ivproduced/copilot-cli-security
GitHub Copilot CLI Security Extension

AI-powered security analysis for GitHub Copilot CLI that identifies vulnerabilities in code changes and scans dependencies for known security issues.

Ported from gemini-cli-extensions/security to work with GitHub Copilot CLI.

Features

  • AI-powered security analysis: Leverages advanced AI capabilities to provide intelligent and context-aware security analysis
  • Focused analysis: Analyzes code changes within pull requests to identify and address vulnerabilities early
  • Comprehensive vulnerability detection: Scans for secrets, injection flaws, access control issues, insecure data handling, authentication problems, LLM safety issues, and privacy violations
  • Dependency scanning: Identifies known vulnerabilities in project dependencies using OSV-Scanner
  • Integrated with Copilot CLI: Installs as a custom agent plus a set of skills for GitHub Copilot CLI
  • Expandable scope: Extensible architecture for future vulnerability detection enhancements

Installation

Prerequisites

Install OSV-Scanner (Optional)

For dependency scanning functionality:

macOS/Linux:

brew install osv-scanner

Windows:

winget install Google.OSVScanner

Or download from OSV-Scanner releases.

Install the Security Extension

  1. Clone this repository:

    git clone https://github.com/YOUR_USERNAME/copilot-cli-security.git
    cd copilot-cli-security
  2. Install dependencies:

    npm install
  3. Build the MCP server:

    npm run build
  4. Install the agent in Copilot CLI:

    Copy the agent directory to your Copilot CLI agents location:

    # macOS/Linux
    mkdir -p ~/.copilot/agents
    cp -r agent ~/.copilot/agents/security
    
    # Windows (PowerShell)
    New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.copilot\agents"
    Copy-Item -Recurse agent "$env:USERPROFILE\.copilot\agents\security"
  5. Install the skills:

    Copy the skills to your Copilot CLI skills directory:

    # macOS/Linux
    mkdir -p ~/.copilot/skills
    cp -r .copilot/skills/* ~/.copilot/skills/
    
    # Windows (PowerShell)
    New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.copilot\skills"
    Copy-Item -Recurse .copilot\skills\* "$env:USERPROFILE\.copilot\skills\"
  6. Update the agent.json path:

    Edit ~/.copilot/agents/security/agent.json and update the MCP server command path to point to your installation:

    {
      "mcpServers": {
        "copilot-security-mcp": {
          "type": "local",
          "command": "node",
          "args": ["/ABSOLUTE/PATH/TO/copilot-cli-security/dist/index.js"]
        }
      }
    }

Usage

Security Analysis

The security extension can be used in several ways within GitHub Copilot CLI:

1. Using the Security Agent

Switch to the security agent for comprehensive analysis:

copilot
> /agent security
> Analyze my code changes for security vulnerabilities

2. Using Skills

Invoke the security analysis skill directly:

copilot
> Use the security-analyze skill to check for vulnerabilities in my recent changes

Or for dependency scanning:

copilot
> Use the security-scan-deps skill to scan for vulnerable dependencies

3. Delegate to Security Agent

From any conversation, delegate security analysis:

copilot
> /delegate security Analyze the changes in src/api/ for security issues

Customize Analysis Scope

By default, the security analysis examines the git diff against the default branch. You can narrow or widen the scope in the prompt, for example:

> Analyze all source code in the src/ directory for security vulnerabilities
> Check for security issues in files changed in the last 3 commits
> Scan main.py for hardcoded secrets

Dependency Scanning

To scan your project's dependencies for known vulnerabilities:

copilot
> /agent security
> Scan my project dependencies for vulnerabilities

The agent will:

  1. Locate relevant lock files (package-lock.json, Gemfile.lock, go.mod, etc.)
  2. Run OSV-Scanner to check them against the OSV.dev vulnerability database
  3. Prioritize findings by severity
  4. Provide remediation guidance
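The triage step (steps 3 and 4 above) in plain TypeScript, as an added example that is not code from this project. It assumes the shape of `osv-scanner --format json` output (results, packages, vulnerabilities with OSV `affected[].ranges[].events`) and reads the severity label that GitHub Advisory Database records carry in `database_specific.severity`; `SAMPLE_REPORT` and its advisory identifiers are constructed placeholders, not real advisories.

```typescript
// Added example (not part of copilot-cli-security): triage OSV-Scanner JSON
// output into a severity-ordered report with upgrade advice.
export {};

type OsvEvent = { introduced?: string; fixed?: string };
type OsvVuln = {
  id: string;
  summary?: string;
  affected?: { ranges?: { type: string; events: OsvEvent[] }[] }[];
  database_specific?: { severity?: string }; // present on GHSA records
};
type OsvPackageResult = {
  package: { name: string; version: string; ecosystem: string };
  vulnerabilities: OsvVuln[];
};
type OsvReport = {
  results: { source: { path: string; type: string }; packages: OsvPackageResult[] }[];
};

type Finding = {
  lockfile: string;
  pkg: string;
  version: string;
  id: string;
  severity: string;
  fixedIn: string | null;
  advice: string;
};

// Ordering used to prioritise findings; unrecognised labels sort last.
const SEVERITY_RANK: Record<string, number> = {
  CRITICAL: 0, HIGH: 1, MODERATE: 2, MEDIUM: 2, LOW: 3, UNKNOWN: 4,
};

// First "fixed" event across the affected ranges, or null when no fix is published.
function firstFixedVersion(v: OsvVuln): string | null {
  for (const a of v.affected ?? []) {
    for (const r of a.ranges ?? []) {
      for (const e of r.events) {
        if (e.fixed) return e.fixed;
      }
    }
  }
  return null;
}

// Flatten the report into findings and sort highest severity first (sort is stable).
function triage(report: OsvReport): Finding[] {
  const findings: Finding[] = [];
  for (const result of report.results) {
    for (const p of result.packages) {
      for (const v of p.vulnerabilities) {
        const severity = (v.database_specific?.severity ?? "UNKNOWN").toUpperCase();
        const fixedIn = firstFixedVersion(v);
        findings.push({
          lockfile: result.source.path,
          pkg: p.package.name,
          version: p.package.version,
          id: v.id,
          severity,
          fixedIn,
          advice: fixedIn
            ? `upgrade ${p.package.name} to >= ${fixedIn}`
            : `no fixed version published for ${p.package.name}; replace it or apply a vendor workaround`,
        });
      }
    }
  }
  return findings.sort(
    (a, b) => (SEVERITY_RANK[a.severity] ?? 4) - (SEVERITY_RANK[b.severity] ?? 4),
  );
}

function formatReport(findings: Finding[]): string {
  return findings
    .map((f) => `[${f.severity}] ${f.pkg}@${f.version} (${f.lockfile}) ${f.id}: ${f.advice}`)
    .join("\n");
}

// Constructed sample shaped like an OSV-Scanner JSON report; the GHSA ids are placeholders.
const SAMPLE_REPORT: OsvReport = {
  results: [{
    source: { path: "package-lock.json", type: "lockfile" },
    packages: [
      {
        package: { name: "example-parser", version: "1.2.0", ecosystem: "npm" },
        vulnerabilities: [{
          id: "GHSA-placeholder-0001",
          summary: "prototype pollution (constructed example)",
          database_specific: { severity: "moderate" },
          affected: [{ ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.2.3" }] }] }],
        }],
      },
      {
        package: { name: "example-auth", version: "2.0.1", ecosystem: "npm" },
        vulnerabilities: [{
          id: "GHSA-placeholder-0002",
          summary: "authentication bypass (constructed example)",
          database_specific: { severity: "critical" },
          affected: [{ ranges: [{ type: "SEMVER", events: [{ introduced: "2.0.0" }] }] }],
        }],
      },
    ],
  }],
};

console.log(formatReport(triage(SAMPLE_REPORT)));
```

Records without a `database_specific.severity` label land in the UNKNOWN bucket rather than being dropped, so a missing label never hides a finding; scoring from the CVSS vector in `severity[]` is the obvious next refinement.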

Types of Vulnerabilities Detected

Secrets Management

  • Hardcoded secrets: API keys, private keys, passwords, connection strings embedded in source code

Broken Access Control

  • IDOR: Endpoints accessing resources without ownership verification
  • Missing authorization checks: Sensitive operations without proper authorization
  • Privilege escalation: User-modifiable role/permission fields
  • Path traversal/LFI: Unsafe file path construction from user input
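What the "path traversal/LFI" item means in code, as an added example (not from this project or its agent prompts): the unsafe path construction beside a hardened version that keeps every resolved path under a fixed base directory. `UPLOAD_ROOT` and the function names are constructed for illustration.

```typescript
// Added example (not project code): unsafe vs. hardened file path construction.
import * as path from "node:path";

// Constructed base directory that user-controlled names must stay inside.
const UPLOAD_ROOT = path.resolve("/srv/app/uploads");

// Unsafe: the user-supplied name is joined straight onto the base directory.
// A value such as "../../etc/passwd" resolves outside UPLOAD_ROOT; this is the
// pattern the scanner reports.
function unsafeResolve(userPath: string): string {
  return path.join(UPLOAD_ROOT, userPath);
}

// Hardened: resolve to an absolute path, then require it to sit strictly below
// the base. Returns null for anything that escapes, so the caller can reject it.
function safeResolve(userPath: string): string | null {
  // NUL bytes truncate paths in some native APIs; refuse them outright.
  if (userPath.includes("\0")) return null;
  const candidate = path.resolve(UPLOAD_ROOT, userPath);
  // Compare against root + separator so a sibling such as
  // "/srv/app/uploads-old" is not mistaken for a child of the root.
  if (!candidate.startsWith(UPLOAD_ROOT + path.sep)) return null;
  return candidate;
}

// Detection predicate: does an already-resolved path leave the base directory?
function escapesRoot(resolved: string): boolean {
  return !resolved.startsWith(UPLOAD_ROOT + path.sep);
}

console.log("unsafe:", unsafeResolve("../../etc/passwd"), "escapes:", escapesRoot(unsafeResolve("../../etc/passwd")));
console.log("safe:", safeResolve("../../etc/passwd"), safeResolve("reports/q1.pdf"));
```

Normalising with `path.resolve` before the prefix check is the key step: a check on the raw string would miss `a/../../x`, which normalises to a path outside the root.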

Insecure Data Handling

  • Weak cryptographic algorithms: DES, Triple DES, RC4, ECB mode
  • Logging sensitive information: Passwords, PII, API keys, session tokens in logs
  • PII handling violations: Improper storage/transmission of personally identifiable information
  • Insecure deserialization: Unsafe deserialization of untrusted data

Injection Vulnerabilities

  • Cross-site scripting (XSS): Unsanitized user input rendered in HTML
  • SQL injection (SQLi): Raw user input in database queries
  • Command injection: User input in system commands
  • Server-side request forgery (SSRF): Unvalidated user-provided URLs
  • Server-side template injection (SSTI): User input embedded in templates

Authentication Issues

  • Authentication bypass: Improper session validation
  • Weak session tokens: Predictable tokens, insufficient entropy
  • Insecure password reset: Predictable reset tokens, token leakage

LLM Safety

  • Insecure prompt handling: Prompt injection vulnerabilities
  • Improper output handling: Unsafe use of LLM-generated content (XSS, SQLi, eval)
  • Insecure plugin/tool usage: Overly permissive tools, unsafe data flows

Privacy Violations

  • PII exposure: Sensitive data flowing to external services, logs, analytics without proper protection

Architecture

The extension consists of three main components:

  1. MCP Server (src/index.ts): Provides security-specific tools to Copilot CLI

    • find_line_numbers: Locates exact line numbers of vulnerable code
    • get_audit_scope: Retrieves git diff for analysis
    • run_poc: Executes proof-of-concept code to verify vulnerabilities
  2. Security Agent (agent/): Custom agent with security expertise

    • Implements SAST vulnerability analysis procedures
    • Uses MCP tools to analyze code systematically
    • Generates detailed security reports
  3. Skills (.copilot/skills/): Reusable security analysis workflows

    • security-analyze: Code vulnerability analysis
    • security-scan-deps: Dependency vulnerability scanning
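The core of what the `get_audit_scope` and `find_line_numbers` tools have to do, together with the "hardcoded secrets" check from the vulnerability list above, as an added example that is not this project's MCP server: a unified diff is cut down to its added lines with post-change line numbers, and a secret check runs over only that scope. `SAMPLE_DIFF`, the rule regexes, the entropy threshold and the placeholder key value are all constructed for illustration.

```typescript
// Added example (not project code): diff scope extraction plus a secret check.
export {};

type AddedLine = { file: string; line: number; text: string };
type SecretHit = AddedLine & { rule: string };

// Parse `git diff` output: keep "+" lines inside hunks, numbered by the
// new-file side of each "@@ -old,len +new,len @@" header.
function addedLines(diff: string): AddedLine[] {
  const out: AddedLine[] = [];
  let file = "";
  let newLine = 0;
  let inHunk = false;
  for (const raw of diff.split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) {
      newLine = Number(hunk[1]);
      inHunk = true;
      continue;
    }
    if (!inHunk) {
      // Between hunks only the "+++ b/<path>" header matters.
      if (raw.startsWith("+++ ")) file = raw.slice(4).replace(/^b\//, "");
      continue;
    }
    if (raw.startsWith("+")) {
      out.push({ file, line: newLine, text: raw.slice(1) });
      newLine++;
    } else if (raw.startsWith(" ")) {
      newLine++; // unchanged context line still occupies a new-file line
    } else if (raw.startsWith("-") || raw.startsWith("\\")) {
      // removed line, or "\ No newline at end of file": no new-file line number
    } else {
      inHunk = false; // the next "diff --git" header (or anything else) ends the hunk
    }
  }
  return out;
}

// Shannon entropy in bits per character; real credentials score high,
// placeholders such as "changeme" score low.
function shannonEntropy(s: string): number {
  const counts = new Map<string, number>();
  for (const ch of s) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed rules: a secret-looking name assigned a string literal, or PEM key material.
const ASSIGNMENT = /(?:api[_-]?key|secret|password|token)\s*[:=]\s*["']([^"']{8,})["']/i;
const PRIVATE_KEY = /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/;
const ENTROPY_THRESHOLD = 3.5; // constructed heuristic; tune per repository

function findSecrets(lines: AddedLine[]): SecretHit[] {
  const hits: SecretHit[] = [];
  for (const l of lines) {
    if (PRIVATE_KEY.test(l.text)) {
      hits.push({ ...l, rule: "private-key-material" });
      continue;
    }
    const value = ASSIGNMENT.exec(l.text)?.[1] ?? "";
    if (value && shannonEntropy(value) >= ENTROPY_THRESHOLD) {
      hits.push({ ...l, rule: "high-entropy-credential" });
    }
  }
  return hits;
}

// Constructed diff: one hunk that replaces an env lookup with a literal key
// (the key value is a made-up placeholder), adds a default password, and adds a setting.
const SAMPLE_DIFF = [
  "diff --git a/src/config.ts b/src/config.ts",
  "--- a/src/config.ts",
  "+++ b/src/config.ts",
  "@@ -10,4 +10,6 @@ export const settings = {",
  "   region: \"eu-west-1\",",
  "-  apiKey: process.env.API_KEY,",
  "+  apiKey: \"sk_live_9xQ2vB7mT4kL1pZ8rW3nH6\",",
  "+  password: \"changeme\",",
  "   timeoutMs: 3000,",
  "+  retries: 3,",
  " };",
].join("\n");

console.log(findSecrets(addedLines(SAMPLE_DIFF)));
```

Reporting `src/config.ts:11` rather than "somewhere in the diff" is what lets a reviewer jump to the line; the removed `process.env.API_KEY` line never enters the scope, and the low-entropy `"changeme"` assignment is left for the model-based review rather than flagged as a live credential.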

Development

Build

npm run build

Watch Mode

npm run watch

Testing

npm test

Benchmarking

The original Gemini security extension achieved:

  • 90% precision: Of all identified vulnerabilities, 90% were actual security risks
  • 93% recall: Successfully identified 93% of known vulnerabilities

Results based on the OpenSSF CVE Benchmark.

Important Notes

  • This is a first-pass analysis, not a complete security audit
  • Use in combination with other security tools and manual code review
  • The extension is designed for analyzing code changes, not entire codebases
  • Dependency scanning requires OSV-Scanner to be installed separately

Contributing

Contributions are welcome! Please feel free to submit issues or pull requests.

License

Apache License 2.0 - See LICENSE for details.

Credits

Ported from gemini-cli-extensions/security by Google.
