🛡️ Copilot Security Instructions

A comprehensive toolkit to guide GitHub Copilot toward secure coding practices. This project includes customizable instructions and security-focused prompts to help development teams identify and mitigate security risks effectively.

Designed for security-conscious teams, this configuration ensures Copilot suggests safer code patterns, avoids common vulnerabilities, and reinforces best practices — all without disrupting your workflow.

🔐 What's Inside

This project offers:

Secure-by-default guidance for all languages (e.g., input validation, secret handling, safe logging).
Language-specific secure patterns:
- ☕ Java
- 🟩 Node.js
- 🟦 C#
- 🐍 Python
"Do Not Suggest" lists to block risky Copilot completions (e.g., eval, inline SQL, insecure deserialization).
AI hallucination protections to prevent package spoofing, non-existent APIs, and misinformation risks.
Mentorship-style tips to help newer engineers build secure coding habits.
Custom agents & Agent Skills under agents/ and skills/ for repeatable AppSec workflows inside Copilot.
An MCP server for seamless integration of these prompts into other projects.

🗂️ Prompt Catalogue

Explore the available prompts and their intended use cases:

These prompt files live under prompts/ in this repo and are intended to be copied into a consuming repository’s .github/prompts/.

Recommended workflow: start with the application-security-orchestrator agent (see agents/application-security-orchestrator.agent.md).
It standardizes intake, then hands off to specialist agents (Analyst/Architect/Engineer) depending on whether you want findings, a threat model, or implemented fixes.

Prompt	Description	Intended Use
access-control-and-authorization-architecutre.prompt.md	Review and report on access control / authorization architecture for project.	Perform analysis of the current architecture for access control and authorization within the project.
assess-logging.prompt.md	Identify unsafe logging and exposure of sensitive data.	Audit log output for leaks and recommend safer patterns.
business-logic-review.prompt.md	Analyze overall business logic flow and decision making.	Map application behavior and critique critical logic paths.
check-access-controls.prompt.md	Audit authorization and access control weaknesses.	Ensure RBAC/ABAC enforcement and consistent permission checks.
check-for-secrets.prompt.md	Detect hardcoded secrets and credentials.	Locate embedded keys or tokens and suggest secure storage.
check-for-unvalidated-genai-acceptances.prompt.md	Find unvalidated AI-generated code or hallucinated assets.	Verify that AI suggestions are real, tested, and documented.
add-content-security-policy.prompt.md	Design, implement, and roll out a new Content Security Policy (CSP) safely.	Add CSP to a web app with a deployable policy string, rollout plan, and verification steps.
csp-review.prompt.md	Review a web application’s Content-Security-Policy (CSP) for XSS resistance, safe third-party usage, and deployability.	Evaluate an existing CSP policy and recommend hardening + rollout steps.
dependency-cve-triage.prompt.md	Triage a known CVE against a project's dependency: explain the exploit, assess reachability and configuration, and produce a structured Dependency Tracker report.	Analyze a specific CVE's impact on local code, determine exploitability, and generate a concise triage report.
review-auth-flows.prompt.md	Evaluate authentication logic and session handling.	Review login flows for common risks and best practices.
scan-for-insecure-apis.prompt.md	Spot deprecated or insecure API usage.	Replace risky APIs with modern, safer alternatives.
secure-code-review.prompt.md	Perform a comprehensive security review of the codebase.	Conduct an end-to-end audit for security issues.
threat-model.prompt.md	Produce a lightweight threat model using the 4Q approach with scoped threats, mitigations, and a validation plan.	Threat-model a feature/system or PR diff and generate durable artifacts.
validate-input-handling.prompt.md	Check for missing or unsafe input validation.	Evaluate request handling for validation and sanitization gaps.

🧑‍💻 Agents

Agent	Purpose
application-security-orchestrator	Standardize intake and route to the right specialist.
application-security-analyst	Read-only findings + remediation guidance.
application-security-architect	Threat models + guardrails + ADRs.
application-security-engineer	Implement fixes + tests with minimal diffs.

🧩 Skills

Skill	Intended use
secure-code-review	Repeatable security review workflow + findings template.
authn-authz-review	Review authentication and authorization controls.
input-validation-hardening	Tighten validation boundaries and parsing safety.
dependency-cve-triage	CVE reachability + remediation plan workflow.
secrets-and-logging-hygiene	Prevent secret leaks and add redaction defaults.
genai-acceptance-review	Prevent over-trust and prompt/tool injection risks.
threat-model-lite	Lightweight threat modeling with ranked mitigations.
secure-fix-validation	Prove fixes work and don’t regress behavior.

