Adds dispatch target to deal with security findings #22729
Conversation
pelikhan
left a comment
We should not include this prompt in the general-purpose authoring agent. It does not belong there.
Should this become a separate aw prompt? |
Pull request overview
Adds a new security-findings dispatch target and prompt to guide conservative, evidence-based triage of external security reports against the gh-aw threat model and implementation.
Changes:
- Introduces a new security-finding triage prompt at `.github/aw/security-findings.md`
- Updates the dispatcher agent to route security-finding triage requests to the new prompt
- Expands dispatcher documentation to describe when/how to use the new triage route
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `.github/aw/security-findings.md` | New dedicated prompt defining an evidence-driven workflow for validating external security findings and deciding on escalation vs. doc fixes. |
| `.github/agents/agentic-workflows.agent.md` | Dispatcher agent updated to advertise and link the new security-findings routing target. |
| - `.github/aw/github-agentic-workflows.md` | ||
| - `specs/security-architecture-spec.md` | ||
| - `docs/src/content/docs/introduction/architecture.mdx` | ||
| - `docs/src/content/docs/reference/safe-outputs-specification.md` | ||
| - `docs/src/content/docs/reference/threat-detection.md` | ||
| - Relevant implementation files under `pkg/workflow/`, `actions/setup/`, and `.github/workflows/` |
In the “Preferred Evidence Sources” list, these look like intended in-repo file references, but they’re written as plain code-formatted paths. Elsewhere in gh-aw prompts, local references use the `@.github/...` form (e.g., `.github/aw/debug-agentic-workflow.md:53-55`) so the agent can reliably load the files as context. Consider switching these entries to the `@`-prefixed form for consistency and better toolability (and do the same for the docs/spec paths if they’re meant to be directly opened).
| - `.github/aw/github-agentic-workflows.md` | |
| - `specs/security-architecture-spec.md` | |
| - `docs/src/content/docs/introduction/architecture.mdx` | |
| - `docs/src/content/docs/reference/safe-outputs-specification.md` | |
| - `docs/src/content/docs/reference/threat-detection.md` | |
| - Relevant implementation files under `pkg/workflow/`, `actions/setup/`, and `.github/workflows/` | |
| - `@.github/aw/github-agentic-workflows.md` | |
| - `@specs/security-architecture-spec.md` | |
| - `@docs/src/content/docs/introduction/architecture.mdx` | |
| - `@docs/src/content/docs/reference/safe-outputs-specification.md` | |
| - `@docs/src/content/docs/reference/threat-detection.md` | |
| - Relevant implementation files under `@pkg/workflow/`, `@actions/setup/`, and `@.github/workflows/` |
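Review bot: the suggested `@`-prefixed form is applied in the last row to directories (`@pkg/workflow/`, `@actions/setup/`, `@.github/workflows/`), whereas the precedent cited for that form (`.github/aw/debug-agentic-workflow.md:53-55`) is a single-file reference. Before adopting the suggestion for those three entries, confirm that the prompt loader resolves a `@` directory path at all; if it only loads files, keep the directory entries as plain paths and tell the agent to search under them, so the rest of the list can still be loaded reliably.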
| If GitHub CLI is unavailable or unauthenticated in the current environment, use the available GitHub tools instead, but keep GH CLI as the default path whenever possible. | ||
|
|
The fallback path for when gh is unavailable/unauthenticated says to “use the available GitHub tools”, but it doesn’t name which tools/endpoints to use. For consistency with other prompts (e.g., .github/aw/debug-agentic-workflow.md explicitly names the agentic-workflows tool), consider listing the specific GitHub tools to use for the common cases you mention here (issue/PR/discussion/code scanning), so the instructions are actionable and repeatable.
| If GitHub CLI is unavailable or unauthenticated in the current environment, use the available GitHub tools instead, but keep GH CLI as the default path whenever possible. | |
| If GitHub CLI is unavailable or unauthenticated in the current environment, use the available GitHub tools instead, but keep GH CLI as the default path whenever possible. In that case, prefer: | |
| - `github-issues` for issues and security reports filed as issues. | |
| - `github-pull-requests` for pull requests that contain the finding or relevant code. | |
| - `github-discussions` for findings reported in GitHub Discussions. | |
| - `github-code-scanning` for code scanning alerts and SARIF-based findings. | |
| - `agentic-workflows` for additional workflow context when needed to interpret a finding. |
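Review bot: the fallback now names the tools but still does not say how the agent is to detect that GitHub CLI is unavailable or unauthenticated, so two runs of the same triage can take different paths with nothing in the output showing which. Consider stating the check up front (for example `gh auth status`) and asking the agent to record, per piece of evidence, whether it came from `gh`, one of the listed GitHub tools, or a repository file; for a triage that is meant to be evidence-based, the person reading the verdict needs to see where the evidence was obtained.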
Summary
Adds a new `security-findings` dispatch target to the agentic workflows dispatcher. This route is designed for triaging external security findings against the gh-aw threat model, security architecture, and implementation before deciding whether a follow-up issue is actually needed.
Changes
- `security-findings` dispatch target
- `.github/aw/security-findings.md`
Why
This makes security-finding triage more deliberate and conservative, so we only open new issues for clear platform problems and otherwise resolve false positives with targeted documentation updates.