Skip to content

[guard-coverage] Guard coverage gap: 3 CLI write operations not covered (transfer_repository, pin_issue, unpin_issue) #2739

Closed
#2750
Closed
[guard-coverage] Guard coverage gap: 3 CLI write operations not covered (transfer_repository, pin_issue, unpin_issue)#2739
#2750
Assignees
lpcoxcopilot-swe-agent
Labels
automationguardsecurity
@github-actions

Description

@github-actions
github-actions
bot
opened on Mar 28, 2026

Summary

The GitHub guard fully covers all 83 tools currently exposed by the github-mcp-server. However, the following 3 GitHub CLI write operations have no guard entry and no matching prefix pattern, leaving a blind spot if agents invoke them via gh or direct REST API calls.

  • MCP tools scanned: 83 (80 core + 3 dynamic from AllTools() + DynamicTools())
  • CLI write commands scanned: all major categories (pr/, issue/, repo/, release/, workflow/, label/, project/, secret/, variable/)
  • Guard-covered write tools (tools.rs): 49 explicit entries + prefix patterns (create_*, delete_*, update_*, merge_*, lock_*, unlock_*)
  • Tools with explicit DIFC rules (tool_rules.rs): 67 unique match arms — all read tools covered
  • New CLI-only gaps found this run: 3

GitHub CLI-Only Gaps

These write operations are reachable via the GitHub CLI and direct REST API but have no corresponding MCP tool and no guard entry.

CLI Command REST Endpoint GitHub API Action Risk
gh repo transfer POST /repos/{owner}/{repo}/transfers Transfers repository ownership to another user or organization — irreversible High
gh issue pin POST /repos/{owner}/{repo}/issues/{issue_number}/pin Pins an issue to appear at the top of the issue list Low
gh issue unpin DELETE /repos/{owner}/{repo}/issues/{issue_number}/pin Unpins a previously pinned issue Low

Suggested remediation

Add pre-emptive entries to WRITE_OPERATIONS in guards/github-guard/rust-guard/src/tools.rs:

pub const WRITE_OPERATIONS: &[&str] = &[
    // ... existing entries ...
    "transfer_repository", // gh repo transfer — repo ownership transfer, irreversible
    "pin_issue",           // gh issue pin
    "unpin_issue",         // gh issue unpin
];

Stale Guard Entries (bonus)

The following entries in WRITE_OPERATIONS / READ_WRITE_OPERATIONS have no matching current tool in the upstream github-mcp-server (as of toolsnaps). They are not security risks (extra entries are conservative), but they add noise. Consider either marking them with a comment or removing them:

In WRITE_OPERATIONS (no MCP equivalent; not marked pre-emptive):

  • run_workflow — current MCP tool is actions_run_trigger, not run_workflow
  • rerun_workflow_run — no MCP tool with this name
  • rerun_failed_jobs — no MCP tool with this name
  • cancel_workflow_run — no MCP tool with this name
  • delete_workflow_run_logs — no MCP tool with this name
  • add_project_item — no MCP tool (superseded by projects_write)
  • delete_project_item — no MCP tool (covered by delete_* pattern anyway)

In READ_WRITE_OPERATIONS (no MCP equivalent; not marked pre-emptive):

  • create_pull_request_with_copilot — no MCP tool (covered by create_* pattern)
  • update_issue — no MCP tool; actual tool is issue_write (covered by update_* pattern)
  • update_project_item — no MCP tool (covered by update_* pattern)

No MCP Tool Classification Gaps

All 83 upstream tools are correctly classified:

  • All write/mutating MCP tools appear in WRITE_OPERATIONS, READ_WRITE_OPERATIONS, or are covered by prefix patterns
  • All read tools have explicit DIFC match arms in apply_tool_labels (tool_rules.rs)

References

Generated by GitHub Guard Coverage Checker (MCP + CLI) ·

  • expires on Apr 11, 2026, 8:08 PM UTC

Metadata

Metadata

Assignees

Labels

automationguardsecurity

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions