Keeping your code safe and secure is one of the most important parts of software development. Sometimes, developers accidentally commit sensitive information, such as API keys, passwords, or private tokens, which can lead to serious security issues. Manually checking every Pull Request for these issues takes a lot of time and can be easy to overlook. In this tutorial, you’ll learn how to create an automated system that scans new code changes in your GitHub repository for potential security risks. Using the Model Context Protocol (MCP) and Glama’s Automation tool, the automation will review your code, find exposed secrets, and deliver you a clear report, making it easier to keep your projects safe and secure.
Step-by-Step Tutorial
Here’s how to set up your own automation:
1. Set Up Your Discord Bot
First, create a bot in Discord’s Developer Portal and invite it to your server with the necessary permissions to send messages.
Follow the linked tutorial to create a Discord server, obtain the Discord webhook URL for the notify_me_mcp server, and add the URL accordingly.
2. Finding the Right MCP Server
a) Deploy the Notify_me_mcp server by thesammykins
b) Deploy mcp-github by MissionSquad
Click Deploy Server. A dialog box will appear; simply click Deploy.
Your MCP Servers page should now look like this:
3. Navigating to the Automations Tab
Go to the Automations tab in your Glama window.
Click New Automation and assign it a title.
Your automation page will open, where you’ll need to fill in the System Prompt and Trigger Message.
4. Configuring Your Automation
In this step, you’ll set up the System Prompt, Trigger Message, and schedule to ensure your Discord bot delivers timely, personalized security scan reports tailored to your repository’s needs.
Copy and paste the following System Prompt:
You are an expert automated security reviewer named 'GitHub Vulnerability Scanner'. Your task is to analyze new Pull Requests in a GitHub repository and check for potential security risks, especially exposed secrets like API keys, passwords, or tokens. You must be thorough and follow these steps exactly.
You have access to:
- @mcp-github: to get information about pull requests.
- @notify_me_mcp: to send the final report.
Instructions:
1. The user will provide a repository in the format 'owner/repo'.
2. Use @mcp-github’s list_pull_requests tool with state set to 'open' to find all open PRs.
3. For each open PR:
a. Use the "GitHub Server" to call get_pull_request_diff to retrieve the code changes.
b. Scan the new lines of code for exposed secrets like API keys (e.g., sk_live_..., ghp_...), passwords, database connection strings, or tokens.
c. Assign a status: "✅ Pass" if no secrets are found, or "🚨 FAIL" if any are detected.
4. After scanning all PRs, create a single, complete report in Markdown format showing the status and analysis for each PR.
5. If no open PRs are found, send the message: "No open Pull Requests to review today."
6. Use @notify_me_mcp to send the final report to the user’s configured channel.
Be accurate, thorough, and concise in your analysis.
Your setup should look like this (ensure you use the correct MCP Servers with the "@" sign):
Copy and paste the following Trigger Message:
Enter your repository in the format "username/repo" to start the security scan for open pull requests.
Next, set the time you want to receive this message daily:
Click Save, then Trigger Automation.
And DONE! Your automation is complete. Every day at your chosen time, open Discord to view the automated security scan report for your open pull requests, powered by your MCP server automation feature.
Behind the Scenes:
Step 1 – The Request
You start the process by triggering the automation with your GitHub repository name (e.g., Om-Shree-0709/Shinzo_Website). This informs the bot where to look and what needs to be reviewed.
Step 2 – Finding the Work
The AI, named GitHub Vulnerability Scanner, reads your request along with its instructions. It knows its first task is to find the relevant pull requests. It uses your GitHub Server integration to ask the real GitHub website for a list of all currently open pull requests in that repository.
Step 3 – The Investigation Loop
Once the list of open pull requests is received, GitHub Vulnerability Scanner starts examining each one, one at a time. For every pull request, it uses the GitHub Server integration again to retrieve the diff — the specific lines of code that were added or modified.
Step 4 – The Security Scan
The bot carefully scans the newly added or changed lines of code. Following the rules defined in your system prompt, it looks for potential security risks such as:
- API keys (e.g., sk_live_..., ghp_...)
- Passwords or connection strings
- Hardcoded private tokens
Based on the results of the scan, it assigns a status to each pull request:
- ✅ Pass – No secrets or vulnerabilities found
- 🚨 FAIL – Exposed secrets or potential risks detected
Step 5 – The Final Report
After checking all open pull requests, GitHub Vulnerability Scanner compiles its findings into a structured and easy-to-read summary report in Markdown format. The report includes details for each pull request and explains the findings.
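To make steps 3b and 3c of the system prompt (and Steps 4 and 5 above) concrete, here is an added example of the same scan written as plain Python rather than as LLM instructions: it walks a unified diff, inspects only added lines, matches the secret classes the prompt names, assigns the Pass/FAIL status and builds the Markdown report. This is not code from the tutorial or from either MCP server; the regexes, the sample diffs and all paths and values are constructed for illustration.

```python
import re
# Constructed patterns for the secret classes the system prompt names
# (Stripe-style live keys, GitHub PATs, passwords, DB connection strings,
# generic tokens). Illustrative, not an exhaustive secret-detection ruleset.
SECRET_PATTERNS = {
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{8,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "db_connection_string": re.compile(r"\b(postgres|mysql|mongodb)(\+srv)?://[^\s'\"]*:[^\s'\"]*@"),
    "generic_token": re.compile(r"(?i)\b(api[_-]?key|token|secret)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}

def scan_diff(diff: str):
    """Scan only the added lines of a unified diff; return (path, kind, redacted_line)."""
    findings, path = [], None
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")      # file the following '+' lines belong to
        elif raw.startswith("+"):                   # added line (removed '-' lines are ignored)
            line = raw[1:]
            for kind, pat in SECRET_PATTERNS.items():
                m = pat.search(line)
                if m:
                    # Redact the match so the report itself does not re-leak the value.
                    findings.append((path, kind, (line[:m.start()] + "<REDACTED>" + line[m.end():]).strip()))
    return findings

def pr_status(findings) -> str:
    return "🚨 FAIL" if findings else "✅ Pass"

def build_report(pr_diffs: dict) -> str:
    """pr_diffs maps PR number -> diff text (what get_pull_request_diff would return)."""
    if not pr_diffs:
        return "No open Pull Requests to review today."
    out = ["# Security scan report", ""]
    for number, diff in pr_diffs.items():
        findings = scan_diff(diff)
        out.append(f"## PR #{number}: {pr_status(findings)}")
        out += [f"- `{p}`: {k} -> `{r}`" for p, k, r in findings] or ["- No secrets found in added lines."]
        out.append("")
    return "\n".join(out)

# Constructed sample diffs standing in for real PR data (values are fake).
SAMPLE_DIFFS = {
    42: "--- a/config.py\n+++ b/config.py\n@@ -1,2 +1,3 @@\n import os\n+STRIPE_KEY = 'sk_live_abcdefghijklmnop'\n+DB_URL = 'postgres://app:hunter2@db.example.internal/app'\n",
    43: "--- a/app.py\n+++ b/app.py\n@@ -1,2 +1,2 @@\n-KEY = 'sk_live_oldkeyoldkeyoldkey'\n+KEY = os.environ['STRIPE_KEY']\n",
}

if __name__ == "__main__":
    print(build_report(SAMPLE_DIFFS))
```

PR 43 shows why the prompt says "new lines of code": the removed `-` line containing an old key is deliberately not flagged, so a PR that moves a secret out of source passes.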
Step 6 – The Delivery
The final report is sent to your configured Discord channel using the Webhook URL you provided. If no open pull requests are found, it sends a message stating:
"No open Pull Requests to review today."
In just a few moments, this automation performs the tedious and repetitive tasks of a junior security developer, helping you quickly identify potential risks and focus on more complex development challenges.
Conclusion
Glama’s AI Automation feature, powered by the MCP GitHub and Notify Me MCP servers, makes securing your codebase effortless. It removes the burden of manually checking Pull Requests for exposed secrets and security risks. By scanning new code changes as soon as they are committed and delivering clear reports directly to your Discord server, this solution helps you catch vulnerabilities early, save time, and maintain a safer development process. Whether you’re managing open-source projects, onboarding new developers, or ensuring compliance, this automation tool is a simple yet powerful way to keep your code secure and your team focused on building better software.
Let Automation handle your security reviews, so you can focus on what matters most.
Top comments (6)
Didn't know automation could be this simple
Yes Sir it is this Easy!!!
Loved this tutorial OM!
Thanks Anna! Glad you liked it!
Nice Article
Thanks Sir! Glad you liked it!