📦 How to Use in a Real Project

Tip for contributors: when adding a file under prompts/, update the Prompt Catalogue table.

Leveraging Static Files

Copy the copilot-instructions.md file into your repo under:
.github/copilot-instructions.md
Drop the prompts you want into:
.github/prompts/
Open the prompt you wish to run within your IDE
Click the Run Prompt button to the top-right of the file

ℹ️ Note: If you don't see the run prompt button; check to make sure the Chat: Prompt Files functionality is enabled in your settings

Leveraging the MCP Server

The MCP server simplifies the integration of secure coding prompts into your workflow. Follow these steps:

Run MCP from source

Install dependencies
```
npm install
```

Setup environment

cp .env.example .env

The MCP server reads configuration from a .env file. Customize the following variables as needed:

Variable Description Default

server.port Port the MCP server listens on. 8080

server.ssl Whether to use ssl for express server false

server.ssl.pfx Path to pfx file localhost.pfx

server.ssl.pfx.passphrase Passphrase for pfx file PFX_PASSPHRASE

server.hostname Hostname the server binds to. localhost

logger.transports.console.enabled Enable console logging output. false

logger.transports.console.level Log level for console output. info

logger.transports.amqp.enabled Enable AMQP-based logging. false

logger.transports.amqp.level Log level for AMQP transport. http

logger.transports.amqp.hostname Hostname of the AMQP broker. localhost

logger.transports.amqp.port Port for the AMQP broker. 5672

logger.transports.amqp.username Username for AMQP authentication. guest

logger.transports.amqp.password Password for AMQP authentication. guest

logger.transports.amqp.exchange Exchange name used for AMQP logging. logs

logger.transports.amqp.vhost Virtual host for AMQP logging. /logs

logger.transports.amqp.heartbeat Heartbeat interval in seconds. 60

logger.transports.amqp.locale Locale for the AMQP connection. en_US

logger.transports.amqp.type AMQP exchange type. direct

logger.transports.amqp.durable Whether the AMQP exchange is durable. false

Start the server
```
npm start
```

Run MCP in Docker

Build docker container
```
docker build -t copilot-security-mcp .
```

Run docker container

docker run -d -p 8080:8080 copilot-security-mcp

Configuring VSCode for MCP

Open VSCode and run the MCP: Open User Configuration command.

Add the following JSON configuration:

{
   "servers": {
      "copilot-instructions-mcp": {
         "url": "http://localhost:8080/mcp"
      }
   }
}

Save the configuration.
Navigate to the Extensions menu in VSCode.
Locate the copilot-instructions-mcp server, click the settings cog, and select start server.

Using MCP with GitHub Copilot

Open GitHub Copilot Chat.
Ask it to run any of the prompts against your repository or specific files.

Example: Please get and run the secure code review prompt.

📚 Languages Supported

☕ Java — Spring, Jakarta, JDBC, OWASP Encoder
🟩 Node.js — Express, pg, mongoose, helmet, ajv, zod
🟦 C# — ASP.NET Core, Razor, ADO.NET, Entity Framework
🐍 Python — Flask, Django, SQLAlchemy, pydantic, Jinja2, bcrypt, cryptography

🛠️ Development

Use these npm scripts to work on the project:

Command	Description
`npm start`	Launches the MCP server on `http://localhost:8080/mcp`.
`npm run dev`	Starts the server with live reload via `nodemon`.
`npm run lint`	Runs ESLint and Markdownlint to verify code and docs.
`npm run lint:fix`	Attempts to automatically fix linting issues.

Recommended workflow: Run npm run lint (and npm run lint:fix if needed) before committing or opening a PR.

📣 Feedback & Contributions

This project is community-friendly and designed for continuous improvement.
If you have suggestions, feedback, or language rules to contribute — feel free to open an issue or PR.

Let’s make Copilot safer, one suggestion at a time. 🛠️

Disclaimer

This repository, including all instructions, prompts, agents, examples, and related application content,
is provided “AS IS”, without warranties or conditions of any kind, express or implied, including without
limitation warranties of merchantability, fitness for a particular purpose, noninfringement, security,
accuracy, completeness, or regulatory compliance.

Use of this repository is at your own risk. Robotti and its contributors shall not be liable for any claims,
damages, losses, or other liability arising from or related to the use, misuse, or inability to use this
repository or any outputs produced from it.

copilot-security-instructions