ci: add AgentScore MCP dependency policy gate#5582

Closed
Thezenmonster wants to merge 3 commits intokurrent-io:masterfrom
Thezenmonster:add-agentscore-gate
Conversation

@Thezenmonster Thezenmonster commented Apr 14, 2026

What this does

Adds a GitHub Actions workflow that checks MCP package dependencies on every PR and push to master.

The Action auto-discovers MCP packages from:

  • `package.json` dependencies
  • MCP config files (`.mcp.json`, `mcp.json`, `.cursor/mcp.json`)

For your repo, it will detect and scan:

  • `@upstash/context7-mcp` (from `.mcp.json`)
  • `@modelcontextprotocol/server-sequential-thinking` (from `.mcp.json`)

What is NOT covered

`serena` is installed via `uvx --from git+https://github.com/oraios/serena`. This is not an npm package and cannot be scanned. The Action will log a warning:

```
serena: git URL install (not an npm package). Not scannable by AgentScore.
```

How it works

  • No API key needed. Authenticates via GitHub OIDC.
  • First run auto-provisions the repo.
  • Shows per-package trust verdicts and AI capability classification.

To try it

Merge this PR. Push to master. The gate runs automatically.

Ref: #5575


Free 30-day pilot. No lock-in. Remove the workflow file anytime.
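The discovery and warning step the description outlines, shown as an added example that is not the Action's own code: it reads a constructed `.mcp.json` mirroring the servers named in this PR, keeps the npm packages for scanning, and emits the warning text for sources that cannot be scanned. The `docker` entry and the exact command/argument layout of each server are assumptions.

```python
import json
import re

# Constructed sample config, modelled on the servers named in the PR
# (context7, sequential-thinking, serena) plus an assumed Docker-based server.
MCP_JSON = json.dumps({
    "mcpServers": {
        "context7": {"command": "npx", "args": ["-y", "@upstash/context7-mcp"]},
        "sequential-thinking": {"command": "npx",
                                "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]},
        "serena": {"command": "uvx",
                   "args": ["--from", "git+https://github.com/oraios/serena", "serena"]},
        "db": {"command": "docker", "args": ["run", "-i", "example/mcp-db"]},
    }
})

# Loose npm package-name shape: optional @scope/, name, optional @version.
NPM_PKG = re.compile(r"^(@[a-z0-9][\w.-]*/)?[a-z0-9][\w.-]*(@\S+)?$")


def classify_server(name, spec):
    """Return (source_kind, reference) for one mcpServers entry.

    Kinds: "npm" (scannable), "git", "docker", "unknown" (all warn-only)."""
    cmd = spec.get("command", "")
    args = spec.get("args", [])
    git_refs = [a for a in args if a.startswith("git+")]
    if git_refs:                      # e.g. uvx --from git+https://...
        return "git", git_refs[0]
    if cmd == "docker":
        return "docker", " ".join(args)
    if cmd in ("npx", "npm", "pnpm", "yarn"):
        for a in args:
            if a.startswith("-") or a in ("exec", "dlx"):
                continue              # skip flags and subcommands
            if NPM_PKG.match(a):
                return "npm", a
    return "unknown", cmd


def discover(mcp_json_text):
    """Split servers into scannable npm package names and warning lines."""
    servers = json.loads(mcp_json_text).get("mcpServers", {})
    scannable, warnings = [], []
    for name, spec in servers.items():
        kind, ref = classify_server(name, spec)
        if kind == "npm":
            scannable.append(ref)
        elif kind == "git":
            warnings.append(f"{name}: git URL install (not an npm package). Not scannable by AgentScore.")
        elif kind == "docker":
            warnings.append(f"{name}: Docker image (not an npm package). Not scannable by AgentScore.")
        else:
            warnings.append(f"{name}: unrecognised source '{ref}'. Not scannable by AgentScore.")
    return scannable, warnings
```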

@Thezenmonster Thezenmonster requested a review from a team as a code owner April 14, 2026 12:19

CLAassistant commented Apr 14, 2026

CLA assistant check
All committers have signed the CLA.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

The Action does not yet parse .mcp.json directly. Packages are listed explicitly. serena (git URL install) is not covered by this check.

The Action now auto-discovers MCP packages from .mcp.json and other MCP config files. Non-npm sources (git URLs, Docker) are warned about but cannot be scanned.