GitHub MCP Gateway: A Model Context Protocol Gateway for Agentic Workflows

GitHub MCP Gateway is a secure gateway for MCP servers, enabling controlled access to MCP servers for AI agents in sandboxed environments. It features security capabilities such as WASM-based DIFC protection, integrity filtering, and proxy mode.

Tags: MCP, AI agent security gateway, GitHub, DIFC, WASM, access control, sandbox environment
Published 2026-04-06 11:14. Recent activity 2026-04-06 11:24. Estimated read: 6 min.

Section 01

GitHub MCP Gateway: Core Overview

GitHub MCP Gateway is a secure gateway for MCP servers, designed to enable AI agents to access external resources (like GitHub) safely in controlled environments. Key features include WASM-based DIFC protection, integrity filtering, proxy mode, and containerized deployment, addressing the challenge of managing AI agents' access to external tools securely.

Section 02

Project Background & Core Positioning

MCP (Model Context Protocol) is an open protocol by Anthropic for standardizing AI model interactions with external data/tools. GitHub MCP Gateway serves as a gateway implementation for the GitHub Agentic Workflows project, aiming to balance MCP's flexibility with strict security controls to prevent unauthorized access or data leaks. It uses containerized deployment (Docker) to proxy AI agents' MCP requests from sandboxes and apply preset security policies.

Section 03

Architecture Design & Core Components

The gateway follows a 'security-first' design, with core components:

  1. Gateway Core: Handles JSON-RPC 2.0 requests, supporting two modes—Routed Mode (per-server endpoints /mcp/{serverID}) and Unified Mode (single /mcp endpoint).
  2. Guards Layer: Uses WASM to implement DIFC (Decentralized Information Flow Control) for fine-grained data flow control, with per-server configurations.
  3. Auth Module: Uses API keys (per MCP spec 7.1) for authentication (via Authorization header).
  4. Backend Support: Integrates with GitHub MCP servers (stdio/Docker) and Safe Outputs (write-only channels for authorized data flow).
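To make the component split concrete, here is an added example (written for this page, not the project's own code) of a minimal gateway core in Go: JSON-RPC 2.0 parsing, the two endpoint shapes (routed /mcp/{serverID} and unified /mcp), and API-key authentication on the Authorization header. The in-process Backend type stands in for a stdio or Docker MCP server, and the "{serverID}__{tool}" naming used to pick a server in unified mode is an assumed convention for this example, not the project's documented behaviour. The guards layer is left out so the routing and auth path stays readable.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"io"
	"net/http"
	"strings"
)

// rpcRequest and rpcResponse cover the JSON-RPC 2.0 fields the gateway needs to route.
type rpcRequest struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params,omitempty"`
}
type rpcResponse struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Result  interface{}     `json:"result,omitempty"`
	Error   *rpcError       `json:"error,omitempty"`
}
type rpcError struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

// Backend stands in for a real MCP server (stdio or Docker in the project); an in-process
// function keeps the example runnable offline.
type Backend func(req rpcRequest) rpcResponse

// Gateway authenticates every caller with one API key, then routes to a named backend.
type Gateway struct {
	apiKey   string
	backends map[string]Backend
}

func NewGateway(apiKey string, backends map[string]Backend) *Gateway {
	return &Gateway{apiKey: apiKey, backends: backends}
}

// authorized checks "Authorization: Bearer <key>" with a constant-time compare.
func (g *Gateway) authorized(r *http.Request) bool {
	h := r.Header.Get("Authorization")
	return g.apiKey != "" && strings.HasPrefix(h, "Bearer ") &&
		subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(h, "Bearer ")), []byte(g.apiKey)) == 1
}

func fail(id json.RawMessage, code int, msg string) *rpcResponse {
	return &rpcResponse{JSONRPC: "2.0", ID: id, Error: &rpcError{Code: code, Message: msg}}
}

// resolve picks the backend. Routed mode: path /mcp/{serverID}. Unified mode: the single path
// /mcp, where (assumed convention) a tools/call name is "{serverID}__{tool}"; the prefix is stripped.
func (g *Gateway) resolve(path string, req *rpcRequest) (string, *rpcResponse) {
	if strings.HasPrefix(path, "/mcp/") {
		return strings.TrimPrefix(path, "/mcp/"), nil
	}
	if path != "/mcp" {
		return "", fail(req.ID, -32601, "unknown endpoint "+path)
	}
	params, name := map[string]json.RawMessage{}, ""
	if req.Method != "tools/call" || json.Unmarshal(req.Params, &params) != nil ||
		json.Unmarshal(params["name"], &name) != nil {
		return "", fail(req.ID, -32602, "unified mode here routes only tools/call with a name")
	}
	parts := strings.SplitN(name, "__", 2)
	if len(parts) != 2 {
		return "", fail(req.ID, -32602, "tool name must be {serverID}__{tool}")
	}
	params["name"], _ = json.Marshal(parts[1]) // backend sees its own tool name
	req.Params, _ = json.Marshal(params)
	return parts[0], nil
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !g.authorized(r) { // auth first: nothing is parsed for anonymous callers
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap request size
	var req rpcRequest
	if r.Method != http.MethodPost || err != nil || json.Unmarshal(body, &req) != nil || req.JSONRPC != "2.0" {
		writeJSON(w, fail(req.ID, -32600, "invalid JSON-RPC 2.0 request"))
		return
	}
	serverID, rpcErr := g.resolve(r.URL.Path, &req)
	if rpcErr != nil {
		writeJSON(w, rpcErr)
		return
	}
	if be, ok := g.backends[serverID]; ok {
		resp := be(req)
		writeJSON(w, &resp)
		return
	}
	writeJSON(w, fail(req.ID, -32601, "no such MCP server: "+serverID))
}

func writeJSON(w http.ResponseWriter, v *rpcResponse) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(v)
}
```

Authentication runs before the body is read, so an unauthenticated caller learns nothing about which server ids exist, and the request body is size-capped before it is parsed. The same Gateway value can be mounted with http.ListenAndServe on the port from MCP_GATEWAY_PORT, with the key taken from MCP_GATEWAY_API_KEY.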

Section 04

Security Policies & Protection Mechanisms

The gateway uses two main policies:

  • Allow-Only Policy: Restricts repo access (supports 'all', 'public', specific repos/prefixes) and sets minimum integrity levels (merged > approved > unapproved > none). Also includes blocked users, approval labels, and trusted users for multi-layer protection.
  • Write-Sink Policy: For output servers, marks them as write-only and specifies allowed confidentiality labels to prevent data leaks.
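An added example, not the project's implementation, of how the two policies can be evaluated in Go. The policy names and the integrity ordering (merged > approved > unapproved > none) come from the page; the field names, the repo pattern syntax (all, public, owner/repo, a prefix such as owner/*) and the rule for deriving an item's integrity level (merged PR, then trusted author or approval label, then other attributed content, then unattributed) are this example's assumptions.

```go
package main

import "strings"

// Integrity levels in the page's order, least to most trustworthy, so "at least X" is a comparison.
type Integrity int

const (
	None Integrity = iota
	Unapproved
	Approved
	Merged
)

var levelName = []string{"none", "unapproved", "approved", "merged"}

// AllowOnlyPolicy is this example's reading of the page's allow-only policy; the field
// names and pattern syntax are assumptions, not the project's configuration schema.
type AllowOnlyPolicy struct {
	Repos         []string  // "all", "public", "owner/repo", or a prefix such as "owner/*"
	MinIntegrity  Integrity // content below this level never reaches the agent
	BlockedUsers  []string  // authors whose content is always dropped
	TrustedUsers  []string  // authors whose content counts as at least Approved
	ApprovalLabel string    // label that raises an item to Approved
}

// Item is one piece of GitHub content (issue, comment, PR) on its way to the agent.
type Item struct {
	Repo   string
	Public bool
	Author string
	Labels []string
	Merged bool // true for a merged pull request
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if strings.EqualFold(v, s) {
			return true
		}
	}
	return false
}

func (p AllowOnlyPolicy) repoAllowed(it Item) bool {
	for _, pat := range p.Repos {
		if pat == "all" || (pat == "public" && it.Public) || strings.EqualFold(pat, it.Repo) ||
			(strings.HasSuffix(pat, "*") && strings.HasPrefix(it.Repo, strings.TrimSuffix(pat, "*"))) {
			return true
		}
	}
	return false
}

// integrityOf derives an item's level (assumed derivation): merged PR => Merged; trusted
// author or approval label => Approved; other attributed content => Unapproved; else None.
func (p AllowOnlyPolicy) integrityOf(it Item) Integrity {
	switch {
	case it.Merged:
		return Merged
	case contains(p.TrustedUsers, it.Author), p.ApprovalLabel != "" && contains(it.Labels, p.ApprovalLabel):
		return Approved
	case it.Author != "":
		return Unapproved
	}
	return None
}

// Evaluate reports whether an item may flow to the agent and, if not, why. The blocklist
// is checked first, so a blocked author loses even with a merged PR.
func (p AllowOnlyPolicy) Evaluate(it Item) (bool, string) {
	if contains(p.BlockedUsers, it.Author) {
		return false, "author is blocked"
	}
	if !p.repoAllowed(it) {
		return false, "repo not allowed: " + it.Repo
	}
	if lvl := p.integrityOf(it); lvl < p.MinIntegrity {
		return false, "integrity " + levelName[lvl] + " below minimum " + levelName[p.MinIntegrity]
	}
	return true, ""
}

// WriteSinkPolicy covers the page's write-sink policy: the server is write-only and may
// only receive data whose confidentiality labels are all in the allowed set.
type WriteSinkPolicy struct {
	WriteOnly           bool
	AllowedConfidential []string
}

// Output is data bound for a sink, tagged with the confidentiality labels of everything
// that flowed into it (the taint a DIFC guard tracks).
type Output struct {
	Write  bool // false for a read-style call such as listing or fetching
	Labels []string
}

func (p WriteSinkPolicy) Evaluate(out Output) (bool, string) {
	if p.WriteOnly && !out.Write {
		return false, "sink is write-only"
	}
	for _, l := range out.Labels {
		if !contains(p.AllowedConfidential, l) {
			return false, "confidentiality label not allowed for this sink: " + l
		}
	}
	return true, ""
}
```

The read-side check answers "may this content influence the agent" and the sink-side check answers "may what the agent produced leave through this channel"; together they are the two directions of flow control the page describes. Each rejection carries a reason string so the decision can be logged for audit rather than silently dropped.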

Section 05

Proxy Mode & Extension Capabilities

Beyond the MCP gateway, the project supports an HTTP forward proxy mode (awmg proxy) that intercepts GitHub API requests, for example those made by the gh CLI. This mode maps about 25 REST URL patterns and GraphQL queries and applies the same 6-stage DIFC filtering as the MCP gateway, so the dual-mode design enforces one set of security policies across both MCP and traditional HTTP requests.

Section 06

Deployment & Configuration

Deployment steps:

  1. Pull Docker image: docker pull ghcr.io/github/gh-aw-mcpg:latest
  2. Create config.json (gateway params, MCP server configs).
  3. Run container with port/volume mappings (Docker socket, logs). Key configs: MCP_GATEWAY_PORT (listen port), MCP_GATEWAY_API_KEY (auth key), MCP_GATEWAY_WASM_GUARDS_DIR (WASM guards directory).
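The three steps above, as an added POSIX shell example (not the project's own deployment script) with a preflight check in front of them. The image name and the MCP_GATEWAY_PORT, MCP_GATEWAY_API_KEY and MCP_GATEWAY_WASM_GUARDS_DIR variables are the ones the page lists; the container-side paths (/config/config.json, /guards, /logs) and the port binding are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the project's scripts. Container paths and port binding are assumed.
set -eu

IMAGE="ghcr.io/github/gh-aw-mcpg:latest"

# gen_key prints a 64-hex-character random API key without depending on openssl.
gen_key() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# preflight refuses to start with a missing or empty config or a short API key, the two
# mistakes that otherwise yield a gateway that is either broken or trivially opened.
preflight() {
  cfg="$1"; key="$2"
  [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
  grep -q '[^[:space:]]' "$cfg" || { echo "config is empty: $cfg" >&2; return 1; }
  [ "${#key}" -ge 32 ] || { echo "MCP_GATEWAY_API_KEY must be at least 32 characters" >&2; return 1; }
}

# build_run_cmd prints the docker command. The port is bound to 127.0.0.1 only, and
# MCP_GATEWAY_API_KEY is passed by name so docker inherits its value from the caller's
# environment instead of the key appearing on the command line or in shell history.
# Paths are not quoted, so they must not contain spaces.
build_run_cmd() {
  port="$1"; cfg="$2"; guards="$3"; logs="$4"
  printf 'docker run --rm -p 127.0.0.1:%s:%s -e MCP_GATEWAY_PORT=%s -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_WASM_GUARDS_DIR=/guards -v %s:/config/config.json:ro -v %s:/guards:ro -v %s:/logs -v /var/run/docker.sock:/var/run/docker.sock %s\n' \
    "$port" "$port" "$port" "$cfg" "$guards" "$logs" "$IMAGE"
}

# deploy runs the page's three steps: pull the image, check config.json, run the container.
deploy() {
  : "${MCP_GATEWAY_PORT:=8080}"
  export MCP_GATEWAY_API_KEY="${MCP_GATEWAY_API_KEY:-$(gen_key)}"
  preflight ./config.json "$MCP_GATEWAY_API_KEY"
  docker pull "$IMAGE"
  eval "$(build_run_cmd "$MCP_GATEWAY_PORT" "$PWD/config.json" "$PWD/guards" "$PWD/logs")"
}

# Run with DEPLOY=1 ./deploy.sh from the directory holding config.json and guards/;
# without DEPLOY=1 only the functions are defined, so the file can be sourced and tested.
if [ "${DEPLOY:-0}" = "1" ]; then
  deploy
fi
```

The agent sandbox then reaches the gateway at 127.0.0.1 on MCP_GATEWAY_PORT and presents the key in the Authorization header; the Docker socket mount is what lets the gateway launch Docker-backed MCP servers, so the host running this container should be treated as trusted infrastructure.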

Section 07

Application Scenarios & Value

Main use cases:

  • Enterprise AI agent deployment (secure GitHub access).
  • Multi-tenant SaaS platforms (policy-based data isolation).
  • Open-source project automation (safe tool access for contributors).
  • Compliance-focused organizations (audit logs + integrity filtering to meet regulations).

Section 08

Summary & Outlook

GitHub MCP Gateway is an important exploration in AI infrastructure security, combining access control with MCP flexibility. Its WASM DIFC, fine-grained policies, and dual-mode design address production needs. As AI agents take on more complex tasks, such secure gateways will become essential. It sets a paradigm for balancing openness and control in AI agent workflows.