feat: add repository security advisory create, update, and CVE request tools

Add MCP tools for the repository security advisory lifecycle: create draft
advisories, update/publish them, and request CVE IDs. Enforce GHSA ID
validation, severity/CVSS mutual exclusivity (exactly one required on create),
field validation, and MCP safety annotations. Document the severity XOR
cvssVectorString requirement in tool schemas and README.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: advancedresearcharray

README.md

@@ -1357,6 +1357,21 @@ The following sets of tools are available:
 
 <summary><picture><source media="(prefers-color-scheme: dark)" srcset="pkg/octicons/icons/shield-dark.png"><source media="(prefers-color-scheme: light)" srcset="pkg/octicons/icons/shield-light.png"><img src="pkg/octicons/icons/shield-light.png" width="20" height="20" alt="shield"></picture> Security Advisories</summary>
 
+- **create_repository_security_advisory** - Create repository security advisory
+  - **Required OAuth Scopes**: `security_events`
+  - **Accepted OAuth Scopes**: `repo`, `security_events`
+  - `credits`: Users credited for the advisory. (object[], optional)
+  - `cveId`: The CVE ID to assign to the advisory. (string, optional)
+  - `cvssVectorString`: The CVSS vector string for the advisory. Exactly one of severity or cvssVectorString is required. (string, optional)
+  - `cweIds`: Common Weakness Enumeration IDs (for example, ["CWE-79"]). (string[], optional)
+  - `description`: A detailed description of the security advisory. (string, required)
+  - `owner`: The owner of the repository. (string, required)
+  - `repo`: The name of the repository. (string, required)
+  - `severity`: The severity of the advisory. Exactly one of severity or cvssVectorString is required. (string, optional)
+  - `startPrivateFork`: Whether to create a temporary private fork for collaborating on a fix. (boolean, optional)
+  - `summary`: A short summary of the security advisory. (string, required)
+  - `vulnerabilities`: Affected products and version ranges. (object[], required)
+
 - **get_global_security_advisory** - Get a global security advisory
   - **Required OAuth Scopes**: `security_events`
   - **Accepted OAuth Scopes**: `repo`, `security_events`
@@ -1394,6 +1409,29 @@ The following sets of tools are available:
   - `sort`: Sort field. (string, optional)
   - `state`: Filter by advisory state. (string, optional)
 
+- **request_cve_for_repository_security_advisory** - Request CVE for repository security advisory
+  - **Required OAuth Scopes**: `security_events`
+  - **Accepted OAuth Scopes**: `repo`, `security_events`
+  - `ghsaId`: GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx). (string, required)
+  - `owner`: The owner of the repository. (string, required)
+  - `repo`: The name of the repository. (string, required)
+
+- **update_repository_security_advisory** - Update repository security advisory
+  - **Required OAuth Scopes**: `security_events`
+  - **Accepted OAuth Scopes**: `repo`, `security_events`
+  - `credits`: Users credited for the advisory. (object[], optional)
+  - `cveId`: The CVE ID to assign to the advisory. (string, optional)
+  - `cvssVectorString`: The CVSS vector string for the advisory. Cannot be set together with severity. (string, optional)
+  - `cweIds`: Common Weakness Enumeration IDs (for example, ["CWE-79"]). (string[], optional)
+  - `description`: A detailed description of the security advisory. (string, optional)
+  - `ghsaId`: GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx). (string, required)
+  - `owner`: The owner of the repository. (string, required)
+  - `repo`: The name of the repository. (string, required)
+  - `severity`: The severity of the advisory. Cannot be set together with cvssVectorString. (string, optional)
+  - `state`: The advisory state. Set to "published" to publish the advisory. (string, optional)
+  - `summary`: A short summary of the security advisory. (string, optional)
+  - `vulnerabilities`: Affected products and version ranges. (object[], optional)
+
 </details>
 
