Copilot AI commented Jan 15, 2026

Security Alert Burndown Campaign Implementation

Completed Tasks

  • Understand campaign architecture and existing patterns
  • Review security alert workflows (code-scanning-fixer.md)
  • Create campaign spec file (security-alert-burndown.campaign.md)
  • Define worker workflow for the campaign (security-alert-fixer-clustered.md)
  • Test campaign compilation - both workflows compile successfully
  • Validate workflow schemas and properties
  • Run formatting checks - all pass
  • Update documentation

Implementation Complete ✅

Created a comprehensive Security Alert Burndown campaign that systematically addresses code security alerts with all required features:

Campaign Spec (security-alert-burndown.campaign.md)

  • Engine: Copilot (for campaign orchestration as required)
  • Focus: File write vulnerabilities (CWE-22, CWE-73, CWE-434, CWE-732)
  • Clustering: Supports up to 3 related alerts per fix
  • KPIs: Tracks file write alerts fixed and overall alert reduction
  • Governance: Limits 3 new items per run to maintain review capacity
  • Project Integration: Configures GitHub Projects board for tracking

Worker Workflow (security-alert-fixer-clustered.md)

  • Engine: Claude (for superior code generation as required)
  • Alert Prioritization: Focuses on file write vulnerabilities first
  • Intelligent Clustering: Groups related alerts using 4 strategies:
    1. Same file (multiple issues in one file)
    2. Same directory (related files)
    3. Same CWE type (similar vulnerabilities)
    4. Same component (logical module grouping)
  • Comprehensive Comments: All fixes include detailed inline comments explaining:
    • What vulnerability is being fixed (with alert number and CWE reference)
    • Why the fix is secure
    • What security principles are applied
    • References to relevant CWE entries and security standards
  • Cache Management: Tracks fixed alert clusters to avoid duplicates
  • Pull Request Quality: Generates detailed PR descriptions with:
    • Executive summary of fixes
    • Vulnerability descriptions for each alert
    • Clustering rationale
    • Security best practices applied
    • Testing considerations
    • Risk assessment

Key Features Delivered

File Write Priority: CWE-22, CWE-73, CWE-434, CWE-732 prioritized as requested
Clustering: Up to 3 alerts per PR using intelligent grouping strategies
Commented Code: Every fix includes comprehensive inline security comments
Claude for Codegen: Worker workflow uses Claude engine for superior security reasoning
Copilot for Management: Campaign orchestrator uses Copilot engine

Files Created

  • .github/workflows/security-alert-burndown.campaign.md - Campaign specification (5.2 KB)
  • .github/workflows/security-alert-burndown.campaign.lock.yml - Compiled campaign orchestrator (94 KB)
  • .github/workflows/security-alert-fixer-clustered.md - Worker workflow (15.2 KB)
  • .github/workflows/security-alert-fixer-clustered.lock.yml - Compiled worker workflow (80 KB)

Compilation & Validation Status

✅ All workflows compiled successfully (0 errors, 1 warning about schedule time)
✅ Code formatting validated
✅ JSON/JavaScript linting passed
✅ Documentation updated (specs/artifacts.md)

How To Use

  1. Activate Campaign: Merge this PR to activate the campaign orchestrator
  2. Automatic Runs: Orchestrator runs daily at 18:00 UTC to discover alerts
  3. Manual Trigger: Can manually dispatch the worker workflow with specific alert numbers
  4. Monitor Progress: Track via the campaign's GitHub Project board
  5. Review PRs: Worker creates labeled PRs for review: [security-fix] with campaign:security-alert-burndown label

Quality Standards

Every fix meets these quality standards:

  • Correctness: Actually resolves the security vulnerability
  • Completeness: All alerts in cluster are addressed
  • Documentation: Comprehensive inline comments and PR description
  • Testing: Clear testing guidance provided
  • Maintainability: Code remains readable and maintainable
  • No Regressions: Changes don't introduce new security issues

Original prompt

This section details the original issue you should resolve

<issue_title>Campaign: Security Alert Burndown</issue_title>
<issue_description>Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments to generated code for fixes. Use Claude for codegen, copilot for campaign manager.</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes githubnext/gh-aw#10090
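Clustering logic of the kind the worker workflow above describes (file-write CWEs first; same file, same directory, same CWE, same component; at most three alerts per cluster; a cache of already-fixed alerts), as an added example that is not gh-aw's or the workflows' own code. It assumes alerts in the shape returned by the GitHub code-scanning alerts API (`number`, `state`, `rule.tags` such as `external/cwe/cwe-022`, `most_recent_instance.location.path`); the sample alerts, the fixed-alert cache contents and the "component" heuristic (first two path segments of the file's directory) are constructed for the example.

```javascript
// Added example, not code from gh-aw or the workflows described above: a
// clustering pass over code-scanning alerts that applies the four grouping
// strategies in the order the worker workflow lists them, prioritises the
// file-write CWEs, caps clusters at three alerts and skips alerts already
// recorded in a fixed-alert cache.

const FILE_WRITE_CWES = new Set(["CWE-22", "CWE-73", "CWE-434", "CWE-732"]);
const MAX_CLUSTER_SIZE = 3;

// Constructed sample alerts using only the API fields the clustering needs.
function sampleAlert(number, path, cwe, state = "open") {
  return {
    number,
    state,
    rule: { tags: [`external/cwe/cwe-${cwe}`] },
    most_recent_instance: { location: { path } },
  };
}
const sampleAlerts = [
  sampleAlert(101, "src/upload/save.js", "022"),
  sampleAlert(102, "src/upload/save.js", "732"),
  sampleAlert(103, "src/upload/form.js", "434"),
  sampleAlert(104, "src/auth/token.js", "079"),
  sampleAlert(105, "lib/perm.js", "732"),
  sampleAlert(106, "src/upload/tmp/write.js", "073"),
  sampleAlert(107, "src/auth/session.js", "079"),
  sampleAlert(108, "src/upload/save.js", "022"), // in the fixed cache below
  sampleAlert(109, "lib/perm.js", "732", "dismissed"), // not open, ignored
  sampleAlert(110, "src/upload/meta/index.js", "079"),
  sampleAlert(111, "src/api/render.js", "079"),
];

// "external/cwe/cwe-022" -> "CWE-22" (leading zeros dropped); tagless rules give [].
function cwesOf(alert) {
  const tags = (alert.rule && alert.rule.tags) || [];
  return tags
    .map((t) => /^external\/cwe\/cwe-0*(\d+)$/i.exec(t))
    .filter(Boolean)
    .map((m) => `CWE-${m[1]}`);
}
const pathOf = (alert) => alert.most_recent_instance.location.path;
const dirOf = (p) => (p.includes("/") ? p.slice(0, p.lastIndexOf("/")) : ".");
// Hypothetical component heuristic: first two segments of the file's directory.
const componentOf = (alert) => dirOf(pathOf(alert)).split("/").slice(0, 2).join("/");
const isFileWrite = (alert) => cwesOf(alert).some((c) => FILE_WRITE_CWES.has(c));

// Strategies in the order the workflow lists them; each is tried against the seed.
const STRATEGIES = [
  ["same-file", (a, b) => pathOf(a) === pathOf(b)],
  ["same-directory", (a, b) => dirOf(pathOf(a)) === dirOf(pathOf(b))],
  ["same-cwe", (a, b) => cwesOf(a).some((c) => cwesOf(b).includes(c))],
  ["same-component", (a, b) => componentOf(a) === componentOf(b)],
];

// fixedCache: Set of alert numbers already fixed by an earlier run (deduplication).
function clusterAlerts(alerts, fixedCache = new Set()) {
  const candidates = alerts
    .filter((a) => a.state === "open" && !fixedCache.has(a.number))
    // File-write alerts first, then ascending alert number.
    .sort((a, b) => Number(isFileWrite(b)) - Number(isFileWrite(a)) || a.number - b.number);
  const used = new Set();
  const clusters = [];
  for (const seed of candidates) {
    if (used.has(seed.number)) continue;
    used.add(seed.number);
    const members = [seed];
    const strategies = [];
    for (const [name, related] of STRATEGIES) {
      for (const other of candidates) {
        if (members.length >= MAX_CLUSTER_SIZE) break;
        if (used.has(other.number) || !related(seed, other)) continue;
        used.add(other.number);
        members.push(other);
        if (!strategies.includes(name)) strategies.push(name);
      }
    }
    clusters.push({
      alerts: members.map((a) => a.number),
      cwes: [...new Set(members.flatMap(cwesOf))],
      strategies,
    });
  }
  return clusters;
}

// One-line clustering rationale of the kind a PR description would carry.
function clusterSummary(cluster) {
  const ids = cluster.alerts.map((n) => `#${n}`).join(", ");
  const how = cluster.strategies.length
    ? `grouped by ${cluster.strategies.join(" + ")}`
    : "no related open alerts";
  return `${ids} (${cluster.cwes.join(", ")}): ${how}`;
}

// Stand-alone run: alert 108 is already in the fixed cache, 109 is dismissed.
for (const c of clusterAlerts(sampleAlerts, new Set([108]))) {
  console.log(clusterSummary(c));
}
```

Each strategy is tested against the cluster's seed rather than against the most recently added member, so a cluster cannot drift (file A, then a neighbour of A, then a neighbour of that neighbour) away from the alert the PR is nominally about; the file-write sort also means a file-write alert always seeds its cluster, and the per-cluster `strategies` list is what the PR description cites as clustering rationale.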


Copilot AI and others added 2 commits January 15, 2026 15:18
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
