Add high-level overview sections for network isolation, safe outputs, and threat detection to security guide by Copilot · Pull Request #1198 · github/gh-aw

Copilot · 2025-10-03T15:28:13Z

Original prompt

Update security guide with a section on network isolation, safe outputs and threat detection.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

… security guide Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan · 2025-10-03T15:38:51Z

+
+See the [Safe Outputs Reference](/gh-aw/reference/safe-outputs/) for complete configuration details.
+
+#### Content Sanitization


@copilot remove section

Removed Content Sanitization section in commit 3734e6c

pelikhan · 2025-10-03T15:39:04Z

+- **Length and Line Limits**: Content truncated if exceeding safety thresholds (0.5MB, 65k lines)
+- **Control Character Removal**: ANSI sequences and non-printable characters stripped
+
+#### Configuration Example


@copilot remove section

Removed Configuration Example section in commit 3734e6c

pelikhan · 2025-10-03T15:39:21Z

+- Each output job receives only the specific write permission it needs
+- Output is validated and sanitized before any GitHub API calls
+
+#### Best Practices


@copilot remove section

Removed Best Practices section (Safe Outputs) in commit 3734e6c

pelikhan · 2025-10-03T15:40:01Z

+- Reduce false positives by considering workflow design
+- Provide more accurate threat assessments
+
+#### Detection Response Format


@copilot remove section

Removed Detection Response Format section in commit 3734e6c

pelikhan · 2025-10-03T15:40:15Z

+- Safe output jobs are blocked from executing
+- Logs and artifacts provide audit trail for review
+
+#### Configuration


@copilot remove section

Removed Configuration section in commit 3734e6c

pelikhan · 2025-10-03T15:40:28Z

+    enabled: false    # Explicitly disable (not recommended)
+```
+
+#### Job Dependencies


@copilot remove section

Removed Job Dependencies section in commit 3734e6c

pelikhan · 2025-10-03T15:40:52Z

+
+This ensures no GitHub API write operations occur until the agent output is verified as safe.
+
+#### Security Guidelines


@copilot remove section

Removed Security Guidelines section in commit 3734e6c

pelikhan · 2025-10-03T15:41:23Z

+- **Err on the side of caution**: When uncertain, treats potential threats seriously
+- **Clear, actionable feedback**: Provides specific reasons for detected threats
+
+#### Monitoring and Debugging


@copilot remove section

Removed Monitoring and Debugging section in commit 3734e6c

pelikhan · 2025-10-03T15:41:35Z

+3. Add custom detection prompt instructions to provide context
+4. In rare cases, disable detection (not recommended for production)
+
+#### Best Practices


@copilot remove section

Removed Best Practices section (Threat Detection) in commit 3734e6c

pelikhan · 2025-10-03T15:42:22Z

+- **Configuration**: Top-level `network.allowed`
+- **Best for**: Controlling engine access to development tools and APIs
+
+#### Security Best Practices


@copilot Remove section

Removed Security Best Practices section (Network Isolation) in commit 3734e6c

pelikhan · 2025-10-03T15:45:57Z

@copilot keep the security guide as an overview and link to other in depth docs. Do not add too much details of the implentation in that page.

…Network Isolation sections Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2025-10-03T15:51:11Z

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

telemetry.astro.build
- Triggering command: node /home/REDACTED/.npm/_npx/aa98e6899c6baff3/node_modules/.bin/astro build (dns block)
- Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan

@copilot reduce details on network section, link to other docs

…s to detailed docs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2025-10-03T15:56:50Z

@copilot keep the security guide as an overview and link to other in depth docs. Do not add too much details of the implentation in that page.

Simplified all three sections to high-level overviews with links to detailed reference documentation in commit b7f6d65. Removed implementation details, code examples, comparison tables, and troubleshooting sections. Each section now provides a concise overview and directs users to the appropriate reference docs for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

telemetry.astro.build
- Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

… details Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2025-10-03T16:03:05Z

@copilot reduce details on network section, link to other docs

Reduced Network Isolation section to minimal overview in commit d34eba0. Removed technical implementation details (Docker containers, proxy, iptables, ecosystem identifiers) and kept only the core concepts with links to detailed documentation.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

telemetry.astro.build
- Triggering command: node /home/REDACTED/.npm/_npx/aa98e6899c6baff3/node_modules/.bin/astro build (dns block)
- Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Initial plan

a2c0096

Copilot AI assigned Copilot and pelikhan Oct 3, 2025

Copilot started work on behalf of pelikhan October 3, 2025 15:28 View session

Copilot AI and others added 2 commits October 3, 2025 15:31

Initial plan for security guide update

19fe304

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Add network isolation, safe outputs, and threat detection sections to…

cdd6c95

… security guide Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Update security guide with network isolation and threat detection~~ Update security guide with sections on network isolation, safe outputs, and threat detection Oct 3, 2025

Copilot AI requested a review from pelikhan October 3, 2025 15:39

Copilot finished work on behalf of pelikhan October 3, 2025 15:39

pelikhan reviewed Oct 3, 2025

View reviewed changes

Copilot started work on behalf of pelikhan October 3, 2025 15:43 View session

Remove detailed subsections from Safe Outputs, Threat Detection, and …

3734e6c

…Network Isolation sections Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI requested a review from pelikhan October 3, 2025 15:51

Copilot finished work on behalf of pelikhan October 3, 2025 15:51

Copilot started work on behalf of pelikhan October 3, 2025 15:51 View session

pelikhan reviewed Oct 3, 2025

View reviewed changes

Simplify security guide sections to be high-level overviews with link…

b7f6d65

…s to detailed docs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI changed the title ~~Update security guide with sections on network isolation, safe outputs, and threat detection~~ Add high-level overview sections for network isolation, safe outputs, and threat detection to security guide Oct 3, 2025

Copilot AI requested a review from pelikhan October 3, 2025 15:57

Copilot finished work on behalf of pelikhan October 3, 2025 15:57

Copilot started work on behalf of pelikhan October 3, 2025 15:58 View session

Further simplify Network Isolation section by removing implementation…

d34eba0

… details Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan October 3, 2025 16:03

pelikhan approved these changes Oct 3, 2025

View reviewed changes

pelikhan marked this pull request as ready for review October 3, 2025 16:05

pelikhan merged commit 426824b into main Oct 3, 2025

pelikhan deleted the copilot/update-security-guide-network-isolation branch October 3, 2025 16:06


		See the [Safe Outputs Reference](/gh-aw/reference/safe-outputs/) for complete configuration details.

		#### Content Sanitization


		This ensures no GitHub API write operations occur until the agent output is verified as safe.

		#### Security Guidelines

Conversation

Copilot AI commented Oct 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Oct 3, 2025

Choose a reason for hiding this comment

Uh oh!

pelikhan commented Oct 3, 2025

Uh oh!

Copilot AI commented Oct 3, 2025

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI commented Oct 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI commented Oct 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Oct 3, 2025 •

edited

Loading

Copilot AI commented Oct 3, 2025 •

edited

Loading

Copilot AI commented Oct 3, 2025 •

edited

Loading