github
diff --git a/‎README.md
Lines changed: 26 additions & 3 deletions b/‎README.md
Lines changed: 26 additions & 3 deletions
diff --git a/‎docs/remote-server.md
Lines changed: 1 addition & 0 deletions b/‎docs/remote-server.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/github/security_advisories.go
Lines changed: 228 additions & 0 deletions b/‎pkg/github/security_advisories.go
Lines changed: 228 additions & 0 deletions
@@ -36,7 +36,7 @@ Alternatively, to manually configure VS Code, choose the appropriate JSON block
 <tr><th align=left colspan=2>VS Code (version 1.101 or greater)</th></tr>
 <tr valign=top>
 <td>
-  
+
 ```json
 {
   "servers": {
@@ -130,7 +130,7 @@ To keep your GitHub PAT secure and reusable across different MCP hosts:
    ```bash
    # CLI usage
    claude mcp update github -e GITHUB_PERSONAL_ACCESS_TOKEN=$GITHUB_PAT
-   
+
    # In config files (where supported)
    "env": {
      "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_PAT"
@@ -241,7 +241,7 @@ For other MCP host applications, please refer to our installation guides:
 
 - **[GitHub Copilot in other IDEs](/docs/installation-guides/install-other-copilot-ides.md)** - Installation for JetBrains, Visual Studio, Eclipse, and Xcode with GitHub Copilot
 - **[Claude Code & Claude Desktop](docs/installation-guides/install-claude.md)** - Installation guide for Claude Code and Claude Desktop
-- **[Cursor](docs/installation-guides/install-cursor.md)** - Installation guide for Cursor IDE  
+- **[Cursor](docs/installation-guides/install-cursor.md)** - Installation guide for Cursor IDE
 - **[Windsurf](docs/installation-guides/install-windsurf.md)** - Installation guide for Windsurf IDE
 
 For a complete overview of all installation options, see our **[Installation Guides Index](docs/installation-guides)**.
@@ -295,6 +295,7 @@ The following sets of tools are available (all are on by default):
 | `pull_requests` | GitHub Pull Request related tools |
 | `repos` | GitHub Repository related tools |
 | `secret_protection` | Secret protection related tools, such as GitHub Secret Scanning |
+| `security_advisories` | Security advisories related tools |
 | `users` | GitHub User related tools |
 <!-- END AUTOMATED TOOLSETS -->
 
@@ -923,6 +924,28 @@ The following sets of tools are available (all are on by default):
 
 <details>
 
+<summary>Security Advisories</summary>
+
+- **get_global_security_advisory** - Get a global security advisory
+  - `ghsaId`: GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx). (string, required)
+
+- **list_global_security_advisories** - List global security advisories
+  - `affects`: Filter advisories by affected package or version (e.g. "package1,package2@1.0.0"). (string, optional)
+  - `cveId`: Filter by CVE ID. (string, optional)
+  - `cwes`: Filter by Common Weakness Enumeration IDs (e.g. ["79", "284", "22"]). (string[], optional)
+  - `ecosystem`: Filter by package ecosystem. (string, optional)
+  - `ghsaId`: Filter by GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx). (string, optional)
+  - `isWithdrawn`: Whether to only return withdrawn advisories. (boolean, optional)
+  - `modified`: Filter by publish or update date or date range (ISO 8601 date or range). (string, optional)
+  - `published`: Filter by publish date or date range (ISO 8601 date or range). (string, optional)
+  - `severity`: Filter by severity. (string, optional)
+  - `type`: Advisory type. (string, optional)
+  - `updated`: Filter by update date or date range (ISO 8601 date or range). (string, optional)
+
+</details>
+
+<details>
+
 <summary>Users</summary>
 
 - **search_users** - Search users
 
@@ -32,6 +32,7 @@ Below is a table of available toolsets for the remote GitHub MCP Server. Each to
 | Pull Requests  | GitHub Pull Request related tools                | https://api.githubcopilot.com/mcp/x/pull_requests     | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-pull_requests&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fpull_requests%22%7D)             | [read-only](https://api.githubcopilot.com/mcp/x/pull_requests/readonly)                                        | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-pull_requests&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fpull_requests%2Freadonly%22%7D)                                                              |
 | Repositories   | GitHub Repository related tools                  | https://api.githubcopilot.com/mcp/x/repos             | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-repos&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Frepos%22%7D)                             | [read-only](https://api.githubcopilot.com/mcp/x/repos/readonly)                                                | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-repos&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Frepos%2Freadonly%22%7D)                                                                              |
