feat(agents): Integrate Code Reviewer Agent for Security Validation During Development

[niksacdev]

Issue Description

Labels: enhancement, agents, security, code-quality, size: large

Epic: #63 - Engineering Agents Integration
Related Issues: Part of breaking down #63 into focused implementation tasks

Epic Context

This issue is part of the larger Engineering Agents Integration epic (#63), which aims to integrate 6 collaborative engineering agents from the engineering-team-agents repository into HVE Core. The epic provides multi-platform support (GitHub Copilot + Claude Code + AGENTS.md) while enhancing the existing research → plan → implement workflow with quality gates at strategic points.

This specific issue focuses on the during-implementation security validation phase, adding the Code Reviewer agent that catches OWASP vulnerabilities early with specific fixes before reaching @pr-review final gate.

Overview

Integrate the Code Reviewer agent to provide OWASP security pattern validation and code quality checks during development, with consideration for integration into existing PR workflows or as a new command.

User Story

As a developer on the HVE Core team, I want security validation during development with specific code fixes, so that I catch OWASP vulnerabilities early when fixes are small rather than during final PR review when context is lost.

Context

• Current Gap: Security issues found too late (during @pr-review = large refactors)
• Problem: Late security discovery = expensive fixes, delayed releases, context loss
• Value Add: 80% faster security fixes, caught early with fresh context
• Integration Point: During implementation, before @pr-review final gate
• Integration Decision: May integrate into existing PR workflow, become new command, or merge with existing command (requires analysis)

Source Repository

• Engineering Team Agents: https://github.com/niksacdev/engineering-team-agents
• Code Reviewer Agent: https://github.com/niksacdev/engineering-team-agents/blob/main/.claude/agents/code-reviewer.md
• Code Review Template: https://github.com/niksacdev/engineering-team-agents/tree/main/docs/templates
• Original Proposal: feat(agents): Engineering Agents Integration #63

Acceptance Criteria

• Code Reviewer agent works in Claude Code (.claude/agents/)
• Code Reviewer agent works in GitHub Copilot (.github/agents/ and .github/chatmodes/)
• AGENTS.md includes agent in universal format
• Agent creates code review reports in docs/code-review/
• Code review report template added to docs/templates/
• Agent applies OWASP Top 10 security patterns
• Agent applies OWASP LLM Top 10 (AI systems)
• Agent applies OWASP ML Security Top 10 (ML systems)
• Agent implements Zero Trust security verification
• Agent provides specific code fixes (not just problems)
• Agent can consult Architecture, DevOps, and Responsible AI
• Integration analysis completed: Command vs PR workflow vs merge with existing
• Agent follows HVE Core conventions
• All existing HVE Core tests pass

Technical Requirements

• Platform Support: Claude Code, GitHub Copilot (native + chatmodes), universal AGENTS.md
• Documentation Structure:
  • docs/code-review/[date]-[component]-review.md
  • docs/templates/code-review-report-template.md
• Security Frameworks:
  • OWASP Top 10 (A01-A10)
  • OWASP LLM Top 10 (LLM01-LLM10)
  • OWASP ML Security Top 10 (ML01-ML10)
  • Zero Trust principles
• Review Categories: Security (priority), Reliability, Performance (>1K users), Maintainability
• Output Format: Specific code fixes with before/after examples, not just problem identification

Implementation Phases

Phase 1: Analysis & Design

1. Analyze existing HVE Core PR workflow and commands
2. Determine optimal integration approach:
   • Option A: New standalone command (@code-review)
   • Option B: Integrate into existing PR workflow
   • Option C: Merge/enhance existing command
3. Document decision rationale (create ADR)

Phase 2: Port Agent

1. Adapt code-reviewer.md from source repository
2. Modify based on integration decision from Phase 1
3. Create Claude version (.claude/agents/)
4. Create GitHub native version (.github/agents/)
5. Create GitHub chatmode version (.github/chatmodes/)
6. Add agent to AGENTS.md

Phase 3: Documentation Setup

1. Create docs/code-review/ directory
2. Port code review report template
3. Add OWASP framework references
4. Add cross-references to existing instructions

Phase 4: Integration & Testing

1. Test agent in Claude Code
2. Test agent in GitHub Copilot
3. Validate code review report workflow
4. Test OWASP pattern detection
5. Test cross-agent collaboration (Code Reviewer → Architecture)
6. Validate backward compatibility
7. Test integration with existing PR workflow/commands

Definition of Done

• Integration approach analyzed and documented (ADR created)
• Agent works in all three formats
• Code review report template functional
• OWASP security checks working (Top 10, LLM, ML)
• Specific code fixes provided (before/after examples)
• Cross-agent collaboration working
• Integration with HVE Core workflow complete
• README.md updated with security workflow
• All existing tests pass
• No breaking changes to existing workflow

