mcp-dependabot by charlesgobina - MCP Server

Dependabot MCP Server

This tools is built to use the dependabot API, together with the model context protocol (MCP) to further reduce alert fatigue caused by dependabot security alerts through a conversation with an MCP Host.

Features

MCP Host has access to alerts through retrieval of all Dependabot alerts for a repository.
MCP Host can fetch details of a specific Dependabot alert by its ID.
MCP Host can explain vulnerabilities in simple terms, including technical details and recommended actions.
MCP Host can update the status of Dependabot alerts (e.g., dismiss or resolve alerts).

Project Structure

.env
[`package.json`](package.json )
[`tsconfig.json`](tsconfig.json )
build/
    [`index.js`](index.js )
    [`build/mcp_server.js`](build/mcp_server.js )
    data/
        [`build/data/all_data.js`](build/data/all_data.js )
        [`build/data/dependabot_alert.js`](build/data/dependabot_alert.js )
    tools/
        [`build/tools/tools.js`](build/tools/tools.js )
    
src/
    [`src/index.ts`](src/index.ts )
    [`src/mcp_server.ts`](src/mcp_server.ts )
    data/
        [`src/data/all_data.ts`](src/data/all_data.ts )
        [`src/data/dependabot_alert.ts`](src/data/dependabot_alert.ts )
    tools/
        [`src/tools/tools.ts`](src/tools/tools.ts )
    utils/
        [`src/utils/helpers.ts`](src/utils/helpers.ts )

Key Files

src/index.ts: Entry point for the application. Defines the MCP server and registers tools for interacting with Dependabot alerts.
src/mcp_server.ts: Sets up the MCP server and initializes the GitHub Octokit client.
src/utils/helpers.ts: Contains utility functions for formatting alerts, fetching alert data, determining risk levels, and recommending actions.
src/data/all_data.ts: Defines TypeScript interfaces for Dependabot alert data structures.
build/: Contains the compiled JavaScript files generated by TypeScript.

Prerequisites

Node.js (v16 or later)
npm (Node Package Manager)
A GitHub personal access token with repo and security_events scopes.

Installation

Clone the repository:

git clone https://github.com/your-username/dependabot-mcp-server.git
cd dependabot-mcp-server

Install dependencies:
```
npm install
```
Create a .env file in the root directory and add your GitHub token:
```
GITHUB_TOKEN=your_github_token
ALL=your_github_token
```
Build the project:
```
npm run build
```

Usage

Running the Server

Start the MCP server:

node build/index.js

The server will run on standard input/output (stdio) and expose tools for interacting with Dependabot alerts.

Available Tools

1. Get All Alerts

Command: get-alerts

Description: Retrieves all Dependabot alerts for the repository.

2. Get Specific Alert

Command: get-specific-alert

Parameters:

alertId (number): The ID of the alert to fetch.

Description: Fetches details of a specific Dependabot alert.

3. Explain Vulnerability

Command: explain-vulnerability

Parameters:

alertId (number): The ID of the alert to explain.

Description: Provides a simplified explanation of a vulnerability, including technical details and recommended actions.

4. Update Alert Status

Command: update-alert-status

Parameters:

alertId (number): The ID of the alert to update.
state (string): The new state of the alert (dismissed or resolved).
reason (string, optional): The reason for dismissal.
comment (string, optional): Additional comments explaining the decision.

Description: Updates the status of a Dependabot alert.

Environment Variables

GITHUB_TOKEN: Your GitHub personal access token.
ALL: An alternative token for authentication.

Development

TypeScript Compilation

To compile TypeScript files to JavaScript (Linux and Mac), run:

npm run build

Watch Mode

For development, you can use the buildw script to compile and run the project on Windows:

npm run buildw

License

This project is licensed under the .

Contributing

Contributions are welcome! Please open an issue or submit a pull request.

Acknowledgments

GitHub Dependabot for providing security alerts.
Model Context Protocol (MCP) for enabling tool integration.