Add comprehensive threat detection documentation with custom steps and LlamaGuard examples#2878

Merged: pelikhan merged 3 commits into main from copilot/review-threat-detection-docs on Oct 31, 2025

Conversation


Copilot AI commented Oct 31, 2025

The threat detection feature lacked documentation on custom steps/jobs configuration and integration patterns for specialized security tools like LlamaGuard.

Changes

New comprehensive guide (docs/src/content/docs/guides/threat-detection.md)

  • Configuration reference: enabled, prompt, engine, steps fields with all supported formats
  • Custom detection steps: artifact paths, execution order, tool integration patterns
  • Complete LlamaGuard/Ollama example showing installation, service management, and scanning workflow
  • Architecture diagram showing security flow from agentic job → detection → safe outputs
  • Troubleshooting patterns for common issues (timeouts, false positives, step failures)

Enhanced reference documentation (docs/src/content/docs/reference/safe-outputs.md)

  • Added threat-detection configuration section with field descriptions
  • Documented artifact access paths for custom steps
  • JSON response format specification

Updated security guide (docs/src/content/docs/guides/security.md)

  • Enhanced threat detection section with configuration overview
  • Added reference to comprehensive guide

Example: Custom Detection with LlamaGuard

safe-outputs:
  create-pull-request:
  threat-detection:
    prompt: "Focus on SQL injection and XSS vulnerabilities"
    engine:
      id: claude
      model: claude-sonnet-4
    steps:
      - name: Ollama LlamaGuard 3 Scan
        uses: actions/github-script@v7
        with:
          script: |
            // Install Ollama, pull llama-guard3:1b model
            // Scan /tmp/gh-aw/threat-detection/agent_output.json
            // Scan /tmp/gh-aw/threat-detection/aw.patch
            // Fail if threats detected

Custom steps access these artifacts:

  • /tmp/gh-aw/threat-detection/prompt.txt - Workflow source
  • /tmp/gh-aw/threat-detection/agent_output.json - Safe output items
  • /tmp/gh-aw/threat-detection/aw.patch - Code changes
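As an added example (not code from this PR or the gh-aw project), the verdict-handling logic a custom github-script step needs around the Ollama/LlamaGuard scan sketched above: one request per artifact, fail-closed parsing of the model's verdict, and a summary that fails the step if any artifact is not explicitly safe. It assumes Ollama's /api/chat returns `{ message: { content } }` (as the PR's own snippet reads it), the LlamaGuard 3 verdict format `safe` or `unsafe` followed by a line of hazard codes such as `S1,S8`, and an injected `askModel` callback standing in for the live service.

```javascript
// Added example (not the PR's or gh-aw's code): decision logic for a custom
// github-script detection step around LlamaGuard 3 verdicts served by Ollama.
// Assumes /api/chat returns { message: { content } } and verdicts "safe" or "unsafe\nS1,S8".
const ARTIFACTS = ['prompt.txt', 'agent_output.json', 'aw.patch']; // under /tmp/gh-aw/threat-detection/

// Request body for Ollama's /api/chat with the llama-guard3:1b model.
function buildLlamaGuardRequest(text, model = 'llama-guard3:1b') {
  return { model, stream: false, messages: [{ role: 'user', content: text }] };
}

// Parse the verdict text. Anything other than a literal "safe" fails closed.
function parseLlamaGuardVerdict(content) {
  const lines = String(content ?? '').split(/\r?\n/).map(l => l.trim()).filter(Boolean);
  if (lines.length === 0) return { safe: false, categories: [], reason: 'empty response' };
  const verdict = lines[0].toLowerCase();
  if (verdict === 'safe') return { safe: true, categories: [], reason: 'safe' };
  if (verdict === 'unsafe') {
    const categories = (lines[1] || '').split(',').map(c => c.trim().toUpperCase())
      .filter(c => /^S\d+$/.test(c));
    return { safe: false, categories, reason: 'unsafe' };
  }
  return { safe: false, categories: [], reason: `unrecognised verdict: ${lines[0]}` };
}

// Parse the raw JSON body from /api/chat (what response.stdout held in the PR's snippet).
function evaluateOllamaResponse(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (_) {
    return { safe: false, categories: [], reason: 'response is not JSON' };
  }
  return parseLlamaGuardVerdict(parsed.message?.content);
}

// Combine per-artifact results: the step fails if any artifact is not explicitly safe.
function summarize(results) {
  const failures = Object.entries(results).filter(([, r]) => !r.safe).map(([name, r]) =>
    `${name}: ${r.reason}${r.categories.length ? ' (' + r.categories.join(',') + ')' : ''}`);
  return { pass: failures.length === 0, failures };
}

// Scan every artifact via an injected askModel(requestBody) -> responseBody, so the logic
// runs without a live Ollama service; an absent artifact (e.g. no aw.patch) is skipped.
function scanArtifacts(texts, askModel) {
  const results = {};
  for (const name of ARTIFACTS) {
    results[name] = texts[name] == null
      ? { safe: true, categories: [], reason: 'artifact missing, nothing to scan' }
      : evaluateOllamaResponse(askModel(buildLlamaGuardRequest(texts[name])));
  }
  return summarize(results);
}
```

In the real step, `askModel` would POST the request body to Ollama (or shell out to the `ollama` CLI as the PR's snippet does) and `summarize().failures` would feed `core.setFailed`.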

Screenshot: Threat Detection Guide

Documentation follows GitHub Docs style with runnable examples, clear structure, and proper cross-references.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)
    • Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro dev (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Review threat-detection docs, especially custom steps and jobs configuration. See llamaguard as a sample of custom detection

Note

Custom agent used: technical-doc-writer
AI technical documentation writer for GitHub Actions library using Astro Starlight and GitHub Docs voice


Copilot AI and others added 2 commits October 31, 2025 14:30
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Review threat detection documentation for custom steps and jobs Add comprehensive threat detection documentation with custom steps and LlamaGuard examples Oct 31, 2025
Copilot AI requested a review from pelikhan October 31, 2025 14:39
@pelikhan pelikhan marked this pull request as ready for review October 31, 2025 14:49
Copilot AI review requested due to automatic review settings October 31, 2025 14:49
@pelikhan pelikhan merged commit 9874702 into main Oct 31, 2025
8 checks passed
@pelikhan pelikhan deleted the copilot/review-threat-detection-docs branch October 31, 2025 14:50
@github-actions

Agentic Changeset Generator triggered by this pull request.


Copilot AI left a comment


Pull Request Overview

This PR adds comprehensive documentation for the threat detection feature, focusing on custom detection steps and specialized tool integration patterns. The documentation addresses a gap in explaining how to configure and extend threat detection beyond the default AI-based analysis.

Key changes:

  • New comprehensive threat detection guide with configuration reference, custom steps patterns, and LlamaGuard integration example
  • Enhanced safe-outputs reference with detailed threat-detection field documentation
  • Updated security guide with configuration overview and cross-references

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Files reviewed:

  • docs/src/content/docs/guides/threat-detection.md: new comprehensive guide covering configuration, AI detection, custom steps, LlamaGuard example, best practices, and troubleshooting
  • docs/src/content/docs/reference/safe-outputs.md: added threat-detection configuration section with field descriptions, artifact paths, and integration examples
  • docs/src/content/docs/guides/security.md: enhanced threat detection section with configuration overview and guide cross-reference
  • pkg/workflow/schemas/github-workflow.json: JSON formatting improvements (enum arrays reformatted to multi-line)


await exec.exec('sh', ['/tmp/install.sh']);

// Start Ollama service
exec.exec('ollama', ['serve'], { detached: true });

Copilot AI Oct 31, 2025


The exec.exec call is missing await, which could cause the subsequent service readiness check to fail. Add await to ensure the service starts before proceeding to the readiness loop.

Suggested change
exec.exec('ollama', ['serve'], { detached: true });
await exec.exec('ollama', ['serve'], { detached: true });

const result = JSON.parse(response.stdout);
const output = result.message?.content || '';

// Check if safe

Copilot AI Oct 31, 2025


The safety check logic includes output.includes('s8') without explanation. Document what 's8' represents in the LlamaGuard response format to help users understand this condition.

Suggested change
// Check if safe
// Check if safe
// 's8' is a LlamaGuard response code indicating the output is safe according to its schema.

with:
script: |
// Install and run Ollama with llama-guard3:1b model
// See .github/workflows/shared/ollama-threat-scan.md for complete example

Copilot AI Oct 31, 2025


The referenced file path .github/workflows/shared/ollama-threat-scan.md may not exist or be accessible to users. Verify this file exists in the repository or update the reference to point to the threat detection guide instead.

Suggested change
// See .github/workflows/shared/ollama-threat-scan.md for complete example
// See the Threat Detection Guide for a complete example: https://github.com/gh-aw/guides/threat-detection/

github-actions bot added a commit that referenced this pull request Mar 31, 2026
Add `auth.type: github-oidc` option to the HTTP MCP servers section
in the guide. The compiler has supported this field since the gateway
OIDC implementation (gh-aw-mcpg PR #2878) but the how-to guide only
showed static `headers`-based authentication.

Fixes documentation gap surfaced by #23605.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>