[WIP] Fix MCP configuration to enforce tool allowlist #14905

Closed
Copilot wants to merge 2 commits into main from copilot/configure-tools-github-allowlist

Conversation

Contributor

Copilot AI commented Feb 11, 2026

Fix MCP Configuration Tools Allowlist

Investigation

  • Understand the problem: MCP config shows "tools": ["*"] wildcard despite workflow specifying restricted allowlist
  • Find where MCP config is generated (pkg/workflow/mcp_renderer.go)
  • Find where tools.github.allowed is parsed (pkg/workflow/mcp_github_config.go, getGitHubAllowedTools)
  • Identify the root cause: convert_gateway_config_copilot.sh adds wildcard when tools field is missing
  • Verify the fix approach

Implementation

  • Modify RenderGitHubMCPDockerConfig to include tools field when allowed tools are specified
  • Update tests to verify tools field is included/excluded correctly
  • Run validation and tests

Verification

  • Test workflow compilation with allowed tools
  • Verify MCP config contains correct tool list
  • All workflow package tests pass
  • Recompiled all 147 workflows successfully
  • Run make agent-finish

Original prompt

The tools.github.allowed tools should be used to configure the tool names in the mcp-server.json config

Reason:

This penetration test evaluated GitHub Agentic Workflows' tool allowlist enforcement - a critical Layer 2 security control. A critical configuration issue was discovered: the MCP configuration contains "tools": ["*"] wildcard despite the workflow specifying a restricted allowlist of only [get_repository, list_labels].

Critical Finding

The MCP configuration file at /home/runner/.copilot/mcp-config.json shows:

{
  "mcpServers": {
    "github": {
      "tools": ["*"], // ⚠️ WILDCARD ALLOWS ALL TOOLS
      "url": "(host.docker.internal/redacted)"
    }
  }
}

While the workflow explicitly configures:

tools:
  github:
    toolsets: [context, repos, labels]
    allowed:
      - get_repository # Only these 2 tools
      - list_labels # should be accessible

Security Implication: If the MCP gateway honors the wildcard configuration, ALL GitHub API operations are accessible regardless of workflow allowlist configuration, rendering the tool allowlist security control completely ineffective.


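The fix described above is to emit the workflow's `tools.github.allowed` list into the `tools` field of the rendered MCP server entry, so that the converter script never sees a missing field and never fills it with `["*"]`. The following Go program is an added illustration of that renderer plus a verification step that replays the penetration test's check; it is not code from this pull request or from the gh-aw repository, and the type and function names (`mcpServer`, `renderGitHubMCPConfig`, `verifyAllowlistEnforced`) are assumed for the example rather than the project's real API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// mcpServer is the shape of one entry under "mcpServers" in mcp-config.json.
// Hypothetical struct for this example; the project's renderer types are not shown on the page.
type mcpServer struct {
	URL   string   `json:"url"`
	Tools []string `json:"tools,omitempty"` // omitted only when no allowlist is configured
}

// mcpConfig mirrors the top-level document observed in the report.
type mcpConfig struct {
	MCPServers map[string]mcpServer `json:"mcpServers"`
}

// renderGitHubMCPConfig builds the "github" server entry. When the workflow's
// tools.github.allowed list is non-empty, it is copied (deduplicated, sorted)
// into the "tools" field, leaving no gap for a converter to fill with "*".
// An empty allowlist means the workflow asked for no restriction, so the field
// is left out and downstream tooling may legitimately default it.
func renderGitHubMCPConfig(url string, allowed []string) mcpConfig {
	tools := make([]string, 0, len(allowed))
	seen := map[string]bool{}
	for _, t := range allowed {
		if t == "" || seen[t] {
			continue
		}
		seen[t] = true
		tools = append(tools, t)
	}
	sort.Strings(tools)
	return mcpConfig{MCPServers: map[string]mcpServer{
		"github": {URL: url, Tools: tools},
	}}
}

// verifyAllowlistEnforced is the defender-side check from the report: given the
// rendered JSON and the workflow allowlist, it fails if the github entry carries a
// wildcard, a tool outside the allowlist, or no tools field at all (the case the
// converter turns into "*"). With no allowlist there is nothing to enforce.
func verifyAllowlistEnforced(raw []byte, allowed []string) error {
	var cfg mcpConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return err
	}
	srv, ok := cfg.MCPServers["github"]
	if !ok {
		return errors.New("no github server in mcp config")
	}
	if len(allowed) == 0 {
		return nil
	}
	if len(srv.Tools) == 0 {
		return errors.New(`allowlist configured but tools field missing (converter would insert "*")`)
	}
	want := map[string]bool{}
	for _, t := range allowed {
		want[t] = true
	}
	for _, t := range srv.Tools {
		if t == "*" {
			return errors.New(`wildcard "*" present despite allowlist`)
		}
		if !want[t] {
			return fmt.Errorf("tool %q not in workflow allowlist", t)
		}
	}
	return nil
}

func main() {
	allowed := []string{"get_repository", "list_labels"} // from the workflow in the report

	// Constructed sample: the leaked config shape from the report (comment stripped, URL placeholder).
	leaked := []byte(`{"mcpServers":{"github":{"tools":["*"],"url":"http://host.docker.internal/REDACTED"}}}`)
	fmt.Println("leaked config:", verifyAllowlistEnforced(leaked, allowed))

	fixed, _ := json.MarshalIndent(renderGitHubMCPConfig("http://host.docker.internal/REDACTED", allowed), "", "  ")
	fmt.Println(string(fixed))
	fmt.Println("rendered config:", verifyAllowlistEnforced(fixed, allowed))
}
```

Running the verification against a compiled workflow's `mcp-config.json` is a cheap regression test for exactly the finding in this PR: the renderer test can assert the field is present when `allowed` is set and absent otherwise, and a CI step can reject any rendered config where a wildcard survives alongside an allowlist.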

- Add tools field to Docker mode MCP config when AllowedTools are specified
- Update tests to verify tools field is included/excluded correctly
- Prevents converter script from adding wildcard ["*"] when specific tools are configured
- Fixes security issue where allowlist was not enforced in MCP configuration

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan closed this Feb 11, 2026
Copilot AI requested a review from pelikhan February 11, 2026 07:11
Copilot stopped work on behalf of pelikhan due to an error February 11, 2026 07:11