Description
Original Request
Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments generated code for fixes. Use Claude for codegen, copilot for campaign manager.
🎯 Campaign Details
Campaign ID: security-alert-burndown
Campaign Name: Security Alert Burndown
Project Board: View Project (will be updated after compilation)
Risk Level: Medium
State: Planned
📋 Workflows
Existing Workflows (Ready to Use)
1. code-scanning-fixer (Agentic)
Automatically fixes high severity code scanning alerts by creating pull requests with remediation. Runs every 30 minutes, uses cache memory to avoid duplicates, and generates secure fixes following security best practices.
Key Features:
- Prioritizes file write vulnerabilities
- Uses Claude for intelligent code generation
- Creates detailed security documentation
- Tracks fixed alerts to prevent duplicate work
2. security-scan (Regular)
Daily security scanning using multiple tools (Gosec, govulncheck, Trivy) to identify new vulnerabilities and upload results to GitHub Security.
Key Features:
- Comprehensive coverage across Go, dependencies, and filesystem
- Runs daily at 6:00 AM UTC
- Creates code scanning alerts for discovered issues
3. codeql (Regular)
Advanced semantic code analysis for Go, JavaScript, and GitHub Actions workflows using CodeQL security-and-quality query suites.
Key Features:
- Deep semantic analysis of code patterns
- Identifies complex security vulnerabilities
- Runs daily at 6:00 AM UTC
🎯 Campaign Goals
Primary Objectives
- Eliminate high-severity alerts: Burn down the backlog of high-severity code security alerts
- Prioritize file write issues: Focus first on file write vulnerabilities (path traversal, unsafe file creation)
- Cluster related alerts: Group up to 3 similar alerts for comprehensive fixes
- Generate documented fixes: All fixes include clear explanations and security best practice guidance
- Reduce manual workload: Automate security remediation while maintaining quality
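The kind of P0 finding this campaign targets, and the shape of fix `code-scanning-fixer` is expected to produce, as an added Go example that is not code from the campaign workflows or the gh-aw project: `vulnerableWrite` joins a caller-controlled name onto a base directory with no containment check, so a `../` segment or an absolute name writes outside the intended directory and an existing file or symlink is silently followed. `hardenedWrite` (the function names and the containment helper `safePath` are hypothetical) rejects absolute names and anything that still resolves outside the root after cleaning, then creates the file with `O_EXCL` and owner-only mode so an existing path is never clobbered.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested name would escape the base directory.
var ErrOutsideRoot = errors.New("path escapes the allowed root directory")

// vulnerableWrite is the P0 shape: the caller-controlled name is joined onto
// root and written with no containment check, so "../x" or an absolute name
// writes outside root, and an existing file or symlink is silently followed.
func vulnerableWrite(root, name string, data []byte) error {
	return os.WriteFile(filepath.Join(root, name), data, 0o644)
}

// safePath (hypothetical helper) resolves name under root and rejects
// absolute names and anything that still points outside root after cleaning.
func safePath(root, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, name) // Join cleans ".." segments
	rel, err := filepath.Rel(absRoot, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// hardenedWrite is the remediated form: containment check first, then an
// exclusive create (O_EXCL) so an existing file or symlink is never followed
// or clobbered, with owner-only permissions.
func hardenedWrite(root, name string, data []byte) error {
	full, err := safePath(root, name)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(full, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

func main() {
	root, err := os.MkdirTemp("", "burndown")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// The second name collapses onto the first and is refused by O_EXCL;
	// the last two are refused by the containment check.
	for _, name := range []string{"report.txt", "sub/../report.txt", "../escape.txt", "/etc/passwd"} {
		fmt.Printf("%-20s -> %v\n", name, hardenedWrite(root, name, []byte("ok")))
	}
}
```

The `Rel` check is the part CodeQL's path-injection queries look for: cleaning alone is not enough, because `filepath.Join` happily produces a path above the root. On Go 1.24 and later, `os.Root` enforces the same containment at open time and also closes the symlink race that a string check cannot.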
Success Metrics
- High-severity alert count reduction (target: zero)
- File write vulnerability count (target: zero)
- Average time to fix (from alert creation to PR merge)
- Fix quality (% of PRs merged without changes)
⏱️ Timeline
- Start Date: 2026-01-15
- Initial Burndown Target: 30 days for high-severity backlog
- Ongoing: Continuous security improvement and maintenance
🎨 Campaign Strategy
Alert Prioritization
- P0 - Critical: High severity + file write issues (path traversal, unsafe file creation)
- P1 - High: High severity + other (command injection, SQL injection, XSS)
- P2 - Medium: Medium severity + file write issues
- P3 - Medium: Medium severity + other categories
Clustering Guidelines
- Same vulnerability type (CWE/rule)
- Same file or related module
- Similar fix pattern
- Maximum of 3 alerts per PR
- Document all alert numbers in PR description
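The prioritization ladder and these clustering rules worked through in code, as an added Go example that is not part of gh-aw or the campaign workflows: it parses a constructed list of alerts in the shape of the GitHub code scanning REST API's alert object (the field names `number`, `rule.id`, `rule.security_severity_level`, `rule.tags` and `most_recent_instance.location.path` are assumed to match the API; the rule IDs, the CWE tag set used to define "file write issues", and the file paths are made up for the example), ranks each alert P0 to P3, and batches same-rule, same-directory alerts into PR-sized groups of at most three, spilling into a further batch when a cluster is larger.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
)

// Alert is the subset of a code scanning alert used here; field names assumed to match the REST API.
type Alert struct {
	Number int `json:"number"`
	Rule   struct {
		ID               string   `json:"id"`
		SecuritySeverity string   `json:"security_severity_level"`
		Tags             []string `json:"tags"`
	} `json:"rule"`
	MostRecentInstance struct {
		Location struct {
			Path string `json:"path"`
		} `json:"location"`
	} `json:"most_recent_instance"`
}

// Hypothetical set of CWE tags treated as "file write issues" (path traversal, file name control, insecure temp file).
var fileWriteCWEs = map[string]bool{
	"external/cwe/cwe-022": true,
	"external/cwe/cwe-073": true,
	"external/cwe/cwe-377": true,
}

// Priority applies the campaign ladder: P0 high+file write, P1 high+other,
// P2 medium+file write, P3 medium+other; 4 means out of scope for now.
func Priority(a Alert) int {
	base := map[string]int{"critical": 0, "high": 0, "medium": 2}
	p, ok := base[a.Rule.SecuritySeverity]
	if !ok {
		return 4
	}
	for _, t := range a.Rule.Tags {
		if fileWriteCWEs[t] {
			return p
		}
	}
	return p + 1
}

// clusterKey encodes the clustering guideline: same priority, same rule,
// same directory (the "related module" approximation used in this example).
func clusterKey(a Alert) string {
	return fmt.Sprintf("%d|%s|%s", Priority(a), a.Rule.ID, path.Dir(a.MostRecentInstance.Location.Path))
}

// Cluster returns alert numbers grouped into batches of at most maxPer,
// ordered so the first batch is the highest-priority PR to open.
func Cluster(alerts []Alert, maxPer int) [][]int {
	sort.SliceStable(alerts, func(i, j int) bool {
		ki, kj := clusterKey(alerts[i]), clusterKey(alerts[j])
		if ki != kj {
			return ki < kj
		}
		return alerts[i].Number < alerts[j].Number
	})
	var out [][]int
	last := ""
	for _, a := range alerts {
		if k := clusterKey(a); k != last || len(out[len(out)-1]) >= maxPer {
			out = append(out, nil)
			last = k
		}
		out[len(out)-1] = append(out[len(out)-1], a.Number)
	}
	return out
}

// sampleAlerts is constructed data for the example, not alerts from any repository.
const sampleAlerts = `[
{"number":101,"rule":{"id":"go/path-injection","security_severity_level":"high","tags":["external/cwe/cwe-022"]},"most_recent_instance":{"location":{"path":"pkg/cli/export.go"}}},
{"number":102,"rule":{"id":"go/path-injection","security_severity_level":"high","tags":["external/cwe/cwe-022"]},"most_recent_instance":{"location":{"path":"pkg/cli/import.go"}}},
{"number":103,"rule":{"id":"go/command-injection","security_severity_level":"high","tags":["external/cwe/cwe-078"]},"most_recent_instance":{"location":{"path":"pkg/cli/run.go"}}},
{"number":104,"rule":{"id":"go/path-injection","security_severity_level":"high","tags":["external/cwe/cwe-022"]},"most_recent_instance":{"location":{"path":"pkg/cli/cache.go"}}},
{"number":105,"rule":{"id":"go/path-injection","security_severity_level":"high","tags":["external/cwe/cwe-022"]},"most_recent_instance":{"location":{"path":"pkg/cli/lock.go"}}},
{"number":106,"rule":{"id":"go/insecure-temporary-file","security_severity_level":"medium","tags":["external/cwe/cwe-377"]},"most_recent_instance":{"location":{"path":"pkg/workflow/compile.go"}}}
]`

// PlanFromJSON parses an alert list and returns the batches a fixer would open PRs for.
func PlanFromJSON(raw string, maxPer int) ([][]int, error) {
	var alerts []Alert
	if err := json.Unmarshal([]byte(raw), &alerts); err != nil {
		return nil, err
	}
	return Cluster(alerts, maxPer), nil
}

func main() {
	plan, _ := PlanFromJSON(sampleAlerts, 3)
	fmt.Println(plan)
}
```

With the constructed input the plan is four batches: the four P0 path-injection alerts in `pkg/cli` become a full batch of three plus a one-alert remainder, then the P1 command-injection alert, then the P2 temp-file alert. Sorting on the cluster key before walking the list is what keeps the output deterministic and lets the fixer record every alert number it is about to touch in the PR description.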
AI Configuration
- Claude: Code generation and security analysis
- Copilot: Campaign management and orchestration
- Memory: Persistent learning from fix patterns and review feedback
📊 Project Board Configuration
The project board includes custom fields for tracking:
- Worker/Workflow: Which workflow is handling the alert
- Priority: High/Medium/Low based on severity and type
- Status: Todo → In Progress → Review Required → Done/Closed
- Start/End Date: Timeline tracking
- Effort: Size estimation (Small/Medium/Large)
Three views are configured:
- Campaign Roadmap: Timeline view of all alerts
- Task Tracker: Table view with all fields
- Progress Board: Kanban board by status
🤖 Instructions for Copilot Coding Agent
The campaign specification file has been created at .github/workflows/security-alert-burndown.campaign.md.
Your Task
Compile the campaign using the gh-aw CLI:
```
gh aw compile security-alert-burndown
```
This will generate the compiled workflow files based on the campaign specification.
Expected Outputs
After compilation, the following files should be created/updated:
- .github/workflows/security-alert-burndown.campaign.md (already exists)
- Any generated workflow lock files or compiled configurations
- Updated project board URL in the campaign file
Next Steps
- Run `gh aw compile security-alert-burndown`
- Review the compiled output files
- Commit all changes (campaign spec + compiled files) with a clear commit message
- Create a pull request titled: `[campaign] Add Security Alert Burndown Campaign`
- Include a summary of the campaign goals and workflows in the PR description
PR Description Template
# Campaign: Security Alert Burndown
This PR adds a new campaign to systematically address code security alerts in the repository backlog.
## Campaign Overview
- **ID**: security-alert-burndown
- **Risk Level**: Medium
- **Primary Goal**: Eliminate high-severity code security alerts
- **Focus Area**: File write vulnerabilities (path traversal, unsafe file creation)
## Workflows Included
- `code-scanning-fixer`: Automated fix generation (runs every 30m)
- `security-scan`: Daily vulnerability scanning
- `codeql`: Daily semantic code analysis
## Key Features
- Prioritizes file write issues
- Clusters up to 3 related alerts per fix
- Uses Claude for intelligent code generation
- Maintains fix history in campaign memory
- All fixes reviewed by security team
## Testing
- [ ] Campaign compiles successfully
- [ ] Workflow definitions are valid
- [ ] Project board is configured with custom fields
- [ ] Safe outputs are properly restricted
Closes #10114
Important Notes
- The project board has been created but needs the final URL updated in the campaign file
- All workflow executions will require approval due to medium risk level
- The code-scanning-fixer workflow will start automatically after merge
- Monitor the project board for progress tracking
Status: Ready for Copilot Coding Agent to compile and create PR