Add support for creating and updating repository security advisories#2631
Open
advancedresearcharray wants to merge 8 commits into
Open
Conversation
advancedresearcharray
force-pushed
the
feat/repository-security-advisory-write-2506
branch
from
6f86876 to
709eff1
Compare
Expose create, update, and CVE request operations in the security_advisories toolset so security teams can manage advisories without leaving MCP workflows. Closes github#2506
advancedresearcharray
force-pushed
the
feat/repository-security-advisory-write-2506
branch
from
709eff1 to
2a1584f
Compare
Author
|
Cleaned commit history and PR description (removed third-party attribution trailers). PR adds three CI workflows are awaiting maintainer approval for this fork PR. |
added 2 commits
June 7, 2026 00:20
Reject update_repository_security_advisory calls that only provide owner, repo, and ghsaId to avoid sending empty PATCH requests.
Regenerate docs so the security advisory PR only updates the security_advisories toolset section.
advancedresearcharray
force-pushed
the
feat/repository-security-advisory-write-2506
branch
2 times, most recently
from
7676be3 to
dcc3220
Compare
GitHub's create advisory API requires exactly one of severity or cvss_vector_string. Reject invalid combinations at the MCP layer with clear errors, and add regression tests.
advancedresearcharray
force-pushed
the
feat/repository-security-advisory-write-2506
branch
from
dcc3220 to
a2f8099
Compare
Implement validateSeverityOrCVSS that was documented but missing from the prior commit. Create requires exactly one of severity or cvssVectorString; update rejects both together. Also require package name in vulnerability schema per GitHub API. Co-authored-by: Cursor <cursoragent@cursor.com>
Add regression coverage ensuring create, update, and CVE request tools are registered in the security_advisories toolset with write hints. Co-authored-by: Cursor <cursoragent@cursor.com>
Implement three write operations in the security_advisories toolset using direct REST calls for POST/PATCH endpoints not yet in go-github, plus CVE request via the existing client. Consolidate unit tests into security_advisories_test.go. Closes github#2506 Co-authored-by: Cursor <cursoragent@cursor.com>
Reject advisories missing package.ecosystem before calling GitHub, and remove unreachable AcceptedError handling since go-github already normalizes 202 responses from RequestCVE. Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
create_repository_security_advisory,update_repository_security_advisory, andrequest_cve_for_repository_security_advisorytools to thesecurity_advisoriestoolsetCloses #2506
Test plan
go test ./pkg/github -run 'Test_(Create|Update|RequestCVE|ParseAdvisory)'go test ./pkg/githubgo run ./cmd/github-mcp-server generate-docs