Skip to content

Adds Security Champion chat / agent mode to provide comprehensive security guidance by integrating Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks.#408

Open
obrocki wants to merge 16 commits intomicrosoft:mainfrom
obrocki:feat/security-champion-agent
Open

Conversation

@obrocki
Copy link

@obrocki obrocki commented Feb 4, 2026
edited
Loading

  • Incorporates all 10 Microsoft SDL practices for secure software development
  • Organizes security inspection areas by development lifecycle stage (Design, Code, Build/Deploy, Runtime)
  • Adds guidance for threat modeling, Zero Trust principles, and supply chain security
  • Expands responsibilities to include security design reviews and Secure by Design promotion
  • Maintains existing OWASP Top 10 and OWASP Top 10 for LLM Applications (2025) references

🔒 - Generated by Copilot

Pull Request

Description

Related Issue(s)

#416

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)

Sample Prompts and Usage

image

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

Additional Notes

Copilot AI review requested due to automatic review settings February 4, 2026 10:06
@codecov-commenter
Copy link

codecov-commenter commented Feb 4, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.34%. Comparing base (adbebe1) to head (4071e05).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #408      +/-   ##
==========================================
- Coverage   85.36%   85.34%   -0.03%     
==========================================
  Files          23       23              
  Lines        4475     4475              
==========================================
- Hits         3820     3819       -1     
- Misses        655      656       +1
Flag Coverage Δ
pester 85.34% <ø> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a Security Champion agent and comprehensive OWASP security instruction files to integrate Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks. The PR introduces security guidance across the development lifecycle, from design through runtime, with detailed coding standards for both traditional web applications and LLM-specific security concerns.

Changes:

  • Adds Security Champion conversational agent for security-focused code review and advisory
  • Introduces comprehensive OWASP Top 10 secure coding instructions for web applications
  • Adds OWASP Top 10 for LLM Applications (2025) secure coding instructions for AI/ML security

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 14 comments.

File Description
.github/agents/security-champion.agent.md New conversational agent that serves as a security advisor, integrating Microsoft SDL practices with OWASP frameworks to guide security reviews across all development stages
.github/instructions/owasp-for-web-applications.instructions.md New instruction file providing comprehensive secure coding guidelines based on OWASP Top 10, covering vulnerabilities from access control to SSRF
.github/instructions/owasp-for-llms.instructions.md New instruction file providing LLM-specific security guidelines based on OWASP Top 10 for LLM Applications (2025), covering prompt injection, data leakage, and other AI-specific risks

Copilot AI review requested due to automatic review settings February 4, 2026 14:03
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

Copilot AI review requested due to automatic review settings February 4, 2026 14:54
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

@obrocki obrocki marked this pull request as ready for review February 4, 2026 16:24
@obrocki obrocki requested a review from a team as a code owner February 4, 2026 16:24
Copilot AI review requested due to automatic review settings February 4, 2026 16:54
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

@obrocki obrocki mentioned this pull request Feb 4, 2026
Open
WilliamBerryiii
WilliamBerryiii reviewed Feb 4, 2026
View reviewed changes
WilliamBerryiii
WilliamBerryiii reviewed Feb 4, 2026
View reviewed changes
@WilliamBerryiii
Copy link
Member

WilliamBerryiii commented Feb 4, 2026
edited
Loading

Hi! A small request: could you update the PR title to include the conventional commit format with scope? This ensures release-please picks it up correctly for the changelog.

Suggested: `feat(agents): add security champion agent with Microsoft SDL practices

Thanks!

@WilliamBerryiii WilliamBerryiii added this to the v2.2.0 milestone Feb 5, 2026
katriendg
katriendg requested changes Feb 5, 2026
View reviewed changes
Copy link
Contributor

@katriendg katriendg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution. This is valuable, there are a few optimizations I feel are relevant before we merge.

  1. Please re-run the /prompt-analyse or prompt-builder agent again and ensure you add your new files to the context, and ask it to review your three files for recommendations. There are several open recommendations you can still apply before we merge.
  2. Evaluate the usage of the .instructions.md files and applyTo. Is it possible to merge into the custom agent instead? Especially for the LLM application instructions we do not want to enforce this upon every single edit of applicable files. Again here the Task-Researcher and/or Prompt Builder agents may help you refactor some of this in an efficient way.
  3. ## Required Phases given this agent has specific phases (in your case Stages), you should be able to easily reformat the agent to follow the phases approach. Also prompt-builder may do this for you.

Hope these make sense!

Copilot AI review requested due to automatic review settings February 5, 2026 14:52
Copilot AI reviewed Feb 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Copilot AI review requested due to automatic review settings February 5, 2026 19:48
@obrocki obrocki requested a review from katriendg February 5, 2026 19:49
Copilot AI reviewed Feb 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@katriendg
Copy link
Contributor

katriendg commented Feb 6, 2026

Thanks for your changes, I think this is looking good for an initial inclusion into experimental pre-release so we can have some active testing, see how it behaves when used together with some of the other instructions and agents.
Please review any open comments and close them, either adopt the recommendation or leave a note and close the comment. Some of the Copilot comments are valid, some you may just want to discard, or simply outdated.
Once all comments are closed I will do a final review and expect Approval soon from my side.

