Skip to content

Comments

feat: add governance-audit hook — threat detection for Copilot sessions#756

Merged
aaronpowell merged 2 commits intogithub:mainfrom
imran-siddique:add-governance-audit-hook
Feb 18, 2026
Merged

feat: add governance-audit hook — threat detection for Copilot sessions#756
aaronpowell merged 2 commits intogithub:mainfrom
imran-siddique:add-governance-audit-hook

Conversation

@imran-siddique
Copy link
Contributor

@imran-siddique imran-siddique commented Feb 18, 2026

Summary

Adds governance-audit — a Copilot CLI hook that scans user prompts for threat signals before agent processing. This is the third hook in the collection (after session-auto-commit and session-logger).

What's Included

File Purpose
hooks.json Hook configuration for sessionStart, sessionEnd, userPromptSubmitted events
audit-session-start.sh Logs session start with governance level
audit-session-end.sh Logs session end with threat summary statistics
audit-prompt.sh Main scanner — detects threat signals in prompts
README.md Documentation with installation, configuration, log format

Threat Detection

Scans prompts for 5 threat categories:

Category Examples Severity
data_exfiltration "send all records to external API", "curl -d" 0.7 - 0.95
privilege_escalation "sudo", "chmod 777", "add to sudoers" 0.8 - 0.95
system_destruction "rm -rf /", "drop database" 0.9 - 0.95
prompt_injection "ignore previous instructions" 0.6 - 0.9
credential_exposure Hardcoded API keys, AWS access keys 0.9 - 0.95

Governance Levels

Level Behavior
open Log only
standard Log; block if BLOCK_ON_THREAT=true
strict Log and block all threats
locked Log and block all threats

Privacy

  • Prompts are never logged — only threat signals and metadata
  • All data stays local (no external network calls)
  • Easily disabled with SKIP_GOVERNANCE_AUDIT=true

How It Complements session-logger

session-logger provides general activity logging. governance-audit adds security-specific scanning with threat categorization, severity scoring, and configurable blocking — aimed at enterprise teams that need governance controls on AI coding agents.

@imran-siddique @Copilot
feat: add governance-audit hook — threat detection for Copilot sessions
4a4b934 
Add real-time governance audit hook that scans prompts for threat signals:
- 5 threat categories: data exfiltration, privilege escalation,
  system destruction, prompt injection, credential exposure
- 4 governance levels: open, standard, strict, locked
- Append-only JSON audit trail (logs/copilot/governance/audit.log)
- Session summary with threat counts at session end
- Privacy-aware: logs decisions and metadata, never prompt content

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 18, 2026 21:30
@imran-siddique imran-siddique mentioned this pull request Feb 18, 2026
Merged
Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds the governance-audit hook, a security-focused hook that scans user prompts for threat signals before agent processing. It's the third hook in the repository, complementing the existing session-logger and session-auto-commit hooks by adding enterprise-grade governance controls with threat categorization, severity scoring, and configurable blocking.

Changes:

  • Adds governance-audit hook with threat detection for 5 categories (data exfiltration, privilege escalation, system destruction, prompt injection, credential exposure)
  • Implements 4 configurable governance levels (open, standard, strict, locked) with different blocking behaviors
  • Updates hooks documentation index to include the new hook

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 9 comments.

Show a summary per file
File Description
hooks/governance-audit/hooks.json Hook configuration defining event handlers for sessionStart, sessionEnd, and userPromptSubmitted with environment variables for governance level and blocking behavior
hooks/governance-audit/audit-session-start.sh Session start handler that logs governance context and current governance level
hooks/governance-audit/audit-session-end.sh Session end handler that calculates and logs threat summary statistics
hooks/governance-audit/audit-prompt.sh Core threat detection logic with regex-based pattern matching across 5 threat categories and configurable blocking
hooks/governance-audit/README.md Comprehensive documentation including threat categories, governance levels, installation, configuration, and privacy notes
docs/README.hooks.md Updated hooks index table to include governance-audit with description, events, and bundled assets

@imran-siddique @Copilot
fix: address Copilot PR review comments on governance-audit hook
32d8f7f 
- Switch from colon to tab delimiter to handle colons in evidence text
- Base64-encode evidence to prevent parsing issues
- Use MAX_SEVERITY in log output and JSON events
- Narrow regex patterns to reduce false positives:
  - third[_-]?party instead of third.?party
  - Role reassignment scoped to AI terms
  - System prompt injection requires 'you are' context
- Fix session-end stats to scope to current session only
- Update privacy statement to clarify evidence snippets are logged
- Rename credential description to 'Possible hardcoded credential'
- Fix database destruction regex to also match semicolons

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@aaronpowell aaronpowell merged commit 41b70bc into github:main Feb 18, 2026
3 checks passed
@imran-siddique
Copy link
Contributor Author

imran-siddique commented Feb 18, 2026

All 9 review comments addressed in commit 32d8f7f:

Delimiter and encoding: Switched from colon to tab delimiter + base64-encoded evidence to handle colons in evidence text (URLs, YAML keys).

MAX_SEVERITY: Now included in JSON log output and console message.

Regex precision: Narrowed patterns to reduce false positives - scoped role reassignment to AI terms, system prompt injection requires context, DB destruction matches semicolons.

Session-end stats: Now filters events by last session_start timestamp for accurate per-session counts.

Privacy statement: Updated to clarify evidence snippets (not full prompts) are logged.

Credential evidence: Description changed to "Possible hardcoded credential".

This was referenced Feb 18, 2026
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@aaronpowell aaronpowell aaronpowell approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@imran-siddique @aaronpowell