GitHub Lockdown Mode
GitHub lockdown mode is a security feature of the GitHub MCP server that filters content in public repositories to only surface items (issues, pull requests, comments, discussions, etc.) from users with push access to the repository. This protects agentic workflows from processing potentially malicious or misleading content from untrusted users.
To enable lockdown mode for your workflow:
- Set
lockdown: truein your workflow frontmatter - **Configure Additional Authentication for GitHub Tools
Lockdown Mode is automatically enabled for public repositories if Additional Authentication for GitHub Tools is configured. It is not in effect for private or internal repositories.
Security Benefits
Section titled “Security Benefits”GitHub lockdown mode protects against several attack vectors:
Input Manipulation
Section titled “Input Manipulation”Without lockdown, an attacker could:
- Create an issue with malicious code snippets or links
- Trigger an agentic workflow (e.g., issue triage, planning assistant)
- Attempt to hijack the workflow through prompt-injection
With lockdown: Only trusted contributors’ issues are visible to workflows.
Context Poisoning
Section titled “Context Poisoning”Attackers could flood public repositories with spam issues to:
- Overwhelm the AI context window with noise
- Manipulate AI decisions through volume of malicious suggestions
- Exhaust rate limits or credits
With lockdown: Only legitimate contributor content consumes workflow resources.
Social Engineering
Section titled “Social Engineering”Malicious users could craft issues that:
- Impersonate maintainers
- Request sensitive information
- Trick AI into revealing secrets or internal data
With lockdown: Only verified contributors can interact with workflows.
Example
Section titled “Example”---engine: copilot
tools: github: lockdown: true github-token: ${{ secrets.CUSTOM_TOKEN }} # Required for lockdown, and causes lockdown in public repos mode: remote toolsets: [repos, issues, pull_requests]---
# Your workflow that requires lockdown protection# Configure the required tokengh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"Disabling Lockdown Mode
Section titled “Disabling Lockdown Mode”Explicitly disable lockdown for workflows designed to process content from all users:
tools: github: lockdown: false # Explicitly disable (see "When to Disable" below)When to Disable Lockdown
Section titled “When to Disable Lockdown”If working in a public repository, it is recommended that you use an explicit lockdown: true or lockdown: false.
Some workflows are designed to process content from all users and include appropriate safety controls. Safe use cases for lockdown: false in public repositories:
- Issue Triage: Workflows that label, categorize, or route issues from all users
- Issue Organization: Workflows that add issues to projects or milestones based on labels or content
- Issue Planning: Workflows that estimate complexity, suggest related issues, or draft implementation plans based on issue content
- Spam Detection: Workflows that identify and flag spam issues or comments
- Public Dashboards: Workflows that generate public reports or metrics based on all repository activity
- Command Workflows: Workflows that respond to specific commands in issue comments (e.g.,
/plan,/analyze) and verify user permissions before taking action
Related Documentation
Section titled “Related Documentation”- Authentication - Token configuration and security
- Tools - GitHub tools configuration
- Safe Outputs - Write operation controls
- Permissions - GitHub Actions permissions
- FAQ: Lockdown Mode - Common questions
- Troubleshooting: Access Issues - Resolving access problems
- GitHub MCP Server Documentation - Upstream reference