Secure GitHub MCP Server

A secure implementation of a GitHub MCP (Machine Control Protocol) server with Keycloak integration for authentication and RBAC (Role-Based Access Control).

Features

OAuth2 authentication with Keycloak
Role-Based Access Control (RBAC)
GitHub integration for repository management
Secure configuration management
Tool-level permission checks

Prerequisites

Go 1.19 or later
Keycloak server (local or remote)
GitHub account and personal access token
Docker (optional, for running Keycloak locally)

Setup

Clone the repository:

git clone https://github.com/yourusername/secure-github-mcp-server.git
cd secure-github-mcp-server

Set up Keycloak:
- Install Keycloak locally or use a remote instance
- Create a new realm called "mcp-realm"
- Create a new client with the following settings:
  - Client ID: mcp-client
  - Client Protocol: openid-connect
  - Access Type: confidential
  - Valid Redirect URIs: http://localhost:8081/callback
- Create roles: admin, user, viewer
- Create test users and assign roles
Configure environment variables:

export KEYCLOAK_URL="http://localhost:8080"
export KEYCLOAK_REALM="mcp-realm"
export OAUTH_CLIENT_ID="your-client-id"
export OAUTH_CLIENT_SECRET="your-client-secret"
export MCP_AUTH_TOKEN="your-development-token"

Build and run the server:

make build
./bin/github-mcp-server

Configuration

The server can be configured using environment variables or a configuration file. For Claude desktop integration, use the following configuration:

{
  "mcpServers": {
    "secure-github": {
      "command": "/path/to/secure-github-mcp-server",
      "env": {
        "OAUTH_CLIENT_ID": "your_client_id",
        "OAUTH_CLIENT_SECRET": "your_client_secret",
        "KEYCLOAK_URL": "http://localhost:8080",
        "KEYCLOAK_REALM": "mcp-realm",
        "MCP_AUTH_TOKEN": "your-development-token"
      }
    }
  }
}

Available Tools

list_prs - List pull requests (requires read:tools permission)
list_issues - List repository issues (requires read:tools permission)
search_issues - Search issues by keyword (requires read:tools permission)
get_pending_reviews - Get PRs pending review (requires read:tools permission)
create_issue - Create a new issue (requires write:tools permission)
analyze_issue_priority - Analyze issue priority (requires read:tools permission)

Role Permissions

Admin: All permissions
User: read:tools, write:tools
Viewer: read:tools

Security Considerations

Always use HTTPS in production
Keep OAuth client secrets secure
Regularly rotate access tokens
Monitor authentication logs
Follow the principle of least privilege when assigning roles

Development

To run the server in development mode:

make dev

For testing:

make test

Contributing

Fork the repository
Create a feature branch
Commit your changes
Push to the branch
Create a Pull Request

License

MIT License - see LICENSE file for details

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
auth		auth
bin		bin
config		config
tools		tools
Makefile		Makefile
README.md		README.md
go.mod		go.mod
go.sum		go.sum
input.json		input.json
main.go		main.go
test.sh		test.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Secure GitHub MCP Server

Features

Prerequisites

Setup

Configuration

Available Tools

Role Permissions

Security Considerations

Development

Contributing

License

About

Uh oh!

Releases

Packages

Uh oh!

Contributors 2

Uh oh!

Languages

infracloudio/github-mcp-server

Folders and files

Latest commit

History

Repository files navigation

Secure GitHub MCP Server

Features

Prerequisites

Setup

Configuration

Available Tools

Role Permissions

Security Considerations

Development

Contributing

License

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors 2

Uh oh!

Languages

Packages