feat: Add Security Agent Workflow for automated security assessments

emmanuelknafo · emmanuelknafo · commit 108e9e5b8e72 · 2026-01-28T23:21:03.000-05:00
diff --git a/.github/workflows/security-agent-workflow.yml b/.github/workflows/security-agent-workflow.yml
@@ -0,0 +1,79 @@
+name: Security Agent Workflow
+
+on:
+    workflow_dispatch:
+
+jobs:
+    security-assessment:
+        runs-on: ubuntu-latest
+        timeout-minutes: 15
+        permissions:
+            contents: read
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: 22
+
+            - name: Install GitHub Copilot CLI
+              run: npm i -g @github/copilot
+
+            - name: Run Security Agent via Copilot CLI
+              env:
+                  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+                  GITHUB_REPOSITORY: ${{ github.repository }}
+              run: |
+                  set -euo pipefail
+                  AGENT_PROMPT=$(cat .github/agents/security-agent.md)
+                  PROMPT="$AGENT_PROMPT"
+                  PROMPT+=$'\n\nContext:\n'
+                  PROMPT+="- Repository: $GITHUB_REPOSITORY"
+                  PROMPT+=$'\n\nTask:\n'
+                  PROMPT+=$"\n- Execute the instructions on the full codebase"
+                  PROMPT+=$'\n- Generate the security report at /security-reports/security-assessment-report.md summarizing findings, severity, and remediation guidance.'
+
+                  copilot --prompt "$PROMPT" --allow-all-tools --allow-all-paths < /dev/null
+
+            - name: Output security report as summary
+              if: always()
+              run: |
+                  set -euo pipefail
+                  REPORT_PATH="security-reports/security-assessment-report.md"
+
+                  if [ ! -f "$REPORT_PATH" ]; then
+                    echo "No security report generated; skipping summary."
+                    exit 0
+                  fi
+
+                  echo "## Security Assessment Report" >> $GITHUB_STEP_SUMMARY
+                  cat "$REPORT_PATH" >> $GITHUB_STEP_SUMMARY
+
+            - name: Upload security report artifact
+              if: always()
+              uses: actions/upload-artifact@v4
+              with:
+                  name: security-assessment-report-${{ github.run_id }}
+                  path: security-reports/security-assessment-report.md
+                  retention-days: 30
+
+            - name: Check for critical vulnerabilities
+              if: always()
+              run: |
+                  set -euo pipefail
+                  REPORT_PATH="security-reports/security-assessment-report.md"
+
+                  if [ ! -f "$REPORT_PATH" ]; then
+                    echo "No security report generated; skipping critical check."
+                    exit 0
+                  fi
+
+                  if grep -q "THIS ASSESSMENT CONTAINS A CRITICAL VULNERABILITY" "$REPORT_PATH"; then
+                    echo "❌ CRITICAL VULNERABILITY DETECTED - Workflow failed"
+                    echo "The security assessment found critical vulnerabilities that must be addressed before proceeding."
+                    exit 1
+                  else
+                    echo "✅ No critical vulnerabilities detected"
+                  fi
