Add Security Skills Toolkit plugin 🤖🤖🤖#2116
Open
harrider wants to merge 21 commits into
Open
Conversation
github-actions
Bot
added
agent
Contributor
🔒 PR Risk Scan ResultsScanned 26 changed file(s).
|
github-actions
Bot
added
the
skill-check-warning
Contributor
🔍 Skill Validator Results
Summary
Full validator output |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new security-skills-toolkit plugin to the Awesome Copilot marketplace, centered around an orchestrator agent that routes developers to specialized security modernization skills (managed identity/secretless-auth migrations, MSAL.js upgrade hops, and a general SFI-guided helper).
Changes:
- Introduces the
security-skills-toolkitplugin (manifest + README) and lists it in the marketplace + generated docs. - Adds the
sst-security-skills-orchestratoragent as the plugin entrypoint. - Adds the
sst-*skill set (secretless-auth migrations + MSAL.js migration router and hop skills).
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 21 comments.
Show a summary per file
| File | Description |
|---|---|
.github/plugin/marketplace.json |
Registers the new plugin in the generated marketplace index. |
agents/sst-security-skills-orchestrator.agent.md |
Adds the orchestrator agent definition and routing instructions. |
docs/README.agents.md |
Adds the orchestrator agent to generated agent documentation. |
docs/README.plugins.md |
Adds the plugin to generated plugin documentation. |
docs/README.skills.md |
Adds the new sst-* skills to generated skill documentation. |
plugins/security-skills-toolkit/.github/plugin/plugin.json |
Defines plugin metadata and references the agent + skills included in the plugin. |
plugins/security-skills-toolkit/README.md |
Provides installation and usage docs for the plugin and its capabilities. |
skills/sst-cognitive-secretless-auth/SKILL.md |
Skill for migrating Azure Cognitive/AI Services from API keys to Entra/managed identity. |
skills/sst-container-vulnerability-patching/SKILL.md |
Skill for container base-image vulnerability patching guidance grounded in public docs. |
skills/sst-cosmosdb-secretless-auth/SKILL.md |
Skill for migrating Cosmos DB from keys to Entra/managed identity auth. |
skills/sst-eventhub-secretless-auth/SKILL.md |
Skill for migrating Event Hubs from SAS/connection strings to Entra/managed identity. |
skills/sst-general-security-helper/SKILL.md |
General SFI-guided helper skill for concerns without a dedicated specialist skill. |
skills/sst-msaljs-migration/SKILL.md |
Router/orchestrator skill for MSAL.js migrations across package/version hops. |
skills/sst-msaljs-migration-angular-v2-to-v3/SKILL.md |
MSAL Angular v2→v3 hop guidance skill. |
skills/sst-msaljs-migration-angular-v3-to-v4/SKILL.md |
MSAL Angular v3→v4 hop guidance skill. |
skills/sst-msaljs-migration-angular-v4-to-v5/SKILL.md |
MSAL Angular v4→v5 hop guidance skill. |
skills/sst-msaljs-migration-browser-v2-to-v3/SKILL.md |
MSAL Browser v2→v3 hop guidance skill. |
skills/sst-msaljs-migration-browser-v3-to-v4/SKILL.md |
MSAL Browser v3→v4 hop guidance skill. |
skills/sst-msaljs-migration-browser-v4-to-v5/SKILL.md |
MSAL Browser v4→v5 hop guidance skill. |
skills/sst-msaljs-migration-node-v2-to-v3/SKILL.md |
MSAL Node v2→v3 hop guidance skill. |
skills/sst-msaljs-migration-node-v3-to-v5/SKILL.md |
MSAL Node v3→v5 hop guidance skill. |
skills/sst-msaljs-migration-react-v3-to-v5/SKILL.md |
MSAL React v3→v5 hop guidance skill. |
skills/sst-redis-secretless-auth/SKILL.md |
Skill for migrating Azure Cache for Redis from access keys to Entra/managed identity. |
skills/sst-servicebus-secretless-auth/SKILL.md |
Skill for migrating Azure Service Bus from SAS/connection strings to Entra/managed identity. |
skills/sst-sql-secretless-auth/SKILL.md |
Skill for migrating Azure SQL from SQL auth to Entra/managed identity. |
skills/sst-storage-secretless-auth/SKILL.md |
Skill for migrating Azure Storage from shared keys to Entra/managed identity. |
…github.com/harrider/awesome-copilot into harrider/skill/add-security-skills-toolkit
aaronpowell
removed
targets-main
aaronpowell
reviewed
Jun 30, 2026
Comment on lines
+7
to
+25
| ## Welcome Banner | ||
|
|
||
| When a developer first interacts with you, display this welcome: | ||
|
|
||
| ``` | ||
| 🛡️ Security Skills Toolkit | ||
|
|
||
| Security guidance for Azure Cloud based applications — dedicated skills for Azure managed identity migration, container security, and MSAL.js JavaScript auth library updates. Other Azure security topics are covered by a generic guidance skill. | ||
|
|
||
| Non-Azure clouds (AWS, GCP) are out of scope, but I can share general principles. | ||
|
|
||
| Describe your security concern or tell me what you're working on. | ||
|
|
||
| ⚠️ You own the final review — verify all changes before merging to production. | ||
| ``` | ||
|
|
||
| After displaying the banner, respond naturally to whatever the developer said or asked. Do not use a scripted introduction — let your first real response demonstrate your capabilities. Do not look up or display a version number; the version is not part of the greeting. | ||
|
|
||
| --- |
Contributor
There was a problem hiding this comment.