 <details>

pkg/github/__toolsnaps__/create_repository_security_advisory.snap

@@ -0,0 +1,158 @@
+{
+  "annotations": {
+    "destructiveHint": true,
+    "openWorldHint": true,
+    "title": "Create repository security advisory"
+  },
+  "description": "Create a draft repository security advisory. Exactly one of severity or cvssVectorString must be provided. When startPrivateFork is true, a temporary private fork is created for collaborating on a fix.",
+  "inputSchema": {
+    "properties": {
+      "credits": {
+        "description": "Users credited for the advisory.",
+        "items": {
+          "properties": {
+            "login": {
+              "description": "The GitHub username of the credited user.",
+              "type": "string"
+            },
+            "type": {
+              "description": "The credit type.",
+              "enum": [
+                "analyst",
+                "finder",
+                "reporter",
+                "coordinator",
+                "remediation_developer",
+                "remediation_reviewer",
+                "remediation_verifier",
+                "tool",
+                "sponsor",
+                "other"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "login",
+            "type"
+          ],
+          "type": "object"
+        },
+        "type": "array"
+      },
+      "cveId": {
+        "description": "The CVE ID to assign to the advisory.",
+        "type": "string"
+      },
+      "cvssVectorString": {
+        "description": "The CVSS vector string for the advisory. Exactly one of severity or cvssVectorString is required.",
+        "type": "string"
+      },
+      "cweIds": {
+        "description": "Common Weakness Enumeration IDs (for example, [\"CWE-79\"]).",
+        "items": {
+          "type": "string"
+        },
+        "type": "array"
+      },
+      "description": {
+        "description": "A detailed description of the security advisory.",
+        "type": "string"
+      },
+      "owner": {
+        "description": "The owner of the repository.",
+        "type": "string"
+      },
+      "repo": {
+        "description": "The name of the repository.",
+        "type": "string"
+      },
+      "severity": {
+        "description": "The severity of the advisory. Exactly one of severity or cvssVectorString is required.",
+        "enum": [
+          "low",
+          "medium",
+          "high",
+          "critical"
+        ],
+        "type": "string"
+      },
+      "startPrivateFork": {
+        "description": "Whether to create a temporary private fork for collaborating on a fix.",
+        "type": "boolean"
+      },
+      "summary": {
+        "description": "A short summary of the security advisory.",
+        "type": "string"
+      },
+      "vulnerabilities": {
+        "description": "Affected products and version ranges.",
+        "items": {
+          "properties": {
+            "package": {
+              "properties": {
+                "ecosystem": {
+                  "description": "The package ecosystem.",
+                  "enum": [
+                    "actions",
+                    "composer",
+                    "erlang",
+                    "go",
+                    "maven",
+                    "npm",
+                    "nuget",
+                    "other",
+                    "pip",
+                    "pub",
+                    "rubygems",
+                    "rust",
+                    "swift"
+                  ],
+                  "type": "string"
+                },
+                "name": {
+                  "description": "The package name.",
+                  "type": "string"
+                }
+              },
+              "required": [
+                "ecosystem",
+                "name"
+              ],
+              "type": "object"
+            },
+            "patched_versions": {
+              "description": "The version that patches the vulnerability.",
+              "type": "string"
+            },
+            "vulnerable_functions": {
+              "description": "Functions in the package that are affected.",
+              "items": {
+                "type": "string"
+              },
+              "type": "array"
+            },
+            "vulnerable_version_range": {
+              "description": "The range of affected versions (for example, \"\u003c 2.0.0\").",
+              "type": "string"
+            }
+          },
+          "required": [
+            "package"
+          ],
+          "type": "object"
+        },
+        "type": "array"
+      }
+    },
+    "required": [
+      "owner",
+      "repo",
+      "summary",
+      "description",
+      "vulnerabilities"
+    ],
+    "type": "object"
+  },
+  "name": "create_repository_security_advisory"
+}

pkg/github/__toolsnaps__/request_cve_for_repository_security_advisory.snap

@@ -0,0 +1,30 @@
+{
+  "annotations": {
+    "openWorldHint": true,
+    "title": "Request CVE for repository security advisory"
+  },
+  "description": "Request a CVE ID from GitHub for a draft repository security advisory.",
+  "inputSchema": {
+    "properties": {
+      "ghsaId": {
+        "description": "GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx).",
+        "type": "string"
+      },
+      "owner": {
+        "description": "The owner of the repository.",
+        "type": "string"
+      },
+      "repo": {
+        "description": "The name of the repository.",
+        "type": "string"
+      }
+    },
+    "required": [
+      "owner",
+      "repo",
+      "ghsaId"
+    ],
+    "type": "object"
+  },
+  "name": "request_cve_for_repository_security_advisory"
+}