GitHub adds MCP secret scanning
- GitHub expanded security checks for its MCP Server this week, making secret scanning generally available and launching dependency scanning in public preview for AI agents.
- The new setup reuses existing push-protection rules for secrets, and dependency scanning now checks MCP-built code for vulnerable packages before commits or pull requests.
- That matters because MCP servers are becoming software supply-chain infrastructure, not just chat add-ons, as AI agents gain permission to read, write, and ship code.
AI coding agents are starting to look less like autocomplete and more like junior developers with shell access. That changes the security problem. The weak point is no longer just the code they write, but the tools and protocols they use to write it. This week GitHub moved on that gap by upgrading security inside its GitHub MCP Server: secret scanning became generally available on May 5, and dependency scanning entered public preview a day later.

### What is MCP, in plain English?

Model Context Protocol is the plumbing that lets an AI assistant talk to outside tools in a structured way. Instead of only generating text, the model can ask a server to inspect a repo, open files, run checks, or prepare a pull request. Anthropic started the protocol, but it has spread fast because it gives agents a common way to use software. GitHub has been leaning into that with its own MCP Server and registry. (thenewstack.io)

### What actually changed at GitHub?

Two things. Secret scanning through the GitHub MCP Server, which entered public preview on March 17, is now generally available. And dependency scanning for the GitHub MCP Server is now in public preview. So an agent using GitHub's MCP tools can check code for exposed credentials and known vulnerable dependencies as part of the same workflow it uses to edit or submit code. (github.blog)

### Why is secret scanning the first obvious win?

Because agents are very good at doing the dumb dangerous thing quickly, like copying tokens into config files, test fixtures, or example code. GitHub's GA change matters because the MCP secret-scanning tools now honor the same push-protection customizations a repo or organization already uses. Basically, if a team has already tuned how secret blocking and bypass (github.blog 1) (github.blog 2)

### Why add dependency scanning too?

Because leaked secrets are only one failure mode.
Agents also generate code that pulls in packages, updates manifests, and stitches together examples from all over the place. Dependency scanning is meant to catch the other classic software-supply-chain problem: known vulnerable packages showing up in what the agent just changed. GitHub is treating the agent's output like any other code artifact that needs review before it lands. (thenewstack.io)

### Why does this matter more now?

MCP servers are turning into a real attack surface. Security researchers have been flagging agent and MCP risks at multiple layers, from exposed secrets to malicious instructions and command-execution issues in deployed MCP setups. The details differ, but the pattern is the same: once an agent can act through tools, the tool layer becomes part of the software supply chain. (venturebeat.com)

### Does this secure AI coding by itself?

No, and that is the catch. Secret scanning catches secrets. Dependency scanning catches known vulnerable packages. Neither one solves prompt injection, bad permissions, unsafe tool design, or an agent making a terrible but syntactically valid change. Think of this like adding seat belts, not self-driving perfection. You still need least-privilege access, human review, tests, and tight controls on which MCP servers developers can install. (github.blog)

### Why should developers care if they are not using GitHub Copilot?

Because this is bigger than one assistant. GitHub is signaling that agent workflows belong inside normal AppSec and DevSecOps controls. If a repo advertises MCP support, the serious question is no longer "can an agent use this?" but "what guardrails fire before the agent ships something stupid?" Secret hygiene, dependency hygiene, and policy reuse are becoming table stakes. (github.blog)

### Bottom line?

GitHub is folding AI agents into the same security model as the rest of software delivery. That is the important shift.
The novelty is not just that agents can scan for secrets and bad packages — it is that GitHub now treats agent actions as production supply-chain events that need the same brakes as human ones. (github.blog)
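To make the two checks discussed above concrete (secret scanning of files an agent writes, and dependency scanning of a manifest it changed), here is a small pre-merge gate that runs over an agent's proposed change set. This is an added example written for this page, not GitHub's scanner, its MCP Server code, or its push-protection rules: the regex rules, the advisory table, the fingerprint allowlist (standing in for the bypass settings a team has already tuned) and the sample files are all constructed for the demo. The versions in the advisory table are hypothetical and should not be read as real vulnerability data.

```python
"""Pre-merge gate for agent-authored changes (added example, not GitHub code).

Input is a dict of {path: new file content} an agent proposes. Two checks run:
secret scanning with a few constructed regex rules, and dependency scanning of
requirements.txt pins against a constructed (hypothetical) advisory table.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed secret rules. ghp_ (GitHub PAT) and AKIA (AWS access key ID) are the
# well-known prefixes; the regexes are deliberately minimal, not GitHub's rule set.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
}

# Hypothetical advisory table: package -> (first fixed version, advisory id).
# A real gate would query an advisory database; the values here are made up.
ADVISORIES = {
    "requests": ("2.31.0", "DEMO-ADV-1"),
    "pyyaml": ("5.4", "DEMO-ADV-2"),
}


@dataclass(frozen=True)
class Finding:
    kind: str         # "secret" or "dependency"
    rule: str         # pattern name or advisory id
    path: str
    detail: str
    fingerprint: str  # stable id so a reviewed finding can be allowlisted


def fingerprint(rule: str, value: str) -> str:
    """Stable, non-reversible identifier for one finding (rule + matched value)."""
    return hashlib.sha256(f"{rule}:{value}".encode()).hexdigest()[:16]


def scan_secrets(path: str, content: str) -> List[Finding]:
    """Apply every secret rule to one file; report the line and a redacted prefix."""
    findings = []
    for rule, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(content):
            line_no = content.count("\n", 0, m.start()) + 1
            detail = f"line {line_no}: {m.group(0)[:8]}... (redacted)"
            findings.append(Finding("secret", rule, path, detail, fingerprint(rule, m.group(0))))
    return findings


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for the demo (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(content: str) -> Dict[str, Optional[str]]:
    """Map package -> exact pinned version, or None when the line is not an == pin."""
    deps: Dict[str, Optional[str]] = {}
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
        else:  # ranges, extras or bare names: not an exact pin
            deps[re.split(r"[<>=!~\[ ]", line, maxsplit=1)[0].lower()] = None
    return deps


def scan_dependencies(path: str, content: str) -> List[Finding]:
    """Flag pins below the first fixed version, and unpinned lines we cannot evaluate."""
    findings = []
    for name, version in parse_requirements(content).items():
        if version is None:
            findings.append(Finding("dependency", "unpinned", path,
                                    f"{name} has no exact pin; cannot evaluate against advisories",
                                    fingerprint("unpinned", name)))
        elif name in ADVISORIES:
            fixed, advisory = ADVISORIES[name]
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding("dependency", advisory, path,
                                        f"{name}=={version} is below first fixed version {fixed}",
                                        fingerprint(advisory, f"{name}=={version}")))
    return findings


def gate(changes: Dict[str, str], allowed_fingerprints=frozenset()) -> List[Finding]:
    """Run both checks over every changed file; drop findings a reviewer already allowlisted."""
    findings: List[Finding] = []
    for path, content in changes.items():
        if path.endswith("requirements.txt"):
            findings.extend(scan_dependencies(path, content))
        findings.extend(scan_secrets(path, content))
    return [f for f in findings if f.fingerprint not in allowed_fingerprints]


# Constructed sample change set: a token pasted into a test fixture, a manifest with one
# vulnerable pin, one patched pin (5.4.1 is not below 5.4) and one unpinned package.
SAMPLE_TOKEN = "ghp_" + "A1b2C3d4" * 4 + "E5f6"   # fake value, 36 chars after the prefix
SAMPLE_CHANGES = {
    "tests/fixtures/config.yaml": f"api:\n  token: {SAMPLE_TOKEN}\n",
    "requirements.txt": "requests==2.25.1\npyyaml==5.4.1\nflask\n",
    "src/app.py": "import os\nTOKEN = os.environ['GITHUB_TOKEN']\n",
}

if __name__ == "__main__":
    for f in gate(SAMPLE_CHANGES):
        print(f"[{f.kind}] {f.path}: {f.rule}: {f.detail} (fp={f.fingerprint})")
```

Run as-is, the gate blocks the sample change set on three findings: the pasted token in the fixture, the `requests` pin below the fixed version, and the unpinned `flask` line (unpinned lines are reported rather than silently passed, because a scanner cannot evaluate a range against an advisory). Passing a reviewed finding's fingerprint in `allowed_fingerprints` lets it through on the next run, which is the point of reusing a team's existing bypass decisions instead of re-blocking the same finding every time the agent touches the file.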