[WIP] Create campaign to resolve security alert backlog

[Copilot]

• Create campaign specification file at .github/workflows/security-alert-burndown.campaign.md
• Compile the campaign using gh aw compile security-alert-burndown
• Verify generated files (.campaign.lock.yml)
• Run validation and tests
• Commit all generated files

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Campaign: Security Alert Burndown</issue_title>
<issue_description>📊 Project Board: Created (URL will be available after workflow completion)

Original Request

Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments generated code for fixes. Use Claude for codegen, copilot for campaign manager.

---

🎯 Campaign Details

Campaign ID: security-alert-burndown
Campaign Name: Security Alert Burndown
Risk Level: Medium
State: Planned

📋 Workflows

Existing Workflows (Ready to Use)

• code-scanning-fixer: Automatically fixes high severity code scanning alerts by creating pull requests with remediation. Runs every 30 minutes to continuously address new and existing alerts. Processes one alert per run with detailed security analysis.

• security-fix-pr: Identifies and creates autofixes for code security issues using GitHub Code Scanning's autofix API. Can fix up to 5 alerts per run, supports both scheduled (every 4h) and manual triggering.

Workflow Coordination

• Claude: Used for advanced codegen and complex security fix reasoning
• Copilot: Serves as campaign manager for workflow orchestration

🎯 Goals

• Eliminate file write vulnerabilities: Prioritize and fix all file write security issues first
• Cluster related alerts: Group up to 3 similar alerts for efficient batch fixing
• Generate documented fixes: Create clear, well-documented code changes with security rationale
• Reduce alert backlog to zero: Systematically work through all open security alerts

📊 Execution Strategy

Phase 1: File Write Vulnerabilities (Priority)

• Path traversal vulnerabilities
• Arbitrary file write/upload issues
• Unsafe file handling

Phase 2: High Severity Alerts

• SQL injection
• Command injection
• XSS vulnerabilities

Phase 3: Medium/Low Priority (Ongoing)

• Systematically work through remaining alerts

⏱️ Timeline

• Start Date: Upon compilation and approval
• Target Completion: Ongoing until backlog reaches zero

📈 Success Metrics

• 100% of file write vulnerabilities resolved within first 2 weeks
• 75% reduction in total alert count within 30 days
• Zero high-severity alerts older than 7 days
• 95%+ of automated fixes accepted without modification

---

🤖 Instructions for Copilot Coding Agent

The campaign specification file has been created at .github/workflows/security-alert-burndown.campaign.md.

Your task: Run gh aw compile security-alert-burndown to compile the campaign.

This will:

1. Generate the compiled campaign workflow files
2. Set up the project tracking infrastructure
3. Enable the campaign workflows to begin execution

After compilation:

1. Commit all generated files (spec + compiled workflows)
2. Create a pull request with your changes
3. Tag @mnkiefer for review and approval</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes githubnext/gh-aw#10321

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.