Dependencies

• Issue feat(agents): Integrate System Architecture Reviewer for ADR Creation and Technical Decision Documentation #92 (Architecture Reviewer) - for cross-agent consultation
• Existing HVE Core PR workflow analysis

Related Documentation

• Source Repository: https://github.com/niksacdev/engineering-team-agents
• Code Reviewer Agent: https://github.com/niksacdev/engineering-team-agents/blob/main/.claude/agents/code-reviewer.md
• Issue feat(agents): Engineering Agents Integration #63: feat(agents): Engineering Agents Integration #63
• OWASP Top 10: https://owasp.org/www-project-top-ten/
• OWASP LLM Top 10: https://owasp.org/www-project-top-10-for-large-language-model-applications/
• OWASP ML Security: https://owasp.org/www-project-machine-learning-security-top-10/

Notes

• Backward Compatibility: Must not break existing PR review workflow
• Maintainer Consultation: Recommend discussing integration approach in issue comments before implementation

Additional Context

No response

[WilliamBerryiii]

@niksacdev - moved this over to a discussion for now given that we're weighing claude code integration and a shim layer to make that work with the existing migration to skills. I'll have an update on this shortly and I'm going to start laying out how we plan to do persona-based distribution of hve-core components so that we can provide different users different prompt suites. One of the issues I have with SpecKit and Awesome copilot is they have turned into a bit of a grab bag ... and it's hard to sort the cruft from the gold.

[niksacdev]

Thanks @WilliamBerryiii - agree the awesome copilot repo. for Claude Code - I have come up with the approach in my repos where I have a leading AI Assistant like Copilot or Claude Code and then created a sync-coordinator agent that keeps all my agents files (agents.md, claude) and the corresponding agent in sync. Essentially, I create and manage only one AI Assistance profile and they are automatically propogtated for other compatible agents. Further, the sync-coordinator agent is tuned to work for the repo so it is able to make sure all updates and decisions in the repo and applied to all engineering agents across these paltforms to keep them current and relevant. I have the sync-coordinator agent available here and happy to discuss Claude Code integration - https://github.com/niksacdev/engineering-team-agents/blob/main/.claude/agents/sync-coordinator.md

[JasonTheDeveloper]

I would probably expand the security frameworks to include other AI related OWASP top 10s like:

• OWASP Top 10 for Agentic Applications for 2026
• OWASP MCP Top 10

Aside from those two, you may also want to consider adding other non-AI related OWASP top 10s like:

• OWASP Top 10 CI/CD Securtiy Risks
• OWASP Docker Top 10
• OWASP Top 10 Infrastructure Security Risks
• OWASP Mobile Top 10
• OWASP Top 10 Risks for Open Source Software
• OWASP Serverless Top 10

Adding these would cover a wider breath of topics a user may be working on and need reviewing but the agent.

I've gotten a head start of this. I've extracted documentation from OWASP and created skills based on them in this repo https://github.com/JasonTheDeveloper/owasp-skills. You'll also find the source documentation under docs/ as well.

[WilliamBerryiii]

Architectural Proposal: Security Review Agent Composition

I've been thinking through how we might architect the security review agent work and wanted to share a proposal for the community to react to. This isn't set in stone; I'm looking for feedback on the approach before we start building.

The Core Idea

My thinking is that a single monolithic security instruction can't provide meaningful interrogation of a codebase. Each security standard (OWASP Web vs. OWASP LLM vs. STRIDE, for example) asks fundamentally different questions, and trying to cram them all into one file forces you into surface-level pattern matching rather than deep analysis.

I'd like to propose that each security standard gets its own instruction file, and an agent selects the right ones based on what kind of code it's looking at. This same pattern would cover OWASP's 11 frameworks and adjacent standards like Microsoft RAI, STRIDE, MITRE ATLAS, Zero Trust, and NIST AI RMF.