This isn't really useful to include, it's a lot of tokens that are going to pollute the context window of the agent and add cost to the interaction with no real value.
Comment on lines
+10
to
+15
| "keywords": [ | ||
| "security", | ||
| "secretless-auth", | ||
| "managed-identity", | ||
| "toolkit" | ||
| ], |
Contributor
There was a problem hiding this comment.
Should Azure be in here?
|
|
||
| --- | ||
|
|
||
| ## Step 1: Update Angular If Needed |
Contributor
There was a problem hiding this comment.
it might be worth pulling this out to a file in the references folder rather than having it embedded in the skill, same with the rxjs dependency.
This allows the agent to pull in the info only as required, avoiding overloading the context window.
|
|
||
| ### Phase 2 — Migrate clients to Entra | ||
|
|
||
| #### .NET (C#) |
Contributor
There was a problem hiding this comment.
It'd be better to use references for this, that way it would be avoiding adding context when it's not needed, but also make it easier to introduce other languages in the future without having to force out to the docs.
| - [Microsoft.Azure.StackExchangeRedis NuGet package](https://www.nuget.org/packages/Microsoft.Azure.StackExchangeRedis) | ||
| - [Adopt standard SDKs for identity (SFI)](https://learn.microsoft.com/security/zero-trust/sfi/adopt-standard-sdk-identity) | ||
|
|
||
| --- |
Contributor
There was a problem hiding this comment.
Suggested change
| --- |
Not needed
|
|
||
| --- | ||
|
|
||
| ### Step 3: Update Application Code |
Contributor
There was a problem hiding this comment.
It'd be better to have separate reference files for each of the languages so that the agent only brings in the right code sample based on the language needed, avoiding context overload.
|
|
||
| --- | ||
|
|
||
| ## Step 5: Update programmatic connections (client code) |
Contributor
There was a problem hiding this comment.
It'd be better to have separate reference files for each of the languages so that the agent only brings in the right code sample based on the language needed, avoiding context overload.
|
|
||
| --- | ||
|
|
||
| ## Step 3: Migrate Client Code to Managed Identity |
Contributor
There was a problem hiding this comment.
It'd be better to have separate reference files for each of the languages so that the agent only brings in the right code sample based on the language needed, avoiding context overload.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Checklist
npm startand verified thatREADME.mdis up to date.stagedbranch for this pull request.Description
Adds the security-skills-toolkit plugin — an AI-powered helper for developers modernizing the security posture of Azure-based applications. A developer describes a security concern in plain language, and an orchestrator agent routes to a specialist skill that pulls relevant public Microsoft documentation and helps plan/apply changes, with the developer in control throughout.
The plugin ships 1 agent + 19 skills (all prefixed
sst-):sst-security-skills-orchestrator— classifies a concern and routes to the right skill.sst-storage-secretless-auth,sst-sql-secretless-auth,sst-cosmosdb-secretless-auth,sst-redis-secretless-auth,sst-eventhub-secretless-auth,sst-servicebus-secretless-auth,sst-cognitive-secretless-auth— move from keys/SAS/passwords to Microsoft Entra managed identity.sst-msaljs-migrationrouter plus 9 version-hop skills (browser/Angular/Node/React).sst-container-vulnerability-patching.sst-general-security-helperfor concerns without a dedicated skill.All guidance is grounded in publicly available Microsoft documentation (Entra/managed identity, MSAL.js, SFI/Zero Trust).
Type of Contribution
Additional Notes
staged: the plugin folder contains only.github/plugin/plugin.json+README.md; the agent lives in top-levelagents/and the 19 skills in top-levelskills/, referenced declaratively fromplugin.json(CI materializes them on publish)..github/plugin/marketplace.jsonanddocs/README.{agents,plugins,skills}.md(npm run buildproduces no further diff).npm run plugin:validate→security-skills-toolkit is valid; all 19sst-*skills passnpm run skill:validate.copilot plugin install): the orchestrator agent is discoverable/selectable and routes correctly to thesst-skills (tested MSAL.js migration and storage secretless-auth).author: "Awesome Copilot Community".