Add support for listing repo security advisories at the org level

jurre · jurre · commit b5ecdb670604 · 2025-08-21T12:11:34.000+02:00
diff --git a/README.md b/README.md
@@ -937,6 +937,12 @@ The following sets of tools are available (all are on by default):
   - `type`: Advisory type. (string, optional)
   - `updated`: Filter by update date or date range (ISO 8601 date or range). (string, optional)
 
+- **list_org_repository_security_advisories** - List org repository security advisories
+  - `direction`: Sort direction. (string, optional)
+  - `org`: The organization login. (string, required)
+  - `sort`: Sort field. (string, optional)
+  - `state`: Filter by advisory state. (string, optional)
+
 - **list_repository_security_advisories** - List repository security advisories
   - `direction`: Sort direction. (string, optional)
   - `owner`: The owner of the repository. (string, required)
diff --git a/pkg/github/security_advisories.go b/pkg/github/security_advisories.go
@@ -315,3 +315,83 @@ func GetGlobalSecurityAdvisory(getClient GetClientFn, t translations.Translation
 			return mcp.NewToolResultText(string(r)), nil
 		}
 }
+
+func ListOrgRepositorySecurityAdvisories(getClient GetClientFn, t translations.TranslationHelperFunc) (tool mcp.Tool, handler server.ToolHandlerFunc) {
+	return mcp.NewTool("list_org_repository_security_advisories",
+			mcp.WithDescription(t("TOOL_LIST_ORG_REPOSITORY_SECURITY_ADVISORIES_DESCRIPTION", "List repository security advisories for a GitHub organization.")),
+			mcp.WithToolAnnotation(mcp.ToolAnnotation{
+				Title:        t("TOOL_LIST_ORG_REPOSITORY_SECURITY_ADVISORIES_USER_TITLE", "List org repository security advisories"),
+				ReadOnlyHint: ToBoolPtr(true),
+			}),
+			mcp.WithString("org",
+				mcp.Required(),
+				mcp.Description("The organization login."),
+			),
+			mcp.WithString("direction",
+				mcp.Description("Sort direction."),
+				mcp.Enum("asc", "desc"),
+			),
+			mcp.WithString("sort",
+				mcp.Description("Sort field."),
+				mcp.Enum("created", "updated", "published"),
+			),
+			mcp.WithString("state",
+				mcp.Description("Filter by advisory state."),
+				mcp.Enum("triage", "draft", "published", "closed"),
+			),
+		), func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+			org, err := RequiredParam[string](request, "org")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+			direction, err := OptionalParam[string](request, "direction")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+			sortField, err := OptionalParam[string](request, "sort")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+			state, err := OptionalParam[string](request, "state")
+			if err != nil {
+				return mcp.NewToolResultError(err.Error()), nil
+			}
+
+			client, err := getClient(ctx)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get GitHub client: %w", err)
+			}
+
+			opts := &github.ListRepositorySecurityAdvisoriesOptions{}
+			if direction != "" {
+				opts.Direction = direction
+			}
+			if sortField != "" {
+				opts.Sort = sortField
+			}
+			if state != "" {
+				opts.State = state
+			}
+
+			advisories, resp, err := client.SecurityAdvisories.ListRepositorySecurityAdvisoriesForOrg(ctx, org, opts)
+			if err != nil {
+				return nil, fmt.Errorf("failed to list organization repository security advisories: %w", err)
+			}
+			defer func() { _ = resp.Body.Close() }()
+
+			if resp.StatusCode != http.StatusOK {
+				body, err := io.ReadAll(resp.Body)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read response body: %w", err)
+				}
+				return mcp.NewToolResultError(fmt.Sprintf("failed to list organization repository advisories: %s", string(body))), nil
+			}
+
+			r, err := json.Marshal(advisories)
+			if err != nil {
+				return nil, fmt.Errorf("failed to marshal advisories: %w", err)
+			}
+
+			return mcp.NewToolResultText(string(r)), nil
+		}
+}
diff --git a/pkg/github/security_advisories_test.go b/pkg/github/security_advisories_test.go
@@ -385,3 +385,142 @@ func Test_ListRepositorySecurityAdvisories(t *testing.T) {
 		})
 	}
 }
+
+func Test_ListOrgRepositorySecurityAdvisories(t *testing.T) {
+	// Verify tool definition once
+	mockClient := github.NewClient(nil)
+	tool, _ := ListOrgRepositorySecurityAdvisories(stubGetClientFn(mockClient), translations.NullTranslationHelper)
+
+	assert.Equal(t, "list_org_repository_security_advisories", tool.Name)
+	assert.NotEmpty(t, tool.Description)
+	assert.Contains(t, tool.InputSchema.Properties, "org")
+	assert.Contains(t, tool.InputSchema.Properties, "direction")
+	assert.Contains(t, tool.InputSchema.Properties, "sort")
+	assert.Contains(t, tool.InputSchema.Properties, "state")
+	assert.ElementsMatch(t, tool.InputSchema.Required, []string{"org"})
+
+	// Endpoint pattern for org repository security advisories
