diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index acfaccf..65b7b06 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md @@ -98,7 +98,6 @@ These instructions guide GitHub Copilot to suggest secure, intentional code patt - Do not use insecure hash functions like `md5` or `sha1` for password storage — use a modern password hashing lib. - Do not commit `.env` files or hardcode secrets — use secrets management infrastructure. - --- ## 🧠 4. AI-Generated Code Safety diff --git a/.github/prompts/secure-code-review.prompt.md b/.github/prompts/secure-code-review.prompt.md new file mode 100644 index 0000000..ececc12 --- /dev/null +++ b/.github/prompts/secure-code-review.prompt.md @@ -0,0 +1,74 @@ +# 🛡️ Prompt: Secure Code Review + +You are a senior software engineer performing a **comprehensive secure code review**. + +--- + +## ✅ Context Instructions + +- Start from a **fresh analysis context**. +- Disregard any previously seen reviews, summaries, or cached content. +- Re-scan the **entire current codebase** visible in this workspace. + +--- + +## 🔍 Step 1: Project Mapping + +- List all visible files and folders. +- For each, briefly describe its purpose or domain (e.g., "core logic," "auth," "logging utilities"). + +--- + +## 🧭 Step 2: Subsystem Discovery + +- Identify the key **subsystems or functional domains** in this project. +- Explain what role each plays (e.g., request routing, encryption, config parsing). + +--- + +🛡️ **Step 3: Deep Review by Subsystem** +For each subsystem: + +- Highlight strengths +- Identify security observations + - Show file paths + relevant code +- Note code quality or maintainability issues + +Quote relevant code snippets or describe logic where needed. + +--- + +## 📄 Final Output Format + +Generate a single Markdown file named `REVIEW.MD` with the following structure: + +```markdown +# 📋 Project Secure Code Review + +## ✅ Strengths +- ... + +## 🛡️ Security Observations +### [filename/path] +- **Issue**: ... +- **Impact**: ... +- **Recommendation**: ... + +## 🔍 Code Quality Notes +- ... + +## 🧭 Suggested Next Steps +- ... +``` + +## ⚠️ Important + +Pay close attention to logic around: + +- input validation +- secrets or config handling +- logger redaction (e.g. loggerENVCheck, loggerStackCheck) +- access control +- environment-specific behavior + +Respond only after completing a fresh read of the codebase. diff --git a/README.md b/README.md index f07e206..9086e86 100644 --- a/README.md +++ b/README.md @@ -44,14 +44,14 @@ Copilot will scan the file using the selected prompt and return flagged issues, The `tests/` folder contains small, focused files designed to trigger specific security prompts: -| File | Targets | -|--------------------------------|------------------------------------------| -| `secret-hardcode.js` | check-for-secrets.md | -| `unvalidated-input.java` | validate-input-handling.md | -| `insecure-api.cs` | scan-for-insecure-apis.md | -| `logs-sensitive-data.go` | assess-logging.md | -| `weak-auth-flow.ts` | review-auth-flows.md | -| `overtrusted-genai-snippet.js` | unvalidated-genai-acceptances.md | +| File | Targets | +|--------------------------------|-----------------------------------| +| `secret-hardcode.js` | check-for-secrets.md | +| `unvalidated-input.java` | validate-input-handling.md | +| `insecure-api.cs` | scan-for-insecure-apis.md | +| `logs-sensitive-data.go` | assess-logging.md | +| `weak-auth-flow.ts` | review-auth-flows.md | +| `overtrusted-genai-snippet.js` | unvalidated-genai-acceptances.md | To run a test: diff --git a/copilot-instructions.md b/copilot-instructions.md index acfaccf..65b7b06 100644 --- a/copilot-instructions.md +++ b/copilot-instructions.md @@ -98,7 +98,6 @@ These instructions guide GitHub Copilot to suggest secure, intentional code patt - Do not use insecure hash functions like `md5` or `sha1` for password storage — use a modern password hashing lib. - Do not commit `.env` files or hardcode secrets — use secrets management infrastructure. - --- ## 🧠 4. AI-Generated Code Safety diff --git a/package-lock.json b/package-lock.json index 8c35f88..7164d43 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,5 +1,5 @@ { - "name": "CoPilot-Security-Instructions", + "name": "copilot-security-instructions", "lockfileVersion": 3, "requires": true, "packages": { diff --git a/prompts/secure-code-review.prompt.md b/prompts/secure-code-review.prompt.md new file mode 100644 index 0000000..ececc12 --- /dev/null +++ b/prompts/secure-code-review.prompt.md @@ -0,0 +1,74 @@ +# 🛡️ Prompt: Secure Code Review + +You are a senior software engineer performing a **comprehensive secure code review**. + +--- + +## ✅ Context Instructions + +- Start from a **fresh analysis context**. +- Disregard any previously seen reviews, summaries, or cached content. +- Re-scan the **entire current codebase** visible in this workspace. + +--- + +## 🔍 Step 1: Project Mapping + +- List all visible files and folders. +- For each, briefly describe its purpose or domain (e.g., "core logic," "auth," "logging utilities"). + +--- + +## 🧭 Step 2: Subsystem Discovery + +- Identify the key **subsystems or functional domains** in this project. +- Explain what role each plays (e.g., request routing, encryption, config parsing). + +--- + +🛡️ **Step 3: Deep Review by Subsystem** +For each subsystem: + +- Highlight strengths +- Identify security observations + - Show file paths + relevant code +- Note code quality or maintainability issues + +Quote relevant code snippets or describe logic where needed. + +--- + +## 📄 Final Output Format + +Generate a single Markdown file named `REVIEW.MD` with the following structure: + +```markdown +# 📋 Project Secure Code Review + +## ✅ Strengths +- ... + +## 🛡️ Security Observations +### [filename/path] +- **Issue**: ... +- **Impact**: ... +- **Recommendation**: ... + +## 🔍 Code Quality Notes +- ... + +## 🧭 Suggested Next Steps +- ... +``` + +## ⚠️ Important + +Pay close attention to logic around: + +- input validation +- secrets or config handling +- logger redaction (e.g. loggerENVCheck, loggerStackCheck) +- access control +- environment-specific behavior + +Respond only after completing a fresh read of the codebase.