feat: add security review workflow with Copilot CLI

Agent-Logs-Url: https://github.com/sitoader/agentic-workflows-copilot-cli/sessions/f3bb15c7-5d78-4d7b-8903-f1e902534f07

Co-authored-by: sitoader <62118837+sitoader@users.noreply.github.com>

Author: Copilot

.github/prompts/analyze-for-security.prompt.md

@@ -0,0 +1,115 @@
+# Analyze Commit for Security Issues
+
+Analyze commit `{COMMIT_SHA}` in repository `{REPOSITORY}` using the GitHub MCP server to identify security vulnerabilities, insecure coding patterns, or exposed secrets.
+
+## Your Task
+
+1. **Examine the commit** using MCP to access:
+   - Commit diff and all changed files
+   - Existing codebase context
+   - Project structure and dependencies
+
+2. **Identify security concerns** - Look for:
+   - Hardcoded secrets, API keys, tokens, or passwords
+   - SQL injection or NoSQL injection vulnerabilities
+   - Cross-site scripting (XSS) vulnerabilities
+   - Insecure deserialization
+   - Missing input validation or sanitization
+   - Exposed sensitive data in logs or responses
+   - Insecure direct object references (IDOR)
+   - Missing or weak authentication/authorization checks
+   - Use of known-vulnerable libraries or functions
+   - Insecure cryptographic practices (weak algorithms, hardcoded IVs/salts)
+   - Path traversal or directory traversal vulnerabilities
+   - Command injection or OS command execution risks
+   - Insecure file uploads
+   - Missing rate limiting on sensitive endpoints
+   - CORS misconfiguration
+   - Insecure dependencies introduced (if lockfile or manifest changed)
+
+3. **Evaluate each finding** using a severity scale:
+
+   | Severity | Description |
+   |----------|-------------|
+   | 🔴 Critical | Immediate exploitation risk (e.g., exposed credentials, RCE) |
+   | 🟠 High | Likely exploitable (e.g., SQL injection, auth bypass) |
+   | 🟡 Medium | Exploitable under certain conditions (e.g., XSS, IDOR) |
+   | 🔵 Low | Best-practice violation with limited impact |
+
+4. **Calculate a confidence score** (0-100) for whether a security issue requires attention:
+   - 80-100: Critical or high-severity findings — immediate action required
+   - 60-79: Medium-severity findings — action recommended
+   - 40-59: Low-severity findings — action optional
+   - 0-39: No meaningful security concerns detected
+
+   ### ✅ Flag These:
+   - Any hardcoded credential or secret value
+   - User-controlled data passed to queries, shell commands, or file paths without sanitization
+   - Authentication or authorization logic that could be bypassed
+   - New dependencies with known CVEs
+   - Sensitive data returned to clients without redaction
+   - Security-relevant configuration that is weakened (e.g., disabling TLS verification)
+
+   ### ❌ Skip These:
+   - Pure documentation or comment changes
+   - Test files using clearly fake/mock credentials
+   - Formatting or whitespace changes
+   - Changes that are entirely unrelated to security
+
+5. **If security concerns are found (score >= 60):**
+
+   Create a GitHub issue using MCP with:
+
+   **Title:** `🔒 Security review needed for: [brief description of changes]`
+
+   **Body should include:**
+   ```markdown
+   ## Security Review Analysis
+
+   **Commit:** {COMMIT_SHA}
+   **Confidence Score:** [X]/100
+
+   ### Findings
+
+   | Severity | File | Line(s) | Description |
+   |----------|------|---------|-------------|
+   | 🔴 Critical | `path/to/file.ext` | 42 | Hardcoded API key detected |
+   | 🟠 High | `path/to/file.ext` | 87-92 | Unsanitized user input passed to query |
+
+   ### Detailed Findings
+
+   #### Finding 1 – [Short Title]
+
+   **Severity:** [Critical / High / Medium / Low]
+   **File:** `path/to/file.ext` (line [N])
+
+   **Issue:**
+   [Describe what the problem is and why it is a security risk.]
+
+   **Recommendation:**
+   [Describe the fix or mitigation needed.]
+
+   ---
+
+   ### Why This Needs Attention
+
+   [Summarize the overall risk introduced by these changes.]
+
+   ---
+   *Auto-generated by security review workflow*
+   ```
+
+   - Add labels: `security`, `automated`
+   - Use assign_copilot_to_issue tool to assign @copilot to the issue
+
+6. **If no security concerns are found (score < 60):**
+   - Provide a brief explanation of why no action is needed
+   - No issue creation required
+
+## Important Guidelines
+
+- Be language-agnostic — detect the language from file extensions
+- Do NOT flag test fixtures or mock data that use clearly fake values (e.g., `password: "test123"` inside a unit test helper)
+- Prioritize real, exploitable vulnerabilities over theoretical or highly unlikely ones
+- Include the specific line or code snippet in your finding description where possible
+- Be specific about WHAT should be fixed and HOW, not just that something looks risky

