mirror of
https://github.com/github/awesome-copilot.git
synced 2026-05-01 04:35:55 +00:00
# Anti-Rationalization Guard
These rationalizations are **never** valid justifications for skipping, omitting, or downgrading findings:
## Universal Rationalizations (All Agents)

| If you think...                          | Mandatory response                                                                                                          |
| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| "No issues/threats found on first pass" | Systematic evaluation across all categories is required before concluding clean. Expand scope and complete the full matrix. |
| "This looks fine, skip deep analysis"   | "Looks fine" is not evidence. Evidence = code trace, architecture reference, or rule match. Run checks.                      |
| "The risk is probably lower in practice" | Risk level is based on impact × likelihood (CVSS/exploitability). Justify any downgrade with explicit evidence.              |
| "This is a false positive"              | Flag it as a potential false positive but include it — do not silently suppress. Document the rationale for human review.   |
| "This is outside scope"                 | State explicitly why, with a reference to the declared scope or assessment boundary.                                        |
| "No controls/mitigations needed here"   | State "No gap identified — rationale: [X]" explicitly. Silence is not assurance.                                            |

## SAST/SCA-Specific

| If you think...                          | Mandatory response                                                                                                |
| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| "SCA CVE isn't exploitable here"        | Include the CVE with a documented context note — do not silently suppress.                                        |
| "This phase can be skipped"             | All phases are mandatory. Document any phase that genuinely cannot be completed due to missing inputs.            |
| "Severity should be lower given context" | Severity is based on CVSS/exploitability. Justify any downgrade with explicit evidence. Document, don't suppress. |

## Code Quality-Specific

| If you think...                            | Mandatory response                                                                                   |
| ------------------------------------------ | ---------------------------------------------------------------------------------------------------- |
| "The team will refactor this later"       | Technical debt still counts toward the debt ratio today. Document it accurately.                     |
| "Quality Gate failure is a false positive" | Include it as a finding, document the suspected false positive rationale, and mark for human review. |

## Threat Modeling-Specific

| If you think...                                | Mandatory response                                                                                               |
| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| "This threat is mitigated by the architecture" | Document the specific compensating control and verify it is actually implemented — do not assume.                |
| "This category has no applicable threats here" | State "No applicable threats identified — rationale: [X]" explicitly. Do not silently omit.                      |
| "Lateral movement is unlikely here"           | Document the specific architectural control that prevents pivoting and verify it is implemented — do not assume. |
| "This threat actor wouldn't target this"      | Document the basis for that exclusion. Insider threats and supply chain actors must always be considered.        |
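
The tables above tell the agent what to write; nothing on the page checks that it did. The following is an added example, not code from awesome-copilot, of a post-processing gate that fails a findings report when one of the universal, SAST/SCA or threat-modeling rationalizations slipped through: a category neither reported on nor explicitly closed with a rationale, a silently suppressed item, an open finding with no evidence, a severity below its CVSS-derived rating without justification, a "not exploitable" CVE without a context note, a mitigation asserted without a verified named control, or a skipped phase with no documented blocker. The record layout (`id`, `category`, `status`, `cvss`, `severity`, `evidence`, ...) and the STRIDE category matrix are assumptions made for this example; the two sample reports are constructed.

```python
# Added example, not code from awesome-copilot: a post-processing gate that
# fails an agent's findings report when one of the rationalizations in the
# tables above slipped through. The record fields (id, category, status,
# cvss, severity, evidence, ...) and the STRIDE matrix are assumptions.

RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed "full matrix": a category with neither a finding nor an explicit
# "none identified" entry is a silent omission.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")


def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def lint_report(report: dict, categories=STRIDE) -> list[str]:
    """Return every rule violation found; an empty list means the report passes."""
    problems = []
    findings = report.get("findings", [])

    covered = {f["category"] for f in findings}
    for cat in categories:
        if cat not in covered:
            problems.append(f"{cat}: no finding and no explicit 'none identified' entry")

    for f in findings:
        fid, status = f.get("id", "?"), f.get("status", "open")
        has_rationale = bool(f.get("rationale"))

        if status == "none_identified":          # silence is not assurance
            if not has_rationale:
                problems.append(f"{fid}: 'none identified' without rationale")
            continue
        if status == "suppressed":               # never silently suppress
            problems.append(f"{fid}: suppressed; keep it as potential_false_positive instead")
        if status == "potential_false_positive" and not (has_rationale and f.get("human_review")):
            problems.append(f"{fid}: potential false positive needs rationale and human_review")
        if status == "out_of_scope" and not f.get("scope_reference"):
            problems.append(f"{fid}: out of scope without a scope reference")
        if status == "open" and not f.get("evidence"):   # "looks fine" is not evidence
            problems.append(f"{fid}: no evidence (code trace, architecture reference, rule match)")

        cvss = f.get("cvss")                     # downgrades need explicit evidence
        if cvss is not None and "severity" in f:
            expected = cvss_to_severity(cvss)
            if RANK[f["severity"]] < RANK[expected] and not f.get("downgrade_evidence"):
                problems.append(f"{fid}: severity {f['severity']} below CVSS-derived {expected}")
        if f.get("not_exploitable") and not f.get("context_note"):   # SCA: keep the CVE
            problems.append(f"{fid}: 'not exploitable' without a context note")
        if f.get("mitigated") and not (f.get("control") and f.get("control_verified")):
            problems.append(f"{fid}: mitigation claimed without a verified, named control")

    for p in report.get("phases", []):           # every phase is mandatory
        if p.get("status") != "complete" and not p.get("blocker"):
            problems.append(f"phase {p.get('name')}: incomplete with no documented blocker")
    return problems


# Constructed sample: a report that rationalised its way past several rules.
BAD_REPORT = {
    "phases": [{"name": "SCA", "status": "skipped"}],
    "findings": [
        {"id": "F1", "category": "Spoofing", "status": "open", "cvss": 8.1, "severity": "medium"},
        {"id": "F2", "category": "Tampering", "status": "suppressed", "rationale": "probably FP"},
        {"id": "F3", "category": "Elevation of Privilege", "status": "open",
         "evidence": "trace: handler.py:42", "mitigated": True},
    ],
}

# Constructed sample: the same findings recorded the way the tables demand.
GOOD_REPORT = {
    "phases": [{"name": "SCA", "status": "incomplete", "blocker": "no lockfile in inputs"}],
    "findings": [
        {"id": "F1", "category": "Spoofing", "status": "open", "evidence": "trace: auth.py:17",
         "cvss": 8.1, "severity": "medium", "downgrade_evidence": "mTLS-only per ingress config"},
        {"id": "F2", "category": "Tampering", "status": "potential_false_positive",
         "rationale": "tainted value is a compile-time constant", "human_review": True},
        {"id": "F3", "category": "Elevation of Privilege", "status": "open",
         "evidence": "trace: handler.py:42", "mitigated": True,
         "control": "seccomp profile on worker", "control_verified": True},
    ] + [{"id": "N-" + c[:3], "category": c, "status": "none_identified",
          "rationale": "no trust boundary crossed"}
         for c in ("Repudiation", "Information Disclosure", "Denial of Service")],
}

if __name__ == "__main__":
    for name, rep in (("bad", BAD_REPORT), ("good", GOOD_REPORT)):
        print(name, lint_report(rep) or "PASS")
```

Run as a step after the agent writes its report and fail the job on a non-empty list. The gate deliberately never deletes or rewrites a finding: a `suppressed` record is itself a violation, which forces the agent to re-emit it as `potential_false_positive` with a rationale and a human-review flag, matching the "document, don't suppress" rule in every table above.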