223 changes: 223 additions & 0 deletions .github/agents/security/security-auditor.agent.md

Large diffs are not rendered by default.

40 changes: 40 additions & 0 deletions .github/prompts/security/security-audit-from-plan.prompt.md
@@ -0,0 +1,40 @@
---
name: security-audit-from-plan
agent: Security Auditor
description: "Audits an existing security plan against current repo state and produces a gap-analysis artifact"
argument-hint: "[projectSlug=<slug>] [planPath=.copilot-tracking/security-plans/<slug>] [scope=path/to/dir] [priorReport=path]"
---

# Security Audit from Plan

> [!CAUTION]
> **Disclaimer:** This prompt is an assistive tool only. It does not replace professional security review boards, penetration testing teams, compliance auditors, or other qualified human reviewers. The gap analysis it produces consists of suggested observations and considerations to support a user's own internal security review. All findings, drift assessments, and handoff recommendations must be independently reviewed and validated by appropriate security and compliance reviewers before use.

Activate the `Security Auditor` agent to compare an existing security plan to the current state of the repository and emit a gap-analysis artifact. The auditor reuses `Security Reviewer` for current-state scanning, never modifies plan artifacts or source code, and only writes under `.copilot-tracking/security-audits/`.

## Default Exclusions

Planning and agent-customization artifacts are **excluded by default** from audit findings. The auditor announces this before scanning and records it in every report.

* Excluded paths: `.copilot-tracking/**`, `docs/planning/**`, `docs/adrs/**`, `.github/agents/**`, `.github/prompts/**`, `.github/instructions/**`, `.github/skills/**`
* Excluded file globs: `*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md`
* To override, pass `${input:scope}` pointing at any of the above. The user-provided scope wins and is reported as a warning.

## Inputs

* `${input:projectSlug}`: (Optional) Slug under `.copilot-tracking/security-plans/`. The agent uses it for plan resolution and audit artifact directory naming.
* `${input:planPath}`: (Optional) Explicit path to a plan directory containing `state.json`. Takes precedence over `projectSlug`.
* `${input:scope}`: (Optional) Pass-through scope hint forwarded to `Security Reviewer` as-is. When omitted, the agent derives a scope hint from the plan's component inventory and lets Reviewer auto-profile. Overlap with default-excluded prefixes is honored and warned; the user's scope is never silently rewritten.
* `${input:priorReport}`: (Optional) Prior `Security Reviewer` report path to provide incremental comparison context.

## Requirements

1. Resolve the source plan using the agent's Plan Resolution Order. When no plan exists, stop and direct the user to run `/security-capture` or `/security-plan-from-prd` first. Never proceed without a baseline plan.
2. Invoke `Security Reviewer` in `audit` mode. Do not pass `targetSkill` or a specific-skills list — Reviewer must auto-profile so that skills absent from the original plan can still surface as newly introduced threats or AI/supply-chain handoff signals.
3. Apply the agent's Comparison Model and write a single gap-analysis report at `.copilot-tracking/security-audits/<project-slug>/security-audit-{{YYYY-MM-DD}}-{{NNN}}.md` using the fixed Report Format sections.
4. Treat `.copilot-tracking/security-plans/**`, `.copilot-tracking/security/**`, and all application source code as read-only.
5. End with a completion block listing the audit path, counts per delta category, baseline-completeness flag, and recommended handoffs. Do not auto-dispatch Security Planner, SSSC Planner, or RAI Planner.

## Scope Note

This prompt is intentionally **not** part of the `project-planning` collection. It is a repository-state developer workflow that operates on existing planning artifacts, not a planning entry point. Use `/security-capture` or `/security-plan-from-prd` to create or extend a plan.
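Review bot: the Default Exclusions section takes the agent and prompt definitions (`.github/agents/**`, `.github/prompts/**`, `*.agent.md`, `*.prompt.md` and the rest) out of the audit's view, which includes the new `security-auditor.agent.md` and this prompt itself, so a later edit to the instructions that drive Security Reviewer or this auditor would not surface as drift unless the user remembers to pass `${input:scope}` at those paths. Excluding them is a reasonable noise reduction, but consider having the report's exclusion record state explicitly that agent-customization files were not scanned and which `.github/` paths stayed in scope, so a reader of the gap analysis knows what the baseline-completeness flag covers. Two smaller points: requirement 1 says what to do when no plan exists but not what happens when `projectSlug` and `planPath` are both omitted and more than one plan directory is present (stop and ask rather than pick one); and the artifact path in requirement 3 mixes two placeholder styles, `<project-slug>` and `{{YYYY-MM-DD}}-{{NNN}}`, while the frontmatter `argument-hint` uses `<slug>`.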
7 changes: 6 additions & 1 deletion .vscode/settings.json
@@ -26,7 +26,9 @@
},
"json.schemas": [
{
"fileMatch": [".copilot-tracking/rai-plans/*/state.json"],
"fileMatch": [
".copilot-tracking/rai-plans/*/state.json"
],
"url": "./scripts/linting/schemas/rai-state.schema.json"
},
{
Expand Down Expand Up @@ -88,4 +90,7 @@
"file": ".github/instructions/hve-core/commit-message.instructions.md"
}
],
"chat.tools.terminal.autoApprove": {
"git stash": true
},
}
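Review bot: `"chat.tools.terminal.autoApprove": { "git stash": true }` removes the confirmation prompt for a command that moves uncommitted tracked changes out of the working tree, and because keys in this setting are matched as command prefixes, `git stash drop` and `git stash clear`, which discard stashed work, would be approved as well. If the intent is only to let an agent stash before a scan, say so in a comment beside the entry and consider narrowing it to the exact forms needed rather than the bare `git stash` prefix. Also, the trailing comma after the new `},` directly before the closing brace is accepted by VS Code's JSONC parser but will break any strict JSON consumer of `.vscode/settings.json`.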
2 changes: 2 additions & 0 deletions collections/hve-core-all.collection.md
@@ -60,6 +60,7 @@ Use this edition when you want access to everything without choosing a focused c
| **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools |
| **rpi-agent** | Autonomous RPI orchestrator running Research → Plan → Implement → Review → Discover phases with specialized subagents |
| **rpi-validator** | Validates a Changes Log against the Implementation Plan, Planning Log, and Research Documents for a specific plan phase |
| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact |
| **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration |
| **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting |
| **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings |
@@ -132,6 +133,7 @@ Use this edition when you want access to everything without choosing a focused c
| **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) |
| **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix |
| **rpi** | Autonomous Research-Plan-Implement-Review-Discover workflow for completing tasks |
| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact |
| **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) |
| **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) |
| **security-review** | Run an OWASP vulnerability assessment against the current codebase |
6 changes: 6 additions & 0 deletions collections/hve-core-all.collection.yml
@@ -107,6 +107,9 @@ items:
- path: .github/agents/rai-planning/rai-planner.agent.md
kind: agent
maturity: experimental
- path: .github/agents/security/security-auditor.agent.md
kind: agent
maturity: experimental
- path: .github/agents/security/security-planner.agent.md
kind: agent
maturity: experimental
@@ -275,6 +278,9 @@ items:
- path: .github/prompts/security/risk-register.prompt.md
kind: prompt
maturity: experimental
- path: .github/prompts/security/security-audit-from-plan.prompt.md
kind: prompt
maturity: experimental
- path: .github/prompts/security/security-capture.prompt.md
kind: prompt
maturity: experimental
2 changes: 2 additions & 0 deletions collections/security.collection.md
@@ -18,6 +18,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana
| **rai-planner** | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff |
| **report-generator** | Collates verified security skill findings into a comprehensive vulnerability report |
| **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools |
| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact |
| **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration |
| **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting |
| **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings |
@@ -32,6 +33,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana
| **rai-plan-from-prd** | Start responsible AI assessment planning from PRD/BRD artifacts using the RAI Planner agent in from-prd mode |
| **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) |
| **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix |
| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact |
| **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) |
| **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) |
| **security-review** | Run an OWASP vulnerability assessment against the current codebase |
7 changes: 7 additions & 0 deletions collections/security.collection.yml
@@ -31,6 +31,9 @@ items:
- path: .github/agents/security/security-reviewer.agent.md
kind: agent
maturity: experimental
- path: .github/agents/security/security-auditor.agent.md
kind: agent
maturity: experimental
- path: .github/agents/security/subagents/codebase-profiler.agent.md
kind: agent
maturity: experimental
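Review bot: the new `security-auditor.agent.md` entry is placed after `security-reviewer.agent.md` here, while `collections/hve-core-all.collection.yml` in this same change inserts it before `security-planner.agent.md`; if these lists are kept in alphabetical order, move the entry above `security-planner.agent.md` so the two collection files agree.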
@@ -98,6 +101,10 @@ items:
- path: .github/prompts/security/security-review-sbd.prompt.md
kind: prompt
maturity: experimental
# Security Auditor Prompts
- path: .github/prompts/security/security-audit-from-plan.prompt.md
kind: prompt
maturity: experimental
# SSSC Planner Prompts
- path: .github/prompts/security/sssc-capture.prompt.md
kind: prompt
4 changes: 4 additions & 0 deletions plugins/hve-core-all/README.md
@@ -65,6 +65,7 @@ Use this edition when you want access to everything without choosing a focused c
| **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools |
| **rpi-agent** | Autonomous RPI orchestrator running Research → Plan → Implement → Review → Discover phases with specialized subagents |
| **rpi-validator** | Validates a Changes Log against the Implementation Plan, Planning Log, and Research Documents for a specific plan phase |
| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact |
| **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration |
| **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting |
| **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings |
@@ -137,6 +138,7 @@ Use this edition when you want access to everything without choosing a focused c
| **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) |
| **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix |
| **rpi** | Autonomous Research-Plan-Implement-Review-Discover workflow for completing tasks |
| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact |
| **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) |
| **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) |
| **security-review** | Run an OWASP vulnerability assessment against the current codebase |
@@ -383,6 +385,7 @@ copilot plugin install hve-core-all@hve-core
| system-architecture-reviewer | System architecture reviewer for design trade-offs, ADR creation, and well-architected alignment |
| ux-ui-designer | UX research specialist for Jobs-to-be-Done analysis, user journey mapping, and accessibility requirements |
| rai-planner | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff |
| security-auditor | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact |
| security-planner | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration |
| security-reviewer | Security skill assessment orchestrator for codebase profiling and vulnerability reporting |
| sssc-planner | Six-phase repository supply chain security assessment against OpenSSF Scorecard, SLSA, Sigstore, and SBOM standards, producing a prioritized backlog of reusable workflows. |
@@ -456,6 +459,7 @@ copilot plugin install hve-core-all@hve-core
| rai-plan-from-security-plan | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) |
| incident-response | Run an incident response workflow for Azure operations scenarios |
| risk-register | Create a qualitative risk register using a Probability × Impact (P×I) matrix |
| security-audit-from-plan | Audits an existing security plan against current repo state and produces a gap-analysis artifact |
| security-capture | Start security planning from existing notes using the Security Planner agent (capture mode) |
| security-plan-from-prd | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) |
| security-review-llm | Run OWASP LLM and Agentic vulnerability assessments with codebase profiling |
1 change: 1 addition & 0 deletions plugins/hve-core-all/agents/security/security-auditor.md