Dependency scanning with GitHub MCP Server is in public preview
Source: GitHub Changelog
The GitHub MCP Server can now scan your code changes for vulnerable dependencies before you commit or open a pull request. You’ll catch known vulnerabilities while you write code with MCP‑compatible IDEs and AI coding agents. It’s now in public preview for repositories with Dependabot alerts enabled.
How it works
The dependency vulnerability scanning tools ship as part of the GitHub MCP Server’s dependabot toolset. Once enabled, your AI coding agent can run dependency vulnerability scanning based on your prompts. When you ask the agent to check for vulnerable dependencies, it:
- Invokes the dependabot toolset.
- Sends dependency information to the GitHub Advisory Database.
- Returns structured results with affected packages, severity, and recommended fixed versions.
For more thorough post‑commit checks, the toolset can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.
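The following is an added example, not code from the changelog or from the GitHub MCP Server, that models the workflow just described offline: it diffs two dependency graphs the way the post-commit check does, keeps only the packages that were added or changed, and matches those against a small advisory set shaped like GitHub Advisory Database records (package, vulnerable version range, first patched version, severity), returning the kind of structured result the text describes. The graphs, version ranges and GHSA ids are all constructed placeholders; the range syntax handled is the simple comma-separated `<`, `<=`, `>`, `>=`, `=` form, with no pre-release handling.

```python
# Added example (not GitHub's or the MCP Server's own code): diff two dependency
# graphs, then match only the added/changed packages against constructed
# advisory records. Every name, version and GHSA id here is sample data.
import operator

# Constructed dependency graphs: package name -> resolved version, before and after a change.
BEFORE = {"lodash": "4.17.20", "express": "4.18.2"}
AFTER = {"lodash": "4.17.20", "express": "4.19.2", "minimist": "1.2.5"}

# Constructed advisories; ids and ranges are placeholders, not real advisories.
ADVISORIES = [
    {"ghsa_id": "GHSA-EXAMPLE-0001", "package": "minimist",
     "vulnerable_version_range": "< 1.2.6", "first_patched_version": "1.2.6",
     "severity": "critical"},
    {"ghsa_id": "GHSA-EXAMPLE-0002", "package": "express",
     "vulnerable_version_range": ">= 4.0.0, < 4.19.0", "first_patched_version": "4.19.0",
     "severity": "moderate"},
    {"ghsa_id": "GHSA-EXAMPLE-0003", "package": "lodash",
     "vulnerable_version_range": "< 4.17.21", "first_patched_version": "4.17.21",
     "severity": "high"},
]

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, range_spec):
    """True if version satisfies every comma-separated clause, e.g. '>= 4.0.0, < 4.19.0'."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "<", ">", "="):  # two-character operators must be tried first
            if clause.startswith(op):
                if not _OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unparseable range clause: {clause!r}")
    return True


def diff_graphs(before, after):
    """Packages that are new or whose resolved version changed: the pre-commit scope."""
    return {name: ver for name, ver in after.items() if before.get(name) != ver}


def scan_changes(before, after, advisories):
    """Structured findings for changed packages: package, version, severity, fixed version."""
    findings = []
    for name, version in sorted(diff_graphs(before, after).items()):
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["vulnerable_version_range"]):
                findings.append({
                    "package": name,
                    "version": version,
                    "ghsa_id": adv["ghsa_id"],
                    "severity": adv["severity"],
                    "fixed_version": adv["first_patched_version"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_changes(BEFORE, AFTER, ADVISORIES):
        print(f"{f['severity'].upper():8} {f['package']}@{f['version']} "
              f"({f['ghsa_id']}) -> upgrade to {f['fixed_version']}")
```

Run on the sample data, only `minimist@1.2.5` is reported: `express` was upgraded past its vulnerable range in this change, and `lodash@4.17.20` stays unflagged because it did not change even though an advisory covers it. That last case is the reason a scan of your changes complements, rather than replaces, Dependabot alerts on the repository's full dependency graph.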
Get started
Set up the GitHub MCP Server
Set up the GitHub MCP Server in your developer environment and enable the dependabot toolset:
- GitHub Copilot CLI (preinstalled with the MCP Server):
copilot --add-github-mcp-toolset dependabot
- Visual Studio Code: add the header "X-MCP-Toolsets": "dependabot" to your GitHub MCP Server configuration, or select Dependabot from the toolset selector in Copilot Chat.
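As an added illustration (not from the changelog or the GitHub MCP Server docs), this is what a VS Code MCP configuration looks like with that header in place. The file path `.vscode/mcp.json`, the `servers` layout and the remote server URL `https://api.githubcopilot.com/mcp/` are assumptions based on the GitHub MCP Server's published setup; authentication to the remote server is configured separately and is omitted here.

```jsonc
// Assumed location: .vscode/mcp.json (example configuration, not GitHub's own file)
{
  "servers": {
    "github": {
      "type": "http",
      // Assumed remote GitHub MCP Server endpoint
      "url": "https://api.githubcopilot.com/mcp/",
      "headers": {
        // Header from the changelog: enables the dependabot toolset for this server
        "X-MCP-Toolsets": "dependabot"
      }
    }
  }
}
```

The header value is a comma-separated list, so `dependabot` can sit alongside any other toolsets you already enable for the server.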
Install the advanced‑security plugin (optional)
For a more tailored dependency‑vulnerability scanning experience:
- GitHub Copilot CLI:
/plugin install advanced-security@copilot-plugins
- Visual Studio Code: install the advanced‑security agent plugin (instructions) and then use the /dependency-scanning command in Copilot Chat.
You can now ask your agent to scan your current changes before committing, e.g.:
Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.
Learn more
Join the discussion in the GitHub Community announcements.