GHAS Pack - Agent Skills for GitHub Advanced Security - Includes Dependabot, CodeQL, and Secret Scanning #1049

Merged
aaronpowell merged 5 commits into github:staged from VeVarunSharma:skills/ghas-pack
Mar 18, 2026

Conversation

@VeVarunSharma
Contributor

Pull Request Checklist

  • I have read and followed the CONTRIBUTING.md guidelines.
  • I have read and followed the Guidance for submissions involving paid services.
  • My contribution adds a new instruction, prompt, agent, skill, or workflow file in the correct directory.
  • The file follows the required naming convention.
  • The content is clearly structured and follows the example format.
  • I have tested my instructions, prompt, agent, skill, or workflow with GitHub Copilot.
  • I have run npm start and verified that README.md is up to date.

Description

  • Add GitHub Security Skills: CodeQL, Dependabot, Secret Scanning

Why

Getting GitHub Advanced Security (GHAS) configured correctly is one of the biggest friction points for teams adopting it. The docs are spread across dozens of pages, the configuration surface is wide (YAML schemas, API flags, CLI tools), and common patterns — monorepo setups, grouped updates, custom secret patterns — require stitching together knowledge from multiple sources.

Today, when someone asks Copilot "set up CodeQL for my Java/TypeScript monorepo" or "configure Dependabot with grouped updates," the agent has to guess or produce generic boilerplate. These skills give it the full picture — correct option names, supported ecosystems, build modes, troubleshooting steps — so it can produce production-ready configs on the first try.

What's included

Three new agent skills, each with a SKILL.md and bundled reference docs:

codeql — Covers the full CodeQL setup lifecycle — Actions workflows and CLI usage:

  • Default vs. advanced setup, workflow triggers, permissions, language matrix
  • Build modes (none, autobuild, manual) per compiled language
  • Monorepo configuration with per-component SARIF categories
  • Custom query packs, dependency caching, model packs
  • Alert severity, Copilot Autofix, PR triage
  • Troubleshooting table for the most common failures
  • Hardware requirements for self-hosted runners
  • Reference docs: workflow-configuration.md, cli-commands.md, sarif-output.md, compiled-languages.md, troubleshooting.md, alert-management.md

dependabot — Covers all three Dependabot capabilities (alerts, security updates, version updates):

  • Ecosystem detection across 20+ package managers
  • Monorepo strategies with glob-based directories and cross-directory grouping
  • Dependency grouping by type, name pattern, and security scope
  • Multi-ecosystem groups for infrastructure-as-code bundles
  • Schedule optimization with cooldown periods and cron expressions
  • PR customization (labels, commit prefixes, assignees, milestones)
  • Private registry configuration and @dependabot PR comment commands
  • Ignore/allow rules and versioning strategies
  • Reference docs: dependabot-yml-reference.md, example-configs.md, pr-commands.md

secret-scanning — Covers detection, prevention, and remediation:

  • Enabling secret scanning and push protection at repo and org level
  • Resolving blocked pushes (remove, bypass, request delegated bypass)
  • Custom pattern creation with regex, dry runs, and Copilot-assisted generation
  • Non-provider patterns, AI-powered generic detection, validity checks
  • Alert types (user, partner, push protection) and remediation priority
  • Path exclusions via secret_scanning.yml
  • Reference docs: push-protection.md, custom-patterns.md, alerts-and-remediation.md

How this helps teams

  • Faster onboarding — Teams rolling out GHAS can ask Copilot to generate correct, production-ready configs instead of manually reading through docs and examples.
  • Better defaults — The skills encode best practices (least-privilege permissions, grouped updates to reduce PR noise, cooldown periods, monorepo patterns) so teams get optimized setups out of the box.
  • Fewer support tickets — Common issues like "CodeQL autobuild is failing for my C# project" or "Dependabot is opening too many PRs" are covered with specific troubleshooting guidance the agent can surface immediately.
  • Self-contained — All reference material is bundled, so the agent doesn't need web access or tool calls to answer detailed questions about config schemas, CLI flags, or edge cases.

Structure

skills/
├── codeql/
│   ├── SKILL.md
│   └── references/
│       ├── alert-management.md
│       ├── cli-commands.md
│       ├── compiled-languages.md
│       ├── sarif-output.md
│       ├── troubleshooting.md
│       └── workflow-configuration.md
├── dependabot/
│   ├── SKILL.md
│   └── references/
│       ├── dependabot-yml-reference.md
│       ├── example-configs.md
│       └── pr-commands.md
└── secret-scanning/
    ├── SKILL.md
    └── references/
        ├── alerts-and-remediation.md
        ├── custom-patterns.md
        └── push-protection.md


Type of Contribution

  • New instruction file.
  • New prompt file.
  • New agent file.
  • New plugin.
  • New skill file.
  • New agentic workflow.
  • Update to existing instruction, prompt, agent, plugin, skill, or workflow.
  • Other (please specify):

Additional Notes

  • All three skills follow the Agent Skills specification (https://agentskills.io/specification) with proper SKILL.md frontmatter (name, description).
  • Reference docs are bundled so the agent gets full context in a single fetch — no web lookups needed.
  • These skills are purely additive - no existing files were modified.

By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.
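To make the "better defaults" the description refers to concrete (grouped updates to reduce PR noise, cooldown periods, glob-based monorepo directories), here is an added example of a .github/dependabot.yml; it is not taken from the PR or its bundled reference docs, and the package paths, group names and labels are assumptions.

```yaml
# Added example, not part of the PR or its reference docs.
# Assumed layout: npm workspaces under /packages/*, workflows under /.github/workflows.
version: 2
updates:
  # One entry covers every npm workspace via a glob (monorepo pattern)
  - package-ecosystem: "npm"
    directories:
      - "/packages/*"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cooldown: do not adopt a release until it has been public for N days,
    # giving a compromised or yanked version time to be pulled upstream.
    cooldown:
      default-days: 7
      semver-major-days: 30
    groups:
      # Routine minor/patch bumps land as a single PR instead of one per package
      npm-routine:
        applies-to: version-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]
      # Security updates are grouped too, but kept apart from routine bumps
      # so they can be reviewed and merged with priority
      npm-security:
        applies-to: security-updates
        patterns: ["*"]
    labels: ["dependencies", "npm"]
    commit-message:
      prefix: "chore(deps)"
    open-pull-requests-limit: 5

  # Actions are part of the CI supply chain; keep them under the same review
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 3
    groups:
      actions-all:
        patterns: ["*"]
```

Major version bumps are deliberately left ungrouped and wait the longer cooldown, so breaking changes arrive as individual, reviewable PRs.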

Copilot AI review requested due to automatic review settings March 17, 2026 15:46

Copilot AI left a comment


Pull request overview

Adds a “GHAS Pack” of new Agent Skills to help Copilot generate accurate, production-ready GitHub Advanced Security configurations and operational guidance for CodeQL, Dependabot, and Secret Scanning.

Changes:

  • Introduces 3 new skills (codeql, dependabot, secret-scanning) with procedural guidance in SKILL.md.
  • Adds bundled reference documentation for each skill (workflows/CLI/SARIF/troubleshooting for CodeQL; YAML/examples/PR commands for Dependabot; push protection/custom patterns/alerts for Secret Scanning).
  • Registers the new skills in docs/README.skills.md.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.

Summary per file:

  • skills/secret-scanning/references/push-protection.md: Adds push protection mechanics, bypass and delegated bypass guidance.
  • skills/secret-scanning/references/custom-patterns.md: Adds custom secret pattern creation/dry-run/publishing reference.
  • skills/secret-scanning/references/alerts-and-remediation.md: Adds alert types, remediation workflow, API details, and exclusions reference.
  • skills/secret-scanning/SKILL.md: Introduces the Secret Scanning skill routing + usage guidance.
  • skills/dependabot/references/pr-commands.md: Adds Dependabot PR comment commands reference and examples.
  • skills/dependabot/references/example-configs.md: Adds real-world dependabot.yml configuration examples.
  • skills/dependabot/references/dependabot-yml-reference.md: Adds a YAML options reference for .github/dependabot.yml.
  • skills/dependabot/SKILL.md: Introduces the Dependabot skill routing + usage guidance.
  • skills/codeql/references/workflow-configuration.md: Adds detailed CodeQL Actions workflow configuration reference.
  • skills/codeql/references/troubleshooting.md: Adds a CodeQL troubleshooting guide.
  • skills/codeql/references/sarif-output.md: Adds SARIF output structure/limits reference for CodeQL.
  • skills/codeql/references/compiled-languages.md: Adds build-mode guidance for compiled languages + runner requirements.
  • skills/codeql/references/cli-commands.md: Adds CodeQL CLI installation/database/analyze/upload reference.
  • skills/codeql/references/alert-management.md: Adds CodeQL alert triage/dismissal/autofix reference.
  • skills/codeql/SKILL.md: Introduces the CodeQL skill routing + usage guidance.
  • docs/README.skills.md: Adds the three new skills to the skills index table.

…rge guidance

The usage example still showed @dependabot merge despite the Jan 2026
deprecation. Replaced with gh pr merge --auto and GitHub UI auto-merge.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@aaronpowell aaronpowell merged commit f601edc into github:staged Mar 18, 2026
8 checks passed
@aaronpowell
Contributor

#codeowner

@github-actions
Contributor

Pull request created: #1055

Generated by Codeowner Update Agent

@github-actions
Contributor

👋 @VeVarunSharma — A CODEOWNERS update PR has been created to assign you ownership of the GHAS skills you contributed in this PR.

New entries added:

  • /skills/codeql/ @VeVarunSharma
  • /skills/dependabot/ @VeVarunSharma
  • /skills/secret-scanning/ @VeVarunSharma

Once the CODEOWNERS PR is merged, you'll be automatically requested as a reviewer for future changes to these skill directories. 🎉

Generated by Codeowner Update Agent for issue #1049

aaronpowell added a commit that referenced this pull request Mar 18, 2026
Add @VeVarunSharma as owner for GHAS skills contributed in PR #1049:
- /skills/codeql/
- /skills/dependabot/
- /skills/secret-scanning/

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>