
feat(agents): add Security Champion agent with SDL and OWASP guidance #408

Closed
obrocki wants to merge 2 commits into microsoft:main from obrocki:feat/security-champion-agent

Conversation

@obrocki (Contributor) commented Feb 4, 2026

Pull Request

Description

Adds a Security Champion agent, skill, and supporting instructions to provide comprehensive security guidance by integrating Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks.

  • Incorporates all 10 Microsoft SDL practices for secure software development
  • Organizes security inspection areas by development lifecycle stage (Design, Code, Build/Deploy, Runtime)
  • Adds guidance for threat modeling, Zero Trust principles, and supply chain security
  • Expands responsibilities to include security design reviews and Secure by Design promotion
  • Maintains existing OWASP Top 10 and OWASP Top 10 for LLM Applications (2025) references
  • Restructures the security champion agent to eliminate context window overhead by moving OWASP content from always-loaded instruction files (applyTo: '**/*') into an on-demand skill with dedicated reference documents

Related Issue(s)

Closes #416

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other projects (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Skills: Must include both bash and PowerShell scripts. See Skills.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Sample Prompts (for AI Artifact Contributions)

[image: screenshot of sample prompts]

Testing

  • Tested prompts against security review scenarios
  • Verified agent loads skill content on demand rather than via always-loaded instructions

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

Additional Notes

Reviewed contribution with prompt-builder agent.

Copilot AI review requested due to automatic review settings February 4, 2026 10:06
@codecov-commenter commented Feb 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.37%. Comparing base (8fd1243) to head (368940e).

Additional details and impacted files


@@           Coverage Diff           @@
##             main     #408   +/-   ##
=======================================
  Coverage   85.37%   85.37%           
=======================================
  Files          27       27           
  Lines        5073     5073           
=======================================
  Hits         4331     4331           
  Misses        742      742           
Flag      Coverage Δ
pester    85.37% <ø> (ø)


Copilot AI left a comment

Pull request overview

This PR adds a Security Champion agent and comprehensive OWASP security instruction files to integrate Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks. The PR introduces security guidance across the development lifecycle, from design through runtime, with detailed coding standards for both traditional web applications and LLM-specific security concerns.

Changes:

  • Adds Security Champion conversational agent for security-focused code review and advisory
  • Introduces comprehensive OWASP Top 10 secure coding instructions for web applications
  • Adds OWASP Top 10 for LLM Applications (2025) secure coding instructions for AI/ML security

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 14 comments.

Files reviewed:

  • .github/agents/security-champion.agent.md: New conversational agent that serves as a security advisor, integrating Microsoft SDL practices with OWASP frameworks to guide security reviews across all development stages
  • .github/instructions/owasp-for-web-applications.instructions.md: New instruction file providing comprehensive secure coding guidelines based on OWASP Top 10, covering vulnerabilities from access control to SSRF
  • .github/instructions/owasp-for-llms.instructions.md: New instruction file providing LLM-specific security guidelines based on OWASP Top 10 for LLM Applications (2025), covering prompt injection, data leakage, and other AI-specific risks

Copilot AI review requested due to automatic review settings February 4, 2026 14:03
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

Copilot AI review requested due to automatic review settings February 4, 2026 14:54
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

@obrocki obrocki marked this pull request as ready for review February 4, 2026 16:24
@obrocki obrocki requested a review from a team as a code owner February 4, 2026 16:24
Copilot AI review requested due to automatic review settings February 4, 2026 16:54
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

@WilliamBerryiii (Member) commented Feb 4, 2026

Hi! A small request: could you update the PR title to include the conventional commit format with scope? This ensures release-please picks it up correctly for the changelog.

Suggested: `feat(agents): add security champion agent with Microsoft SDL practices`

Thanks!

@WilliamBerryiii WilliamBerryiii added this to the v2.2.0 milestone Feb 5, 2026
@katriendg (Contributor) left a comment

Thanks for your contribution. This is valuable; there are a few optimizations I feel are relevant before we merge.

