GitHub adds secret scanning to AI coding agents through the MCP Server
Original: Secret scanning in AI coding agents via the GitHub MCP Server
GitHub said on March 17, 2026 that AI coding agents can now run secret scanning through the GitHub MCP Server before a commit or pull request is opened. The change brings one of GitHub's core security controls directly into MCP-compatible IDEs and agent workflows, which matters because automated coding systems can introduce credential leaks at the same speed they generate code.
According to GitHub, the MCP Server can inspect code changes for exposed secrets while a developer or AI agent is still working locally. When a user asks an agent to check for secrets, the agent can call the MCP Server's secret scanning tools and send the relevant code to GitHub's scanning engine. The response returns structured findings, including the locations of suspected secrets and details about what was detected, so the issue can be fixed before the change reaches review or CI.
That workflow is important for teams experimenting with agentic development. In many organizations, secret scanning only becomes visible after code is pushed, which leaves room for accidental exposure in branches, logs, or collaboration tools. By moving detection earlier, GitHub is effectively turning secret scanning into a real-time guardrail for AI-assisted software delivery rather than a later-stage cleanup step.
GitHub said the feature is in public preview for repositories with GitHub Secret Protection enabled. The company also pointed users to an optional GitHub Advanced Security plugin for a more tailored experience. Those constraints mean the announcement is not a universal default yet, but it shows where platform vendors are headed: security services exposed as callable tools inside the same loop where humans and AI agents write code.
For enterprises, the larger takeaway is that AI coding adoption is quickly becoming a security integration problem as much as a model quality problem. Secret scanning via the GitHub MCP Server does not eliminate the need for reviews, policies, or access controls, but it gives teams a practical way to reduce one of the most common and costly failure modes in agent-driven development.