Proposed Architecture: Layered Composition with Shared Specification

Here's how I'm imagining the layers fitting together:

graph TB
    subgraph "Entry Points (Prompts)"
        P1["security-review.prompt.md<br/>(general — agent auto-selects)"]
        P2["security-review-web.prompt.md"]
        P3["security-review-ai.prompt.md"]
        P4["security-review-devops.prompt.md"]
        P5["security-review-compliance.prompt.md"]
    end

    subgraph "Agent Layer"
        A["security-review.agent.md<br/>Codebase Classification<br/>+ Standard Selection"]
    end

    subgraph "Shared Specification"
        SPEC["security-review-planning.instructions.md<br/>Review protocol · Severity taxonomy<br/>Output format · Cross-standard dedup<br/>CWE mapping conventions<br/>(~650–800 lines)"]
    end

    subgraph "OWASP Framework Instructions (11)"
        OW["owasp-web · owasp-llm<br/>owasp-agentic · owasp-mcp<br/>owasp-cicd · owasp-docker<br/>owasp-infrastructure · owasp-mobile<br/>owasp-ml · owasp-oss<br/>owasp-serverless"]
    end

    subgraph "Adjacent Standard Instructions (5)"
        AS1["rai.instructions.md<br/>Microsoft Responsible AI<br/>6 principles + evaluation"]
        AS2["stride.instructions.md<br/>STRIDE threat modeling<br/>protocol"]
        AS3["mitre-atlas.instructions.md<br/>Adversarial ML threat<br/>evaluation"]
        AS4["zero-trust.instructions.md<br/>Zero Trust architecture<br/>assessment"]
        AS5["nist-ai-rmf.instructions.md<br/>NIST AI Risk Mgmt<br/>Framework compliance"]
    end

    subgraph "Skills Layer (on-demand deep reference)"
        SK1["11 OWASP vulnerability skills<br/>(adopted from owasp-skills)"]
        SK2["rai-principles/<br/>Fairness · Reliability · Privacy<br/>Inclusiveness · Transparency<br/>Accountability"]
        SK3["stride-methodology/<br/>Threat modeling patterns<br/>+ data flow analysis"]
        SK4["mitre-atlas-techniques/<br/>Adversarial ML technique<br/>catalog"]
    end

    P1 --> A
    P2 --> A
    P3 --> A
    P4 --> A
    P5 --> A
    A --> SPEC
    A -->|"selects 2-4<br/>standards"| OW
    A -->|"selects"| AS1
    A -->|"selects"| AS2
    A -->|"selects"| AS3
    A -->|"selects"| AS4
    A -->|"selects"| AS5
    SPEC -.->|"shared contract"| OW
    SPEC -.->|"shared contract"| AS1
    SPEC -.->|"shared contract"| AS2
    OW -.->|"deep reference"| SK1
    AS1 -.->|"deep reference"| SK2
    AS2 -.->|"deep reference"| SK3
    AS3 -.->|"deep reference"| SK4

Loading

The key insight is that the agent classifies the codebase first, then pulls in only the 2-4 standards that actually apply. You never load everything at once.

Why Per-Standard Instead of Monolithic?

I considered three approaches and wanted to lay out the tradeoffs transparently so we can discuss:

Approach	Files	Depth per Category	Context per Review	My Take
Per-standard (proposed)	16 instructions	~40-80 lines (deep checklists, scenarios, remediation)	~3,000-9,000 tokens	Preferred: deep enough to be useful
Monolithic	1 file	~15 lines per category (pattern matching only)	~20,000-30,000 tokens	Too shallow to catch real issues
Per-vulnerability	110+ files	Maximum	Classification chicken-and-egg	Impractical: you need to know the vuln to load the file

I think per-standard hits the sweet spot, but I'd love to hear if anyone sees a different balance here.

Standards Coverage

I'm proposing three tiers. The first two tiers get dedicated instruction files; the third tier lives as reference mappings inside the shared specification.

Tier 1: OWASP Frameworks (11 instruction files)

Each framework would get its own instruction with detection checklists, severity guidance, and skill references for all 10 categories within that framework.

Framework	ID Prefix	Relevance
Web Application Security	A01-A10	Web/API projects
LLM Applications	LLM01-LLM10	AI/LLM systems
Agentic Applications	ASI01-ASI10	AI agents, MCP-connected
MCP Top 10	MCP01-MCP10	MCP server/client
CI/CD Security	CICD-SEC-1-10	DevOps pipelines
Docker Top 10	D01-D10	Container security
Infrastructure	INF01-INF10	Cloud/infra
Mobile Top 10	M01-M10	Mobile apps
ML Security	ML01-ML10	ML systems
Open Source Software	OSS01-OSS10	OSS consumption
Serverless Top 10	SLS01-SLS10	Serverless/FaaS

Tier 2: Adjacent Security Standards (5 instruction files)

These complement OWASP's vulnerability focus with methodology, compliance, and ethical dimensions. I think this is where the architecture gets interesting, because vulnerability lists alone don't cover everything a thorough review needs.