Copilot AI review requested due to automatic review settings February 6, 2026 13:28
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Copilot AI review requested due to automatic review settings February 13, 2026 13:53
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

Copilot AI review requested due to automatic review settings February 13, 2026 16:16
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

obrocki and others added 15 commits February 13, 2026 16:56
@obrocki
feat(instructions): add comprehensive secure coding guidelines for LL…
40e3540 
…M applications

- include OWASP Top 10 for LLM Applications (2025) security practices
- outline responsibilities and areas to inspect during development stages
- emphasize security champion mindset and ongoing threat awareness

🔒 - Generated by Copilot
@obrocki
feat(security-identity): update Security Champion agent description a…
deaf261 
…nd tools list

🔒 - Generated by Copilot
@obrocki
docs(instructions): refine secure coding guidelines for LLM applications
cdb3856 
- clarify the directive for secure coding practices
- emphasize the importance of a security-first mindset
- enhance instructions for code reviews and security education

🔒 - Generated by Copilot
@obrocki
Update .github/instructions/owasp-for-web-applications.instructions.md
7d53070 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@obrocki
style(security-identity): fix link formatting for Microsoft SDL in se…
bb77c14 
…curity champion agent documentation

🔒 - Generated by Copilot
@obrocki
style(security-identity): refine language and structure in security c…
88cf9b5 
…hampion agent documentation

🔒 - Generated by Copilot
@obrocki
docs(instructions): update OWASP guidelines for LLM and web applications
310929c 
- enhance clarity and structure of security instructions
- add maturity status to both documents
- improve emphasis on security principles and practices
- refine sections for better readability and understanding

🔒 - Generated by Copilot
@obrocki
chore(instructions): update maturity status to experimental for OWASP…
211597a 
… guidelines

🔒 - Generated by Copilot
@obrocki
feat(security-identity): enhance security champion agent with detaile…
92f131c 
…d guidance and handoffs

- add security-focused code review purpose and workflow
- include core frameworks and areas covered for security champion agent
- remove maturity status from OWASP instructions for LLM and web applications

🔒 - Generated by Copilot
@obrocki
feat(security-identity): update security champion agent phases for cl…
b650ad8 
…arity and structure

- redefine inspection areas as required phases
- clarify flow through development lifecycle phases
- enhance guidance for security reviews and reporting

🔒 - Generated by Copilot
@obrocki
fix(agents): address PR review comments for security champion
f568acb 
- Remove tools frontmatter to let users choose available tools
- Elaborate agent description for Extension UI visibility
- Add #file: references for OWASP instructions so Copilot follows paths
- Add maturity: experimental to both OWASP instruction files
- Convert bolded-prefix list items to plain text in LLM instructions
- Convert embedding inversion defense list to prose
@obrocki
feat(instructions): add OWASP guidelines for LLM applications and res…
16fd15a 
…tore web applications guidelines

- introduce OWASP Top 10 for LLM Applications with detailed security measures
- restore comprehensive secure coding instructions for web applications
- ensure clear communication of security practices and principles

🔒 - Generated by Copilot
@obrocki
Update .github/instructions/security/owasp-for-web-applications.instr…
5492b4d 
…uctions.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@obrocki
Update .github/instructions/security/owasp-for-llms.instructions.md
b7f9260 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@obrocki
Update .github/instructions/security/owasp-for-web-applications.instr…
c8e2456 
…uctions.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 13, 2026 16:56
@obrocki obrocki force-pushed the feat/security-champion-agent branch from 673ade6 to c8e2456 Compare February 13, 2026 16:56
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

.github/instructions/security/owasp-for-web-applications.instructions.md
@@ -0,0 +1,226 @@
---
description: "Comprehensive secure coding instructions for all languages and frameworks, based on OWASP Top 10 and industry best practices. Give clear and concise feedback and points of improvement."
maturity: experimental
Copy link

Copilot AI Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The frontmatter includes a maturity field, which is not allowed according to the instruction-frontmatter.schema.json schema. The schema defines additionalProperties: false and only allows description, name, and applyTo fields. Maturity is tracked in collection manifest items (collections/*.collection.yml), not in individual artifact frontmatter. Remove the maturity field from this frontmatter and instead add this file to an appropriate collection manifest with the maturity specified there.

Suggested change
maturity: experimental

Copilot uses AI. Check for mistakes.
.github/instructions/security/owasp-for-llms.instructions.md
---
description: "When generating, reviewing, or refactoring code that interacts with Large Language Models (LLMs), read and follow these OWASP Top 10 for LLM Applications (2025) secure coding guidelines to protect against prompt injection, data leakage, and LLM-specific vulnerabilities. Apply these instructions to any LLM integration, agent framework, RAG pipeline, or AI-powered feature. Provide clear and concise security feedback and points of improvement."
applyTo: '**/*'
maturity: experimental
Copy link

Copilot AI Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The frontmatter includes a maturity field, which is not allowed according to the instruction-frontmatter.schema.json schema. The schema defines additionalProperties: false and only allows description, name, and applyTo fields. Maturity is tracked in collection manifest items (collections/*.collection.yml), not in individual artifact frontmatter. Remove the maturity field from this frontmatter and instead add this file to an appropriate collection manifest with the maturity specified there.

Suggested change
maturity: experimental

Copilot uses AI. Check for mistakes.
@WilliamBerryiii WilliamBerryiii modified the milestones: v2.3.0, v2.4.0 Feb 13, 2026
@obrocki
feat(instructions): add experimental OWASP security guidelines for we…
4071e05 
…b applications and LLMs

🔒 - Generated by Copilot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@WilliamBerryiii WilliamBerryiii WilliamBerryiii left review comments

@agreaves-ms agreaves-ms agreaves-ms left review comments

Copilot code review Copilot Copilot left review comments

@auyidi1 auyidi1 auyidi1 approved these changes

@katriendg katriendg Awaiting requested review from katriendg

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v2.4.0

Development

Successfully merging this pull request may close these issues.

6 participants

@obrocki @codecov-commenter @WilliamBerryiii @katriendg @auyidi1 @agreaves-ms