Skip to main content

Security Assurance Case and Threat Model

Executive Summary

HVE Core is an enterprise prompt engineering framework for GitHub Copilot consisting of:

  • Markdown-based prompt artifacts (instructions, prompts, agents, skills)
  • PowerShell automation scripts for linting and validation
  • GitHub Actions CI/CD workflows
  • VS Code extension packaging utilities

The repository contains no runtime services, databases, or user data storage. Primary threats target supply chain integrity and developer workflow compromise. Security relies on defense-in-depth with 20+ automated controls validated through CI/CD pipelines.

Security Posture Overview

CategoryStatusControl CountAutomated
Supply Chain SecurityStrong8 controls100%
Code QualityStrong5 controls100%
Access ControlStrong4 controls100%
Vulnerability ManagementStrong3 controls100%
Total20+20100%

Contents

System Description

Components

HVE Core contains four primary component categories:

  1. Prompt Engineering Artifacts (.github/instructions/, .github/prompts/, .github/agents/, .github/skills/)

    • Markdown files with YAML frontmatter
    • Consumed by GitHub Copilot during development sessions
    • No executable code execution within prompts

  2. PowerShell Scripts (scripts/)

    • Linting and validation utilities
    • CI/CD automation support
    • No external network connections except documented tool downloads

  3. GitHub Actions Workflows (.github/workflows/)

    • PR validation pipeline
    • Security scanning (CodeQL, dependency review)
    • Release automation

  4. VS Code Extension (extension/)

    • Packaging configuration
    • Extension manifest
    • No telemetry or data collection

Data Flow

Security Inheritance from GitHub Copilot

HVE Core artifacts are consumed by GitHub Copilot, which provides foundational security:

Inherited ControlProviderHVE Core Responsibility
LLM input/output filteringGitHub CopilotNone; artifacts are Copilot inputs
Token encryption in transitGitHub CopilotNone; handled by Copilot infrastructure
Organization policy enforcementGitHub CopilotDocument compatible policy options
Audit loggingGitHub CopilotNone; uses Copilot audit streams
SOC 2 Type II complianceGitHubNone; infrastructure control

Trust Boundaries

Boundary Diagram

┌──────────────────────────────────────────────────────────────────────────────┐
│                    TRUST BOUNDARY: Repository Contents                       │
│  ┌────────────────────────────────────────────────────────────────────────┐  │
│  │                         Controlled Artifacts                           │  │
│  │  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────────┐   │  │
│  │  │ Prompts    │  │ Scripts    │  │ Workflows  │  │ Documentation  │   │  │
│  │  │ .md files  │  │ .ps1 files │  │ .yml files │  │ .md files      │   │  │
│  │  └────────────┘  └────────────┘  └────────────┘  └────────────────┘   │  │
│  └────────────────────────────────────────────────────────────────────────┘  │
│                                      │                                       │
│  ┌───────────────────────────────────▼────────────────────────────────────┐  │
│  │                   TRUST BOUNDARY: CI/CD Pipeline                       │  │
│  │  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────────┐   │  │
│  │  │ PR Valid.  │  │ CodeQL     │  │ Dep Review │  │ Release        │   │  │
│  │  │ Workflow   │  │ Analysis   │  │ Workflow   │  │ Workflow       │   │  │
│  │  └────────────┘  └────────────┘  └────────────┘  └────────────────┘   │  │
│  └────────────────────────────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────────────────────────────┘

     ┌─────────────────────────────────┼──────────────────────────────────┐
     │                                 ▼                                  │
     │            TRUST BOUNDARY: External Dependencies                   │
     │  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌──────────────┐ │
     │  │ npm        │  │ GitHub     │  │ PowerShell │  │ Third-party  │ │
     │  │ Packages   │  │ Actions    │  │ Gallery    │  │ MCP Servers  │ │
     │  └────────────┘  └────────────┘  └────────────┘  └──────────────┘ │
     └────────────────────────────────────────────────────────────────────┘

Boundary Descriptions

BoundaryAssets ProtectedControls Enforced
Repository ContentsSource code, prompts, scriptsCODEOWNERS, branch protection, PR review
CI/CD PipelineBuild artifacts, security scan resultsMinimal permissions, dependency pinning
External Dependenciesnpm packages, Actions, MCP serversDependency review, staleness monitoring
Dev ContainerDevelopment environment, toolingSHA256 verification, first-party features

Threat Model

This section documents threats using STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), supplemented with AI-specific and Responsible AI threat categories.

STRIDE Threats

S-1: Compromised GitHub Action via Tag Substitution

FieldValue
CategorySpoofing
AssetCI/CD pipeline integrity
ThreatAttacker compromises upstream Action repository and replaces tag with malicious code
LikelihoodMedium (documented supply chain attacks exist)
ImpactHigh (full CI/CD compromise, secret exfiltration)
MitigationsDependency pinning for all Actions, staleness monitoring, CodeQL scanning
Residual RiskLow (SHA immutable; requires GitHub infrastructure compromise)
StatusMitigated

S-2: npm Package Substitution Attack

FieldValue
CategorySpoofing
AssetBuild dependencies
ThreatMalicious package published with same name or typosquatting
LikelihoodMedium (common attack vector)
ImpactMedium (limited runtime exposure; primarily build-time)
MitigationsPackage-lock.json integrity, npm audit, dependency review
Residual RiskLow
StatusMitigated

T-1: Unauthorized Modification of Security Controls

FieldValue
CategoryTampering
AssetWorkflow files, security scripts
ThreatAttacker with write access disables security checks
LikelihoodLow (requires compromised maintainer account)
ImpactHigh (security controls bypassed)
MitigationsCODEOWNERS enforcement, branch protection, PR review requirements
Residual RiskLow
StatusMitigated