Standard	Instruction	What It Adds	When Loaded
Microsoft RAI	rai.instructions.md	6 principles: Fairness, Reliability & Safety, Privacy & Security, Inclusiveness, Transparency, Accountability. Covers the ethical and responsible AI dimensions that OWASP doesn't address.	AI/LLM reviews, compliance reviews
STRIDE	stride.instructions.md	Structured threat modeling methodology (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege). Provides the process for discovering threats rather than checking known lists.	Architecture reviews, new components
MITRE ATLAS	mitre-atlas.instructions.md	Adversarial ML attack techniques (AML.T0043 Craft Adversarial Data, AML.T0048 Evade ML Model, etc.). Covers the attacker perspective that OWASP ML/LLM approach from the defense side.	AI/ML reviews, red team assessments
Zero Trust	zero-trust.instructions.md	Architecture-level evaluation: verify explicitly, least privilege, assume breach. Evaluates identity, device, network, application, data, and infrastructure pillars.	Architecture reviews, infra reviews
NIST AI RMF	nist-ai-rmf.instructions.md	AI Risk Management Framework (NIST AI 100-1): Govern, Map, Measure, Manage. Provides regulatory/compliance alignment and maps to ISO/IEC 42001 and EU AI Act categories.	Compliance reviews, AI governance

If the community sees other standards that should be in this tier, I'm open to expanding it. The pattern is the same regardless of count.

Tier 3: Reference Mappings (in shared specification)

These standards serve as cross-reference taxonomies rather than evaluation protocols, so I'd suggest embedding them in the shared specification rather than giving them dedicated instruction files.

Standard	Integration Point	Purpose
CWE (Common Weakness Enumeration)	Shared specification	Each finding maps to CWE IDs for language-neutral, vendor-neutral identification.
OpenSSF Scorecard	OSS instruction + shared spec	Supply chain security checks for open source dependencies.
CVSS	Shared specification severity taxonomy	Quantifiable severity scoring aligned with CVSS v4 ranges.

How RAI Differs from OWASP

I want to call this out because I think it's worth understanding why both are needed. They ask fundamentally different questions:

OWASP (vulnerability-focused):    RAI (principle-focused):
"Is there a prompt injection?"    "Is the system fair and inclusive?"
"Is output properly sanitized?"   "Can users contest AI decisions?"
"Are secrets exposed?"            "Is there adequate human oversight?"
"Is access control enforced?"     "What's the societal impact?"

A rai.instructions.md instruction would provide a review checklist covering:

• Fairness: biased outputs, exclusionary patterns, accessibility gaps
• Reliability & Safety: output consistency, failure modes, safety boundaries
• Privacy & Security: data handling, context leakage, PII exposure
• Inclusiveness: language, accessibility, cultural sensitivity
• Transparency: explainability, documentation, user understanding
• Accountability: responsibility chains, audit trails, governance

RAI assessments should be included in threat models, like we do here in hve-core. We should consider RAI assessment to me more than just adjacent to core security.

Proposed File Tree

Here's what the file layout could look like. Happy to iterate on naming conventions or organization if people have preferences:

.github/
├── agents/
│   └── security-review.agent.md
├── prompts/
│   ├── security-review.prompt.md              # General (agent auto-selects)
│   ├── security-review-web.prompt.md          # Web + OSS
│   ├── security-review-ai.prompt.md           # LLM + Agentic + MCP + ML + RAI + ATLAS
│   ├── security-review-devops.prompt.md       # CI/CD + Docker + Infra + Zero Trust
│   └── security-review-compliance.prompt.md   # RAI + NIST AI RMF + Zero Trust
├── instructions/
│   └── security/
│       ├── security-review-planning.instructions.md  # Shared spec (~800 lines)
│       ├── owasp-web.instructions.md                 # OWASP Web (A01-A10)
│       ├── owasp-llm.instructions.md                 # OWASP LLM (LLM01-LLM10)
│       ├── owasp-agentic.instructions.md             # OWASP Agentic (ASI01-ASI10)
│       ├── owasp-mcp.instructions.md                 # OWASP MCP (MCP01-MCP10)
│       ├── owasp-cicd.instructions.md                # OWASP CI/CD (CICD-SEC-1-10)
│       ├── owasp-docker.instructions.md              # OWASP Docker (D01-D10)
│       ├── owasp-infrastructure.instructions.md      # OWASP Infrastructure (INF01-INF10)
│       ├── owasp-mobile.instructions.md              # OWASP Mobile (M01-M10)
│       ├── owasp-ml.instructions.md                  # OWASP ML (ML01-ML10)
│       ├── owasp-oss.instructions.md                 # OWASP OSS (OSS01-OSS10)
│       ├── owasp-serverless.instructions.md          # OWASP Serverless (SLS01-SLS10)
│       ├── rai.instructions.md                       # Microsoft Responsible AI
│       ├── stride.instructions.md                    # STRIDE threat modeling
│       ├── mitre-atlas.instructions.md               # MITRE ATLAS adversarial ML
│       ├── zero-trust.instructions.md                # Zero Trust architecture
│       └── nist-ai-rmf.instructions.md               # NIST AI Risk Mgmt Framework
└── skills/
    ├── owasp-web-vulnerabilities/                    # 11 OWASP skills
    ├── owasp-llm-vulnerabilities/                    #   (adopted from owasp-skills)
    ├── ... (9 more OWASP skills)
    ├── rai-principles/                               # RAI deep reference
    │   ├── SKILL.md
    │   └── references/
    ├── stride-methodology/                           # STRIDE patterns + examples
    │   ├── SKILL.md
    │   └── references/
    └── mitre-atlas-techniques/                       # ATLAS technique catalog
        ├── SKILL.md
        └── references/