+	var GetOrgsSecurityAdvisoriesByOrg = mock.EndpointPattern{
+		Pattern: "/orgs/{org}/security-advisories",
+		Method:  "GET",
+	}
+
+	adv1 := &github.SecurityAdvisory{
+		GHSAID:      github.Ptr("GHSA-aaaa-bbbb-cccc"),
+		Summary:     github.Ptr("Org repo advisory 1"),
+		Description: github.Ptr("First advisory"),
+		Severity:    github.Ptr("low"),
+	}
+	adv2 := &github.SecurityAdvisory{
+		GHSAID:      github.Ptr("GHSA-dddd-eeee-ffff"),
+		Summary:     github.Ptr("Org repo advisory 2"),
+		Description: github.Ptr("Second advisory"),
+		Severity:    github.Ptr("critical"),
+	}
+
+	tests := []struct {
+		name               string
+		mockedClient       *http.Client
+		requestArgs        map[string]interface{}
+		expectError        bool
+		expectedAdvisories []*github.SecurityAdvisory
+		expectedErrMsg     string
+	}{
+		{
+			name: "successful listing (no filters)",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					GetOrgsSecurityAdvisoriesByOrg,
+					expect(t, expectations{
+						path:        "/orgs/octo/security-advisories",
+						queryParams: map[string]string{},
+					}).andThen(
+						mockResponse(t, http.StatusOK, []*github.SecurityAdvisory{adv1, adv2}),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"org": "octo",
+			},
+			expectError:        false,
+			expectedAdvisories: []*github.SecurityAdvisory{adv1, adv2},
+		},
+		{
+			name: "successful listing with filters",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					GetOrgsSecurityAdvisoriesByOrg,
+					expect(t, expectations{
+						path: "/orgs/octo/security-advisories",
+						queryParams: map[string]string{
+							"direction": "asc",
+							"sort":      "created",
+							"state":     "triage",
+						},
+					}).andThen(
+						mockResponse(t, http.StatusOK, []*github.SecurityAdvisory{adv1}),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"org":       "octo",
+				"direction": "asc",
+				"sort":      "created",
+				"state":     "triage",
+			},
+			expectError:        false,
+			expectedAdvisories: []*github.SecurityAdvisory{adv1},
+		},
+		{
+			name: "listing fails",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					GetOrgsSecurityAdvisoriesByOrg,
+					expect(t, expectations{
+						path:        "/orgs/octo/security-advisories",
+						queryParams: map[string]string{},
+					}).andThen(
+						mockResponse(t, http.StatusForbidden, map[string]string{"message": "Forbidden"}),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"org": "octo",
+			},
+			expectError:    true,
+			expectedErrMsg: "failed to list organization repository security advisories",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			client := github.NewClient(tc.mockedClient)
+			_, handler := ListOrgRepositorySecurityAdvisories(stubGetClientFn(client), translations.NullTranslationHelper)
+
+			request := createMCPRequest(tc.requestArgs)
+
+			result, err := handler(context.Background(), request)
+
+			if tc.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.expectedErrMsg)
+				return
+			}
+
+			require.NoError(t, err)
+
+			textContent := getTextResult(t, result)
+
+			var returnedAdvisories []*github.SecurityAdvisory
+			err = json.Unmarshal([]byte(textContent.Text), &returnedAdvisories)
+			assert.NoError(t, err)
+			assert.Len(t, returnedAdvisories, len(tc.expectedAdvisories))
+			for i, advisory := range returnedAdvisories {
+				assert.Equal(t, *tc.expectedAdvisories[i].GHSAID, *advisory.GHSAID)
+				assert.Equal(t, *tc.expectedAdvisories[i].Summary, *advisory.Summary)
+				assert.Equal(t, *tc.expectedAdvisories[i].Description, *advisory.Description)
+				assert.Equal(t, *tc.expectedAdvisories[i].Severity, *advisory.Severity)
+			}
+		})
+	}
+}
diff --git a/pkg/github/tools.go b/pkg/github/tools.go
@@ -164,6 +164,7 @@ func DefaultToolsetGroup(readOnly bool, getClient GetClientFn, getGQLClient GetG
 			toolsets.NewServerTool(ListGlobalSecurityAdvisories(getClient, t)),
 			toolsets.NewServerTool(GetGlobalSecurityAdvisory(getClient, t)),
 			toolsets.NewServerTool(ListRepositorySecurityAdvisories(getClient, t)),
+			toolsets.NewServerTool(ListOrgRepositorySecurityAdvisories(getClient, t)),
 		)
 
 	// Keep experiments alive so the system doesn't error out when it's always enabled

Original file line number	Diff line number	Diff line change
`@@ -164,6 +164,7 @@ func DefaultToolsetGroup(readOnly bool, getClient GetClientFn, getGQLClient GetG`
`164`	`164`	`toolsets.NewServerTool(ListGlobalSecurityAdvisories(getClient, t)),`
`165`	`165`	`toolsets.NewServerTool(GetGlobalSecurityAdvisory(getClient, t)),`
`166`	`166`	`toolsets.NewServerTool(ListRepositorySecurityAdvisories(getClient, t)),`
	`167`	`+ toolsets.NewServerTool(ListOrgRepositorySecurityAdvisories(getClient, t)),`
`167`	`168`	`)`
`168`	`169`
`169`	`170`	`// Keep experiments alive so the system doesn't error out when it's always enabled`