GHAS Pack - Agent Skills for GitHub Advanced Security - Includes Dependabot, CodeQL, and Secret Scanning

[VeVarunSharma]

Pull Request Checklist

• I have read and followed the CONTRIBUTING.md guidelines.
• I have read and followed the Guidance for submissions involving paid services.
• My contribution adds a new instruction, prompt, agent, skill, or workflow file in the correct directory.
• The file follows the required naming convention.
• The content is clearly structured and follows the example format.
• I have tested my instructions, prompt, agent, skill, or workflow with GitHub Copilot.
• I have run npm start and verified that README.md is up to date.

---

Description

• Add GitHub Security Skills: CodeQL, Dependabot, Secret Scanning

Why

Getting GitHub Advanced Security (GHAS) configured correctly is one of the biggest friction points for teams adopting it. The docs are spread across dozens of pages, the configuration surface is wide (YAML schemas, API flags, CLI tools), and common patterns — monorepo setups, grouped updates, custom secret patterns — require stitching together knowledge from multiple sources.

Today, when someone asks Copilot "set up CodeQL for my Java/TypeScript monorepo" or "configure Dependabot with grouped updates," the agent has to guess or produce generic boilerplate. These skills give it the full picture — correct option names, supported ecosystems, build modes, troubleshooting steps — so it can produce production-ready configs on the first try.

What's included

Three new agent skills, each with a SKILL.md and bundled reference docs:

codeql — Covers the full CodeQL setup lifecycle — Actions workflows and CLI usage:

• Default vs. advanced setup, workflow triggers, permissions, language matrix
• Build modes (none, autobuild, manual) per compiled language
• Monorepo configuration with per-component SARIF categories
• Custom query packs, dependency caching, model packs
• Alert severity, Copilot Autofix, PR triage
• Troubleshooting table for the most common failures
• Hardware requirements for self-hosted runners
• Reference docs: workflow-configuration.md, cli-commands.md, sarif-output.md, compiled-languages.md, troubleshooting.md, alert-management.md

dependabot — Covers all three Dependabot capabilities (alerts, security updates, version updates):

• Ecosystem detection across 20+ package managers
• Monorepo strategies with glob-based directories and cross-directory grouping
• Dependency grouping by type, name pattern, and security scope
• Multi-ecosystem groups for infrastructure-as-code bundles
• Schedule optimization with cooldown periods and cron expressions
• PR customization (labels, commit prefixes, assignees, milestones)
• Private registry configuration and @dependabot PR comment commands
• Ignore/allow rules and versioning strategies
• Reference docs: dependabot-yml-reference.md, example-configs.md, pr-commands.md

secret-scanning — Covers detection, prevention, and remediation:

• Enabling secret scanning and push protection at repo and org level
• Resolving blocked pushes (remove, bypass, request delegated bypass)
• Custom pattern creation with regex, dry runs, and Copilot-assisted generation
• Non-provider patterns, AI-powered generic detection, validity checks
• Alert types (user, partner, push protection) and remediation priority
• Path exclusions via secret_scanning.yml
• Reference docs: push-protection.md, custom-patterns.md, alerts-and-remediation.md

How this helps teams

• Faster onboarding — Teams rolling out GHAS can ask Copilot to generate correct, production-ready configs instead of manually reading through docs and examples.
• Better defaults — The skills encode best practices (least-privilege permissions, grouped updates to reduce PR noise, cooldown periods, monorepo patterns) so teams get optimized setups out of the box.
• Fewer support tickets — Common issues like "CodeQL autobuild is failing for my C# project" or "Dependabot is opening too many PRs" are covered with specific troubleshooting guidance the agent can surface immediately.
• Self-contained — All reference material is bundled, so the agent doesn't need web access or tool calls to answer detailed questions about config schemas, CLI flags, or edge cases.

