feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI
Full port of llm-security plugin for internal use on Windows with GitHub Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs) normalizes Copilot camelCase I/O to Claude Code snake_case format — all original hook scripts run unmodified. - 8 hooks with protocol translation (stdin/stdout/exit code) - 18 SKILL.md skills (Agent Skills Open Standard) - 6 .agent.md agent definitions - 20 scanners + 14 scanner lib modules (unchanged) - 14 knowledge files (unchanged) - 39 test files including copilot-port-verify.mjs (17 tests) - Windows-ready: node:path, os.tmpdir(), process.execPath, no bash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen
parent
901bf0ae12
commit
f418a8fe08
169 changed files with 37631 additions and 0 deletions
58
plugins/llm-security-copilot/skills/clean/SKILL.md
Normal file
58
plugins/llm-security-copilot/skills/clean/SKILL.md
Normal file
|
|
@ -0,0 +1,58 @@
|
|||
---
|
||||
name: security-clean
|
||||
description: Scan and remediate security findings — auto-fixes deterministic issues, confirms semi-auto with user, reports manual findings
|
||||
---
|
||||
|
||||
# Security Clean
|
||||
|
||||
Scan, classify, and remediate security findings with user confirmation.
|
||||
|
||||
## Step 1: Parse Arguments
|
||||
|
||||
- Target path = `$ARGUMENTS` or current working directory
|
||||
- `--dry-run` flag = report only, no changes
|
||||
|
||||
## Step 2: Create Backup
|
||||
|
||||
```bash
|
||||
node <plugin-root>/scanners/lib/fs-utils.mjs backup "<target>"
|
||||
```
|
||||
|
||||
## Step 3: Run Scan
|
||||
|
||||
```bash
|
||||
node <plugin-root>/scanners/lib/fs-utils.mjs tmppath clean-findings.json
|
||||
node <plugin-root>/scanners/scan-orchestrator.mjs "<target>" --output-file "<findings_file>"
|
||||
```
|
||||
|
||||
Show banner with verdict, risk score, finding counts.
|
||||
|
||||
## Step 4: Auto-fix Deterministic Issues
|
||||
|
||||
```bash
|
||||
node <plugin-root>/scanners/auto-cleaner.mjs "<target>" --findings "<findings_file>" [--dry-run]
|
||||
```
|
||||
|
||||
Report: Applied, Skipped, Failed counts.
|
||||
|
||||
## Step 5: Semi-auto Remediation
|
||||
|
||||
For findings classified as semi-auto (entropy strings, permission mismatches, typosquatted deps, ghost hooks, suspicious URLs, credential access, hidden MCP directives, homoglyphs):
|
||||
|
||||
1. Read the referenced files and understand the surrounding context
|
||||
2. Propose specific, minimal changes grouped by fix type
|
||||
3. Present each proposal to the user for confirmation before applying
|
||||
4. Apply confirmed changes via Edit tool
|
||||
|
||||
## Step 6: LLM Threat Scan
|
||||
|
||||
Read `<plugin-root>/knowledge/skill-threat-patterns.md`. Scan modified files for remaining threats. Report manual findings that require human judgment.
|
||||
|
||||
## Step 7: Validate and Report
|
||||
|
||||
Re-scan to verify fixes didn't introduce new issues. If validation fails, offer to restore from backup:
|
||||
```bash
|
||||
node <plugin-root>/scanners/lib/fs-utils.mjs restore "<target>"
|
||||
```
|
||||
|
||||
Final report: pre/post comparison, fix summaries, remaining manual findings, rollback instructions.
|
||||
Loading…
Add table
Add a link
Reference in a new issue