Token Budget Estimates

One concern I wanted to address head-on is context window cost. Here's my rough estimate of what each review scenario would consume:

Review Scenario	Standards Loaded	Est. Tokens
Web-only	Shared spec + Web	~3,000-4,000
AI/LLM review	Shared spec + LLM + Agentic + MCP + RAI	~9,000-12,000
DevOps review	Shared spec + CI/CD + Docker + Infra + Zero Trust	~9,000-12,000
Compliance review	Shared spec + RAI + NIST AI RMF + Zero Trust	~7,000-9,000
Architecture review	Shared spec + STRIDE + Zero Trust + 1-2 OWASP	~7,000-9,000
Skill deep-dive (1 vuln)	+ 1 reference doc	+1,500-2,500
Monolithic everything	All 16 standards inline	~40,000-50,000

The per-standard approach keeps any single review well within context limits. The monolithic alternative would consume most of the context window before the agent even starts looking at code.

Composition Pattern

The idea is that the agent selects standards based on codebase classification, not manual selection. A developer shouldn't need to know which OWASP framework applies to their code.

Prompt Entry Point	Auto-Selected Standards
security-review.prompt.md	Agent classifies codebase, selects 2-4 relevant standards
security-review-web.prompt.md	Web + OSS
security-review-ai.prompt.md	LLM + Agentic + MCP + ML + RAI + MITRE ATLAS
security-review-devops.prompt.md	CI/CD + Docker + Infrastructure + Zero Trust
security-review-compliance.prompt.md	RAI + NIST AI RMF + Zero Trust

Suggested Implementation Path

I'd suggest phasing this so each phase delivers standalone value. No need to build everything before any of it is useful:

1. Phase 1 (Foundation): Shared specification + Web instruction + agent + general prompt
2. Phase 2 (AI Stack): LLM + Agentic + MCP + RAI + MITRE ATLAS instructions
3. Phase 3 (DevOps Stack): CI/CD + Docker + Infrastructure + Zero Trust instructions
4. Phase 4 (Remaining): Mobile + ML + OSS + Serverless + STRIDE + NIST AI RMF
5. Phase 5 (Skills): Adopt owasp-skills, create RAI/STRIDE/ATLAS skill packages

Thoughts?

A few open questions I'd love the community's input on:

• Does the per-standard granularity feel right, or should some standards be combined?
• Are there standards missing from the Tier 2 list that you'd want to see?
• Does the phasing order make sense for the work you're doing?
• Any concerns about the token budget estimates or the composition approach?

[katriendg]

Love the phased approach and the per-standard modularity — Phase 1 makes total sense as
a starting point. I'd like to propose a slightly different packaging though: skills
instead of instruction files for the security standards.

Why not .instructions.md?

The core issue is that .instructions.md files are architecturally file-centric — they
answer "when editing file type X, what rules apply?" via applyTo glob patterns. Security
standards don't have a natural file type to target:

• No applyTo → non-deterministic loading (relies on description matching, which is
  best-effort)
• applyTo: '**' → 16 standards × ~80 lines = ~1,280 lines injected into every
  single request, regardless of relevance
• Synthetic paths (e.g., .copilot-tracking/security/) → misleading activation that
  depends on file operations happening in the right order

Instructions also lack progressive disclosure — the full body loads on any match — and
they're VS Code/GitHub.com only. Not portable to Copilot CLI, Claude Code, or other
tools supporting the Agent Skills standard.

