Describe the feature or problem you'd like to solve
The current security_advisories toolset only supports reading advisories (list_repository_security_advisories, list_org_repository_security_advisories, get_global_security_advisory). There is no support for creating, updating, publishing, or requesting CVE IDs for advisories via MCP, forcing security teams to context-switch to the GitHub web UI or REST API for these operations.
Proposed solution
Add three new tools to the security_advisories toolset:
- create_repository_security_advisory — create a new draft advisory (POST /repos/{owner}/{repo}/security-advisories)
- update_repository_security_advisory — update an existing advisory, including transitioning state to published (PATCH /repos/{owner}/{repo}/security-advisories/{ghsa_id})
- request_cve_for_repository_security_advisory — request a CVE ID from GitHub for a draft advisory (POST /repos/{owner}/{repo}/security-advisories/{ghsa_id}/cve)
This would allow security teams to manage the full advisory lifecycle — from draft creation through CVE assignment and publication — entirely within the MCP toolset, without leaving their workflow.
Example prompts or workflows (for tools/toolsets only)
- Create a draft advisory: "Create a draft security advisory for a stored XSS vulnerability in our Core product affecting versions below 2.1.0, patched in 2.1.0."
- Update an existing draft: "Update advisory GHSA-xxxx-xxxx-xxxx to add the CVSS vector string and change the severity to high."
- Request a CVE ID: "Request a CVE ID from GitHub for advisory GHSA-xxxx-xxxx-xxxx."
- Publish an advisory: "Publish advisory GHSA-xxxx-xxxx-xxxx."
- End-to-end workflow: "Create a draft advisory for an OS command injection vulnerability in our product, request a CVE ID, and publish it once the CVE has been assigned."
Additional context
Relevant REST API documentation:
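
Added example (not part of the issue or of the project's code): one way the three proposed tools could map onto the endpoints listed above, validating model-supplied arguments before they reach the URL path and refusing an unapproved transition to published. `BuildCall`, the `allowPublish` opt-in, the name and GHSA ID patterns, and the sample values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

// Assumed input patterns (not from the issue): repo-style names and GHSA IDs.
var nameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
var ghsaRe = regexp.MustCompile(`^GHSA(-[23456789cfghjmpqrvwx]{4}){3}$`)

// Call is the REST request one tool invocation translates to.
type Call struct {
	Method, Path string
	Body         []byte
}

func validName(s string) bool { return nameRe.MatchString(s) && s != "." && s != ".." }

// BuildCall maps a proposed tool name to its endpoint. allowPublish is a
// hypothetical opt-in so a model-supplied state=published needs approval.
func BuildCall(tool, owner, repo, ghsaID string, args map[string]any, allowPublish bool) (Call, error) {
	if !validName(owner) || !validName(repo) {
		return Call{}, fmt.Errorf("invalid owner or repo")
	}
	base := fmt.Sprintf("/repos/%s/%s/security-advisories", owner, repo)
	if tool == "create_repository_security_advisory" {
		body, err := json.Marshal(args)
		return Call{http.MethodPost, base, body}, err
	}
	if !ghsaRe.MatchString(ghsaID) { // rejects "../" segments and query strings
		return Call{}, fmt.Errorf("invalid ghsa_id %q", ghsaID)
	}
	switch tool {
	case "request_cve_for_repository_security_advisory":
		return Call{http.MethodPost, base + "/" + ghsaID + "/cve", nil}, nil
	case "update_repository_security_advisory":
		if args["state"] == "published" && !allowPublish {
			return Call{}, fmt.Errorf("publishing requires explicit approval")
		}
		body, err := json.Marshal(args)
		return Call{http.MethodPatch, base + "/" + ghsaID, body}, err
	}
	return Call{}, fmt.Errorf("unknown tool %q", tool)
}

func main() { // constructed sample values
	fmt.Println(BuildCall("request_cve_for_repository_security_advisory", "octo-org", "core", "GHSA-2345-cfgh-jmpq", nil, false))
}
```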