Jonathan Miller
622060373d
Generic: Project CI / Tests (push) Blocked by required conditions
Universal: CodeQL Analysis / Security Scan Summary (push) Blocked by required conditions
Generic: Repo Health / Scripts governance (push) Blocked by required conditions
Generic: Repo Health / Repository health (push) Blocked by required conditions
Generic: Repo Health / Report Issues (push) Blocked by required conditions
MCP: Standards Compliance / Compliance Summary (push) Blocked by required conditions
Generic: Repo Health / Site Health (push) Has been skipped
Generic: Repo Health / Access control (push) Successful in 2s
Universal: Changelog Validation / Validate CHANGELOG.md (push) Failing after 9s
MCP: Standards Compliance / License Header Validation (push) Failing after 10s
MCP: Standards Compliance / Secret Scanning (push) Successful in 10s
MCP: Standards Compliance / README Completeness Check (push) Failing after 9s
MCP: Standards Compliance / Repository Structure Validation (push) Failing after 11s
MCP: Standards Compliance / Workflow Configuration Check (push) Failing after 11s
MCP: Standards Compliance / Coding Standards Check (push) Failing after 12s
MCP: Standards Compliance / Git Repository Hygiene (push) Successful in 10s
MCP: Standards Compliance / Documentation Quality Check (push) Successful in 12s
MCP: Standards Compliance / File Naming Standards (push) Successful in 5s
MCP: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 5s
MCP: Standards Compliance / Line Length Check (push) Failing after 6s
Generic: Project CI / Lint & Validate (push) Successful in 24s
MCP: Standards Compliance / File Size Limits (push) Successful in 4s
MCP: Standards Compliance / Binary File Detection (push) Successful in 5s
MCP: Standards Compliance / TODO/FIXME Tracking (push) Successful in 5s
MCP: Standards Compliance / Dead Code Detection (push) Successful in 7s
MCP: Standards Compliance / Broken Link Detection (push) Successful in 8s
MCP: Standards Compliance / API Documentation Coverage (push) Successful in 8s
MCP: Standards Compliance / Accessibility Check (push) Successful in 5s
MCP: Standards Compliance / Performance Metrics (push) Successful in 5s
MCP: Standards Compliance / Terraform Configuration Validation (push) Successful in 11s
Universal: CodeQL Analysis / Analyze (javascript) (push) Failing after 1m16s
MCP: Standards Compliance / Code Complexity Analysis (push) Successful in 1m2s
MCP: Standards Compliance / Version Consistency Check (push) Successful in 1m14s
Universal: CodeQL Analysis / Analyze (actions) (push) Failing after 1m19s
MCP: Standards Compliance / Code Duplication Detection (push) Successful in 1m1s
Universal: Sync Version on Merge / Propagate README version (push) Failing after 42s
MCP: Standards Compliance / Unused Dependencies Check (push) Successful in 1m1s
MCP: Standards Compliance / Script Integrity Validation (push) Successful in 1m16s
MCP: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 1m6s
MCP: Standards Compliance / Enterprise Readiness Check (push) Successful in 57s
MCP: Standards Compliance / Repository Health Check (push) Successful in 1m7s
The self-hosted runners don't support shivammathur/setup-php or GitHub clone of MokoStandards. Use the pre-installed /opt/mokoplatform on the runner host instead.
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 0.0.x | Yes |
Reporting a Vulnerability
To report a security vulnerability, please email hello@mokoconsulting.tech with the subject line [SECURITY] gitea-api-mcp. Do not open a public issue for security vulnerabilities.
We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
Token Storage Security
Configuration File
The config file ~/.gitea-api-mcp.json stores Gitea API tokens in plaintext. Follow these practices to protect your tokens:
File Permissions
Set restrictive permissions on the config file so only your user can read it:
chmod 600 ~/.gitea-api-mcp.json
On Windows, ensure the file is only readable by your user account through the file properties security tab.
What to Avoid
- Never commit
~/.gitea-api-mcp.jsonor any file containing tokens to version control - Never share config files containing real tokens
- Never log or print token values in debug output
- Never store tokens in environment variables visible to other processes if avoidable
Token Scope
When generating Gitea access tokens, follow the principle of least privilege:
- Only grant the scopes (permissions) your workflow requires
- Use separate tokens for separate purposes or environments
- Rotate tokens periodically
- Revoke tokens that are no longer needed
Token Generation
- Navigate to your Gitea instance Settings > Applications
- Under "Manage Access Tokens," enter a token name
- Select only the required scopes
- Click "Generate Token"
- Copy the token immediately -- it will not be shown again
Network Security
TLS Verification
By default, the client verifies TLS certificates. The insecure: true option disables certificate verification for self-signed certificates. Use this only for:
- Local development instances
- Internal instances with self-signed certificates where the network is trusted
Never use insecure: true for production instances accessible over the public internet.
API Prefix
All requests are sent to /api/v1 endpoints with:
Authorization: token <your-token>headerContent-Type: application/jsonheader- 30-second request timeout
MCP Transport Security
This server uses stdio transport, meaning it communicates through standard input/output with the MCP client (e.g., Claude Code). The token is never exposed through network ports or HTTP endpoints by the MCP server itself.
Security Checklist
- Config file permissions set to
600(Unix) or user-only (Windows) - Tokens scoped to minimum required permissions
- Config file excluded from version control (
.gitignore) insecureflag only used for trusted internal instances- Tokens rotated on a regular schedule
- Unused tokens revoked promptly