Integrate SafeDep MCP in GitHub Agentic Workflow

Overview

GitHub Agentic Workflow is a brand new feature from GitHub. It is essentially GitHub Actions, but users write English in .md files instead of steps in .yml.

Here is a simple example of a GitHub Agentic Workflow:

1
---
2
# metadata, IO, AI settings
3
---
4

5
# Daily Repo Status
6

7
Create an upbeat daily status report for the repo as a GitHub issue.
8

9
## What to include
10

11
- Recent repository activity (issues, PRs, discussions, releases, code changes)
12
- Progress tracking, goal reminders and highlights
13
- Project status and recommendations
14
- Actionable next steps for maintainers
15

16
## Style
17

18
- Be positive, encouraging, and helpful 🌟
19
- Use emojis moderately for engagement
20
- Keep it concise - adjust length based on actual activity

It uses AI agents in CI to execute this prompt, providing them with context about the repository, issues, pull requests, discussions, etc. It can be triggered just like existing GitHub Actions are triggered, such as on: pull_request, on: issues_create, on: daily, etc.

Creating New Agentic Workflow

GitHub CLI is required when working with Agentic Workflows. If it is not already installed, install it now.

Follow the Getting Started documentation for Agentic Workflows to create your first agentic workflow.

1
# install gh-aw extension
2
gh extension install github/gh-aw

Create new agentic workflow:

1
# at root of your project
2
gh aw add-wizard githubnext/agentics/daily-repo-status

This will setup Agent Provider + API Keys in GitHub secrets.

At a high level, the flow looks like this:

• Create a .md file in .github/workflows/new-agent-workflow.md

• Write your agentic workflow, and then compile it.

  1
  gh aw compile

  This will create a .lock.yml file, which is an actual GitHub Actions file that the gh aw CLI generates from our .md file.

• Commit and Push!

Using SafeDep MCP

Agentic Workflows support MCP, which helps integrate any MCP server that can then be used by agents running in CI.

We will integrate the SafeDep MCP server to run on every Pull Request and check the security posture of any introduced or updated dependencies.

Create a new .github/workflows/safedep-check-on-pr.md file.

1
touch .github/workflows/safedep-check-on-pr.md

Paste this content into that file:

1
---
2
on: pull_request
3

4
permissions:
5
  contents: read
6
  pull-requests: read
7

8
safe-outputs:
9
  add-comment:
10
    target: 'triggering' # Ensures the comment is posted on the PR that started the workflow
11

12
mcp-servers:
13
  safedep:
14
    url: 'https://mcp.safedep.io/model-context-protocol/threats/v1/mcp'
15
    headers:
16
      Authorization: '${{ secrets.SAFEDEP_API_KEY }}'
17
      X-Tenant-ID: '${{ secrets.SAFEDEP_TENANT_ID }}'
18
    allowed: ['*']
19
---
20

21
# SafeDep Security Check
22

23
Your task is to use SafeDep security checks to determine if the OSS packages introduced or updated in the Pull Request are safe to merge.

Note: We are using secrets here; you must add SAFEDEP_API_KEY and SAFEDEP_TENANT_ID to your repository secrets. See the SafeDep MCP Docs for a guide on how to get these values. Compile the agentic workflow file by running:

1
# from root of your project
2
gh aw compile

This will create a new .yml GitHub Actions file.

Commit and Push!

This workflow will be executed on every pull request, and a summary comment will be posted on it.

Conclusion

Using SafeDep MCP in GitHub Agentic Workflow is a powerful way to integrate AI SDLC security into your CI/CD, we have only scratched the surface, we can also create a workflow to run daily or weekly that creates a summary report of the security posture of all OSS packages. Possibilities are endless.