The GitHub MCP Server can now scan code changes for exposed secrets before you commit or open a pull request. The feature, in public preview, works with any MCP-compatible IDE or AI coding agent and requires GitHub Secret Protection to be enabled on the repository.
The workflow is simple: ask your AI agent to check for secrets, and it invokes the scanning tools on the GitHub MCP Server. The agent sends the code to GitHub's secret scanning engine and receives structured results with the file locations, line numbers and details of any exposed credentials. Note that the check runs on GitHub's side: the changes are sent to the scanning engine even though no commit or push has happened yet.
How to Use It
- In GitHub Copilot CLI, run `copilot --add-github-mcp-tool run_secret_scanning` to enable the tool
- In VS Code, install the `advanced-security` agent plugin and use `/secret-scanning` in Copilot Chat
- In any MCP-enabled agent, prompt: "Scan my current changes for exposed secrets and show me the files and lines I should update before I commit"
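The page does not document the MCP tool's request or response format, so the following is an added example rather than GitHub's own code or API: a small pre-commit scanner that walks a unified diff (the output of `git diff --cached`), checks only the added lines against a few public token formats, and returns structured findings with file and line number, which is the shape of result the feature is described as producing. The detector patterns, the `Finding` type and the sample diff are all constructed here for illustration; the AWS key in the sample is the placeholder value from AWS's own documentation, and the other values are obviously fake.

```python
"""Pre-commit secret scan over a unified diff (added lines only).

Added example: this is not GitHub's secret scanning engine or the MCP
run_secret_scanning tool. It demonstrates the shape of the check the
page describes with three illustrative detectors.
"""
import re
import sys
from dataclasses import dataclass

# Illustrative detectors only (constructed); a real engine carries hundreds
# and validates candidates against the issuing provider.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff, as `git diff --cached` would print it. The AWS
# key is the documented AWS placeholder; the token and password are fake.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+DB_PASSWORD = "changeme-not-real"
 ALLOWED_HOSTS = ["example.com"]
-OLD_SETTING = 1
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Demo
+Set GITHUB_TOKEN in your environment; never commit it.
"""


@dataclass
class Finding:
    path: str      # file on the "+++ b/" side of the diff
    line: int      # line number in the new version of that file
    kind: str      # which detector fired
    redacted: str  # first 4 characters of the match, rest masked


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-exposing it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_diff(diff_text: str) -> list[Finding]:
    """Report secrets in added lines only, with new-file line numbers.

    Removed lines are skipped: deleting a secret is not a new exposure
    (a secret that was ever committed still needs rotation, not just removal).
    """
    findings: list[Finding] = []
    path, new_line, in_hunk = "", 0, False
    for raw in diff_text.splitlines():
        m = HUNK_HEADER.match(raw)
        if m:  # hunk header carries the starting line in the new file
            in_hunk, new_line = True, int(m.group(1))
            continue
        if raw.startswith("diff "):  # next file in the diff
            in_hunk = False
            continue
        if not in_hunk:  # file header block: only the "+++" side names the new file
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("+"):
            for kind, rx in PATTERNS.items():
                for hit in rx.finditer(raw[1:]):
                    findings.append(Finding(path, new_line, kind, redact(hit.group(0))))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1  # context line exists in the new file too
        # "-" lines and "\ No newline at end of file" consume no new-file line
    return findings


def main() -> int:
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} ({f.redacted})")
    return 1 if findings else 0  # non-zero exit blocks the commit in a hook


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no input to scan the embedded sample, or wire it into `.git/hooks/pre-commit` as `git diff --cached | python scan_staged.py` (hook path and file name are assumptions) so that a non-zero exit aborts the commit. The line numbers are computed from the hunk headers rather than from the diff's own line positions, which is what lets a finding point at the line to edit in the working tree.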
Why This Matters Now
AI coding agents generate code fast, but speed creates new risks. An agent pulling an API key in from context, hardcoding a database connection string, or scaffolding config files with placeholder credentials can leak secrets that a human reviewer might catch on a slower review cycle. Pre-commit scanning closes that gap by making the agent responsible for checking its own output. It prevents new exposure rather than undoing an old one: a secret that has already been committed or pushed must still be rotated, because removing it from the working tree does not remove it from history.
This is also a signal about where security tooling is headed in the agent era. Rather than bolting security checks onto CI/CD pipelines that run after code is pushed, GitHub is moving the detection point to the moment of creation, inside the agent's own workflow. Expect this pattern to extend beyond secrets to dependency vulnerabilities, license compliance, and code quality checks, all surfaced through MCP before code is committed or pushed.