# HVE Core - Security

Security review, planning, incident response, risk assessment, vulnerability analysis, supply chain security, and responsible AI assessment for cloud and hybrid environments.
> [!CAUTION]
> The security agents and prompts in this collection are assistive tools only. They do not replace professional security tooling (SAST, DAST, SCA, penetration testing, compliance scanners) or qualified human review. All AI-generated security artifacts must be reviewed and validated by qualified security professionals before use. AI outputs may contain inaccuracies, miss critical threats, or produce recommendations that are incomplete or inappropriate for your environment.
## Included Artifacts

### Chat Agents

| Name | Description |
|------|-------------|
| codebase-profiler | Scans the repository to build a technology profile and identify which security skills apply to the codebase |
| finding-deep-verifier | Deep adversarial verification of FAIL and PARTIAL findings for a single security skill |
| rai-planner | Responsible AI assessment planning agent with a six-phase conversational workflow. Guides planning against NIST AI RMF 1.0 as the default evaluation framework and prepares the RAI security model, impact assessment, control surface catalog, and dual-format backlog handoff |
| report-generator | Collates verified security skill assessment findings and generates a comprehensive vulnerability report written to .copilot-tracking/security/ |
| researcher-subagent | Research subagent that uses search, file-read, web-fetch, GitHub repository, and MCP tools |
| security-planner | Phase-based security planner that produces security models, standards mappings, and backlog handoff artifacts, with AI/ML component detection and RAI Planner integration |
| security-reviewer | Security skill assessment orchestrator for codebase profiling and vulnerability reporting |
| skill-assessor | Assesses a single security knowledge skill against the codebase, reading vulnerability references and returning structured findings |
| sssc-planner | Guides users through a six-phase assessment of their repository's supply chain security posture against OpenSSF Scorecard, SLSA, Sigstore, and SBOM standards, producing a prioritized backlog that references reusable workflows from hve-core and microsoft/physical-ai-toolchain |
### Prompts

| Name | Description |
|------|-------------|
| incident-response | Incident response workflow for Azure operations scenarios |
| rai-capture | Initiate responsible AI assessment planning from existing knowledge using the RAI Planner agent in capture mode |
| rai-plan-from-prd | Initiate responsible AI assessment planning from PRD/BRD artifacts using the RAI Planner agent in from-prd mode |
| rai-plan-from-security-plan | Initiate responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) |
| risk-register | Creates a concise, well-structured qualitative risk register using a Probability × Impact (P×I) risk matrix |
| security-capture | Initiate security planning from existing notes or knowledge using the Security Planner agent in capture mode |
| security-plan-from-prd | Initiate security planning from PRD/BRD artifacts using the Security Planner agent in from-prd mode |
| security-review | Runs an OWASP vulnerability assessment against the current codebase |
| security-review-llm | Runs OWASP LLM and Agentic vulnerability assessments with codebase profiling for context |
| security-review-sbd | Runs a Secure by Design principles assessment based on UK and Australian government guidance |
| security-review-web | Runs an OWASP Top 10 web vulnerability assessment without codebase profiling |
| sssc-capture | Start a new SSSC assessment via guided conversation using the SSSC Planner agent in capture mode |
| sssc-from-brd | Start an SSSC assessment from existing BRD artifacts using the SSSC Planner agent |
| sssc-from-prd | Start an SSSC assessment from existing PRD artifacts using the SSSC Planner agent |
| sssc-from-security-plan | Extend a Security Planner assessment with supply chain coverage using the SSSC Planner agent |
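The risk-register prompt in the table above works from a Probability × Impact (P×I) matrix. The script below is an added example of that technique, written for this README; it is not hve-core code and does not reproduce the prompt's own output format. The 1-5 ordinal scales, the rating thresholds, and the sample risk entries are assumptions constructed for illustration, not findings from any real assessment.

```python
"""Qualitative risk register built on a Probability x Impact (PxI) matrix.

Added example for this README; not hve-core code. The ordinal scales, the
rating bands, and the sample risks below are assumptions chosen to illustrate
the technique.
"""
from dataclasses import dataclass

# Ordinal 1-5 scales (assumed). Higher is worse.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Rating bands over the 1..25 PxI range (assumed thresholds), highest first.
BANDS = [(15, "critical"), (10, "high"), (5, "medium"), (1, "low")]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: str  # key of PROBABILITY
    impact: str       # key of IMPACT
    owner: str
    treatment: str = "TBD"


def score(risk: Risk) -> int:
    """P x I product; rejects a rating that is not on the defined scales."""
    try:
        return PROBABILITY[risk.probability] * IMPACT[risk.impact]
    except KeyError as exc:
        raise ValueError(f"{risk.risk_id}: unknown rating {exc}") from None


def rating(pxi: int) -> str:
    """Map a PxI score to its qualitative band."""
    for threshold, label in BANDS:
        if pxi >= threshold:
            return label
    raise ValueError(f"score {pxi} is outside the 1..25 range")


def build_register(risks: list[Risk]) -> list[dict]:
    """Score every risk and return rows ordered from highest to lowest PxI.

    Ties are broken by risk_id so the ordering is stable across runs.
    """
    rows = []
    for r in risks:
        s = score(r)
        rows.append({
            "id": r.risk_id, "risk": r.description,
            "P": PROBABILITY[r.probability], "I": IMPACT[r.impact],
            "score": s, "rating": rating(s),
            "owner": r.owner, "treatment": r.treatment,
        })
    rows.sort(key=lambda row: (-row["score"], row["id"]))
    return rows


def matrix(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group risk IDs by (P, I) cell so the register can be drawn as a heat map."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        score(r)  # validate the ratings before indexing
        key = (PROBABILITY[r.probability], IMPACT[r.impact])
        cells.setdefault(key, []).append(r.risk_id)
    return cells


def render_markdown(rows: list[dict]) -> str:
    """Render the sorted register as a Markdown table."""
    lines = ["| ID | Risk | P | I | Score | Rating | Owner | Treatment |",
             "|----|------|---|---|-------|--------|-------|-----------|"]
    for row in rows:
        lines.append("| {id} | {risk} | {P} | {I} | {score} | {rating} | "
                     "{owner} | {treatment} |".format(**row))
    return "\n".join(lines)


# Constructed sample register (illustrative entries only).
SAMPLE_RISKS = [
    Risk("R-01", "Secrets committed to the repository", "possible", "severe",
         "AppSec", "Enable push protection and secret scanning"),
    Risk("R-02", "GitHub Actions referenced by mutable tags", "likely", "major",
         "Platform", "Pin actions to commit SHAs"),
    Risk("R-03", "Transitive dependency with a published CVE", "possible", "moderate",
         "Dev lead", "Add an SCA gate to CI"),
    Risk("R-04", "No SBOM produced for releases", "almost certain", "minor",
         "Release eng"),
    Risk("R-05", "Developer laptop lost with cached tokens", "unlikely", "moderate",
         "IT", "Short-lived tokens and full-disk encryption"),
]

if __name__ == "__main__":
    print(render_markdown(build_register(SAMPLE_RISKS)))
```

Two design points worth carrying into any register you build this way: reject ratings that are not on the agreed scale rather than silently scoring them, and sort with a deterministic tie-break so two runs over the same input produce the same backlog order.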
### Instructions

| Name | Description |
|------|-------------|
| rai-planning/rai-backlog-handoff | RAI review and backlog handoff for Phase 6: review rubric, RAI review summary, and dual-format backlog generation |
| rai-planning/rai-capture-coaching | Exploration-first questioning techniques for RAI capture mode, adapted from Design Thinking research methods |
| rai-planning/rai-identity | RAI Planner identity, six-phase orchestration, state management, and session recovery |
| rai-planning/rai-impact-assessment | RAI impact assessment for Phase 5: control surface taxonomy, evidence register, tradeoff documentation, and work item generation |
| rai-planning/rai-risk-classification | Risk classification screening for Phase 2: prohibited uses gate, risk indicator assessment, and depth tier assignment |
| rai-planning/rai-security-model | RAI security model analysis for Phase 4: AI STRIDE extensions, dual threat IDs, ML STRIDE matrix, and security model merge protocol |
| rai-planning/rai-standards | Embedded RAI standards for Phase 3: NIST AI RMF 1.0 trustworthiness characteristics, subcategory mappings, and framework isolation architecture |
| security/backlog-handoff | Dual-format backlog handoff for ADO and GitHub with content sanitization, autonomy tiers, and work item templates |
| security/identity | Security Planner identity, six-phase orchestration, state management, and session recovery protocols |
| security/operational-buckets | Operational bucket definitions with component classification guidance and cross-cutting security concerns |
| security/security-model | STRIDE-based security model analysis per operational bucket with threat table format and data flow analysis |
| security/sssc-assessment | Phase 2 supply chain assessment protocol with the 27 combined capabilities inventory for the SSSC Planner |
| security/sssc-backlog | Phase 5 dual-format work item generation with templates and priority derivation for the SSSC Planner |
| security/sssc-gap-analysis | Phase 4 gap comparison, adoption categorization, and effort sizing for the SSSC Planner |
| security/sssc-handoff | Phase 6 backlog handoff protocol with Scorecard projections and dual-format output for the SSSC Planner |
| security/sssc-identity | Identity and orchestration instructions for the SSSC Planner agent: six-phase workflow, state.json schema, session recovery, and question cadence |
| security/sssc-standards | Phase 3 OpenSSF Scorecard, SLSA, Best Practices Badge, Sigstore, and SBOM standards mapping for the SSSC Planner |
| security/standards-mapping | Embedded OWASP and NIST security standards, with researcher subagent delegation for CIS, WAF, CAF, and other runtime lookups |
| shared/disclaimer-language | Centralized disclaimer language for AI-assisted planning agents that require a professional review acknowledgment |
| shared/hve-core-location | Records that hve-core is the repository containing this instruction file. If a referenced prompt, instruction, agent, or script is missing from the current directory, walk up this file's directory tree and fall back to that hve-core location |
### Skills

| Name | Description |
|------|-------------|
| owasp-agentic | OWASP Agentic Security Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in AI agent systems - Brought to you by microsoft/hve-core. |
| owasp-cicd | OWASP CI/CD Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in continuous integration and continuous delivery environments - Brought to you by microsoft/hve-core. |
| owasp-infrastructure | OWASP Infrastructure Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in internal IT infrastructure environments - Brought to you by microsoft/hve-core. |
| owasp-llm | OWASP Top 10 for LLM Applications (2025) vulnerability knowledge base for identifying, assessing, and remediating security risks in large language model systems - Brought to you by microsoft/hve-core. |
| owasp-mcp | OWASP MCP Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in Model Context Protocol environments - Brought to you by microsoft/hve-core. |
| owasp-top-10 | OWASP Top 10 for Web Applications (2025) vulnerability knowledge base for identifying, assessing, and remediating security risks in web application environments - Brought to you by microsoft/hve-core. |
| pr-reference | Generates PR reference XML containing commit history and unified diffs between branches, with extension and path filtering. Includes utilities to list changed files by type and read diff chunks. Use when creating pull request descriptions, preparing code reviews, analyzing branch changes, discovering work items from diffs, or generating structured diff summaries. |
| secure-by-design | Secure by Design principles knowledge base for assessing adherence to security-first design, development, and deployment practices across the software lifecycle - Brought to you by microsoft/hve-core. |
| security-reviewer-formats | Format specifications and data contracts for the security reviewer orchestrator and its subagents - Brought to you by microsoft/hve-core. |
## Getting Started

After installing this extension, the chat agents are available in GitHub Copilot Chat:

- Use a custom agent by selecting it from the agent picker drop-down in Copilot Chat
- Run prompts from the Copilot Chat interface
- Instructions need no manual step: they are applied automatically based on file patterns
## Post-Installation Setup

Some chat agents create workflow artifacts in your project directory. See the installation guide for the recommended .gitignore configuration and other setup details.
## Browse All Collections

This extension is part of the HVE ecosystem. See the full list of available collections and capabilities:

Browse Extension Collections
## Pre-release Channel

HVE Core offers two installation channels:

| Channel | Description | Maturity Levels |
|---------|-------------|-----------------|
| Stable | Production-ready artifacts only | stable |
| Pre-release | Early access to new features and experimental artifacts | stable, preview, experimental |

To install the pre-release version, select Install Pre-Release Version from the extension page in VS Code.
## Full Edition

Looking for more agents covering additional domains? Check out the full HVE Core extension.

## Requirements

- VS Code version 1.106.1 or higher
- GitHub Copilot extension

## License

MIT License - see LICENSE for details

## Support

For issues, questions, or contributions, visit the GitHub repository.

Brought to you by Microsoft ISE HVE Essentials