Structure

skills/
├── codeql/
│ ├── SKILL.md
│ └── references/
│ ├── alert-management.md
│ ├── cli-commands.md
│ ├── compiled-languages.md
│ ├── sarif-output.md
│ ├── troubleshooting.md
│ └── workflow-configuration.md
├── dependabot/
│ ├── SKILL.md
│ └── references/
│ ├── dependabot-yml-reference.md
│ ├── example-configs.md
│ └── pr-commands.md
└── secret-scanning/
├── SKILL.md
└── references/
├── alerts-and-remediation.md
├── custom-patterns.md
└── push-protection.md

---

Type of Contribution

• New instruction file.
• New prompt file.
• New agent file.
• New plugin.
• New skill file.
• New agentic workflow.
• Update to existing instruction, prompt, agent, plugin, skill, or workflow.
• Other (please specify):

---

Additional Notes

• All three skills follow the Agent Skills specification (https://agentskills.io/specification) with proper SKILL.md frontmatter (name, description).
• Reference docs are bundled so the agent gets full context in a single fetch — no web lookups needed.
• These skills are purely additive - no existing files were modified.->

---

By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.

[Copilot]

Pull request overview

Adds a “GHAS Pack” of new Agent Skills to help Copilot generate accurate, production-ready GitHub Advanced Security configurations and operational guidance for CodeQL, Dependabot, and Secret Scanning.

Changes:

• Introduces 3 new skills (codeql, dependabot, secret-scanning) with procedural guidance in SKILL.md.
• Adds bundled reference documentation for each skill (workflows/CLI/SARIF/troubleshooting for CodeQL; YAML/examples/PR commands for Dependabot; push protection/custom patterns/alerts for Secret Scanning).
• Registers the new skills in docs/README.skills.md.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
skills/secret-scanning/references/push-protection.md	Adds push protection mechanics, bypass and delegated bypass guidance.
skills/secret-scanning/references/custom-patterns.md	Adds custom secret pattern creation/dry-run/publishing reference.
skills/secret-scanning/references/alerts-and-remediation.md	Adds alert types, remediation workflow, API details, and exclusions reference.
skills/secret-scanning/SKILL.md	Introduces the Secret Scanning skill routing + usage guidance.
skills/dependabot/references/pr-commands.md	Adds Dependabot PR comment commands reference and examples.
skills/dependabot/references/example-configs.md	Adds real-world dependabot.yml configuration examples.
skills/dependabot/references/dependabot-yml-reference.md	Adds a YAML options reference for .github/dependabot.yml.
skills/dependabot/SKILL.md	Introduces the Dependabot skill routing + usage guidance.
skills/codeql/references/workflow-configuration.md	Adds detailed CodeQL Actions workflow configuration reference.
skills/codeql/references/troubleshooting.md	Adds a CodeQL troubleshooting guide.
skills/codeql/references/sarif-output.md	Adds SARIF output structure/limits reference for CodeQL.
skills/codeql/references/compiled-languages.md	Adds build-mode guidance for compiled languages + runner requirements.
skills/codeql/references/cli-commands.md	Adds CodeQL CLI installation/database/analyze/upload reference.
skills/codeql/references/alert-management.md	Adds CodeQL alert triage/dismissal/autofix reference.
skills/codeql/SKILL.md	Introduces the CodeQL skill routing + usage guidance.
docs/README.skills.md	Adds the three new skills to the skills index table.

---

You can also share your feedback on Copilot code review. Take the survey.

[aaronpowell]

#codeowner

[github-actions]

Pull request created: #1055

Generated by Codeowner Update Agent

[github-actions]

👋 @VeVarunSharma — A CODEOWNERS update PR has been created to assign you ownership of the GHAS skills you contributed in this PR.

New entries added:

• /skills/codeql/ @VeVarunSharma
• /skills/dependabot/ @VeVarunSharma
• /skills/secret-scanning/ @VeVarunSharma

Once the CODEOWNERS PR is merged, you'll be automatically requested as a reviewer for future changes to these skill directories. 🎉

Generated by Codeowner Update Agent for issue #1049 · ◷