
Add security-alert-burndown campaign specification #10363

Closed
Copilot wants to merge 3 commits into main from
copilot/burn-down-security-alerts-5cc5d4bf-104f-44fd-a5c0-2a388aadaf49


Conversation


Copilot AI commented Jan 16, 2026

Implements a campaign that coordinates code-scanning-fixer (30min schedule) and security-fix-pr (4h schedule) to systematically eliminate code security alerts, prioritizing file write vulnerabilities (CWE-73, CWE-22, path traversal).

Campaign Configuration

  • ID: security-alert-burndown
  • State: Planned
  • Risk: Medium
  • Tracker: campaign:security-alert-burndown
  • Memory: memory/campaigns/security-alert-burndown/**

Key Features

  • Alert Clustering: Groups up to 3 related alerts per PR when they share file/module, vulnerability type, or remediation approach
  • Shared Cache: Both workflows coordinate via /tmp/gh-aw/cache-memory/fixed-alerts.jsonl to prevent duplicate fixes
  • Quality Requirements: All fixes require inline comments, documentation updates, and security best practices references

KPIs

  • Primary: Total Security Alerts → 0 (60 days)
  • Supporting: Critical Severity Alerts → 0
  • Supporting: File Write Vulnerability Alerts → 0

Governance

  • Max 3 new items per run
  • Max 50 discovery items per run
  • Opt-out labels: no-campaign, no-bot, wontfix

Post-Merge

Update project-url field from "https://github.com/orgs/githubnext/projects/TBD" to actual GitHub Project board URL. Configure custom fields: Worker/Workflow, Priority, Status, Start/End Date, Effort.

Original prompt

This section details the original issue you should resolve

<issue_title>Campaign: Security Alert Burndown</issue_title>
<issue_description>📊 Project Board: Campaign project created successfully (URL will be available after compilation)

Original Request

Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments to generated code for fixes. Use Claude for codegen, copilot for campaign manager.


🎯 Campaign Details

Campaign ID: security-alert-burndown
Campaign Name: Security Alert Burndown
Risk Level: Medium
State: Planned

📋 Workflows

Existing Workflows (Ready to Use)

  • code-scanning-fixer: Automatically fixes high severity code scanning alerts by creating pull requests with remediation. Runs every 30 minutes to quickly address security alerts. Uses cache memory to avoid duplicate fixes.
  • security-fix-pr: Identifies and automatically fixes code security issues by creating autofixes via GitHub Code Scanning. Can fix up to 5 alerts per run using GitHub's autofix API.

Related Workflows (Available)

  • security-compliance: Full campaign workflow for audit-driven security compliance with tracking and reporting
  • daily-secrets-analysis: Daily monitoring of secret usage patterns across workflow files

🎯 Goals

  • Reduce critical and high severity code scanning alerts to zero
  • Prioritize file write vulnerabilities (CWE-73, CWE-22, path traversal, arbitrary file write)
  • Cluster related alerts together (up to 3 per PR) for efficient remediation
  • Add descriptive comments to all generated code fixes
  • Maintain comprehensive audit trail in campaign memory

📊 Key Features

Alert Clustering: Group up to 3 related alerts in a single PR when they share:

  • Same file or module
  • Same vulnerability type
  • Similar remediation approach

Prioritization: File write issues first, then other high/critical severity alerts

Quality Standards:

  • All generated code includes inline comments explaining security fixes
  • Function/method documentation updates
  • Security best practices references

⏱️ Timeline

  • Start Date: TBD (after compilation and approval)
  • Target Completion: Ongoing until backlog cleared

🤖 Instructions for Copilot Coding Agent

The campaign specification file has been created at .github/workflows/security-alert-burndown.campaign.md.

Your task: Run gh aw compile security-alert-burndown to compile the campaign

After compilation:

  1. The campaign will be ready to use
  2. Create a PR with the compiled campaign files
  3. Include the project URL in the PR description (obtained during compilation)
  4. The project board needs custom fields configured (Worker/Workflow, Priority, Status, Start Date, End Date, Effort)

Note: This campaign coordinates two workflows:

  • code-scanning-fixer (every 30 min) - handles urgent high-severity issues
  • security-fix-pr (every 4h) - handles batch processing with autofix API

Both share cache memory to prevent conflicts and track all fixes in campaign memory.</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes githubnext/gh-aw#10362

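The three mechanics the PR body leans on (skip alerts already recorded in the shared JSONL cache, put file-write alerts such as CWE-22/CWE-73 first, and cluster up to three alerts that share a module and vulnerability type into one PR, capped at three new items per run) are shown below as an added example. It is not code from gh-aw, from the campaign spec, or from either workflow. The Alert shape, the rule-tag format (`external/cwe/cwe-022`), the JSONL record layout and the sample alerts are assumptions constructed for the example; the cache path the PR names is /tmp/gh-aw/cache-memory/fixed-alerts.jsonl, but the demo writes to a temporary directory so it runs anywhere.

```python
"""Plan burndown PRs from code scanning alerts: dedup via a shared JSONL cache,
prioritise file-write issues, cluster up to three related alerts per PR.

Added example, not gh-aw code. Alert shape, tag format and JSONL layout are
assumptions made for this example.
"""
import json
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass

FILE_WRITE_CWES = {"CWE-22", "CWE-73"}   # the file-write CWEs the campaign puts first
MAX_PER_CLUSTER = 3                       # "up to 3 related alerts per PR"
MAX_NEW_PER_RUN = 3                       # governance: "Max 3 new items per run"
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Alert:
    number: int      # code scanning alert number
    rule_id: str     # e.g. "js/path-injection" (assumed id)
    severity: str    # "critical" / "high" / "medium" / "low"
    path: str        # file the alert points at
    tags: tuple      # rule tags, assumed to carry CWE ids like "external/cwe/cwe-022"


def cwes(alert: Alert) -> set:
    """Normalise tags such as 'external/cwe/cwe-022' to 'CWE-22'."""
    found = set()
    for tag in alert.tags:
        tag = tag.lower()
        if "cwe-" in tag:
            digits = tag.rsplit("cwe-", 1)[1]
            if digits.isdigit():
                found.add(f"CWE-{int(digits)}")
    return found


def is_file_write(alert: Alert) -> bool:
    return bool(cwes(alert) & FILE_WRITE_CWES)


def parse_fixed_lines(lines) -> set:
    """Alert numbers from JSONL records. A torn or partial last line (the other
    workflow mid-append on the shared file) is skipped rather than fatal."""
    fixed = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and "alert" in record:
            fixed.add(int(record["alert"]))
    return fixed


def load_fixed(cache_path: str) -> set:
    if not os.path.exists(cache_path):
        return set()
    with open(cache_path, encoding="utf-8") as fh:
        return parse_fixed_lines(fh)


def record_fixed(cache_path: str, alerts, pr: int) -> None:
    """Append one whole line per alert; append-only keeps both workflows' records."""
    os.makedirs(os.path.dirname(cache_path) or ".", exist_ok=True)
    with open(cache_path, "a", encoding="utf-8") as fh:
        for a in alerts:
            fh.write(json.dumps({"alert": a.number, "pr": pr, "rule": a.rule_id}) + "\n")


def plan_clusters(alerts, fixed, max_new=MAX_NEW_PER_RUN):
    """Return up to max_new clusters (lists of Alert); each cluster becomes one PR."""
    candidates = [a for a in alerts if a.number not in fixed]
    # File-write issues first, then severity, then alert number for determinism.
    candidates.sort(key=lambda a: (0 if is_file_write(a) else 1,
                                   SEVERITY_RANK.get(a.severity, 9), a.number))
    groups = defaultdict(list)
    for a in candidates:
        # Same module + same rule => same vulnerability type and shared remediation.
        groups[(os.path.dirname(a.path) or ".", a.rule_id)].append(a)
    clusters = []
    for members in groups.values():   # insertion order = highest-priority group first
        for i in range(0, len(members), MAX_PER_CLUSTER):
            clusters.append(members[i:i + MAX_PER_CLUSTER])
    return clusters[:max_new]


# Constructed sample alerts for the demo, not real findings.
SAMPLE_ALERTS = [
    Alert(101, "js/path-injection", "high", "src/api/upload.js", ("external/cwe/cwe-022", "external/cwe/cwe-073")),
    Alert(102, "js/path-injection", "high", "src/api/download.js", ("external/cwe/cwe-022",)),
    Alert(103, "js/sql-injection", "critical", "src/db/query.js", ("external/cwe/cwe-089",)),
    Alert(104, "js/path-injection", "medium", "src/api/export.js", ("external/cwe/cwe-022",)),
    Alert(105, "js/path-injection", "high", "src/api/archive.js", ("external/cwe/cwe-022",)),
    Alert(106, "js/xss", "high", "src/web/render.js", ("external/cwe/cwe-079",)),
    Alert(107, "js/sql-injection", "high", "src/db/report.js", ("external/cwe/cwe-089",)),
]


def run_demo(cache_path=None):
    """Seed the cache with one earlier fix, plan a run, record its first PR."""
    if cache_path is None:
        cache_path = os.path.join(tempfile.mkdtemp(), "fixed-alerts.jsonl")
    record_fixed(cache_path, [SAMPLE_ALERTS[1]], pr=9000)   # 102 fixed by an earlier run
    clusters = plan_clusters(SAMPLE_ALERTS, load_fixed(cache_path))
    record_fixed(cache_path, clusters[0], pr=9001)           # first cluster shipped as a PR
    return [[a.number for a in c] for c in clusters], load_fixed(cache_path)


if __name__ == "__main__":
    plan, fixed = run_demo()
    print("clusters:", plan)
    print("fixed so far:", sorted(fixed))
```

The dedup guarantee between a 30-minute and a 4-hour workflow rests entirely on that shared file: each side must append whole lines and the reader must tolerate a torn line, as `parse_fixed_lines` does. That is enough for small appends on a local cache, but it is not a lock; a production version should take an advisory lock around read-plan-append or treat the alert's own state on GitHub as the source of truth, otherwise two runs can still plan the same alert between one reading the cache and the other appending to it.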

Copilot AI and others added 2 commits January 16, 2026 19:41
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement campaign to burndown security alerts" to "Add security-alert-burndown campaign specification" on Jan 16, 2026
Copilot AI requested a review from mnkiefer January 16, 2026 19:48
@mnkiefer mnkiefer closed this Jan 16, 2026