.github/workflows/security-review.yml

@@ -0,0 +1,50 @@
+name: Security Review with Copilot
+
+on:
+  push:
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - '.github/workflows/**'
+      - '.gitignore'
+      - 'LICENSE'
+
+jobs:
+  security-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install GitHub Copilot CLI
+        env:
+          GH_TOKEN: ${{ secrets.COPILOT_CLI_TOKEN }}
+        run: |
+          curl -fsSL https://gh.io/copilot-install | bash
+          echo "Installed Copilot CLI version:"
+          copilot --version
+
+      - name: Analyze and review security with Copilot
+        env:
+          GH_TOKEN: ${{ secrets.COPILOT_CLI_TOKEN }}
+        run: |
+          echo "Analyzing commit ${{ github.sha }} for security issues..."
+          echo ""
+
+          # Load the prompt template
+          PROMPT=$(cat .github/prompts/analyze-for-security.prompt.md)
+          PROMPT="${PROMPT//\{COMMIT_SHA\}/${{ github.sha }}}"
+          PROMPT="${PROMPT//\{REPOSITORY\}/${{ github.repository }}}"
+
+          echo "Delegating to GitHub Copilot for security analysis..."
+          echo "- Copilot will examine the commit diff"
+          echo "- Copilot will check for security vulnerabilities and risky patterns"
+          echo "- Copilot will create an issue if security concerns are found"
+          echo ""
+
+          copilot -p "$PROMPT" --enable-all-github-mcp-tools --allow-all-tools --no-ask-user

README.md

@@ -8,6 +8,7 @@ Agentic workflows with GitHub Actions & Copilot: generate-docs, generate-tests,
 |----------|---------|-------------|
 | [Generate Docs](docs/workflows/generate-docs.md) | Push | Analyzes commits and creates documentation issues |
 | [Generate Tests](docs/workflows/generate-tests.md) | Push | Identifies missing unit tests and creates issues |
+| [Security Review](docs/workflows/security-review.md) | Push | Scans commits for vulnerabilities and creates issues |
 
