The remote GitHub MCP server now scans all tool call inputs in public repositories. If an exposed secret is detected, the call is blocked by default with clear details and bypass links if you want to intentionally proceed.

What’s included

  • 🛑 Users can block or bypass the secret block in MCP tool calls to detectable public repositories. Users that have opted out of push protection for their account will be unable to bypass the block.
  • 🤖 The remote MCP server provides clear, agent-usable responses.

Why this helps against prompt injection 🛡️

Public content (READMEs, issues, PR comments) can embed instructions that trick agents into pasting credentials into MCP tool calls. By inspecting data flowing to and from public repositories, this feature cuts off a common exfiltration path before secrets leave your control.

Benefits

  • Mitigates the primary secret-leak vector for MCP in public-repo workflows: secrets embedded in tool-call payloads (both write and read paths)
  • 🔐 Reduces exposure from prompt-injected attempts to exfiltrate tokens via tool parameters or responses

Availability & licensing

  • Works only for tool calls involving public repositories
  • Free for all plan types — no Copilot or GitHub Secret Protection license required

Support for private repositories with a GitHub Secret Protection license is coming soon.

Note that this feature doesn’t eliminate all risk. It won’t stop non-secret data leaks, model-only behaviors outside tool calls, or channels that are not scanned. Continue to follow security best practices, such as using least-privileged tokens and regularly rotating credentials.

Check out our documentation to learn more.

Join the GitHub Community discussion to share feedback and questions.

New tools and improvements for the GitHub MCP server (remote & local) ✨

  • GitHub Actions toolset: Workflow management from agents to discover/dispatch runs, monitor status, and tail logs for faster CI/CD loops and agentic debugging of failed actions builds
  • Gist toolset: Quick snippets and sharable artifacts without touching a repository
  • Sub-issues tools: add_sub_issue, list_sub_issues, remove_sub_issue, reprioritize_sub_issue are now available
  • PR workflow upgrades: update_pull_request now toggles draft and requests reviewers
  • Discussions at org scope: Richer fields & sorting (author, updatedAt, createdAt, title)
  • GraphQL & pagination: list_issues migrated from REST and GraphQL tools reliably paginate
  • File retrieval quality: Smarter path matching, / as default dir, SHA in get_file_contents
  • Search clarity: Separate tools for searching issues and pull requests, separate organization and user search, and tuned search_code params

🔗 Learn more on the GitHub MCP Server releases page