GitHub: Secret scanning via MCP server reaches GA — AI agents detect credentials before commit

GitHub declared secret scanning through the GitHub MCP Server generally available (GA) on May 5 — a tool giving AI coding agents the ability to detect exposed credentials in code before they reach a repository.

MCP (Model Context Protocol) is an open protocol that allows AI agents and language models to call external tools and data sources in a standardized way. Secret scanning detects API keys, passwords, certificates, and other credentials exposed in code.

How does the tool work in practice?

The integration works with MCP-compatible IDEs and Copilot CLI: a developer or agent can request a scan with a command like “Scan my current changes for exposed secrets” and receive a list of files and lines to fix.

Scanning happens before the commit, shifting security control left in the development cycle — credentials are caught locally rather than first landing in Git history where they are harder to remove.

What does the GA version add?

The new GA version respects push protection customization settings at the repository and organization level. This means enterprise rules about which types of secrets may or may not be recorded apply when an agent triggers scanning, avoiding inconsistency between manual and agent-driven workflows.

What was released in parallel?

On the same day, dependency scanning through the MCP Server entered public preview — vulnerability scanning integrated with the GitHub Advisory Database. Development teams can use natural language to request a CVE overview for the packages they depend on.

Both tools together make AI-assisted coding workflows more secure in the early development phase, showing how MCP is becoming a standard security extension for agentic developer tooling, not just a channel for code generation.