diff --git a/.github/agents/security/security-auditor.agent.md b/.github/agents/security/security-auditor.agent.md new file mode 100644 index 000000000..936418dc6 --- /dev/null +++ b/.github/agents/security/security-auditor.agent.md 
@@ -0,0 +1,223 @@ +--- +name: Security Auditor +description: "Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact" +agents: + - Security Reviewer +tools: + - agent + - read/readFile + - edit/createFile + - edit/createDirectory + - search/codebase + - search/fileSearch +user-invocable: true +disable-model-invocation: true +handoffs: + - label: "Security Planner (refresh plan)" + agent: Security Planner + prompt: /security-capture + send: false + - label: "SSSC Planner (supply chain gaps)" + agent: SSSC Planner + prompt: /sssc-from-security-plan + send: false + - label: "RAI Planner (new AI components)" + agent: RAI Planner + prompt: /rai-plan-from-security-plan + send: false +--- + +# Security Auditor + +Compare an existing Security Planner artifact set to the current state of the repository and produce a single gap-analysis report. Reuses `Security Reviewer` for current-state scanning. Read-only against plan artifacts and source code. + +## Startup Announcement + +Display the **Security Planning** CAUTION block from #file:../../instructions/shared/disclaimer-language.instructions.md verbatim at the start of every new conversation, before any discovery or analysis. + +Immediately after the CAUTION block, display the following **Default Exclusions** notice verbatim so the user knows which paths are excluded before any scan runs: + +> **Default exclusions in effect.** Planning and agent-customization artifacts are excluded from audit findings: +> - Paths: `.copilot-tracking/**`, `docs/planning/**`, `docs/adrs/**`, `.github/agents/**`, `.github/prompts/**`, `.github/instructions/**`, `.github/skills/**` +> - File globs: `*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md` +> +> To override, pass `scope=` explicitly. Overlapping user scope wins and is reported as a warning. + +## Purpose + +* Read an existing security plan under `.copilot-tracking/security-plans//` without modifying it. 
+* Delegate current-state assessment to `Security Reviewer` rather than re-implementing scanning. +* Synthesize a gap report that separates validated controls, drift, residual risks, new threats, and obsolete plan items. +* Recommend next handoffs (Security Planner refresh, SSSC, RAI). Never auto-dispatch. + +## Inputs + +* (Optional) `projectSlug`: Slug under `.copilot-tracking/security-plans/`. +* (Optional) `planPath`: Explicit path to a plan directory. Takes precedence over `projectSlug`. +* (Optional) `scope`: Pass-through scope hint forwarded to `Security Reviewer` as-is. When omitted, the auditor derives a scope hint from the plan's component inventory. Overlap with default-excluded prefixes is honored with a warning; the user's scope is never silently rewritten. +* (Optional) `priorReport`: Prior `Security Reviewer` report path. Passed through for incremental comparison context only. + +## Output Artifact + +Single file written under `.copilot-tracking/security-audits//`. + +* Filename pattern: `security-audit-{{YYYY-MM-DD}}-{{NNN}}.md`. +* Sequence number resolution: list existing audits in the project directory for today's date, take the highest `{{NNN}}`, increment by one, zero-pad to three digits. Start at `001` when none exist. +* Concurrency safety: if the computed file path already exists at write time (concurrent run on the same slug and date), increment `{{NNN}}` and retry until creation succeeds. Cap at `999`; if exhausted, stop with an error rather than overwriting. +* Create the directory if missing using `edit/createDirectory`. + +The auditor writes only this artifact. It does not write under `.copilot-tracking/security-plans/`, `.copilot-tracking/security/`, or any source path. + +## Plan Resolution Order + +Resolve the source plan with interactive disambiguation only on ties: + +1. If `planPath` is provided and the directory contains `state.json`, use it. +2. 
Else if `projectSlug` is provided, use `.copilot-tracking/security-plans//` when it contains `state.json`. +3. Else scan `.copilot-tracking/security-plans/*/state.json`: + * Zero matches: stop. Direct the user to run `/security-capture` or `/security-plan-from-prd` first. Do not proceed without a baseline plan. + * One match: use it. Confirm the slug with the user before proceeding. If the user declines, stop and offer to accept an explicit `planPath` or `projectSlug` on the next invocation. Do not auto-select a different plan. + * Multiple matches: list candidates with slug and last-modified time and ask the user to choose. + +## Plan Extraction Checklist + +After resolving the plan, extract and hold the following in context. Cite each item by its plan-side identifier in the final report. + +* Operational buckets and component inventory. +* Standards mappings per bucket (OWASP, NIST, CIS, WAF, CAF). +* Threats identified using `T-{BUCKET}-{NNN}` IDs. +* Planned mitigations and control placements. +* Backlog items (`WI-SEC-{NNN}` and `{{SEC-TEMP-N}}`). +* `state.json` fields: `aiComponents`, `raiEnabled`, `raiScope`, `raiTier`, `handoffGenerated`. +* Documented assumptions, residual risks, and unresolved items. + +If the plan is incomplete (for example, `currentPhase < 4` or no security model artifact), record a "baseline incomplete" note and limit the audit to categories supported by available evidence. Do not invent plan content. + +### Schema-Drift Handling + +The planner may evolve `state.json` between releases. Treat every field in the checklist as best-effort: + +* If a required key is missing, malformed, or has an unexpected type, log a `schema-drift` note naming the key, degrade to baseline-incomplete, and skip any delta category that depends on that key. +* Never infer values from siblings or defaults. 
A missing `aiComponents` array suppresses the RAI signal rather than treating it as empty; a missing `handoffGenerated` map suppresses the SSSC handoff-state check rather than treating it as `false`. + +## Reviewer Invocation Contract + +Invoke `Security Reviewer` as a subagent with `runSubagent`. Use hybrid scoping: + +* `mode`: `audit`. +* `scope`: `${input:scope}` when provided, otherwise a path list derived from the plan's component inventory. When neither yields a usable scope, omit and let Reviewer profile the full repo. +* `priorReport`: pass through `${input:priorReport}` when provided. +* Do **not** pass `targetSkill` or a specific-skills list. Reviewer must auto-profile so that skills absent from the original plan can still surface (this is what makes "New threats" and AI/supply-chain handoff detection possible). + +### Planning-Artifact Exclusions + +`Security Reviewer` in `audit` mode does not exclude planning or agent-customization artifacts on its own. To prevent noisy findings against non-application content, the auditor enforces exclusions before invoking Reviewer: + +* When building a scope hint from the plan's component inventory, **omit** any path under `.copilot-tracking/`, `docs/planning/`, `docs/adrs/`, `.github/agents/`, `.github/prompts/`, `.github/instructions/`, or `.github/skills/`. +* When `${input:scope}` is provided, accept it as-is but log a warning if it overlaps any excluded prefix above. The user's explicit scope wins; do not silently rewrite it. Record each overlapping prefix as an **opted-in prefix** for this run. +* Post-audit filtering is the contractual enforcement point: after Reviewer returns findings, drop every finding whose location matches an excluded path prefix or file glob from all delta categories, **except** findings located under an opted-in prefix (from the rule above), which are retained. 
Report the dropped count under "Filtered findings" and list any opted-in prefixes under "Exclusion overrides" in the audit summary. Do not rely on free-text directives appended to Reviewer prompts; `Security Reviewer` does not contractually honor them. + +This exclusion is local to `Security Auditor` and does not change `Security Reviewer` behavior for other callers (e.g., `/security-review`). + +Capture from Reviewer via its **Scan Completion Format** (defined in the `security-reviewer-formats` skill, `references/completion-formats.md`): + +* `REPORT_FILE_PATH` — the path to the written report. Treat this as the authoritative source of per-finding detail. +* `SKILLS_ASSESSED` — the comma-separated applicable-skills list Reviewer selected. +* Severity and summary counts from the completion message. + +The completion message does not enumerate individual finding IDs. Read the report at `REPORT_FILE_PATH` to obtain per-finding rows (ID, status, severity, location) for classification. If the completion message omits `REPORT_FILE_PATH` or the report file is unreadable, apply the retry-once protocol in Required Protocol before stopping. + +Compare Reviewer's applicable skills list to skills implied by the plan's standards mappings. Any skill Reviewer ran that the plan did not consider is a signal feeding the "Newly introduced threats" section and, when relevant, the RAI or SSSC handoff recommendation. + +### Skill-to-Plan-Facet Mapping + +Use this normative mapping when classifying Reviewer-selected skills against plan facets. A skill counts as "absent from the plan" when none of its expected plan facets are present. 
+ +| Reviewer skill | Expected plan facets | Handoff signal | +|----------------------------------------------------------------|-----------------------------------------------------------------------------------|------------------| +| `owasp-top-10` | Web application bucket with OWASP Web Top 10 standards mapping | Security Planner | +| `owasp-infrastructure` | Infrastructure or platform bucket with OWASP Infrastructure or CIS mapping | Security Planner | +| `owasp-cicd` | CI/CD or build bucket with OWASP CI/CD mapping | SSSC Planner | +| `secure-by-design` | Cross-cutting design principles mapping | Security Planner | +| `owasp-llm`, `owasp-agentic`, `owasp-mcp` | Non-empty `aiComponents` array and `raiEnabled: true` | RAI Planner | +| Any supply-chain skill (SBOM, provenance, signing, dependency) | CI/CD or build bucket with SLSA, SBOM, Sigstore, or dependency-integrity controls | SSSC Planner | + +When Reviewer selects a skill whose expected facets are all absent, list the skill in Section 2 under "Skills absent from the plan" and emit the corresponding handoff signal. + +## Comparison Model + +Apply these delta categories. Every entry must cite both the plan-side reference (threat ID, WI ID, bucket, or control name) and the Reviewer finding ID where applicable. + +| Category | Definition | +|--------------------------|--------------------------------------------------------------------------------------------| +| Validated controls | Control exists in plan and evidence of its implementation exists in the current repo scan. | +| Control drift | Control expected by plan is missing, weaker, or inconsistent with current evidence. | +| Residual planned risk | Plan already identified the risk and it remains open per current findings. | +| Newly introduced threats | Current Reviewer finding is not represented anywhere in the plan. | +| Obsolete plan items | Plan item no longer matches current architecture, removed components, or stale standards. 
| + +## Report Format + +Write the gap report with these sections in this fixed order: + +1. **Security plan source** — resolved plan path, slug, `currentPhase`, last-modified timestamp, baseline-completeness note. +2. **Current repository audit source** — Reviewer report path, mode, scope used, and applicable skills selected by Reviewer. Include a `Skills absent from the plan` sub-block listing each Reviewer-selected skill whose expected plan facets are all absent (per the Skill-to-Plan-Facet Mapping). Include a `Default exclusions applied` sub-block listing the excluded path prefixes and file globs, plus an `Exclusion overrides` line noting any user-provided scope that overlapped an excluded prefix and the opted-in prefixes retained as a result. +3. **Validated controls** — table with columns: Plan reference, Control, Evidence (Reviewer finding ID), Notes. +4. **Control drift and regressions** — table with columns: Plan reference, Expected control, Observed state, Reviewer finding ID, Severity. +5. **Residual open risks** — table with columns: Plan threat ID, Description, Reviewer finding ID, Severity, Recommended action. +6. **Newly introduced threats** — table with columns: Reviewer finding ID, Skill, Title, Severity, Affected bucket (if mappable), Recommended action. +7. **Obsolete plan items** — table with columns: Plan reference, Reason obsolete, Recommended disposition. +8. **Recommended plan updates** — bullet list scoped to changes the user should make in the plan artifacts (do not edit them automatically). +9. **Recommended backlog deltas** — bullet list of suggested new, updated, or closed backlog items in the plan's existing ID scheme. +10. **Suggested next handoffs** — explicit list of recommended handoffs with rationale (see Handoff Rules). Do not dispatch. 
+ +Include a top-of-report summary line with counts per category, the baseline-completeness flag, and a "Filtered findings" count when any Reviewer findings were dropped by the planning-artifact exclusion rules. + +## Handoff Rules + +Recommend only. The user invokes any next agent themselves. + +* **Security Planner refresh** (`/security-capture`) — when "Control drift" or "Obsolete plan items" is non-empty, or when the baseline is incomplete. +* **SSSC Planner** (`/sssc-from-security-plan`) — when newly introduced threats relate to dependency integrity, build integrity, SBOM, provenance, or artifact signing (per the Skill-to-Plan-Facet Mapping), **and** no SSSC plan exists at `.copilot-tracking/sssc-plans//state.json`. Detect plan presence with `search/fileSearch`; do not rely on planner-side `handoffGenerated` flags, which do not track SSSC handoff state. +* **RAI Planner** (`/rai-plan-from-security-plan`) — when Reviewer selected an AI-related skill (`owasp-llm`, `owasp-agentic`, `owasp-mcp`) and the plan's `aiComponents` array is missing or empty or `raiEnabled` is not `true`, **or** when no RAI plan exists at `.copilot-tracking/rai-plans//state.json` and any AI-specific threat is present. Apply Schema-Drift Handling: when `aiComponents` is missing entirely (not empty), suppress this signal rather than treating absence as a trigger. + +## Operational Constraints + +* Plan artifacts under `.copilot-tracking/security-plans/**` are **read-only**. Never modify `state.json`, plan markdown, security model, or backlog files. +* Reviewer artifacts under `.copilot-tracking/security/**` are **read-only**. +* Application source code is **read-only**. +* Write only under `.copilot-tracking/security-audits//`. +* Do not call SSSC Planner, RAI Planner, or Security Planner directly. Recommendations only. +* This agent is **not** part of the `project-planning` collection on purpose: it is a repo-state developer workflow, not a PRD/BRD/ADR planning workflow. 
Do not advertise it as a planning entry point. + +## Required Steps + +1. **Setup** — render the disclaimer block. Set today's date. Compute the audit artifact path with sequence number. +2. **Resolve plan** — apply Plan Resolution Order. If unresolved, stop and direct to Security Planner. +3. **Extract plan facts** — apply the Plan Extraction Checklist. Flag baseline incompleteness. +4. **Invoke Reviewer** — apply the Reviewer Invocation Contract. Wait for the report path and findings. +5. **Compare** — apply the Comparison Model. Populate each delta category. +6. **Write report** — create the audit artifact using the Report Format. Use only `edit/createFile`. +7. **Summarize and recommend** — display the audit summary with category counts and the explicit recommended-handoff list. + +## Required Protocol + +1. Execute Required Steps in order. +2. Treat all plan and reviewer artifacts as read-only at every step. +3. When a Reviewer response is incomplete or missing the report path, ask Reviewer to retry once. If it still fails, stop and report the failure rather than synthesizing findings. +4. Never modify application source code regardless of finding severity. +5. Do not include secrets, credentials, internal URLs, or PII in the audit artifact. +6. Do not auto-dispatch any handoff. Surface recommendations only. + +## Response Format + +End each audit run with a single completion block: + +* Audit artifact path. +* Source plan path and slug. +* Reviewer report path. +* Counts for: validated controls, control drift, residual risks, new threats, obsolete items. +* `Filtered findings: N` — count of Reviewer findings dropped by the planning-artifact exclusion rules (always print; `0` when none). +* `Default exclusions: ON` (always) plus a one-line summary of excluded path prefixes. If `${input:scope}` overlapped an excluded prefix, append `(user-scope override: — retained)` to signal that findings under that prefix were kept rather than filtered. 
+* Baseline-completeness flag. +* Recommended handoffs with one-line rationale each. diff --git a/.github/prompts/security/security-audit-from-plan.prompt.md b/.github/prompts/security/security-audit-from-plan.prompt.md new file mode 100644 index 000000000..f4c971008 --- /dev/null +++ b/.github/prompts/security/security-audit-from-plan.prompt.md 
@@ -0,0 +1,40 @@ +--- +name: security-audit-from-plan +agent: Security Auditor +description: "Audits an existing security plan against current repo state and produces a gap-analysis artifact" +argument-hint: "[projectSlug=] [planPath=.copilot-tracking/security-plans/] [scope=path/to/dir] [priorReport=path]" +--- + +# Security Audit from Plan + +> [!CAUTION] +> **Disclaimer:** This prompt is an assistive tool only. It does not replace professional security review boards, penetration testing teams, compliance auditors, or other qualified human reviewers. The gap analysis it produces consists of suggested observations and considerations to support a user's own internal security review. All findings, drift assessments, and handoff recommendations must be independently reviewed and validated by appropriate security and compliance reviewers before use. + +Activate the `Security Auditor` agent to compare an existing security plan to the current state of the repository and emit a gap-analysis artifact. The auditor reuses `Security Reviewer` for current-state scanning, never modifies plan artifacts or source code, and only writes under `.copilot-tracking/security-audits/`. + +## Default Exclusions + +Planning and agent-customization artifacts are **excluded by default** from audit findings. The auditor announces this before scanning and records it in every report. + +* Excluded paths: `.copilot-tracking/**`, `docs/planning/**`, `docs/adrs/**`, `.github/agents/**`, `.github/prompts/**`, `.github/instructions/**`, `.github/skills/**` +* Excluded file globs: `*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md` +* To override, pass `${input:scope}` pointing at any of the above. The user-provided scope wins and is reported as a warning. + +## Inputs + +* `${input:projectSlug}`: (Optional) Slug under `.copilot-tracking/security-plans/`. The agent uses it for plan resolution and audit artifact directory naming. 
+* `${input:planPath}`: (Optional) Explicit path to a plan directory containing `state.json`. Takes precedence over `projectSlug`. +* `${input:scope}`: (Optional) Pass-through scope hint forwarded to `Security Reviewer` as-is. When omitted, the agent derives a scope hint from the plan's component inventory and lets Reviewer auto-profile. Overlap with default-excluded prefixes is honored and warned; the user's scope is never silently rewritten. +* `${input:priorReport}`: (Optional) Prior `Security Reviewer` report path to provide incremental comparison context. + +## Requirements + +1. Resolve the source plan using the agent's Plan Resolution Order. When no plan exists, stop and direct the user to run `/security-capture` or `/security-plan-from-prd` first. Never proceed without a baseline plan. +2. Invoke `Security Reviewer` in `audit` mode. Do not pass `targetSkill` or a specific-skills list — Reviewer must auto-profile so that skills absent from the original plan can still surface as newly introduced threats or AI/supply-chain handoff signals. +3. Apply the agent's Comparison Model and write a single gap-analysis report at `.copilot-tracking/security-audits//security-audit-{{YYYY-MM-DD}}-{{NNN}}.md` using the fixed Report Format sections. +4. Treat `.copilot-tracking/security-plans/**`, `.copilot-tracking/security/**`, and all application source code as read-only. +5. End with a completion block listing the audit path, counts per delta category, baseline-completeness flag, and recommended handoffs. Do not auto-dispatch Security Planner, SSSC Planner, or RAI Planner. + +## Scope Note + +This prompt is intentionally **not** part of the `project-planning` collection. It is a repository-state developer workflow that operates on existing planning artifacts, not a planning entry point. Use `/security-capture` or `/security-plan-from-prd` to create or extend a plan. diff --git a/.vscode/settings.json b/.vscode/settings.json index c72e59d2b..2f9549819 100644 
--- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -26,7 +26,9 @@ }, "json.schemas": [ { - "fileMatch": [".copilot-tracking/rai-plans/*/state.json"], + "fileMatch": [ + ".copilot-tracking/rai-plans/*/state.json" + ], "url": "./scripts/linting/schemas/rai-state.schema.json" }, { @@ -88,4 +90,7 @@ "file": ".github/instructions/hve-core/commit-message.instructions.md" } ], + "chat.tools.terminal.autoApprove": { + "git stash": true + }, } diff --git a/collections/hve-core-all.collection.md b/collections/hve-core-all.collection.md index dabb4d16a..260778844 100644 --- a/collections/hve-core-all.collection.md +++ b/collections/hve-core-all.collection.md @@ -60,6 +60,7 @@ Use this edition when you want access to everything without choosing a focused c | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | | **rpi-agent** | Autonomous RPI orchestrator running Research → Plan → Implement → Review → Discover phases with specialized subagents | | **rpi-validator** | Validates a Changes Log against the Implementation Plan, Planning Log, and Research Documents for a specific plan phase | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | 
@@ -132,6 +133,7 @@ Use this edition when you want access to everything without choosing a focused c | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | | **rpi** | Autonomous Research-Plan-Implement-Review-Discover workflow for completing tasks | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | diff --git a/collections/hve-core-all.collection.yml b/collections/hve-core-all.collection.yml index e2407c5da..a441aa840 100644 --- a/collections/hve-core-all.collection.yml +++ b/collections/hve-core-all.collection.yml @@ -107,6 +107,9 @@ items: - path: .github/agents/rai-planning/rai-planner.agent.md kind: agent maturity: experimental +- path: .github/agents/security/security-auditor.agent.md + kind: agent + maturity: experimental - path: .github/agents/security/security-planner.agent.md kind: agent maturity: experimental @@ -275,6 +278,9 @@ items: - path: .github/prompts/security/risk-register.prompt.md kind: prompt maturity: experimental +- path: .github/prompts/security/security-audit-from-plan.prompt.md + kind: prompt + maturity: experimental - path: .github/prompts/security/security-capture.prompt.md kind: prompt maturity: experimental diff --git a/collections/security.collection.md b/collections/security.collection.md index 666ef0d33..de3f9195b 100644 --- a/collections/security.collection.md 
+++ b/collections/security.collection.md @@ -18,6 +18,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-planner** | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | | **report-generator** | Collates verified security skill findings into a comprehensive vulnerability report | | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | 
@@ -32,6 +33,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-plan-from-prd** | Start responsible AI assessment planning from PRD/BRD artifacts using the RAI Planner agent in from-prd mode | | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | diff --git a/collections/security.collection.yml b/collections/security.collection.yml index cf238629c..c84ef3be9 100644 --- a/collections/security.collection.yml +++ b/collections/security.collection.yml @@ -31,6 +31,9 @@ items: - path: .github/agents/security/security-reviewer.agent.md kind: agent maturity: experimental + - path: .github/agents/security/security-auditor.agent.md + kind: agent + maturity: experimental - path: .github/agents/security/subagents/codebase-profiler.agent.md kind: agent maturity: experimental @@ -98,6 +101,10 @@ items: - path: .github/prompts/security/security-review-sbd.prompt.md kind: prompt maturity: experimental + # Security Auditor Prompts + - path: .github/prompts/security/security-audit-from-plan.prompt.md + kind: prompt + maturity: experimental # SSSC Planner Prompts - path: .github/prompts/security/sssc-capture.prompt.md kind: prompt diff --git a/plugins/hve-core-all/README.md b/plugins/hve-core-all/README.md index 0f661539f..c3093e40e 100644 
--- a/plugins/hve-core-all/README.md +++ b/plugins/hve-core-all/README.md @@ -65,6 +65,7 @@ Use this edition when you want access to everything without choosing a focused c | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | | **rpi-agent** | Autonomous RPI orchestrator running Research → Plan → Implement → Review → Discover phases with specialized subagents | | **rpi-validator** | Validates a Changes Log against the Implementation Plan, Planning Log, and Research Documents for a specific plan phase | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | 
@@ -137,6 +138,7 @@ Use this edition when you want access to everything without choosing a focused c | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | | **rpi** | Autonomous Research-Plan-Implement-Review-Discover workflow for completing tasks | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | 
@@ -383,6 +385,7 @@ copilot plugin install hve-core-all@hve-core | system-architecture-reviewer | System architecture reviewer for design trade-offs, ADR creation, and well-architected alignment | | ux-ui-designer | UX research specialist for Jobs-to-be-Done analysis, user journey mapping, and accessibility requirements | | rai-planner | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | +| security-auditor | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | security-planner | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | security-reviewer | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | sssc-planner | Six-phase repository supply chain security assessment against OpenSSF Scorecard, SLSA, Sigstore, and SBOM standards, producing a prioritized backlog of reusable workflows. | 
@@ -456,6 +459,7 @@ copilot plugin install hve-core-all@hve-core | rai-plan-from-security-plan | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | incident-response | Run an incident response workflow for Azure operations scenarios | | risk-register | Create a qualitative risk register using a Probability × Impact (P×I) matrix | +| security-audit-from-plan | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | security-capture | Start security planning from existing notes using the Security Planner agent (capture mode) | | security-plan-from-prd | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | security-review-llm | Run OWASP LLM and Agentic vulnerability assessments with codebase profiling | diff --git a/plugins/hve-core-all/agents/security/security-auditor.md b/plugins/hve-core-all/agents/security/security-auditor.md new file mode 120000 index 000000000..8b023d9ae --- /dev/null +++ b/plugins/hve-core-all/agents/security/security-auditor.md @@ -0,0 +1 @@ +../../../../.github/agents/security/security-auditor.agent.md \ No newline at end of file diff --git a/plugins/hve-core-all/commands/security/security-audit-from-plan.md b/plugins/hve-core-all/commands/security/security-audit-from-plan.md new file mode 120000 index 000000000..d9eb063da --- /dev/null +++ b/plugins/hve-core-all/commands/security/security-audit-from-plan.md @@ -0,0 +1 @@ +../../../../.github/prompts/security/security-audit-from-plan.prompt.md \ No newline at end of file diff --git a/plugins/security/README.md b/plugins/security/README.md index 2c9208838..8c58300f9 100644 --- a/plugins/security/README.md +++ b/plugins/security/README.md 
@@ -26,6 +26,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-planner** | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | | **report-generator** | Collates verified security skill findings into a comprehensive vulnerability report | | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | 
@@ -40,6 +41,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-plan-from-prd** | Start responsible AI assessment planning from PRD/BRD artifacts using the RAI Planner agent in from-prd mode | | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | @@ -114,6 +116,7 @@ copilot plugin install security@hve-core | rai-planner | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | | researcher-subagent | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | | security-reviewer | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | +| security-auditor | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | codebase-profiler | Scans the repository to build a technology profile and select applicable security skills | | finding-deep-verifier | Deep adversarial verification of FAIL and PARTIAL findings for a single security skill | | report-generator | Collates verified security skill findings into a comprehensive vulnerability report | 
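Review bot: two placement and style points in this file. In the @@ -41 hunk the new `security-audit-from-plan` row has the same imperative-vs-third-person mismatch as the rest of this patch ("Audits ..." beside "Start responsible AI assessment planning ...", "Create a qualitative risk register ..."); suggest "Audit an existing security plan against current repo state and produce a gap-analysis artifact". In the @@ -116 hunk, `security-auditor` is inserted between `security-reviewer` and `codebase-profiler`; that table is not alphabetical and the visible rows read as `security-reviewer` followed by its helper agents (`codebase-profiler`, `finding-deep-verifier`, `report-generator`), so the insert splits that group. Placing the new row immediately before `security-reviewer` (or after `report-generator`) keeps the orchestrator and its subagents contiguous and matches the @@ -26 hunk above, where `security-auditor` sits next to the other top-level security agents.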
@@ -131,6 +134,7 @@ copilot plugin install security@hve-core | security-review-llm | Run OWASP LLM and Agentic vulnerability assessments with codebase profiling | | security-review-web | Run an OWASP Top 10 web vulnerability assessment without codebase profiling | | security-review-sbd | Run a Secure by Design principles assessment per UK and Australian government guidance | +| security-audit-from-plan | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | sssc-capture | Start supply chain security planning from existing knowledge using the SSSC Planner agent in capture mode | | sssc-from-prd | Start supply chain security planning from PRD artifacts using the SSSC Planner agent in from-prd mode | | sssc-from-brd | Start supply chain security planning from BRD artifacts using the SSSC Planner agent in from-brd mode | diff --git a/plugins/security/agents/security/security-auditor.md b/plugins/security/agents/security/security-auditor.md new file mode 120000 index 000000000..8b023d9ae --- /dev/null +++ b/plugins/security/agents/security/security-auditor.md @@ -0,0 +1 @@ +../../../../.github/agents/security/security-auditor.agent.md \ No newline at end of file diff --git a/plugins/security/commands/security/security-audit-from-plan.md b/plugins/security/commands/security/security-audit-from-plan.md new file mode 120000 index 000000000..d9eb063da --- /dev/null +++ b/plugins/security/commands/security/security-audit-from-plan.md @@ -0,0 +1 @@ +../../../../.github/prompts/security/security-audit-from-plan.prompt.md \ No newline at end of file
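Review bot: the @@ -134 hunk places `security-audit-from-plan` after `security-review-sbd` and before `sssc-capture`, whereas the companion commands table earlier in the same README (@@ -41) places it between `risk-register` and `security-capture`; the two listings should use the same position, and putting it next to `security-capture` and `security-plan-from-prd` here groups it with the other plan-driven security commands it is derived from. The description also needs the imperative form used by the surrounding rows ("Run OWASP LLM ...", "Start supply chain security planning ..."): "Audit an existing security plan against current repo state and produce a gap-analysis artifact". The two `plugins/security/...` symlinks below the hunk use the same four-level relative targets as the `hve-core-all` ones and resolve correctly to `.github/agents/security/security-auditor.agent.md` and `.github/prompts/security/security-audit-from-plan.prompt.md`.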