The alternative: SKILL.md packages

Each security standard becomes a skill directory under .github/skills/:

.github/skills/
├── owasp-top-10/
│   ├── SKILL.md              # ~80 lines: overview + checklist
│   └── references/
│       ├── REFERENCE.md      # Detailed vulnerability descriptions
│       └── checklist.md      # Assessment template
├── stride-methodology/
│   ├── SKILL.md
│   └── references/
│       └── REFERENCE.md
├── rai-principles/
│   ├── SKILL.md
│   └── references/
│       └── REFERENCE.md
├── owasp-llm/
│   └── SKILL.md
├── owasp-agentic/
│   └── SKILL.md
├── ... (remaining standards)

.github/agents/
├── security-reviewer.agent.md
└── subagents/
    └── security-standard-analyst.agent.md

Skills give us three things instructions can't:

1. Progressive disclosure — only name + description (~100 tokens per skill) load
   at startup. The full body loads only when the task is relevant. 16 standards cost
   ~1,600 tokens baseline vs 25,600 for always-on instructions.
2. Intent-based discovery — the model discovers relevant standards from descriptions
   automatically. No applyTo needed, no #file: wiring.
3. Resource packaging — checklists, scoring matrices, templates, and reference docs
   bundle alongside the skill in references/ and assets/.

Background knowledge skills use user-invokable: false so they're discoverable by the
model but don't clutter the user's slash command menu.

Composition: agent → subagent (not agent → skill)

Rather than having the agent "call" skills directly, the agent orchestrates via subagents
that read skill files as domain knowledge — the same file-reading pattern any research
subagent uses:

graph TD
    A["👤 User: Review security"] --> B["🔍 security-reviewer.agent.md<br/><i>Parent Agent</i>"]

    B --> C["📋 Classify Codebase"]
    C --> D{"Codebase Type?"}

    D -->|"Web / API"| E["📦 owasp-top-10<br/>📦 stride<br/>📦 zero-trust"]
    D -->|"AI / LLM"| F["📦 owasp-llm<br/>📦 owasp-agentic<br/>📦 rai-principles<br/>📦 mitre-atlas"]
    D -->|"DevOps / Infra"| G["📦 owasp-cicd<br/>📦 zero-trust<br/>📦 owasp-docker"]

    E --> H["⚡ Run Parallel Subagents"]
    F --> H
    G --> H

    subgraph "Per-Standard Subagent Execution"
        H -->|"For each standard"| I["🤖 security-standard-analyst<br/><i>Subagent</i>"]
        I -->|"1. Read"| J["📄 SKILL.md + references/"]
        I -->|"2. Analyze"| K["🔎 Codebase Files"]
        I -->|"3. Write"| L["📝 Standard Findings"]
    end

    L --> M["📊 Consolidate Findings"]
    M --> N["📋 Security Review Report<br/><i>Severity • Evidence • Fixes</i>"]

Loading

The security-reviewer.agent.md parent agent:

1. Classifies the codebase (web, API, AI/LLM, DevOps, mobile, etc.)
2. Selects 2-4 relevant standard skills based on classification
3. Runs parallel security-standard-analyst subagents — each reads the assigned
   skill's SKILL.md and references/ for domain knowledge, then applies it against
   the codebase
4. Consolidates subagent findings into a unified security review report with severity,
   evidence, and specific code fixes

The subagent doesn't "call" the skill — it reads the skill's files as context, the same
way researcher-subagent reads any codebase file. This keeps the composition boundary
clean: agents orchestrate subagents, subagents consume files.

Token budget comparison

Approach	Always-loaded	Per standard (on-demand)	4-standard review
Instructions applyTo: '**'	~25,600	0	25,600
Instructions (no applyTo)	0	~1,600	~6,400
Skills (proposed)	~1,600 (metadata)	~1,600	~8,000

Skills add ~1,600 tokens baseline for discovery awareness (the model knows all 16
standards exist) while keeping any single review well within context limits.

Cross-platform portability

SKILL.md follows the open Agent Skills standard, supported
by VS Code, Copilot CLI, Claude Code, and 15+ other AI tools. Instructions are VS Code
and GitHub.com only. For a distributable artifact like this, skills reach the broadest
audience.

On Claude Code specifically, the subagent equivalent can declare skills: [owasp-top-10]
in its frontmatter, which preloads the full skill content at startup — the runtime injects
the domain knowledge automatically.

Phasing (same as proposed, different packaging)

1. Phase 1: OWASP Top 10 + STRIDE + RAI as skills, plus the security reviewer agent
   with subagent composition
2. Phase 2: LLM + Agentic + MCP + ML + MITRE ATLAS skills
3. Phase 3: CI/CD + Docker + Infrastructure + Zero Trust skills
4. Phase 4: Mobile + OSS + Serverless + NIST AI RMF + remaining standards

Same phasing, same per-standard modularity, same token-efficient selective loading —
just packaged as skills rather than instructions for better discovery, portability, and
progressive disclosure.

