github/github-mcp-server · 2026 cheatsheet

GitHub MCP Server

GitHub's MCP server exposes 150+ tools across 18 toolsets — issues, PRs, repos, actions, code security, projects — to any MCP-capable AI client. Run it remotely via OAuth or locally via Docker stdio. Built for the QA workflow that needs to triage PRs, investigate flaky CI, and produce release notes from chat.

Remote: api.githubcopilot.com/mcp | Docker: ghcr.io/github/github-mcp-server | 18 toolsets | OAuth · PAT | Read-only mode

01 What is GitHub MCP?

The GitHub MCP Server is an open-source Go server published by GitHub (repo: github/github-mcp-server) that exposes the GitHub REST + GraphQL APIs as MCP tools. Your AI assistant — Claude Code, Cursor, Claude Desktop, VS Code Copilot, Windsurf, JetBrains — gets a uniform JSON interface to do anything you can do with the gh CLI: open issues, review diffs, fetch CI logs, scan vulnerabilities.

Two ways to run it:
  • Remote (recommended for individuals): hosted by GitHub at https://api.githubcopilot.com/mcp/, authenticated via OAuth. Zero setup, always up-to-date.
  • Local Docker stdio: ghcr.io/github/github-mcp-server + PAT. Required for GitHub Enterprise Server, offline use, or strict corporate environments.
02 Install — pick your client

All configs below assume the remote server. For Docker stdio, swap the type: "http" block for command/args as shown at the bottom.

Claude Code (CLI)

One command — Claude Code handles OAuth in the browser:

terminal
claude mcp add --transport http github https://api.githubcopilot.com/mcp/

Cursor

Edit ~/.cursor/mcp.json (global) or .cursor/mcp.json (project):

~/.cursor/mcp.json
{
  "mcpServers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/"
    }
  }
}

Claude Desktop

Edit claude_desktop_config.json (Settings → Developer → Edit Config):

claude_desktop_config.json
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://api.githubcopilot.com/mcp/"]
    }
  }
}

VS Code (with Copilot)

VS Code 1.101+ supports MCP natively. Add to .vscode/mcp.json:

.vscode/mcp.json
{
  "servers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/"
    }
  }
}

Docker stdio (Enterprise / offline)

any MCP client
{
  "mcpServers": {
    "github": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
        "-e", "GITHUB_TOOLSETS=context,repos,issues,pull_requests",
        "-e", "GITHUB_READ_ONLY=1",
        "ghcr.io/github/github-mcp-server"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_xxx..."
      }
    }
  }
}

☝ Note: GITHUB_READ_ONLY=1 disables every write tool. Use this for QA assistants by default.

03 Toolsets — all 18

Toolsets group related tools so you can enable only what you need. Smaller context = better tool choice = fewer hallucinations.

Toolset | Default | Description
context |  | Current user, repo, branch context (always include)
repos |  | Read files, list commits, search code
issues |  | Create, read, comment, label, search issues
pull_requests |  | Create, read, review, merge PRs
users |  | Search users, organizations
actions |  | List workflows, get runs, fetch job logs
code_security |  | List code scanning alerts (CodeQL)
dependabot |  | List dependabot vulnerability alerts
secret_protection |  | List secret scanning alerts
security_advisories |  | GHSA advisories
discussions |  | GitHub Discussions
gists |  | Create, list, update gists
git |  | Low-level Git operations (refs, blobs)
labels |  | Manage repo labels
notifications |  | Inbox notifications
orgs |  | Organization-level data
projects |  | GitHub Projects v2 (added Jan 2026)
stargazers |  | Star/unstar repos

Set via flag: --toolsets=repos,issues,pull_requests or env: GITHUB_TOOLSETS=.... Enable experimental tools with GITHUB_INSIDERS=true or URL /mcp/insiders.

04 Security Risk Matrix

The biggest mistake QA teams make is plugging in a PAT with repo scope and forgetting that merge_pull_request is in the toolset. The AI will use it if asked. Use this matrix to decide what to enable.

Tool (example) | Risk | What can go wrong
get_file_contents | 🟢 Read | Safe; reads any file you have access to.
search_code / search_issues | 🟢 Read | Safe; respects auth scope.
list_commits / list_pull_requests | 🟢 Read | Safe; metadata only.
list_*_alerts (code_security) | 🟢 Read | Requires security_events scope.
add_issue_comment | 🟡 Write (low) | Visible to repo collaborators. Reversible by edit/delete.
create_issue | 🟡 Write (low) | Visible publicly on public repos. Reversible by close.
create_pull_request | 🟡 Write (medium) | Creates branch + PR; reversible by closing PR.
create_or_update_file | 🟠 Write (high) | Commits directly to the default branch unless you specify another. Hard to undo silently.
merge_pull_request | 🔴 Destructive | Merges to main/master. May trigger deploy. Never run unattended.

Recommended setup for QA chat assistants:
  1. PAT scope: repo:read, read:org, security_events (no write scopes).
  2. GITHUB_READ_ONLY=1 as a belt-and-suspenders layer.
  3. Toolsets: context, repos, issues, pull_requests, actions, code_security.
  4. For destructive ops (merge, push), use a separate PAT only when explicitly asked.

05 QA Cookbook — copy-paste prompts

Each prompt is tested with Claude Code + Cursor against a real repo. Replace {OWNER}/{REPO} with your repo path.

RECIPE 01

Regression PR Triage

Read every PR opened against main in the last 7 days, summarize what changed, and flag any that touch high-risk paths.

Required toolsets: repos, pull_requests
Use the GitHub MCP to list open pull_requests against the default branch from the last 7 days for repo {OWNER}/{REPO}.

For each PR:
1. Fetch the diff (get_pull_request_files).
2. Identify if any changed file matches these high-risk paths: src/payment/**, src/auth/**, src/migrations/**.
3. List the PR number, title, author, files changed, and a 1-sentence risk note.

Format as a markdown table sorted by risk (high → low). Do not comment on or merge any PR.
RECIPE 02

Flaky Test Investigation

Find recent CI failures, fetch job logs, and propose a hypothesis for the flake.

Required toolsets: actions, repos
Using GitHub MCP (toolset: actions), list the 20 most recent failed workflow runs for repo {OWNER}/{REPO} on the main branch.

For each failure:
1. Fetch the failing job logs (get_job_logs).
2. Extract the test name(s) that failed and the assertion message.
3. Group failures by test name.
4. For any test that failed >2 times across different commits, mark it as "flaky candidate" and propose a hypothesis (timing, network, shared state).

Output: markdown report with sections "Flaky candidates" and "One-off failures".
RECIPE 03

Release Notes from PRs

Generate a clean, customer-facing changelog from PRs merged since the last tag.

Required toolsets: pull_requests, repos
Using GitHub MCP, find all PRs merged into main between the last release tag and HEAD for repo {OWNER}/{REPO}.

For each merged PR:
1. Read the PR title, body, and labels.
2. Categorize: "Features" (label: enhancement), "Fixes" (label: bug), "Other".
3. Skip PRs labeled "internal" or "ci".
4. Rewrite each item in a 1-line, user-facing tone (no jargon, no PR numbers in the line itself).

Output: markdown grouped by category, ready to paste into release notes.

06 Troubleshooting
401 / 403 on every call. Your PAT lacks the toolset's scope. code_security needs security_events; repos on private repos needs repo not public_repo.
Tool not found errors. You set GITHUB_TOOLSETS too narrowly. context must always be included — many tools depend on it.
OAuth loop in Claude Desktop. Use the mcp-remote proxy (shown in install section), not direct HTTP. Claude Desktop's native OAuth flow lags behind Claude Code.
GitHub Enterprise Server (GHES). Set GITHUB_HOST=https://ghes.your-corp.com and use Docker stdio — the public hosted endpoint doesn't resolve to GHES.

07 FAQ
Do I need a GitHub App or can I use a personal token?

Both work. The remote server at api.githubcopilot.com/mcp/ uses OAuth (no token to manage). For local Docker stdio you provide a Personal Access Token (PAT) via GITHUB_PERSONAL_ACCESS_TOKEN. For team use, prefer a fine-grained PAT scoped to specific repos.

Can I limit what the AI can do?

Yes — three layers. (1) PAT scopes: pick only repo, read:org, security_events as needed. (2) --toolsets flag: enable only the toolsets you need (e.g. repos,issues,pull_requests). (3) --read-only flag or GITHUB_READ_ONLY=1 disables every write tool. Stack all three for a safe QA assistant.
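
An added example (not part of the original cheatsheet or of the github-mcp-server project): a Python check of layers 2 and 3 above, and of the Section 04 recommended setup, against the Docker stdio entry of a client config. The function names, finding strings and sample config are constructed here; it reads only the `-e NAME[=VALUE]` form shown on this page, and treating `true` like `1` for GITHUB_READ_ONLY is an assumption.

```python
IMAGE = "ghcr.io/github/github-mcp-server"
# Toolsets from the page's "Recommended setup for QA chat assistants".
QA_TOOLSETS = {"context", "repos", "issues", "pull_requests", "actions", "code_security"}

def container_env(entry, docker_args):
    """Variables that reach the container: `-e K=V`, or bare `-e K` resolved from "env"."""
    client_env, out = entry.get("env", {}), {}
    for flag, value in zip(docker_args, docker_args[1:]):
        key, eq, val = value.partition("=")
        if flag == "-e" and eq:
            out[key] = val
        elif flag == "-e" and key in client_env:
            out[key] = client_env[key]  # a bare -e K with no "env" entry stays unknown
    return out

def audit(config):
    """Return {server_name: [findings]} for local GitHub MCP Docker entries."""
    report = {}
    servers = {**config.get("mcpServers", {}), **config.get("servers", {})}
    for name, entry in servers.items():
        args = entry.get("args", [])
        pos = next((i for i, a in enumerate(args) if a.startswith(IMAGE)), None)
        if entry.get("command") != "docker" or pos is None:
            continue  # remote (OAuth) entries carry none of these settings in the file
        env, findings = container_env(entry, args[:pos]), []
        # Before the image name --read-only is docker's own flag; after it, the server's.
        read_only = env.get("GITHUB_READ_ONLY", "").lower() in ("1", "true")
        if not read_only and "--read-only" not in args[pos + 1:]:
            findings.append("write tools enabled: read-only mode does not reach the server")
        toolsets = {t.strip() for t in env.get("GITHUB_TOOLSETS", "").split(",") if t.strip()}
        if not toolsets:
            findings.append("GITHUB_TOOLSETS not set: toolsets are not restricted")
        elif "context" not in toolsets:
            findings.append("toolset 'context' missing")
        extra = sorted(toolsets - QA_TOOLSETS)
        if extra:
            findings.append("toolsets beyond the QA set: " + ", ".join(extra))
        report[name] = findings
    return report

# Constructed sample: GITHUB_READ_ONLY sits in "env" but no -e passes it to the container.
SAMPLE = {"mcpServers": {"github": {
    "command": "docker",
    "args": ["run", "-i", "--rm", "--read-only", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
             "-e", "GITHUB_TOOLSETS=repos,issues,pull_requests,git", IMAGE],
    "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "<placeholder>", "GITHUB_READ_ONLY": "1"},
}}}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Layer 1 (PAT scopes) is not visible in the client config and has to be checked on the token itself.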

Why use Docker if there is a hosted server?

The hosted remote server is the easiest path for individuals — OAuth in one click. Choose Docker stdio when (a) you are on GitHub Enterprise Server, (b) you need offline use, (c) corporate policy blocks the GitHub Copilot endpoint, or (d) you want lockdown-mode to prevent public-repo content fetches.

Does GitHub MCP work with Claude Code, Cursor, and Claude Desktop equally?

Yes. Claude Code uses the same MCP JSON config format. Cursor settings live in ~/.cursor/mcp.json (or per-project .cursor/mcp.json). Claude Desktop uses claude_desktop_config.json. VS Code Copilot has its own .vscode/mcp.json. All accept the same server definition.