MokoConsulting/mcp-mokogitea-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev
mcp-mokogitea-api/SECURITY.md
T
Jonathan Miller b58ad0dfd6
Changelog Validation / Validate CHANGELOG.md (push) Failing after 3s
Details
Deploy to Demo Server (SFTP) / Verify Deployment Permission (push) Successful in 1s
Details
Build & Release / Build & Release Pipeline (push) Failing after 37s
Details
MCP Build & Validate / build (20) (push) Failing after 4s
Details
MCP Release / Build, Validate & Release (push) Failing after 36s
Details
MCP Build & Validate / build (22) (push) Failing after 10s
Details
Standards Compliance / Secret Scanning (push) Successful in 3s
Details
MCP Tool Inventory / inventory (push) Failing after 4s
Details
Standards Compliance / License Header Validation (push) Failing after 3s
Details
Standards Compliance / Repository Structure Validation (push) Failing after 3s
Details
Standards Compliance / Coding Standards Check (push) Failing after 2s
Details
Standards Compliance / Workflow Configuration Check (push) Failing after 2s
Details
Standards Compliance / Documentation Quality Check (push) Successful in 3s
Details
Standards Compliance / README Completeness Check (push) Failing after 2s
Details
Standards Compliance / Git Repository Hygiene (push) Successful in 2s
Details
Standards Compliance / Script Integrity Validation (push) Successful in 3s
Details
Standards Compliance / Line Length Check (push) Failing after 3s
Details
Standards Compliance / File Naming Standards (push) Successful in 2s
Details
Standards Compliance / Insecure Code Pattern Detection (push) Successful in 2s
Details
Standards Compliance / Version Consistency Check (push) Successful in 32s
Details
Standards Compliance / File Size Limits (push) Successful in 3s
Details
Standards Compliance / Dead Code Detection (push) Successful in 5s
Details
Standards Compliance / Binary File Detection (push) Successful in 3s
Details
Standards Compliance / TODO/FIXME Tracking (push) Successful in 3s
Details
Standards Compliance / Code Complexity Analysis (push) Successful in 34s
Details
Standards Compliance / Broken Link Detection (push) Successful in 3s
Details
Standards Compliance / API Documentation Coverage (push) Successful in 3s
Details
Standards Compliance / Accessibility Check (push) Successful in 3s
Details
Standards Compliance / Code Duplication Detection (push) Successful in 36s
Details
Standards Compliance / Performance Metrics (push) Successful in 3s
Details
Standards Compliance / Unused Dependencies Check (push) Successful in 37s
Details
Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 39s
Details
Standards Compliance / Terraform Configuration Validation (push) Successful in 6s
Details
Deploy to Demo Server (SFTP) / SFTP Deploy → Demo (push) Successful in 3s
Details
Standards Compliance / Enterprise Readiness Check (push) Successful in 34s
Details
Standards Compliance / Repository Health Check (push) Successful in 33s
Details
Standards Compliance / Compliance Summary (push) Failing after 1s
Details
Sync Version from README / Propagate README version (push) Failing after 37s
Details
CodeQL Security Scanning / Analyze (actions) (push) Failing after 1m19s
Details
CodeQL Security Scanning / Analyze (javascript) (push) Failing after 1m18s
Details
CodeQL Security Scanning / Security Scan Summary (push) Successful in 1s
Details
MCP SDK Version Check / check-sdk (push) Failing after 5s
Details
Auto-Assign Issues & PRs / Assign unassigned issues and PRs (push) Successful in 1s
Details
feat(tools): expand to 88 tools — topics, collaborators, deploy keys, branch protection, org labels, actions secrets, mirrors, stats, compare, admin, issue labels 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-07 16:17:26 -05:00

3.1 KiB
Raw Permalink Blame History

Security Policy

Supported Versions

Version Supported
0.0.x Yes

Reporting a Vulnerability

To report a security vulnerability, please email hello@mokoconsulting.tech with the subject line [SECURITY] gitea-api-mcp. Do not open a public issue for security vulnerabilities.

We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

Token Storage Security

Configuration File

The config file ~/.gitea-api-mcp.json stores Gitea API tokens in plaintext. Follow these practices to protect your tokens:

File Permissions

Set restrictive permissions on the config file so only your user can read it:

chmod 600 ~/.gitea-api-mcp.json

On Windows, ensure the file is only readable by your user account through the file properties security tab.

What to Avoid

  • Never commit ~/.gitea-api-mcp.json or any file containing tokens to version control
  • Never share config files containing real tokens
  • Never log or print token values in debug output
  • Never store tokens in environment variables visible to other processes if avoidable

Token Scope

When generating Gitea access tokens, follow the principle of least privilege:

  • Only grant the scopes (permissions) your workflow requires
  • Use separate tokens for separate purposes or environments
  • Rotate tokens periodically
  • Revoke tokens that are no longer needed

Token Generation

  1. Navigate to your Gitea instance Settings > Applications
  2. Under "Manage Access Tokens," enter a token name
  3. Select only the required scopes
  4. Click "Generate Token"
  5. Copy the token immediately -- it will not be shown again

Network Security

TLS Verification

By default, the client verifies TLS certificates. The insecure: true option disables certificate verification for self-signed certificates. Use this only for:

  • Local development instances
  • Internal instances with self-signed certificates where the network is trusted

Never use insecure: true for production instances accessible over the public internet.

API Prefix

All requests are sent to /api/v1 endpoints with:

  • Authorization: token <your-token> header
  • Content-Type: application/json header
  • 30-second request timeout

MCP Transport Security

This server uses stdio transport, meaning it communicates through standard input/output with the MCP client (e.g., Claude Code). The token is never exposed through network ports or HTTP endpoints by the MCP server itself.

Security Checklist

  • Config file permissions set to 600 (Unix) or user-only (Windows)
  • Tokens scoped to minimum required permissions
  • Config file excluded from version control (.gitignore)
  • insecure flag only used for trusted internal instances
  • Tokens rotated on a regular schedule
  • Unused tokens revoked promptly
Reference in New Issue View Git Blame Copy Permalink