Tagging @agreaves-ms for insights into SKILLs usage and experience.
And @obrocki for joining with his initial work on a Security champion agent and skills.

Thoughts?

[JasonTheDeveloper]

I was actually thinking about something similar funnily enough. I created an agent based off my skills that would pick which skills to use based on the code base. The agent would then load each skill and go through everything in the same context window (no subagents). The results looked good but the context window blew out massively.

I switched to using subagents but rather than grouping skills like the way you've described it (web/api, ai/llm, devops/infra), my skills are broken into individual OWASP top 10 skills and I've created a subagent for each individual skill. That way each subagent can focus on one set of vulnerabilities (e.g. mobile). As a result, it appears the agents are going more in depth and are able to point out more vulnerabilities than the non-subagent approach.

No Subagents	Subagents

The overall context window dropped down from 93% to 71%.

If you're interested here's my agent: vulnerability-scanner.agent.md

[katriendg]

Thanks so much for sharing this progress @JasonTheDeveloper. We are now also experimenting more with Skills, and I love that you were able to get them to run as subagents, which is exactly the direction I would hope skills run mostly anyways.

For the extent of this work, it can also be relevant to look into a thin main agent layer and having a few subagents (next to skills). @agreaves-ms has been refactoring some of our agents (like RPI) into dedicated subagents (non user invocable so they also don't appear in the Agent picker), and the results are quite fascinating. See https://github.com/microsoft/hve-core/tree/main/.github/agents/hve-core/subagents folder and parent.

Very nice work with the agent! The difference in your first vs second test is quite big.

[frtibble]

Adding another +1 to the per-standard approach, and a +1 to the use of skills.

One of the ideas @JasonTheDeveloper had was around adding an evaluation piece for skills. For each of the different standards we could create a golden data set of example code snippets and evaluate how effective the skill is at identifying vulnerabilities in them. The benefit being that we can track regressions and compare different versions of a skill over time. I wondered if there is any existing capability in HVE-core that would support this? Or if that was functionality that would need to be designed? And then finally, and the reason for raising it here, is where might that fit in the phased approach (if it does)?

Another point, is that I feel the RAI topic is a big one. I don't know everyone's backgrounds here, but it would be good to include input from RAI champ(s) to help shape that.

[JasonTheDeveloper]

@willvelida you mentioned you were keen to contribute STRIDE related content. See above.

[obrocki]

Had a sync with @katriendg and @JasonTheDeveloper this week. We converged on OWASP Web/API as the MVP — start narrow, deliver value, iterate. Security is a minefield and trying to land all 16 standards at once will stall us.

Where PR #408 fits:
PR #408 was my initial cut at a security champion agent with SDL + OWASP. After reviewing @katriendg's architectural direction in this discussion — skills over instructions, subagent composition, per-standard granularity — it's clear #408 needs to be reshaped to align with the composition model.

@katriendg's analysis identified the key gaps: the monolithic skill needs splitting into per-standard packages, the agent needs subagent delegation, we need pre-built prompts for domain-specific reviews, and hardcoded paths should give way to semantic discovery. All agreed.

Proposed MVP (Phase 1) scope:
Building on @katriendg's proposed structure, I'd suggest Phase 1 be scoped to OWASP Top 10 (Web) only, plus the foundational agent/subagent/prompt skeleton:

.github/
├── agents/security-planning/
│   ├── security-reviewer.agent.md              # Parent orchestrator
│   └── subagents/
│       └── security-standard-analyst.agent.md  # Reusable per-standard subagent
├── prompts/security-planning/
│   ├── security-review.prompt.md               # General (agent auto-selects)
│   └── security-review-web.prompt.md           # Web-focused
└── skills/security-planning/
    └── owasp-top-10/                           # MVP: Web only
        ├── SKILL.md
        └── references/

STRIDE, RAI, Secure by Design and the remaining OWASP frameworks slot into Phase 2+ once the skeleton is proven. The foundation matters more than completeness — tooling will evolve anyway, so the value is in the composition pattern, not coverage breadth.

Next steps:
I'll rework #408 to align with this architecture
We should create tracking issues for the MVP deliverables
@JasonTheDeveloper's owasp-skills reference content can feed directly into the owasp-top-10/ skill
Happy to pick up the MVP implementation once we agree on scope.

[katriendg]

Thanks @obrocki - can we please hold off implementing before @JasonTheDeveloper can supply his feedback and we align with some of my input?

