Security: davidweb3-ctrl/mcp-git-enhanced

SECURITY.md

Security Policy

Supported Versions

Security fixes are accepted for the current source release on the default branch.

Version    Supported
1.x        Yes
< 1.0.0    No

Reporting a Vulnerability

Please report security issues privately instead of opening a public issue when the report includes an exploitable path, sensitive repository data, or a bypass of the intended read-oriented trust model.

Use one of these channels:

  • GitHub private vulnerability reporting, if enabled for this repository.
  • A direct maintainer contact channel listed on the maintainer GitHub profile.

Please include:

  • A short summary of the issue.
  • Affected version or commit.
  • Reproduction steps.
  • Expected impact.
  • Whether the issue requires a malicious repository, malicious tool input, or only normal maintainer use.

The maintainer will acknowledge valid reports as soon as practical and will coordinate a fix before public disclosure when the impact justifies it.

Trust Boundaries

MCP Git Enhanced is a local repository inspection tool. It is designed to help AI assistants read and summarize Git state, not mutate repositories.

Current safety boundaries:

  • Tool handlers execute fixed Git commands with spawnSync.
  • Commands are invoked without shell interpolation.
  • The server does not expose branch deletion, checkout, reset, rebase, merge, commit, push, or force-push tools.
  • repoPath must point to a Git repository.

Known limitations:

  • Git itself may execute repository-local hooks or filters in some workflows. Run this server only against repositories you trust.
  • Large diffs and logs may expose sensitive local changes to the connected MCP client.
  • The server does not redact secrets from Git output.

Security Review Areas

High-priority review areas for future contributions:

  • Path handling and repository validation.
  • Git argument construction.
  • Output size limits and timeout behavior.
  • Secret exposure risks in diffs, logs, and commit output.
  • Any proposed mutating Git tool.