open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Browse source 
Full port of llm-security plugin for internal use on Windows with GitHub
Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs)
normalizes Copilot camelCase I/O to Claude Code snake_case format — all
original hook scripts run unmodified.

- 8 hooks with protocol translation (stdin/stdout/exit code)
- 18 SKILL.md skills (Agent Skills Open Standard)
- 6 .agent.md agent definitions
- 20 scanners + 14 scanner lib modules (unchanged)
- 14 knowledge files (unchanged)
- 39 test files including copilot-port-verify.mjs (17 tests)
- Windows-ready: node:path, os.tmpdir(), process.execPath, no bash

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-04-09 21:56:10 +02:00
commit f418a8fe08
169 changed files with 37631 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

151
plugins/llm-security-copilot/templates/archive/clean-report.md Normal file
View file

@ -0,0 +1,151 @@
# Security Clean Report — {{TARGET}}
**Date:** {{TIMESTAMP}}
**Mode:** {{MODE}} (live / dry-run)
**Backup:** {{BACKUP_PATH}}
**Duration:** {{DURATION_MS}}ms
---
## Remediation Summary
> [!{{VERDICT_TYPE}}]
> **Pre-clean:** {{PRE_VERDICT}} ({{PRE_RISK_SCORE}}/100) — {{PRE_TOTAL_FINDINGS}} findings
> **Post-clean:** {{POST_VERDICT}} ({{POST_RISK_SCORE}}/100) — {{POST_TOTAL_FINDINGS}} findings
> **Risk reduction:** {{RISK_REDUCTION}}%
| Metric | Before | After | Delta |
|--------|--------|-------|-------|
| Risk Score | {{PRE_RISK_SCORE}} | {{POST_RISK_SCORE}} | {{RISK_DELTA}} |
| Total Findings | {{PRE_TOTAL_FINDINGS}} | {{POST_TOTAL_FINDINGS}} | {{FINDINGS_DELTA}} |
| Critical | {{PRE_CRITICAL}} | {{POST_CRITICAL}} | {{CRITICAL_DELTA}} |
| High | {{PRE_HIGH}} | {{POST_HIGH}} | {{HIGH_DELTA}} |
| Medium | {{PRE_MEDIUM}} | {{POST_MEDIUM}} | {{MEDIUM_DELTA}} |
| Low | {{PRE_LOW}} | {{POST_LOW}} | {{LOW_DELTA}} |
| Info | {{PRE_INFO}} | {{POST_INFO}} | {{INFO_DELTA}} |
---
## Fix Summary
| Category | Count |
|----------|-------|
| Auto-fixes applied | {{AUTO_APPLIED}} |
| Semi-auto approved | {{SEMI_APPROVED}} |
| Semi-auto skipped | {{SEMI_SKIPPED}} |
| LLM-detected auto-fixes | {{LLM_AUTO_APPLIED}} |
| LLM-detected semi-auto approved | {{LLM_SEMI_APPROVED}} |
| Manual (reported only) | {{MANUAL_COUNT}} |
| Skipped (historical) | {{HISTORICAL_COUNT}} |
| Failed | {{FAILED_COUNT}} |
| **Total processed** | **{{TOTAL_PROCESSED}}** |
---
## Auto-Fixes Applied
<!-- Findings removed fully automatically — no user interaction required. -->
| Finding ID | File | Operation | Description |
|------------|------|-----------|-------------|
{{AUTO_FIXES_ROWS}}
> [!TIP]
> Auto-fixes are lossless operations: stripping zero-width characters, removing known-malicious
> strings, or replacing hardcoded secrets with placeholder tokens.
---
## Semi-Auto Fixes Applied
<!-- Findings where the fix was proposed and the user approved the change. -->
| Finding ID | File | Change Description | Rationale |
|------------|----|-------------------|-----------|
{{SEMI_AUTO_APPLIED_ROWS}}
---
## Semi-Auto Fixes Skipped
<!-- Findings where the proposed fix was reviewed but the user chose not to apply it. -->
| Finding ID | Proposed Change | User Decision |
|------------|----------------|---------------|
{{SEMI_AUTO_SKIPPED_ROWS}}
---
## Remaining Manual Findings
<!-- These findings require human judgment or architectural changes and cannot be auto-remediated. -->
| Finding ID | Severity | File | Description | Recommendation |
|------------|----------|------|-------------|----------------|
{{MANUAL_FINDINGS_ROWS}}
> [!CAUTION]
> Manual findings are not reduced by re-running `/security clean`. Address them directly
> in the codebase, then re-run `/security scan` to verify the fix.
---
## Skipped (Historical)
<!-- GIT findings that exist in commit history. They cannot be cleaned without rewriting history. -->
| Finding ID | Severity | Commit | Description |
|------------|----------|--------|-------------|
{{HISTORICAL_ROWS}}
> [!NOTE]
> Historical findings in git history require `git filter-repo` or a force-push to remove.
> Consult your team before rewriting shared history. These findings are listed for awareness only.
---
## File Modification Log
| File Path | Operations | Validation |
|-----------|-----------|------------|
{{FILE_MOD_ROWS}}
---
## Validation Results
Each modified file was validated after changes were applied. Any file that failed validation
was automatically restored from the backup.
| File | Check | Result | Detail |
|------|-------|--------|--------|
{{VALIDATION_ROWS}}
**Validation rules:**
- `.json` files: `JSON.parse()` succeeded
- Frontmatter files (`.md`, `.yaml`): `^---\n` prefix present
- `.mjs` / `.js` files: `node --check` passed
- All other files: character encoding check only
> [!WARNING]
> Files marked `FAIL` in validation were **restored from backup**. The finding they targeted
> is still present and has been moved back to the Manual Findings section above.
---
## Rollback
To restore the original (pre-clean) state:
```bash
rm -rf {{TARGET}}
mv {{BACKUP_PATH}} {{TARGET}}
```
> [!WARNING]
> The backup will be removed when you next run `/security clean` on this target.
> Copy or rename it if you want to preserve it permanently.
---
*Generated by llm-security clean v1.3.0*