There are a few things in the above approach that still need reflection: one of the key things is we need to address the collection packaging of any existing (security-plann-creator.agent.md) into this new delivery mechanism, which part of the thin agent to create, integrate subagent & temporary .copilot-tracking report files creation, which initial skills, etc.

The next steps are:

1. Alignement: on approach for MVP (what is part of MVP, agent, skills, directory structure, collection experimental maturity setup, other key decisions, ...). Allow time for feedback from folks involved in this thread.
2. Creation of detailed backlog issues where we can separate out tasks and dependencies so several folks can pick-up issues and progress in parallel for this MVP).
3. Do the work based on issues assigned to folks.

I fully understand you are eager to get stuff implemented but by the breadth and complexity of this topic, but having a few more iterations, and fully planning the work first, will result in better and higher quality deliverables.

[obrocki]

Absolutely, sounds good! 👍

[JasonTheDeveloper]

Looks good. I would suggest maybe also introducing the following topics in addition to web/API:

• OWASP Top 10 for LLM Applications 2025
• OWASP Top 10 for Agentic Applications for 2026

A lot of our work nowadays revolve around agentic applications and using LLMs so I'm thinking it might be good to cover these as part of phase 1 as well. Happy to park it for a later phase also.

Thoughts @obrocki / @katriendg ?

[katriendg]

Here's our current thinking for MVP @JasonTheDeveloper @obrocki - we start planning this in the backlog.

Security Reviewer — MVP Scope & Phased Approach

Based on our discussion consensus, here's the proposed MVP and phased roadmap.

Key Approach

Skills-first, agent-thin. OWASP domain knowledge lives entirely in self-contained skills (SKILL.md + reference files). A single thin orchestrator agent classifies the codebase, selects relevant skills, and delegates per-skill reviews via inline subagent prompts — adopting @JasonTheDeveloper's proven vulnerability-scanner pattern from owasp-skills. No OWASP knowledge lives in the agent body itself.

Output is structured and consistent: a two-layer taxonomy (assessment status: PASS/FAIL/PARTIAL/NOT_ASSESSED × severity: CRITICAL/HIGH/MEDIUM/LOW) with findings written to .copilot-tracking/security/ as ephemeral tracking files.

MVP (Phase 1)

Deliverable	Description
Collection rename	security-planning → security (broader scope, preserves existing artifacts)
3 initial skills	owasp-top-10 (Web), owasp-llm (LLM), owasp-agentic (Agentic) — adapted from @JasonTheDeveloper's owasp-skills reference content
Thin agent	security-reviewer.agent.md — 4-step flow: classify codebase → select skills → delegate via subagent prompts → consolidate report
3 prompts	security-review.prompt.md (general) + security-review-web.prompt.md (web-focused) + security-review-llm.prompt.md
Output format	Standardized severity/status taxonomy, sub-agent output contract, final report template
Documentation	Updated collection docs, CAUTION disclaimers, maturity: experimental

The 3 skills were chosen because Web covers the most common case, and LLM + Agentic directly align with the team's daily work building AI-integrated systems.

Taking this approach in MVP form with a limited set allows for testing in experimental mode, collecting value and adatping before iterating for all other skills.

Depending on success rates, subagents may be created in addition to skills. Testing feedback and evolution of tooling will play a role.

Phase 2: AI + Methodology Skills

• Port MCP, ML, MITRE ATLAS skills from owasp-skills
• Author STRIDE methodology skill
• Author RAI principles skill (needs RAI champion input)
• Design full shared specification with multi-layer taxonomy (confidence, priority, remediation status)
• Domain-specific AI prompt + lifecycle prompts (plan, progress tracking)

Phase 3: DevOps + Infrastructure

• Port CI/CD, Docker, Infrastructure, Zero Trust skills
• DevOps and compliance-focused prompts

Phase 4: Remaining Standards + Evaluation

• Mobile, OSS, Serverless, NIST AI RMF skills
• Evaluation framework with golden datasets

Implementation Order

#	Issue	Depends On
1	Rename security-planning collection → security	None
2	Create owasp-top-10 skill	1
3	Create owasp-llm skill	1
4	Create owasp-agentic skill	1
5	Create security-reviewer.agent.md	1
6	Create security-review and security-review-web prompts	5
7	Update collection manifest with new artifacts	2–6
8	End-to-end validation	1–7

Issues 2–4 (skills) can run in parallel after the collection rename (1). The agent (5) can start in parallel with skills (references skill paths, content can be stubbed). Prompts (6) depend on the agent. 7 and 8 are final integration steps.

Full research document with detailed agent frontmatter, skill adaptation tables, output format templates, and subagent prompt templates is available for reference internally.

[JasonTheDeveloper]

LGTM!