Trust checks everywhere: MCP server and GitHub Action

The Trust API gives you scores on demand. But the best safety checks are the ones you never have to remember to run. Today we are shipping two integrations that embed trust checks directly where decisions happen: inside AI assistant conversations via MCP, and inside CI/CD pipelines via GitHub Actions.

The Fabric MCP server

The Model Context Protocol lets AI assistants call external tools during a conversation. The Fabric MCP server exposes a lookup tool that returns trust scores for any indexed service. When Claude Desktop (or any MCP client) considers using an external tool, it can check the trust score first and decide whether to proceed.

This means your AI assistant can automatically verify that a tool is safe before granting it access to your files, APIs, or data. No manual lookup required.

Setup

Add the Fabric MCP server to your Claude Desktop configuration:

{
  "mcpServers": {
    "fabric-trust": {
      "command": "npx",
      "args": ["@anthropic/fabric-trust-mcp"],
      "env": {
        "FABRIC_API_KEY": "fl_live_..."
      }
    }
  }
}

Once configured, Claude can call the lookup tool with any service slug and receive the full score breakdown. The response includes the composite score, status label, coverage ratio, and all six signal scores.

What it looks like in practice

When you ask Claude to use a tool it has not seen before, it can first check the trust score. If the score is below a threshold you set, Claude can warn you or refuse to proceed. If the service is trusted, it continues without interruption. The check adds minimal latency and happens transparently.

The GitHub Action

The Fabric Trust GitHub Action brings the same safety checks into your CI/CD pipeline. Add it to any workflow and it scans a list of services (or your project dependencies) against the Trust Index on every push or pull request.

Basic setup

name: Trust Check
on: [push, pull_request]

jobs:
  trust-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Fabric Trust Check
        uses: fabriclayer/trust-action@v1
        with:
          slugs: openai,anthropic,langchain-core
          min-score: 3.0
        env:
          FABRIC_API_KEY: ${{ secrets.FABRIC_API_KEY }}

The action queries the Trust API for each listed service. If any service scores below your min-score threshold, the step fails and the PR is blocked from merging. The output includes a summary table showing each service, its score, and its status.

Why this matters

Most dependency scanning tools focus on known CVEs. The Fabric Trust Action goes further by checking operational health, maintenance activity, publisher reputation, and transparency. A dependency can have zero CVEs and still be risky if it is abandoned, published by an anonymous account, or has inconsistent operational behaviour. The trust score captures all of that.

How they work together

The MCP server and GitHub Action serve different moments in the development lifecycle. The MCP server protects runtime decisions, when an AI agent is about to call a tool. The GitHub Action protects build time decisions, when new dependencies enter the codebase.

Both use the same underlying API and the same scoring engine. A service that scores 4.5 in Claude Desktop will score 4.5 in your CI pipeline. Consistency across surfaces means you can set a single policy and enforce it everywhere.