 ---
 

docs/workflows/security-review.md

@@ -0,0 +1,154 @@
+# Security Review Workflow
+
+**Workflow File**: [`.github/workflows/security-review.yml`](../../.github/workflows/security-review.yml)
+
+This workflow analyzes commits for security vulnerabilities, insecure coding patterns, and exposed secrets, then automatically creates issues for Copilot to remediate.
+
+
+## Overview
+
+The Security Review workflow uses GitHub Copilot CLI to examine code changes and identify security concerns before they reach production. By automating security analysis on every push, teams can catch vulnerabilities early without relying solely on manual code review or scheduled scans.
+
+
+## How It Works
+
+```mermaid
+flowchart TD
+    A[Push to Repository] --> B{Source files changed?}
+    B -->|No| C[Skip workflow]
+    B -->|Yes| D[Install Copilot CLI]
+    D --> E[Load analyze-security prompt]
+    E --> F[Copilot analyzes commit diff]
+    F --> G{Security issues found?}
+    G -->|No| H[Exit - No concerns found]
+    G -->|Yes| I[Create GitHub Issue]
+    I --> J[Assign Copilot Coding Agent]
+    J --> K[Agent implements fixes]
+    K --> L[PR created with remediations]
+```
+
+### Step-by-Step Process
+
+1. **Triggers on every push** (excluding docs, markdown, and workflow files)
+2. **Installs Copilot CLI** in the GitHub Actions runner
+3. **Loads the analyze-for-security prompt** from [`.github/prompts/analyze-for-security.prompt.md`](../../.github/prompts/analyze-for-security.prompt.md)
+4. **Copilot examines the commit diff** using MCP tools
+5. **If security concerns are found** → Creates a GitHub issue and assigns Copilot
+6. **Copilot Coding Agent** then implements the remediations
+
+
+## Criteria for Security Review
+
+### ✅ Issues ARE Flagged
+
+| Category | Examples |
+|----------|---------|
+| Exposed Credentials | Hardcoded API keys, tokens, passwords |
+| Injection Vulnerabilities | SQL injection, command injection, path traversal |
+| Insecure Input Handling | Missing validation/sanitization on user input |
+| Auth/Authz Weaknesses | Missing auth checks, privilege escalation risks |
+| Insecure Cryptography | Weak algorithms, hardcoded IVs or salts |
+| Sensitive Data Exposure | Logging PII, returning secrets in API responses |
+| Dependency Risks | New dependencies with known CVEs |
+| Configuration Weaknesses | Disabled TLS verification, permissive CORS |
+
+### ❌ Issues NOT Flagged
+
+| Category | Examples |
+|----------|---------|
+| Documentation Only | README, comments, JSDoc |
+| Mock/Fake Credentials in Tests | `password: "fake-test-value"` in test helpers |
+| Formatting Changes | Whitespace, linting fixes |
+| Unrelated Logic Changes | UI tweaks, dependency version bumps with no CVE |
+
+
+## Configuration
+
+### Trigger Configuration
+
+The workflow runs on source code changes:
+
+```yaml
+on:
+  push:
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - '.github/workflows/**'
+      - '.gitignore'
+      - 'LICENSE'
+```
+
+### Required Secrets
+
+| Secret | Description |
+|--------|-------------|
+| `COPILOT_CLI_TOKEN` | Personal Access Token with Copilot permissions |
+
+
+## Prompt File
+
+The workflow uses a specialized prompt to guide Copilot's security analysis:
+
+**Location**: [`.github/prompts/analyze-for-security.prompt.md`](../../.github/prompts/analyze-for-security.prompt.md)
+
+This prompt instructs Copilot to:
+- Analyze the git diff for security anti-patterns and vulnerabilities
+- Assign a severity level (Critical / High / Medium / Low) to each finding
+- Calculate a confidence score to filter out low-signal noise
+- Create a structured issue with actionable remediation guidance
+
+
+## Example Issue Created
+
+When the workflow detects security concerns, it creates an issue like:
+
+```markdown
+## 🔒 Security Review Analysis
+
+**Commit**: abc1234
+**Confidence Score**: 92/100
+
+### Findings
+
+| Severity | File | Line(s) | Description |
+|----------|------|---------|-------------|
+| 🔴 Critical | `src/config.ts` | 12 | Hardcoded AWS secret key |
+| 🟠 High | `src/routes/user.ts` | 55-60 | Unsanitized user ID passed to SQL query |
+
+### Detailed Findings
+
+#### Finding 1 – Hardcoded AWS Secret Key
+
+**Severity:** Critical
+**File:** `src/config.ts` (line 12)
+
+**Issue:**
+An AWS secret access key is committed in plain text, exposing the credential to anyone with repository access.
+
+**Recommendation:**
+Remove the hardcoded value, rotate the exposed key immediately, and load it from an environment variable or secrets manager.
+
+---
+*Auto-generated by security review workflow*
+```
+
+
+## Troubleshooting
+
+### Workflow Not Triggering
+
+- Verify the push includes files outside the `paths-ignore` patterns
+- Check that the workflow file exists in the default branch
+
+### Copilot Not Creating Issues
+
+- Ensure `COPILOT_CLI_TOKEN` secret is configured
+- Verify the token has `Copilot Requests` permission
+- Check workflow logs for authentication errors
+
+### Agent Not Implementing Fixes
+
+- Confirm Copilot Coding Agent is enabled in repository settings
+- Verify the issue is properly assigned to `@copilot`
+- Review the issue body to ensure findings are clearly described