  1. Please re-run the /prompt-analyse or prompt-builder agent, ensure you add your new files to the context, and ask it to review your three files for recommendations. There are several open recommendations you can still apply before we merge.
  2. Evaluate the usage of the .instructions.md files and applyTo. Is it possible to merge them into the custom agent instead? Especially for the LLM application instructions, we do not want to enforce this upon every single edit of applicable files. Again, the Task-Researcher and/or Prompt Builder agents may help you refactor some of this in an efficient way.
  3. Required Phases: given this agent has specific phases (in your case, Stages), you should be able to easily reformat the agent to follow the phases approach. prompt-builder may also do this for you.

Hope these make sense!

Copilot AI review requested due to automatic review settings February 5, 2026 14:52
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Copilot AI review requested due to automatic review settings February 5, 2026 19:48
@obrocki obrocki requested a review from katriendg February 5, 2026 19:49
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@katriendg (Contributor) commented

Thanks for your changes. I think this is looking good for an initial inclusion into the experimental pre-release so we can have some active testing and see how it behaves when used together with some of the other instructions and agents.
Please review any open comments and close them: either adopt the recommendation or leave a note and close the comment. Some of the Copilot comments are valid; some you may just want to discard, or they are simply outdated.
Once all comments are closed I will do a final review and expect approval soon from my side.

Copilot AI review requested due to automatic review settings February 6, 2026 13:28
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Copilot AI review requested due to automatic review settings February 13, 2026 16:56
@obrocki obrocki force-pushed the feat/security-champion-agent branch from 673ade6 to c8e2456 on February 13, 2026 16:56
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

@WilliamBerryiii WilliamBerryiii modified the milestones: v2.3.0, v2.4.0 Feb 13, 2026
Copilot AI review requested due to automatic review settings February 15, 2026 12:50
Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

@obrocki obrocki changed the title from "Adds Security Champion chat / agent mode to provide comprehensive security guidance by integrating Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks." to "Adds Security Champion skills / chat / agent mode to provide comprehensive security guidance by integrating Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks." Feb 15, 2026
@katriendg (Contributor) commented

@obrocki thanks for the refactoring.
I believe we still need to address a few things within the skills, as the content in the skills is still quite monolithic and may benefit from adding structured output formats, detailed OWASP category validations, more actionable detection guidance, etc.
Knowing you are away, I will ping you offline to discuss further, and for now put this PR in draft mode so folks know the status is still in development.

Add security-champion agent with Microsoft SDL practices and OWASP
frameworks for web applications and LLM systems. Includes skill
package with reference documentation for OWASP Top 10 guidelines.

- Security champion agent (experimental) in security-planning collection
- OWASP security skill with web and LLM reference material
- Collection manifests updated for security-planning and hve-core-all
@obrocki obrocki force-pushed the feat/security-champion-agent branch from 73c7476 to 1fcd5a7 on February 24, 2026 14:44
@WilliamBerryiii WilliamBerryiii modified the milestones: v3.0.0, v3.1.0 Feb 26, 2026
@WilliamBerryiii WilliamBerryiii modified the milestones: v3.1.0, v3.2.0 Mar 1, 2026
@WilliamBerryiii WilliamBerryiii changed the title from "Adds Security Champion skills / chat / agent mode to provide comprehensive security guidance by integrating Microsoft's Security Development Lifecycle (SDL) practices alongside existing OWASP frameworks." to "feat(agents): add Security Champion agent with SDL and OWASP guidance" Mar 7, 2026
@WilliamBerryiii (Member) commented

Hey @obrocki — thanks for the Security Champion agent contribution! 🛡️ We've updated the PR title to follow our conventional commits format and restructured the description to align with the current PR template. No action needed on your end.

@WilliamBerryiii (Member) commented

We've updated the PR description to align with the current pull request template. All original content has been preserved and relocated into the appropriate template sections. No action needed on your end — though you're welcome to review the updated description and fill in any remaining sections (testing details, checklist confirmations, etc.) at your convenience.

@katriendg (Contributor) commented

@obrocki closing this one after our offline discussions and the plan for reworking this into the new agent and skills. Looking forward to the reworked contributions.

@katriendg katriendg closed this Mar 9, 2026

Development

Linked issue that merging this pull request may close: feat(agents): Add Security Champion agent with SDL and OWASP guidance (#416, see Related Issue(s) above)

7 participants