awesome-copilot/skills/audit-integrity/references/self-critique-loop.md
2026-04-28 11:46:05 +10:00


Self-Critique Loop

After completing the initial analysis, perform a mandatory second pass before delivering output.

Universal Checks (All Agents)

  1. Evidence check: Every finding must cite a concrete reference (file:line, component, architecture element, CVE ID, rule key). Remove any finding without supporting evidence.
  2. Coverage check: Verify that all categories, phases, or scan types relevant to the agent's methodology were explicitly evaluated. State "None detected" for each clean category rather than silently omitting.
  3. Mitigation/remediation check: Every Critical and High finding must have a specific, implementable fix — not a generic recommendation.

Domain-Specific Extensions

Each agent adds domain checks to the universal list above:

STRIDE Threat Modeling

  1. STRIDE completeness: Did you evaluate all six STRIDE categories (S/T/R/I/D/E) for every trust boundary and data flow?
  2. Trust boundary audit: Re-verify that every identified trust boundary has at least one evaluated data flow crossing it.

STRIDE-LM (Lateral Movement)

  1. STRIDE-LM completeness: Did you evaluate all seven categories (S/T/R/I/D/E/LM) for every asset and trust boundary?
  2. Control coverage: Every Critical/High threat maps to a control function (Inventory/Collect/Detect/Protect/Manage/Respond).
  3. Lateral movement audit: Re-trace all identified pivot paths. Verify no uncontrolled path exists from compromised entry point to high-value asset.

Code Review Threat Modeling

  1. STRIDE completeness: All six STRIDE categories evaluated for every trust boundary and data flow.
  2. Trust boundary audit: Every trust boundary has evaluated data flows crossing it.

Code Quality (SonarQube-style)

  1. Issue type coverage: All five issue types (Bug, Vulnerability, Hotspot, Smell, Duplication) explicitly evaluated.
  2. Rating sanity check: A-E ratings are consistent with finding counts before finalizing the Quality Gate verdict.

SAST/SCA

  1. Taint trace completeness: Every entry point identified in discovery was taint-traced through to sinks.
  2. Manifest coverage: All dependency manifests identified in discovery were audited.

Multi-tool Pipeline

  1. Phase coverage: All deliverable files generated and saved.
  2. Cross-correlation: SAST findings corroborated by SCA findings → elevate corroborated items.
  3. Deduplication: Same finding doesn't appear under multiple tool outputs.
  4. Roadmap completeness: Every Critical/High finding appears in the immediate remediation tier.
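As an added example (not part of the awesome-copilot skill), here is a Python second pass that mechanises the universal checks and the multi-tool pipeline checks: findings without concrete evidence are dropped, the same finding under two tool outputs is collapsed and the survivor elevated when a second tool corroborates it, generic fixes on Critical/High items are flagged, clean categories are reported as "None detected", and Critical/High items missing from the immediate remediation tier are listed. The finding schema, the accepted evidence formats and the sample findings are assumptions.

```python
import re
from collections import Counter

SEVERITIES = ["Low", "Medium", "High", "Critical"]
# Accepted evidence forms (assumed): file:line, a CVE ID, or a labelled key such as rule:S2077.
EVIDENCE_RE = re.compile(r"^(?:[\w./-]+:\d+|CVE-\d{4}-\d{4,}|[a-z]+:\S+)$")
GENERIC_FIXES = {"follow best practices", "fix this", "remediate", "review and fix"}

# Constructed sample findings, shaped as an agent's first pass might emit them (not from the page).
FINDINGS = [
    {"id": "F1", "title": "SQL injection in login()", "severity": "High", "tool": "SAST",
     "category": "Injection", "evidence": "src/auth.py:42",
     "remediation": "Replace string formatting with cursor.execute(sql, (user,)) in login()"},
    {"id": "F2", "title": "Vulnerable lodash 4.17.15", "severity": "High", "tool": "SCA",
     "category": "Dependency", "evidence": "CVE-2021-23337", "remediation": "Follow best practices"},
    {"id": "F3", "title": "Hardcoded API key", "severity": "Medium", "tool": "SAST",
     "category": "Secrets", "evidence": "", "remediation": "Load the key from the secret store"},
    {"id": "F4", "title": "SQL injection in login()", "severity": "High", "tool": "SCA",
     "category": "Injection", "evidence": "src/auth.py:42", "remediation": "See F1"},
]

def self_critique(findings, required_categories, immediate_tier):
    """Second pass over first-pass findings; returns (kept findings, critique report)."""
    report = {"no_evidence": [], "weak_fix": [], "duplicates": [], "elevated": [],
              "coverage": {}, "missing_from_roadmap": []}
    kept, by_key = [], {}
    for f in (dict(x) for x in findings):                  # copy so the input is not mutated
        if not EVIDENCE_RE.match(f["evidence"]):           # evidence check: drop, don't soften
            report["no_evidence"].append(f["id"]); continue
        key = (f["title"], f["evidence"])
        if key in by_key:                                  # deduplication across tool outputs
            first = by_key[key]
            report["duplicates"].append((f["id"], first["id"]))
            if f["tool"] != first["tool"]:                 # cross-correlation: elevate the survivor
                idx = SEVERITIES.index(first["severity"])
                first["severity"] = SEVERITIES[min(idx + 1, len(SEVERITIES) - 1)]
                report["elevated"].append(first["id"])
            continue
        by_key[key] = f
        kept.append(f)
    for f in kept:                                          # mitigation check on Critical/High
        if f["severity"] in ("Critical", "High") and f["remediation"].strip().lower() in GENERIC_FIXES:
            report["weak_fix"].append(f["id"])
    counts = Counter(f["category"] for f in kept)           # coverage check: state "None detected"
    report["coverage"] = {c: counts[c] or "None detected" for c in required_categories}
    report["missing_from_roadmap"] = [f["id"] for f in kept  # roadmap completeness
                                      if f["severity"] in ("Critical", "High")
                                      and f["id"] not in immediate_tier]
    return kept, report
```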