
github-mcp-server

Official GitHub MCP server. Browse, search, and modify repos, issues, PRs, and Actions from any MCP-aware agent. Mature, fast-moving.

Status: Alive · Recommended · Reviewed 2026-05-06
VERDICT

If your agent touches code or repositories, this is the default. Maintained by GitHub themselves.

What it does

Exposes a wide set of GitHub operations as MCP tools: listing repos, reading files, searching code, opening issues, drafting PRs, reading workflow runs, and more. Probably the most-installed MCP server in 2026.

Why you’d install it

If your agent reads or writes code, github-mcp-server is the path of least resistance. The alternative — wiring octokit.js calls into a custom tool layer — duplicates work that GitHub now maintains officially.

Setup

  1. Generate a PAT (classic or fine-grained). Pick the smallest scope that covers your use case.
  2. Install the server. For Claude Desktop, add this entry under "mcpServers" in config.json:
    "github": {
      "command": "npx",
      "args": ["-y", "@github/mcp-server"],
      "env": { "GITHUB_TOKEN": "ghp_..." }
    }
  3. Restart Claude Desktop or your MCP host. Tools appear under “github”.

My take

Pending Sush’s real usage notes. Structure here reflects public information.

For reading and exploring repos — fine. For writes — always pair with a human-in-the-loop step until you’re confident. Don’t grant delete_repo scopes lightly.

Combinations

Works especially well with:

  • filesystem-mcp — for local + remote unified file access
  • slack-mcp — to post PR summaries to channels
  • playwright-mcp — to verify deployed previews

Used in recipes:

MCP SECURITY SCORECARD · Methodology v1.0 · Confidence HIGH · Reviewed 2026-05-07 · Next review due 2026-08-07
ADOPT WITH LIMITS

FOR: Any agentic workflow that reads or writes GitHub resources.

Default for code-touching agents. Adopt with fine-grained PATs scoped to the smallest set of repos and permissions the task needs; never grant `repo` (full) scope to a long-running agent.

Maintainer: corp

Maintained by GitHub itself. Staff team. Release cadence is weekly during active development.

Licence: MIT

Standard permissive licence.

Code review: yes

PRs go through GitHub's internal review. Open-source repo with public history.

Secrets handling: scoped

PAT or fine-grained token passed via env or stdin. Never persisted in tool output. Recommends fine-grained tokens with the smallest scope possible.

Sandbox: process

Runs as a subprocess of the MCP host. No additional sandboxing inside the server.

Filesystem access: none

Server itself doesn't touch local filesystem. Repository contents flow through API calls only.

Shell access: no

No shell tools exposed.

Network egress: allow-list

Only api.github.com (and uploads/downloads to github.com release assets).

OAuth handling: scoped

Fine-grained PATs let you scope to specific repos and permission sets. Classic PATs work but tend to over-grant.

Default permissions: broad

Depends entirely on PAT scope. A classic PAT with `repo` scope gives the agent everything across all your repos. Always use fine-grained tokens scoped to the smallest set of repos and permissions the task needs.

Prompt-injection exposure: high

Tool responses include issue / PR / file content authored by third parties. Hostile content in any read result can attempt to redirect the agent. Treat all tool output as untrusted text.

Supply chain surface: low

Go binary; dep tree small relative to JS-based MCP servers. All major deps are first-party Go libraries or GitHub-maintained packages.

Dep CVE surface: clean

No active CVEs in the dep tree at last scan. GitHub Security Advisories monitoring is automatic.

Rate-limit risk: medium

GitHub primary rate limit is 5,000 req/h for authenticated requests; secondary rate limits trigger on bursty patterns. Long-running agents can hit secondary limits.

Signed releases: yes

GitHub signs its release artefacts; binary releases are verifiable.

Security policy: yes

GitHub's standard security policy applies (private vulnerability reporting via Security tab).

Telemetry: none

No telemetry beyond standard GitHub API request logs (server-side, governed by GitHub's privacy policy).

Data residency: cloud

Data flows through GitHub's API endpoints. Repository data residency is GitHub-managed (regional for Enterprise; US for public).

Credential storage: memory

Tokens live in process env. No on-disk credential cache.

DESTRUCTIVE TOOLS

7 present · human approval optional

  • create_or_update_file
  • delete_file
  • create_branch
  • merge_pull_request
  • close_issue
  • delete_workflow_run
  • cancel_workflow_run
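A host-side policy layer covering two points on this page, the smallest-scope token from Setup and human approval before the seven destructive tools listed above, as an added Python example that is not the server's own code. It assumes the GITHUB_TOKEN env var name and npx entry from the setup snippet, and relies on GitHub's token prefixes (ghp_ for classic PATs, github_pat_ for fine-grained ones); the sample config is constructed.

```python
"""Host-side policy checks for github-mcp-server (added example, not the
server's own code): flag classic PATs in the Claude Desktop config and
require human approval before any of the seven destructive tools listed
above runs. Env var name GITHUB_TOKEN follows the setup snippet above."""
import json
from typing import Callable, Dict, List, Optional

# The seven destructive tools as listed on this page.
DESTRUCTIVE_TOOLS = frozenset({
    "create_or_update_file", "delete_file", "create_branch",
    "merge_pull_request", "close_issue", "delete_workflow_run",
    "cancel_workflow_run",
})

# Constructed sample config; the token value is a placeholder, not a real secret.
CONSTRUCTED_CONFIG = """{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@github/mcp-server"],
      "env": { "GITHUB_TOKEN": "ghp_PLACEHOLDER" }
    }
  }
}"""


def token_findings(config_text: str) -> List[str]:
    """Report token-hygiene problems in the 'github' mcpServers entry."""
    cfg = json.loads(config_text)
    env = cfg.get("mcpServers", {}).get("github", {}).get("env", {})
    token = env.get("GITHUB_TOKEN", "")
    if not token:
        return ["no GITHUB_TOKEN set for the github server"]
    if token.startswith("ghp_"):
        # Classic PATs cannot be limited to chosen repos, so they over-grant.
        return ["classic PAT (ghp_) in use; prefer a fine-grained github_pat_ token"]
    if not token.startswith("github_pat_"):
        return ["unrecognised token prefix; verify it is a fine-grained PAT"]
    return []


def gate_tool_call(tool: str, args: Dict, approve: Callable[[str, Dict], bool],
                   invoke: Callable[[str, Dict], str]) -> Optional[str]:
    """Invoke a tool; destructive tools run only if `approve` returns True.
    Returns None when the call was blocked. Treat the returned text as
    untrusted: it may carry third-party issue/PR/file content."""
    if tool in DESTRUCTIVE_TOOLS and not approve(tool, args):
        return None
    return invoke(tool, args)
```

Wire `approve` to whatever confirmation prompt your MCP host offers; read-only tools pass straight through, so the gate adds no friction to browsing.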

NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't