The GitHub MCP Server can now scan your code changes for vulnerable dependencies before you commit or open a pull request. You’ll catch known vulnerabilities while you write code with MCP-compatible IDEs and AI coding agents. It’s now in public preview for repositories with Dependabot alerts enabled.

How it works

The dependency vulnerability scanning tools ship as part of the GitHub MCP Server’s dependabot toolset. Once enabled, your AI coding agent can run dependency vulnerability scanning based on your prompts. When you ask the agent to check for vulnerable dependencies, it invokes the toolset, sends dependency information to the GitHub Advisory Database, and returns structured results with affected packages, severity, and recommended fixed versions. For more thorough post-commit checks, the toolset can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.

Get started

  1. Set up the GitHub MCP Server in your developer environment and enable the dependabot toolset:
    • In GitHub Copilot CLI, the GitHub MCP Server is preinstalled. Run copilot --add-github-mcp-toolset dependabot to enable the dependabot toolset for your session.
    • In Visual Studio Code, add "X-MCP-Toolsets": "dependabot" to your GitHub MCP Server headers, or pick Dependabot from the toolset selector in Copilot Chat.
  2. Install the advanced-security plugin for GitHub Copilot for a more tailored dependency vulnerability scanning experience. For example:
  3. Ask your agent to scan your current changes for vulnerable dependencies before you commit.

Here’s an example prompt you can use: Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.
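For the Visual Studio Code route in step 1, here is an added example of what the resulting MCP server entry looks like (this snippet is not from the original post; it assumes a `.vscode/mcp.json` file, the remote server endpoint https://api.githubcopilot.com/mcp/, and a personal access token supplied through a VS Code `promptString` input so the token never lands in the config file):

```json
{
  "inputs": [
    {
      "type": "promptString",
      "id": "github_pat",
      "description": "GitHub personal access token (assumed input name)",
      "password": true
    }
  ],
  "servers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/",
      "headers": {
        "Authorization": "Bearer ${input:github_pat}",
        "X-MCP-Toolsets": "dependabot"
      }
    }
  }
}
```

The `X-MCP-Toolsets` value is a comma-separated list, so add any other toolsets you rely on (for example `dependabot,repos`) rather than replacing them; the dependabot tools only return results for repositories that have Dependabot alerts enabled.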

Learn more

Join the discussion in the GitHub Community.