
feat: ghas-pack — Add Dependabot, CodeQL, and Secret Scanning agent skills#1039

Closed
VeVarunSharma wants to merge 5 commits into github:staged from VeVarunSharma:ghas-pack

Conversation

@VeVarunSharma
Contributor

Summary

Adds three new agent skills for GitHub Advanced Security (GHAS) as part of the ghas-pack:

New Skills

  • skills/dependabot/ — Guides Copilot to configure and troubleshoot Dependabot version updates and security alerts, with reference docs for dependabot.yml, example configs, and PR commands.
  • skills/codeql/ — Guides Copilot to set up and manage CodeQL code scanning workflows, with reference docs for CLI commands, alert management, SARIF output, compiled language setup, workflow configuration, and troubleshooting.
  • skills/secret-scanning/ — Guides Copilot to configure and manage secret scanning alerts, push protection, and custom patterns, with reference docs for alerts/remediation, custom patterns, and push protection.

Files Added (15 files)

| Skill | Files |
|---|---|
| dependabot | SKILL.md, references/dependabot-yml-reference.md, references/example-configs.md, references/pr-commands.md |
| codeql | SKILL.md, references/alert-management.md, references/cli-commands.md, references/compiled-languages.md, references/sarif-output.md, references/troubleshooting.md, references/workflow-configuration.md |
| secret-scanning | SKILL.md, references/alerts-and-remediation.md, references/custom-patterns.md, references/push-protection.md |

Checklist

  • Each skill folder contains a SKILL.md with proper frontmatter
  • name fields match folder names (lowercase with hyphens)
  • description fields are non-empty and wrapped in single quotes
  • Bundled reference assets are referenced in SKILL.md instructions
  • File names follow lower-case-with-hyphens convention

Copilot AI review requested due to automatic review settings March 17, 2026 04:38
Contributor

Copilot AI left a comment


Pull request overview

Adds three new Agent Skills under skills/ to support GitHub Advanced Security workflows (Dependabot, CodeQL, and Secret Scanning), each with a core SKILL.md plus bundled reference docs to guide configuration and troubleshooting.

Changes:

  • Introduces new dependabot, codeql, and secret-scanning skills with step-by-step operational guidance.
  • Adds reference documentation covering configuration, commands, and remediation/troubleshooting for each area.
  • Expands the repo’s skill catalog with GHAS-focused content intended for reuse across repositories.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 9 comments.

| File | Description |
|---|---|
| skills/dependabot/SKILL.md | Main Dependabot skill guidance (config patterns, grouping, scheduling, PR commands). |
| skills/dependabot/references/dependabot-yml-reference.md | Option-by-option reference for .github/dependabot.yml. |
| skills/dependabot/references/example-configs.md | Sample dependabot.yml configurations for common setups. |
| skills/dependabot/references/pr-commands.md | Reference for @dependabot PR comment commands. |
| skills/codeql/SKILL.md | Main CodeQL skill guidance (Actions workflow + CLI usage). |
| skills/codeql/references/alert-management.md | Reference for triage/dismissal/management of CodeQL alerts. |
| skills/codeql/references/cli-commands.md | Reference for installing and using the CodeQL CLI + SARIF upload. |
| skills/codeql/references/compiled-languages.md | Reference for build modes and requirements for compiled languages. |
| skills/codeql/references/sarif-output.md | Reference for interpreting SARIF output and upload constraints. |
| skills/codeql/references/troubleshooting.md | Troubleshooting guide for common CodeQL workflow/CLI failures. |
| skills/codeql/references/workflow-configuration.md | Reference for configuring CodeQL GitHub Actions workflows. |
| skills/secret-scanning/SKILL.md | Main secret scanning skill guidance (enablement, push protection, remediation). |
| skills/secret-scanning/references/alerts-and-remediation.md | Reference for alert types, remediation workflow, APIs, exclusions. |
| skills/secret-scanning/references/custom-patterns.md | Reference for defining and managing custom secret scanning patterns. |
| skills/secret-scanning/references/push-protection.md | Reference for push protection behavior, bypass flows, delegated bypass. |


Comment on lines +229 to +233
directory: "/"
schedule:
interval: "cron"
cronjob: "0 9 * * 1" # Every Monday at 9:00 AM
timezone: "America/New_York"
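Review bot: the `# Every Monday at 9:00 AM` comment on `cronjob: "0 9 * * 1"` should say that the hour is local to the `timezone: "America/New_York"` value on the following line; the options table in this PR notes that times default to UTC, so a reader copying only the `cronjob` line would get a different schedule than the comment promises.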
Comment on lines +248 to +254
### Cron Expressions

```yaml
schedule:
interval: "cron"
cronjob: "0 9 * * 1" # Every Monday at 9 AM
```
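Review bot: this `### Cron Expressions` snippet repeats the cron example from lines 229-233 but drops `timezone`, so `# Every Monday at 9 AM` here means 09:00 UTC (the default per the options table) while the earlier example means 09:00 America/New_York; either add `timezone` here or change the comment to say UTC, and consider keeping one canonical cron example that the other location references.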
@@ -0,0 +1,224 @@
---
name: secret-scanning
description: Guide for configuring and managing GitHub secret scanning, push protection, custom patterns, and secret alert remediation. This skill should be used when users need help enabling secret scanning, setting up push protection, defining custom secret patterns, triaging secret scanning alerts, or resolving blocked pushes.
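Review bot: `description:` in this frontmatter is a bare unquoted scalar, but the PR checklist states that description fields are "wrapped in single quotes"; wrap the value in single quotes (or correct the checklist) so the secret-scanning skill actually satisfies the convention the PR claims to follow.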
Comment on lines +3 to +8
description: >-
Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when
users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests,
configuring dependency update strategies, setting up grouped updates, monorepo patterns,
multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub
Advanced Security (GHAS) supply chain security topic related to Dependabot.
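Review bot: the `description: >-` folded block here is also not wrapped in single quotes, so the dependabot skill does not match the checklist item "description fields are non-empty and wrapped in single quotes" either; if the folded-scalar form is meant to be acceptable, update the checklist wording so all three skills follow one stated convention.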
Comment on lines +413 to +417
## Resources

- `references/dependabot-yml-reference.md` — Complete YAML options reference
- `references/pr-commands.md` — Full PR comment commands reference
- `references/example-configs.md` — Real-world configuration examples
Comment on lines +96 to +100
| `interval` | `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly`, `cron` | Required |
| `day` | `monday`–`sunday` | Weekly only |
| `time` | `HH:MM` | UTC by default |
| `timezone` | IANA timezone string | e.g., `America/New_York` |
| `cronjob` | Cron expression | Required when interval is `cron` |
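Review bot: the `cronjob` row says it is "Required when interval is `cron`", but the `day` and `time` rows give no guidance for the `cron` case; add a note to those rows stating whether they apply or are ignored when `interval` is `cron`, so readers do not combine `cronjob` with `day`/`time` and expect both to take effect.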
schedule:
interval: "weekly"
labels: ["infrastructure"]
assignees: ["@platform-team"]
schedule:
interval: "weekly"
labels: ["infrastructure", "dependencies"]
assignees: ["@platform-team"]
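Review bot: `assignees: ["@platform-team"]` reads as a team handle, but `assignees` in dependabot.yml takes individual GitHub usernames, so double-check that the `@` prefix and a team name are valid here; also, the two snippets above differ only in `labels` (`["infrastructure"]` vs `["infrastructure", "dependencies"]`), so if they are meant to be the same example rather than a before/after, align them or say why they differ.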
@VeVarunSharma VeVarunSharma changed the base branch from main to staged March 17, 2026 04:43
@VeVarunSharma VeVarunSharma requested a review from dvelton as a code owner March 17, 2026 04:43