Copilot AI commented Jan 18, 2026

Implements a campaign to systematically eliminate code security alerts, prioritizing file write vulnerabilities with intelligent clustering (up to 3 related alerts per fix) and comprehensive inline documentation.

Architecture

Campaign Specification (security-alert-burndown.campaign.md)

  • 3 KPIs: File Write Alerts (10→0), Total Alerts (25→5), Cluster Efficiency (1→2.5 avg)
  • 90-day timeline, daily orchestration schedule
  • Governance: max 10 project updates per run, bounded discovery

Worker Workflow (security-alert-cluster-fixer.md)

  • Engine: Claude for code generation
  • Clustering: Groups alerts by file location, vulnerability type, or root cause
  • Filter: file-write, path-injection, tainted-path vulnerabilities
  • Output: PRs with inline comments explaining vulnerability, fix approach, and security best practices
  • Cache: JSONL tracking to prevent duplicate fixes

Orchestrator (security-alert-burndown-orchestrator.md)

  • Engine: Copilot for coordination
  • Executes workers, discovers outputs via tracker labels
  • Updates GitHub Project board, generates status reports with KPI velocity
  • Imports campaign spec and orchestration instructions via runtime-import

Clustering Strategy

Reduces PR volume while maintaining context:

```
# Instead of 3 separate PRs for related path injection issues
PR #1: Fix path injection in pkg/cli/file_handler.go (line 45)
PR #2: Fix path injection in pkg/cli/file_handler.go (line 89)
PR #3: Fix path injection in pkg/cli/path_utils.go (line 23)

# Creates single clustered PR:
PR: Fix 3 path injection alerts in CLI file operations
```

Code Comments

All fixes include security context:

```javascript
const path = require('path');

// SECURITY FIX (Alert #123, #124):
// Previous: user input used directly in file operations (CWE-22)
// Fix: path.resolve() + validation prevents directory traversal
// (baseDir and userInput are defined by the surrounding code)
const root = path.resolve(baseDir);
const safePath = path.resolve(root, path.normalize(userInput));
// Check against root + separator: a bare startsWith(root) would also accept a
// sibling directory whose name merely begins with the base directory's name
if (safePath !== root && !safePath.startsWith(root + path.sep)) {
  throw new Error('Invalid path: directory traversal detected');
}
```

Dual Engine Rationale

  • Claude: Superior security reasoning and code quality for fix generation
  • Copilot: Efficient orchestration and workflow coordination

Original prompt

Security Alert Burndown

Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments to generated code for fixes. Use Claude for codegen, copilot for campaign manager.

Custom agent used: agentic-campaigns
GitHub Agentic Campaigns - Create and manage multi-workflow campaigns for coordinated automation at scale

Copilot AI and others added 3 commits January 18, 2026 21:44
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement campaign for burndown of security alerts backlog" to "Add security alert burndown campaign with clustering and Claude codegen" on Jan 18, 2026
Copilot AI requested a review from mnkiefer January 18, 2026 21:54