
@obrocki obrocki commented Feb 4, 2026

  • Incorporates all 10 Microsoft SDL practices for secure software development
  • Organizes security inspection areas by development lifecycle stage (Design, Code, Build/Deploy, Runtime)
  • Adds guidance for threat modeling, Zero Trust principles, and supply chain security
  • Expands responsibilities to include security design reviews and Secure by Design promotion
  • Maintains existing OWASP Top 10 and OWASP Top 10 for LLM Applications (2025) references

🔒 - Generated by Copilot

Pull Request

Description

Related Issue(s)

#416

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)

Sample Prompts and Usage

[screenshot: sample prompts and usage]

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

Additional Notes

…M applications

- include OWASP Top 10 for LLM Applications (2025) security practices
- outline responsibilities and areas to inspect during development stages
- emphasize security champion mindset and ongoing threat awareness

🔒 - Generated by Copilot
Copilot AI review requested due to automatic review settings February 4, 2026 10:06

codecov-commenter commented Feb 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.39%. Comparing base (7927db2) to head (d698f0b).

Additional details and impacted files


@@            Coverage Diff             @@
##             main     #408      +/-   ##
==========================================
- Coverage   83.41%   83.39%   -0.03%     
==========================================
  Files          20       20              
  Lines        3510     3510              
==========================================
- Hits         2928     2927       -1     
- Misses        582      583       +1     
Flag Coverage Δ
pester 83.39% <ø> (-0.03%) ⬇️



Copilot AI left a comment


Pull request overview

This PR adds a Security Champion agent and comprehensive OWASP security instruction files to integrate Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks. The PR introduces security guidance across the development lifecycle, from design through runtime, with detailed coding standards for both traditional web applications and LLM-specific security concerns.

Changes:

  • Adds Security Champion conversational agent for security-focused code review and advisory
  • Introduces comprehensive OWASP Top 10 secure coding instructions for web applications
  • Adds OWASP Top 10 for LLM Applications (2025) secure coding instructions for AI/ML security

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 14 comments.

Files reviewed:

  • .github/agents/security-champion.agent.md: New conversational agent that serves as a security advisor, integrating Microsoft SDL practices with OWASP frameworks to guide security reviews across all development stages
  • .github/instructions/owasp-for-web-applications.instructions.md: New instruction file providing comprehensive secure coding guidelines based on OWASP Top 10, covering vulnerabilities from access control to SSRF
  • .github/instructions/owasp-for-llms.instructions.md: New instruction file providing LLM-specific security guidelines based on OWASP Top 10 for LLM Applications (2025), covering prompt injection, data leakage, and other AI-specific risks

obrocki and others added 2 commits February 4, 2026 13:25
- clarify the directive for secure coding practices
- emphasize the importance of a security-first mindset
- enhance instructions for code reviews and security education

🔒 - Generated by Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 4, 2026 14:03

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

Copilot AI review requested due to automatic review settings February 4, 2026 14:54

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

@obrocki obrocki marked this pull request as ready for review February 4, 2026 16:24
@obrocki obrocki requested a review from a team as a code owner February 4, 2026 16:24
…hampion agent documentation

🔒 - Generated by Copilot
- enhance clarity and structure of security instructions
- add maturity status to both documents
- improve emphasis on security principles and practices
- refine sections for better readability and understanding

🔒 - Generated by Copilot
Copilot AI review requested due to automatic review settings February 4, 2026 16:54

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

@WilliamBerryiii

WilliamBerryiii commented Feb 4, 2026

Hi! A small request: could you update the PR title to include the conventional commit format with scope? This ensures release-please picks it up correctly for the changelog.

Suggested: `feat(agents): add security champion agent with Microsoft SDL practices`

Thanks!

@WilliamBerryiii WilliamBerryiii added this to the v2.2.0 milestone Feb 5, 2026

@katriendg katriendg left a comment


Thanks for your contribution. This is valuable, there are a few optimizations I feel are relevant before we merge.

  1. Please re-run the /prompt-analyse or prompt-builder agent again and ensure you add your new files to the context, and ask it to review your three files for recommendations. There are several open recommendations you can still apply before we merge.
  2. Evaluate the usage of the .instructions.md files and applyTo. Is it possible to merge into the custom agent instead? Especially for the LLM application instructions we do not want to enforce this upon every single edit of applicable files. Again here the Task-Researcher and/or Prompt Builder agents may help you refactor some of this in an efficient way.
  3. `## Required Phases`: given this agent has specific phases (in your case Stages), you should be able to easily reformat the agent to follow the phases approach. Also prompt-builder may do this for you.

Hope these make sense!


Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

@obrocki

obrocki commented Feb 6, 2026

Thanks for your changes, I think this is looking good for an initial inclusion into experimental pre-release so we can have some active testing, see how it behaves when used together with some of the other instructions and agents.
Please review any open comments and close them, either adopt the recommendation or leave a note and close the comment. Some of the Copilot comments are valid, some you may just want to discard, or simply outdated.
Once all comments are closed I will do a final review and expect Approval soon from my side.

Thank you for your feedback and help!

@WilliamBerryiii WilliamBerryiii modified the milestones: v2.2.0, v2.3.0 Feb 6, 2026
WilliamBerryiii and others added 2 commits February 7, 2026 15:25
…tore web applications guidelines

- introduce OWASP Top 10 for LLM Applications with detailed security measures
- restore comprehensive secure coding instructions for web applications
- ensure clear communication of security practices and principles

🔒 - Generated by Copilot
Copilot AI review requested due to automatic review settings February 9, 2026 11:16

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Copilot AI review requested due to automatic review settings February 10, 2026 20:13

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

…uctions.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 13, 2026 13:22

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 13, 2026 13:53
…uctions.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

Comment on lines +52 to +54
// GOOD: Load from environment or secret store
const apiKey = process.env.API_KEY;
// TODO: Ensure API_KEY is securely configured in your environment.

Copilot AI Feb 13, 2026


This TypeScript example line has trailing whitespace after the semicolon. It’s minor, but it can cause noisy diffs and formatting churn in copied examples. Remove the trailing spaces in the snippet.


// ❌ BAD: Direct exposure of sensitive data
const prompt = `Analyze this customer: Name: ${customer.name}, SSN: ${customer.ssn}, Income: ${customer.income}`;
// System prompt leaks: "You have access to database: postgres://admin:password@..."

Copilot AI Feb 13, 2026


The examples include credential-shaped strings (for example, a database URL with admin:password@...). Even in comments, these can trip secret scanners and are easy to cargo-cult into real code. Prefer neutral placeholders like postgres://user:REDACTED@db.example/… or POSTGRES_CONNECTION_STRING.

Suggested change
// System prompt leaks: "You have access to database: postgres://admin:password@..."
// System prompt leaks: "You have access to database: postgres://user:REDACTED@db.example/..."

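The two review comments above concern the same OWASP-for-LLMs theme (sensitive information disclosure): a secret that is read from the environment without any check, and credential-shaped strings or raw PII that end up inside prompts and comments. The following TypeScript is an added example written for this page; it is not code from the PR under review or from the repository's instruction files. `requireSecret`, `redactSecrets`, `containsSecret`, `buildCustomerPrompt`, the `Customer` shape and the income-band thresholds are assumptions made for the illustration, and the sample strings are constructed.

```typescript
// Added example (not from the PR under review). requireSecret, redactSecrets,
// containsSecret, buildCustomerPrompt, the Customer shape and the income bands
// are assumptions made for this illustration.

// 1. Read a required secret from a configuration map and fail fast when it is
//    absent, so an unset API_KEY is caught at startup rather than being sent to
//    a provider as the string "undefined". Call as requireSecret("API_KEY", process.env).
function requireSecret(name: string, env: Record<string, string | undefined>): string {
  const value = env[name];
  if (value === undefined || value.trim() === "") {
    throw new Error(`Required secret ${name} is not set`);
  }
  return value;
}

// 2. Redact credential-shaped material before text reaches a prompt, a log line
//    or an error message. Two shapes are handled:
//    - userinfo in URLs:  scheme://user:password@host  ->  scheme://user:REDACTED@host
//    - key/value and header forms: API_KEY=..., "token": "...", Authorization: Bearer ...
const URL_USERINFO = /\b([a-z][a-z0-9+.-]*:\/\/)([^\s:@\/]+):([^\s@\/]+)@/gi;
const KEY_VALUE =
  /\b(api[_-]?key|token|secret|password|authorization)(["']?\s*[:=]\s*)(["']?)(?:bearer\s+)?[^\s"',;]+/gi;

function redactSecrets(text: string): string {
  return text
    .replace(URL_USERINFO, (_m, scheme: string, user: string) => `${scheme}${user}:REDACTED@`)
    .replace(KEY_VALUE, (_m, key: string, sep: string, quote: string) => `${key}${sep}${quote}REDACTED`);
}

// Boundary check for the point where text is handed to the model or a logger:
// true when redaction would change the text, i.e. something secret-shaped is present.
function containsSecret(text: string): boolean {
  return redactSecrets(text) !== text;
}

// 3. Minimise what enters the prompt. The "BAD" snippet above interpolates the
//    whole customer record; here the model sees an opaque reference and a coarse
//    income band, never the name or SSN.
interface Customer {
  id: string;
  name: string;
  ssn: string;
  income: number;
}

function incomeBand(income: number): "low" | "mid" | "high" {
  // Thresholds are illustrative, not taken from the page.
  if (income < 30_000) return "low";
  if (income < 100_000) return "mid";
  return "high";
}

function buildCustomerPrompt(customer: Customer, task: string): string {
  const minimal = { customerRef: customer.id, incomeBand: incomeBand(customer.income) };
  const prompt = `${task}\nCustomer data: ${JSON.stringify(minimal)}`;
  // Defence in depth: even the minimised prompt is scanned before it leaves.
  return redactSecrets(prompt);
}
```

`redactSecrets` is deliberately applied on the way out (prompt, log, error message) rather than relied on as the only control: the data-minimisation step in `buildCustomerPrompt` is what keeps direct identifiers inside the application boundary, and the redaction pass catches whatever a later change might interpolate by accident. Placing `containsSecret` in a pre-commit or CI check over documentation and example files is the same logic the review comment asks for, since the `admin:password@` shape in a comment trips it just as a real credential would.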
Comment on lines +24 to +25
* #file:../instructions/security/owasp-for-web-applications.instructions.md for web application security
* #file:../instructions/security/owasp-for-llms.instructions.md for AI/ML security

Copilot AI Feb 13, 2026


Using #file: to inline two large instruction files (especially the ~500+ line LLM guidance) will significantly increase the agent’s base context and can crowd out user-provided code/context in longer chats. Consider linking to these files by path and summarizing the key rules here, or splitting out a shorter ‘core rules’ file for inlining while keeping the full guidance as reference.

Suggested change
* #file:../instructions/security/owasp-for-web-applications.instructions.md for web application security
* #file:../instructions/security/owasp-for-llms.instructions.md for AI/ML security
* [OWASP for Web Applications](../instructions/security/owasp-for-web-applications.instructions.md): core web application security principles (input validation, authentication, access control, output encoding, and error handling)
* [OWASP for LLMs](../instructions/security/owasp-for-llms.instructions.md): AI/ML and LLM-specific security guidance (prompt injection, data leakage, model abuse, and safety controls)

@@ -0,0 +1,569 @@
---
description: "When generating, reviewing, or refactoring code that interacts with Large Language Models (LLMs), read and follow these OWASP Top 10 for LLM Applications (2025) secure coding guidelines to protect against prompt injection, data leakage, and LLM-specific vulnerabilities. Apply these instructions to any LLM integration, agent framework, RAG pipeline, or AI-powered feature. Provide clear and concise security feedback and points of improvement."
applyTo: '**/*'

Copilot AI Feb 13, 2026


applyTo: '**/*' makes these LLM-specific instructions load for every file in the workspace, even when the user is not working on any LLM integration. That can add a lot of irrelevant guidance and token overhead in unrelated chats. Consider narrowing applyTo (for example, to the directories or file types where LLM code lives) or removing applyTo and relying on explicit inclusion from an agent/prompt when needed.

Suggested change
applyTo: '**/*'
applyTo: '.github/**/*.prompt.md|.github/**/*.agent.md|.github/**/*.instructions.md|.github/skills/**/SKILL.md'
