GitHub Actions Integration
Automate security scanning in your GitHub workflows with MCPSafe.
Setup
1. Add your API key to repository secrets
   Go to Settings → Secrets and variables → Actions → New repository secret
   Name: MCPSAFE_API_KEY

2. Create the workflow file
   Create .github/workflows/security.yml in your repository

3. Commit and push
   The workflow will run automatically on push and pull requests
Basic Workflow
Simple Security Scan
Fail builds when high severity vulnerabilities are found
name: MCPSafe Security Scan
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
jobs:
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install MCPSafe CLI
        run: npm install -g @mcpsafe/cli
      - name: Run Security Scan
        env:
          MCPSAFE_API_KEY: ${{ secrets.MCPSAFE_API_KEY }}
        run: mcpsafe scan ./ --wait --fail-on high

GitHub Code Scanning (SARIF)
SARIF Integration
Upload results to GitHub Security tab for inline annotations
name: MCPSafe Security Scan with SARIF
on:
  push:
    branches: [main, master]
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install MCPSafe CLI
        run: npm install -g @mcpsafe/cli
      - name: Run Security Scan
        env:
          MCPSAFE_API_KEY: ${{ secrets.MCPSAFE_API_KEY }}
        run: mcpsafe scan ./ --wait --format sarif --output results.sarif
        # Keep going so the SARIF upload step runs even when findings are present;
        # the separate --fail-on step below decides whether the job fails.
        continue-on-error: true
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
      - name: Check for Critical Vulnerabilities
        env:
          MCPSAFE_API_KEY: ${{ secrets.MCPSAFE_API_KEY }}
        run: mcpsafe scan ./ --wait --fail-on critical

Security Tab
View all findings in GitHub Security
PR Annotations
See issues inline on pull requests
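Because the scan step runs with continue-on-error, a crash before results.sarif is written would otherwise surface only as a confusing upload-sarif failure. The script below is an added example, not MCPSafe's code or output: it checks that the SARIF file exists, is valid JSON, and carries the fields the upload-sarif action and the Security tab rely on (version 2.1.0, tool.driver.name, results with ruleId, message.text and repository-relative locations), and it summarises results by level. The embedded SARIF document is constructed for the example.

```python
"""Pre-upload sanity check for a SARIF file (added example, not MCPSafe code)."""
import json
import sys
from collections import Counter

# Constructed minimal SARIF 2.1.0 document; not produced by MCPSafe.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner",
                            "rules": [{"id": "EX001",
                                       "shortDescription": {"text": "Example rule"}}]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Example finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/server.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX001", "level": "warning",
             "message": {"text": "Another example finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def validate_sarif(doc):
    """Return a list of problems; an empty list means the file is safe to upload."""
    problems = []
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    if doc.get("version") != "2.1.0":
        problems.append(f"unexpected SARIF version {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["no runs[] array"]
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{i}].tool.driver.name is missing")
        results = run.get("results")
        if not isinstance(results, list):
            problems.append(f"runs[{i}].results is not an array")
            continue
        for j, res in enumerate(results):
            if not res.get("ruleId"):
                problems.append(f"runs[{i}].results[{j}] has no ruleId")
            if not res.get("message", {}).get("text"):
                problems.append(f"runs[{i}].results[{j}] has no message.text")
            for loc in res.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {}).get("uri", ""))
                # Inline PR annotations need paths relative to the checkout root.
                if uri.startswith("/") or uri.startswith("file:"):
                    problems.append(f"runs[{i}].results[{j}] uses absolute uri {uri!r}")
    return problems


def count_by_level(doc):
    """Count results per SARIF level (error/warning/note) across all runs."""
    counter = Counter()
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            counter[res.get("level", "warning")] += 1  # SARIF's default level is warning
    return dict(counter)


def check_file(path):
    """Load a SARIF file from disk and return (ok, problems); a missing file is a problem."""
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except FileNotFoundError:
        return False, [f"{path} not found: the scan step probably exited before writing it"]
    except json.JSONDecodeError as exc:
        return False, [f"{path} is not valid JSON: {exc}"]
    problems = validate_sarif(doc)
    return not problems, problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, problems = check_file(sys.argv[1])
    else:  # no path given: exercise the constructed sample
        problems = validate_sarif(SAMPLE_SARIF)
        ok = not problems
        print("levels:", count_by_level(SAMPLE_SARIF))
    for p in problems:
        print("sarif-check:", p, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Run it as a step between the scan and the upload (`python sarif_check.py results.sarif`); a non-zero exit stops the job with a message naming the actual defect instead of a generic upload error.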
PR Comments
Post Security Grade to Pull Requests
Automatically comment scan results on PRs
name: MCPSafe PR Security Review
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  security-review:
    name: Security Review
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install MCPSafe CLI
        run: npm install -g @mcpsafe/cli
      - name: Run Security Scan
        id: scan
        env:
          MCPSAFE_API_KEY: ${{ secrets.MCPSAFE_API_KEY }}
        run: |
          mcpsafe scan ./ --wait --format json --output scan-results.json
          echo "grade=$(jq -r '.data.results.grade' scan-results.json)" >> "$GITHUB_OUTPUT"
          echo "score=$(jq -r '.data.results.securityScore' scan-results.json)" >> "$GITHUB_OUTPUT"
        continue-on-error: true
      - name: Comment on PR
        uses: actions/github-script@v7
        # Pass the step outputs through env rather than interpolating ${{ }} into
        # the script body, so the values are never evaluated as JavaScript source.
        env:
          GRADE: ${{ steps.scan.outputs.grade }}
          SCORE: ${{ steps.scan.outputs.score }}
        with:
          script: |
            const grade = process.env.GRADE;
            const score = process.env.SCORE;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## 🛡️ MCPSafe Security Scan Results\n\n**Security Grade:** ${grade} (${score}/100)\n\nSee the Security tab for detailed findings.`
            })

Best Practices
Use branch protection rules
Require the security scan to pass before merging PRs
Run on main and PRs
Catch issues both in active development and before merge
Never commit API keys
Always use repository secrets for sensitive values
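The PR review workflow reads the grade and score with jq, and the basic workflow gates the build with --fail-on. The Python below is an added example, not part of MCPSafe, that models both on a constructed scan-results.json so the gating logic can be read and tested outside CI: the .data.results.grade and .data.results.securityScore paths are the ones the workflow uses, while the findings array with a severity field is an assumption for this example, not a documented MCPSafe schema.

```python
"""Severity gate and PR-comment builder for scan JSON (added example, not MCPSafe code)."""
import json
import os
import sys

# Lowest to highest; --fail-on <level> trips on this level and everything above it.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample in the shape the workflow's jq paths read. The "findings"
# array and its "severity" field are assumptions for this example.
SAMPLE_SCAN = {
    "data": {
        "results": {
            "grade": "B",
            "securityScore": 82,
            "findings": [
                {"id": "F-1", "severity": "high", "title": "Example high finding"},
                {"id": "F-2", "severity": "medium", "title": "Example medium finding"},
                {"id": "F-3", "severity": "low", "title": "Example low finding"},
            ],
        }
    }
}


def findings_at_or_above(scan, threshold):
    """Return findings whose severity is at or above threshold (the --fail-on semantics)."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {threshold!r}; expected one of {SEVERITY_ORDER}")
    floor = SEVERITY_ORDER.index(threshold)
    gated = []
    for finding in scan["data"]["results"].get("findings", []):
        sev = str(finding.get("severity", "")).lower()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= floor:
            gated.append(finding)
    return gated


def should_fail(scan, threshold):
    """True when at least one finding meets the threshold, i.e. the CI job should fail."""
    return bool(findings_at_or_above(scan, threshold))


def step_outputs(scan):
    """key=value lines in GITHUB_OUTPUT format, matching the workflow's two echo lines."""
    res = scan["data"]["results"]
    return [f"grade={res['grade']}", f"score={res['securityScore']}"]


def comment_body(scan, threshold):
    """Markdown body for the PR comment, listing the findings that trip the gate."""
    res = scan["data"]["results"]
    gated = findings_at_or_above(scan, threshold)
    lines = [
        "## 🛡️ MCPSafe Security Scan Results",
        "",
        f"**Security Grade:** {res['grade']} ({res['securityScore']}/100)",
        "",
    ]
    if gated:
        lines.append(f"**{len(gated)} finding(s) at or above `{threshold}` severity:**")
        for f in gated:
            lines.append(f"- `{f.get('id', '?')}` [{f['severity']}] {f.get('title', '')}")
    else:
        lines.append(f"No findings at or above `{threshold}` severity.")
    lines += ["", "See the Security tab for detailed findings."]
    return "\n".join(lines)


def write_outputs(scan, path=None):
    """Append step outputs to $GITHUB_OUTPUT (or an explicit path); returns the lines."""
    path = path or os.environ.get("GITHUB_OUTPUT")
    lines = step_outputs(scan)
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return lines


if __name__ == "__main__":
    # Usage: python gate.py [scan-results.json] [threshold]; defaults to the sample and "high".
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            scan = json.load(fh)
    else:
        scan = SAMPLE_SCAN
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    write_outputs(scan)
    print(comment_body(scan, threshold))
    sys.exit(1 if should_fail(scan, threshold) else 0)
```

With the sample and the default threshold the script lists F-1, writes the two outputs, and exits 1, which is the behaviour a branch protection rule relies on when it requires the scan check to pass.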