 | Secret Protection | Secret protection related tools, such as GitHub Secret Scanning | https://api.githubcopilot.com/mcp/x/secret_protection | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-secret_protection&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fsecret_protection%22%7D)     | [read-only](https://api.githubcopilot.com/mcp/x/secret_protection/readonly)                                    | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-secret_protection&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fsecret_protection%2Freadonly%22%7D)                                                      |
+| Security Advisories | Security advisories related tools                | https://api.githubcopilot.com/mcp/x/security_advisories | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-security_advisories&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fsecurity_advisories%22%7D) | [read-only](https://api.githubcopilot.com/mcp/x/security_advisories/readonly)                                  | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-security_advisories&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fsecurity_advisories%2Freadonly%22%7D)                                                  |
 | Users          | GitHub User related tools                        | https://api.githubcopilot.com/mcp/x/users             | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-users&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fusers%22%7D)                             | [read-only](https://api.githubcopilot.com/mcp/x/users/readonly)                                                | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-users&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fusers%2Freadonly%22%7D)                                                                              |
 
 <!-- END AUTOMATED TOOLSETS -->
 
@@ -0,0 +1,228 @@
+package github
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/github/github-mcp-server/pkg/translations"
+	"github.com/google/go-github/v74/github"
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+)
+
+func ListGlobalSecurityAdvisories(getClient GetClientFn, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) {
+	return mcp.NewTool("list_global_security_advisories",
+			mcp.WithDescription(t("TOOL_LIST_GLOBAL_SECURITY_ADVISORIES_DESCRIPTION", "List global security advisories from GitHub.")),
+			mcp.WithToolAnnotation(mcp.ToolAnnotation{
+				Title:        t("TOOL_LIST_GLOBAL_SECURITY_ADVISORIES_USER_TITLE", "List global security advisories"),
+				ReadOnlyHint: ToBoolPtr(true),
+			}),
+			mcp.WithString("ghsaId",
+				mcp.Description("Filter by GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx)."),
+			),
+			mcp.WithString("type",
+				mcp.Description("Advisory type."),
+				mcp.Enum("reviewed", "malware", "unreviewed"),
+				mcp.DefaultString("reviewed"),
+			),
+			mcp.WithString("cveId",
+				mcp.Description("Filter by CVE ID."),
+			),
+			mcp.WithString("ecosystem",
+				mcp.Description("Filter by package ecosystem."),
+				mcp.Enum("actions", "composer", "erlang", "go", "maven", "npm", "nuget", "other", "pip", "pub", "rubygems", "rust"),
+			),
+			mcp.WithString("severity",
+				mcp.Description("Filter by severity."),
+				mcp.Enum("unknown", "low", "medium", "high", "critical"),
+			),
+			mcp.WithArray("cwes",
+				mcp.Description("Filter by Common Weakness Enumeration IDs (e.g. [\"79\", \"284\", \"22\"])."),
+				mcp.Items(map[string]any{
+					"type": "string",
+				}),
+			),
+			mcp.WithBoolean("isWithdrawn",
+				mcp.Description("Whether to only return withdrawn advisories."),
+			),
+			mcp.WithString("affects",
+				mcp.Description("Filter advisories by affected package or version (e.g. \"package1,package2@1.0.0\")."),
+			),
+			mcp.WithString("published",
+				mcp.Description("Filter by publish date or date range (ISO 8601 date or range)."),
+			),
+			mcp.WithString("updated",
+				mcp.Description("Filter by update date or date range (ISO 8601 date or range)."),
+			),
+			mcp.WithString("modified",
+				mcp.Description("Filter by publish or update date or date range (ISO 8601 date or range)."),
+			),
+		), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+			client, err := getClient(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get GitHub client: %w", err)
+			}
+
