolResultError(fmt.Sprintf("failed to list advisories: %s", string(body))), nil
+			}
+
+			r, err := json.Marshal(advisories)
+			if err != nil {
+				return nil, fmt.Errorf("failed to marshal advisories: %w", err)
+			}
+
+			return mcp.NewToolResultText(string(r)), nil
+		}
+}
+
+func GetGlobalSecurityAdvisory(getClient GetClientFn, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) {
+	return mcp.NewTool("get_global_security_advisory",
+			mcp.WithDescription(t("TOOL_GET_GLOBAL_SECURITY_ADVISORY_DESCRIPTION", "Get a global security advisory")),
+			mcp.WithToolAnnotation(mcp.ToolAnnotation{
+				Title:        t("TOOL_GET_GLOBAL_SECURITY_ADVISORY_USER_TITLE", "Get a global security advisory"),
+				ReadOnlyHint: toBoolPtr(true),
+			}),
+			mcp.WithString("ghsaId",
+				mcp.Description("GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx)."),
+				mcp.Required(),
+			),
+		), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+			client, err := getClient(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get GitHub client: %w", err)
+			}
+
+			ghsaID, err := requiredParam[string](request, "ghsaId")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid ghsaId: %v", err)), nil
+			}
+
+			advisory, resp, err := client.SecurityAdvisories.GetGlobalSecurityAdvisories(ctx, ghsaID)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get advisory: %w", err)
+			}
+			defer func() { _ = resp.Body.Close() }()
+
+			if resp.StatusCode != http.StatusOK {
+				body, err := io.ReadAll(resp.Body)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read response body: %w", err)
+				}
+				return mcp.NewToolResultError(fmt.Sprintf("failed to get advisory: %s", string(body))), nil
+			}
+
+			r, err := json.Marshal(advisory)
+			if err != nil {
+				return nil, fmt.Errorf("failed to marshal advisory: %w", err)
+			}
+
+			return mcp.NewToolResultText(string(r)), nil
+		}
+}