Poutine MCP Server Integration Guide
October 6, 2025 ยท View on GitHub
The Poutine MCP (Model Context Protocol) server allows AI coding assistants to analyze repositories and CI/CD pipelines for security vulnerabilities directly from your development environment.
Prerequisites
-
Install Poutine: Follow the installation guide to install Poutine
-
GitHub Authentication: Set up GitHub CLI authentication
gh auth login -
Set GitHub Token Environment Variable: Before launching your AI coding assistant, export the GitHub token:
export GH_TOKEN=$(gh auth token)The Poutine MCP server will automatically pick up the
GH_TOKENenvironment variable from your shell session.
Setup
Claude Code
claude mcp add poutine poutine mcp-server
Gemini CLI
gemini mcp add poutine poutine mcp-server
Other MCP-Compatible Clients
Add the following configuration to your MCP-compatible AI coding assistant:
"mcpServers": {
"poutine": {
"type": "stdio",
"command": "poutine",
"args": [
"mcp-server"
],
}
}
Note: The Poutine MCP server will automatically pick up the GH_TOKEN environment variable from your shell session. Make sure you've set it (see Prerequisites) before launching your AI coding assistant.
Available MCP Tools
Once configured, the following tools are available to your AI assistant:
analyze_org
Scan all repositories in a GitHub/GitLab organization.
Parameters:
org(required): Organization namescm_provider(optional): "github" or "gitlab" (default: "github")scm_base_url(optional): Base URL for self-hosted instancesthreads(optional): Number of parallel threads (default: 2)ignore_forks(optional): Skip forked repositories (default: false)
analyze_repo
Scan a specific repository.
Parameters:
repo(required): Repository name in format "org/repo"scm_provider(optional): "github" or "gitlab" (default: "github")scm_base_url(optional): Base URL for self-hosted instancesref(optional): Git branch or commit to analyze (default: "HEAD")
analyze_local
Scan a local repository by file path.
Parameters:
path(required): Local file system path to the repository
analyze_repo_stale_branches
Scan repository branches for pull_request_target vulnerabilities.
Parameters:
repo(required): Repository name in format "org/repo"scm_provider(optional): "github" or "gitlab" (default: "github")scm_base_url(optional): Base URL for self-hosted instancesthreads(optional): Number of parallel threads (default: 5)expand(optional): Expand output to full format (default: false)regex(optional): Regex pattern for workflow matching (default: "pull_request_target")
analyze_manifest
Analyze CI/CD pipeline manifest content for security issues.
Parameters:
content(required): The complete YAML manifest contentmanifest_type(required): Type of manifest - "github-actions", "gitlab-ci", "azure-pipelines", or "tekton"
Note: This tool is automatically called when AI assistants generate or modify CI/CD workflows to ensure security best practices.
Example AI Assistant Prompts
Here are some example prompts you can use with your AI coding assistant:
Organization-wide scan:
Use Poutine to scan all repositories in the <your_org> organization
Single repository analysis:
Analyze the security of the repository actions/checkout
Local repository scan:
Scan the repository at /Users/me/projects/myapp for supply chain vulnerabilities
Stale branch analysis:
Check the myorg/myrepo repository for pull_request_target vulnerabilities in stale branches
Workflow generation with automatic security validation:
Create a GitHub Actions workflow that runs tests on pull requests
(The AI will automatically use analyze_manifest to validate the generated workflow)