+			ghsaID, err := OptionalParam[string](request, "ghsaId")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid ghsaId: %v", err)), nil
+			}
+
+			typ, err := OptionalParam[string](request, "type")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid type: %v", err)), nil
+			}
+
+			cveID, err := OptionalParam[string](request, "cveId")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid cveId: %v", err)), nil
+			}
+
+			eco, err := OptionalParam[string](request, "ecosystem")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid ecosystem: %v", err)), nil
+			}
+
+			sev, err := OptionalParam[string](request, "severity")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid severity: %v", err)), nil
+			}
+
+			cwes, err := OptionalParam[[]string](request, "cwes")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid cwes: %v", err)), nil
+			}
+
+			isWithdrawn, err := OptionalParam[bool](request, "isWithdrawn")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid isWithdrawn: %v", err)), nil
+			}
+
+			affects, err := OptionalParam[string](request, "affects")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid affects: %v", err)), nil
+			}
+
+			published, err := OptionalParam[string](request, "published")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid published: %v", err)), nil
+			}
+
+			updated, err := OptionalParam[string](request, "updated")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid updated: %v", err)), nil
+			}
+
+			modified, err := OptionalParam[string](request, "modified")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid modified: %v", err)), nil
+			}
+
+			opts := &github.ListGlobalSecurityAdvisoriesOptions{}
+
+			if ghsaID != "" {
+				opts.GHSAID = &ghsaID
+			}
+			if typ != "" {
+				opts.Type = &typ
+			}
+			if cveID != "" {
+				opts.CVEID = &cveID
+			}
+			if eco != "" {
+				opts.Ecosystem = &eco
+			}
+			if sev != "" {
+				opts.Severity = &sev
+			}
+			if len(cwes) > 0 {
+				opts.CWEs = cwes
+			}
+
+			if isWithdrawn {
+				opts.IsWithdrawn = &isWithdrawn
+			}
+
+			if affects != "" {
+				opts.Affects = &affects
+			}
+			if published != "" {
+				opts.Published = &published
+			}
+			if updated != "" {
+				opts.Updated = &updated
+			}
+			if modified != "" {
+				opts.Modified = &modified
+			}
+
+			advisories, resp, err := client.SecurityAdvisories.ListGlobalSecurityAdvisories(ctx, opts)
+			if err != nil {
+				return nil, fmt.Errorf("failed to list global security advisories: %w", err)
+			}
+			defer func() { _ = resp.Body.Close() }()
+
+			if resp.StatusCode != http.StatusOK {
+				body, err := io.ReadAll(resp.Body)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read response body: %w", err)
+				}
+				return mcp.NewToolResultError(fmt.Sprintf("failed to list advisories: %s", string(body))), nil
+			}
+
+			r, err := json.Marshal(advisories)
+			if err != nil {
+				return nil, fmt.Errorf("failed to marshal advisories: %w", err)
+			}
+
+			return mcp.NewToolResultText(string(r)), nil
+		}
+}
+
+func GetGlobalSecurityAdvisory(getClient GetClientFn, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) {
+	return mcp.NewTool("get_global_security_advisory",
+			mcp.WithDescription(t("TOOL_GET_GLOBAL_SECURITY_ADVISORY_DESCRIPTION", "Get a global security advisory")),
+			mcp.WithToolAnnotation(mcp.ToolAnnotation{
+				Title:        t("TOOL_GET_GLOBAL_SECURITY_ADVISORY_USER_TITLE", "Get a global security advisory"),
+				ReadOnlyHint: ToBoolPtr(true),
+			}),
+			mcp.WithString("ghsaId",
+				mcp.Description("GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx)."),
+				mcp.Required(),
+			),
+		), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+			client, err := getClient(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get GitHub client: %w", err)
+			}
+
+			ghsaID, err := RequiredParam[string](request, "ghsaId")
+			if err != nil {
+				return mcp.NewToolResultError(fmt.Sprintf("invalid ghsaId: %v", err)), nil
+			}
+
+			advisory, resp, err := client.SecurityAdvisories.GetGlobalSecurityAdvisories(ctx, ghsaID)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get advisory: %w", err)
+			}
+			defer func() { _ = resp.Body.Close() }()
+
+			if resp.StatusCode != http.StatusOK {
+				body, err := io.ReadAll(resp.Body)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read response body: %w", err)
+				}
+				return mcp.NewToolResultError(fmt.Sprintf("failed to get advisory: %s", string(body))), nil
+			}
+
+			r, err := json.Marshal(advisory)
+			if err != nil {
+				return nil, fmt.Errorf("failed to marshal advisory: %w", err)
+			}
+
+			return mcp.NewToolResultText(string(r)), nil
+		}
+}