Campaign: Security Alert Burndown #11308

@mnkiefer

Description

Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments to the generated code for fixes. Use Claude for codegen, Copilot for campaign manager.

Campaign setup status

Status: Ready for PR review

What just happened

  • Created Project: https://github.com/orgs/githubnext/projects/134 (temporary ID - will be resolved to actual URL after compilation)
  • Created standard fields: status, campaign_id, worker_workflow, repository, priority, size, start_date, end_date
  • Created views: Campaign Roadmap (roadmap), Task Tracker (table), Progress Board (board)
  • Campaign spec already exists: .github/workflows/security-alert-burndown.campaign.md
  • Selected workflows: code-scanning-fixer, security-fix-pr

What happens next

  1. Copilot Coding Agent will compile the campaign and open a pull request.
  2. You review the PR and merge it.
  3. After merge, the orchestrator workflow can be run from the Actions tab to begin the campaign.

Copilot Coding Agent handoff

Campaign ID: security-alert-burndown
Project Temporary ID: https://github.com/orgs/githubnext/projects/134
Workflows: code-scanning-fixer, security-fix-pr

Tasks for Copilot Coding Agent

Run the following commands to compile the campaign:

gh aw compile

The campaign spec already exists at .github/workflows/security-alert-burndown.campaign.md. The compilation will generate:

  • .github/workflows/security-alert-burndown.campaign.g.md (generated orchestrator workflow)
  • .github/workflows/security-alert-burndown.campaign.lock.yml (compiled lock file)

After compilation, update the project-url field in .github/workflows/security-alert-burndown.campaign.md from the old project 130 to the new project URL (resolve the temporary ID https://github.com/orgs/githubnext/projects/134 to the actual GitHub project URL).

Commit and include in the PR:

  • .github/workflows/security-alert-burndown.campaign.md (with updated project URL)
  • .github/workflows/security-alert-burndown.campaign.g.md (generated)
  • .github/workflows/security-alert-burndown.campaign.lock.yml (compiled)

Acceptance checklist

  • gh aw compile succeeds without errors
  • Orchestrator lock file updated with correct project URL
  • Campaign spec updated with new project URL
  • PR opened and linked back to this issue (Campaign: Security Alert Burndown #11308)

Documentation

  • Getting started: (redacted)
  • Flow & lifecycle: (redacted)
  • Campaign specs: (redacted)

Campaign Summary

This campaign burns down code security alerts with the following approach:

Focus Areas:

  • File write security issues (highest priority)
  • Clustering up to 3 related alerts for efficient fixes
  • Claude-powered code generation with detailed security comments
  • PR-based review process for all fixes

Worker Workflows:

  1. code-scanning-fixer (every 30 minutes): Creates PRs for high severity alerts
  2. security-fix-pr (every 4 hours): Submits autofixes via GitHub Code Scanning API

Risk Level: High (requires 2 approvals + sponsor)

Success Metrics:

  • Critical alerts: 5 → 0
  • High-severity alerts: 15 → <5
  • Timeline: 5+ weeks (phased approach)

Ahoy! This treasure was crafted by 🏴‍☠️ Agentic Campaign Generator
