open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Browse source 
Full port of llm-security plugin for internal use on Windows with GitHub
Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs)
normalizes Copilot camelCase I/O to Claude Code snake_case format — all
original hook scripts run unmodified.

- 8 hooks with protocol translation (stdin/stdout/exit code)
- 18 SKILL.md skills (Agent Skills Open Standard)
- 6 .agent.md agent definitions
- 20 scanners + 14 scanner lib modules (unchanged)
- 14 knowledge files (unchanged)
- 39 test files including copilot-port-verify.mjs (17 tests)
- Windows-ready: node:path, os.tmpdir(), process.execPath, no bash

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-04-09 21:56:10 +02:00
commit f418a8fe08
169 changed files with 37631 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

38
plugins/llm-security-copilot/skills/pre-deploy/SKILL.md Normal file
View file

@ -0,0 +1,38 @@
---
name: security-pre-deploy
description: Pre-deployment security checklist — verify controls, compliance, and production readiness
---
# Pre-Deploy Checklist
10 automated checks + 3 manual verification questions.
## Automated Checks (PASS/FAIL/WARN/N-A)
Perform these checks using Read, Glob, and Grep:
1. **Deny-first permissions** — Settings contain restrictive default permissions
2. **Secrets hook active** — pre-edit-secrets hook is registered and script exists
3. **Path guard active** — pre-write-pathguard hook is registered and script exists
4. **Destructive command guard** — pre-bash-destructive hook registered and script exists
5. **MCP servers verified** — All configured MCP servers have been audited
6. **No hardcoded secrets** — Grep for API keys, tokens, passwords in source files
7. **Gitignore covers secrets** — .gitignore includes .env, credentials, keys
8. **Security instructions present** — CLAUDE.md or copilot-instructions.md has security section
9. **Sandbox enabled** — No `dangerouslySkipPermissions` or bypass flags
10. **Audit logging** — Post-tool hooks are active for monitoring
## Manual Verification
Ask the user these questions:
1. "Is this running on an Enterprise plan with audit logging?"
2. "Has a Data Protection Impact Assessment (DPIA) been completed?"
3. "Is there an incident response plan for AI security events?"
## Report
Present as checklist table. Verdict by pass count:
- 10/10: Low risk — Ready to deploy
- 7-9: Medium risk — Address gaps first
- 4-6: High risk — Significant exposure
- 0-3: Extreme risk — Do not deploy