Conversation
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
- Campaign focuses on burning down security alerts backlog - Prioritizes file write vulnerabilities - Clusters up to 3 related alerts per fix - Uses code-scanning-fixer and security-fix-pr workflows Co-Authored-By: Claude Sonnet 4.5 Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add campaign for security alert burndown
Add Security Alert Burndown campaign with alert clustering
Jan 20, 2026
Contributor
|
@copilot Update campaign to account for new security fixes and recompile |
Added security-review workflow to provide PR review capabilities for security fixes Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Contributor
Author
…cfc-4ad7-8b35-46c5f7055794
mnkiefer
approved these changes
Jan 20, 2026
Contributor
|
@copilot Recompile campaign |
Added discovery-repos field to specify search scope for worker workflow items Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Contributor
Author
mnkiefer
approved these changes
Jan 20, 2026
mnkiefer
deleted the
copilot/burn-down-security-alerts-358ed2f7-2cfc-4ad7-8b35-46c5f7055794
branch
This was referenced Jan 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Created campaign orchestrator to systematically burn down code security alerts backlog, prioritizing file write vulnerabilities with intelligent alert clustering.
Campaign Architecture
campaign:security-alert-burndowncode-scanning-fixer(30m) - Creates PRs with high-severity fixes, processes 1 alert per runsecurity-fix-pr(4h) - Submits autofixes to GitHub Code Scanning, processes up to 5 alerts per runsecurity-review(on-demand) - Reviews PRs for security implications via/security-reviewslash commandgithubnext/gh-awrepository for worker workflow itemsGovernance & Clustering
Alert clustering targets same file/type/remediation pattern while maintaining reviewability. Priority hierarchy: file write vulnerabilities → high-severity alerts → other issues.
KPIs
Implementation
Campaign spec:
.github/workflows/security-alert-burndown.campaign.md(174 lines)Compiled workflow:
.github/workflows/security-alert-burndown.campaign.lock.yml(2103 lines)Project URL: https://github.com/orgs/githubnext/projects/122
Original prompt
This section details on the original issue you should resolve
<issue_title>Campaign: Security Alert Burndown</issue_title>
<issue_description>Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments generated code for fixes. Use Claude for codegen, copilot for campaign manager.
Campaign Created: Security Alert Burndown
A new campaign has been generated to systematically address the code security alerts backlog.
Campaign Details
security-alert-burndownSelected Workflows
Strategy
The campaign uses a multi-pronged approach:
Files Created
.github/workflows/security-alert-burndown.campaign.md- Campaign specificationHandoff to Copilot Coding Agent
Task: Compile and Finalize Campaign
Please compile the campaign specification and prepare it for deployment.
Required Steps
Compile the campaign:
Verify compilation:
.github/workflows/security-alert-burndown.campaign.g.mdwas generated.github/workflows/security-alert-burndown.campaign.lock.ymlwas createdUpdate project URL:
project-urlfield in.github/workflows/security-alert-burndown.campaign.mdhttps://github.com/orgs/githubnext/projects/[NUMBER]Commit the files:
Create pull request:
Acceptance Checklist
gh aw compile security-alert-burndowncompletes successfully.campaign.g.mdfile is generated.campaign.lock.ymlfile is created and validAdditional Context
The campaign specification is located at:
.github/workflows/security-alert-burndown.campaign.mdIt references two existing workflows:
.github/workflows/code-scanning-fixer.md(creates PRs every 30m).github/workflows/security-fix-pr.md(creates autofixes every 4h)Both workflows use cache memory to coordinate and avoid duplicate work.</issue_description>
Comments on the Issue (you are @copilot in this section)
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.