T-2: Malicious Prompt Injection via PR

FieldValue
CategoryTampering
AssetPrompt artifacts
ThreatContributor submits prompt with hidden malicious instructions
LikelihoodMedium (social engineering possible)
ImpactMedium (affects Copilot behavior for consumers)
MitigationsPR review, CODEOWNERS, frontmatter validation
Residual RiskMedium (semantic analysis not automated)
StatusPartially Mitigated

R-1: Untraceable Configuration Changes

FieldValue
CategoryRepudiation
AssetRepository configuration
ThreatAdmin makes security-impacting changes without audit trail
LikelihoodLow (GitHub provides audit logs)
ImpactMedium (accountability gap)
MitigationsGitHub audit log, branch protection audit events
Residual RiskLow
StatusMitigated

I-1: Secret Exposure in Logs or Artifacts

FieldValue
CategoryInformation Disclosure
AssetRepository secrets, tokens
ThreatSecrets accidentally logged or included in build artifacts
LikelihoodLow (minimal secret usage)
ImpactHigh (credential compromise)
MitigationsGitHub secret masking, GitHub secret scanning, minimal secret usage
Residual RiskLow
StatusMitigated

I-2: Sensitive Information in Prompt Artifacts

FieldValue
CategoryInformation Disclosure
AssetPrompt files, documentation
ThreatInternal URLs, API keys, or proprietary patterns exposed in prompts
LikelihoodLow (review process catches obvious cases)
ImpactMedium (information leakage)
MitigationsPR review, GitHub secret scanning, documentation guidelines
Residual RiskLow
StatusMitigated

D-1: CI/CD Resource Exhaustion

FieldValue
CategoryDenial of Service
AssetGitHub Actions minutes, runner availability
ThreatMalicious PR triggers expensive workflows repeatedly
LikelihoodLow (requires PR creation privileges)
ImpactLow (billing impact, temporary delays)
MitigationsWorkflow approval for first-time contributors, concurrency limits
Residual RiskLow
StatusMitigated

D-2: Dependency Confusion Blocking Builds

FieldValue
CategoryDenial of Service
AssetBuild pipeline
ThreatAttacker publishes conflicting package preventing clean builds
LikelihoodLow
ImpactMedium (build failures)
MitigationsPackage-lock.json, scoped packages
Residual RiskLow
StatusMitigated

E-1: Workflow Token Abuse

FieldValue
CategoryElevation of Privilege
AssetGitHub Actions tokens
ThreatCompromised workflow step uses GITHUB_TOKEN beyond intended scope
LikelihoodLow (minimal permissions declared)
ImpactMedium (depends on token permissions)
MitigationsMinimal permissions pattern, persist-credentials: false, inline comments on elevated permissions
Residual RiskLow
StatusMitigated with Accepted Risk
Accepted Risk: Token-Permissions Alerts

OpenSSF Scorecard Token-Permissions flags security-events: write as overly broad across workflow files. This permission is required for github/codeql-action/upload-sarif and github/codeql-action/analyze to upload SARIF results to the repository Security tab. The security-events scope grants access only to code scanning alert data and cannot modify repository content, settings, or secrets.

Scorecard's own scorecard.yml requires the same permission to publish results, creating a circular dependency in the token-permissions check.

Affected workflow jobs:

WorkflowJob
release-stable.ymldependency-pinning-scan
release-stable.ymlgitleaks-scan
pr-validation.ymldependency-pinning-check
pr-validation.ymlworkflow-permissions-check
pr-validation.ymlgitleaks-scan
pr-validation.ymlcodeql
security-scan.ymlcodeql
weekly-security-maintenance.ymlvalidate-pinning
weekly-security-maintenance.ymlcodeql-analysis

Defense-in-depth controls:

  • All workflows declare job-level permissions, not workflow-level
  • persist-credentials: false set on all checkout steps
  • Inline YAML comments document each security-events: write declaration
  • SARIF upload is the only write operation performed under this permission

E-2: Branch Protection Bypass

FieldValue
CategoryElevation of Privilege
AssetProtected branches
ThreatAdmin bypasses branch protection to merge unauthorized changes
LikelihoodLow (requires admin access and intentional bypass)
ImpactHigh (security controls circumvented)
MitigationsBranch protection rules, audit logging, "Do not allow bypassing"
Residual RiskLow
StatusMitigated

Dev Container Threats

These threats address risks in the development container configuration used for Codespaces and local container development.

DC-1: Feature Tag Substitution Attack

FieldValue
CategorySpoofing
AssetDev container configuration
ThreatMalicious update to a feature version tag introduces compromised tooling
LikelihoodLow (first-party Microsoft features only)
ImpactMedium (development environment compromise)
MitigationsFirst-party features only, PR review of devcontainer.json changes
Residual RiskLow (Microsoft-maintained features with release controls)
StatusMitigated

DC-2: Lifecycle Script Tampering

FieldValue
CategoryTampering
AssetContainer initialization scripts
ThreatAttacker modifies on-create.sh or post-create.sh to inject code
LikelihoodLow (requires PR approval, CODEOWNERS protection)
ImpactHigh (arbitrary code execution in dev environment)
MitigationsCODEOWNERS, PR review, branch protection
Residual RiskLow
StatusMitigated

DC-3: External Binary Download Compromise

FieldValue
CategorySpoofing
AssetExternal tools (gitleaks, shellcheck)
ThreatCompromised download source serves malicious binary
LikelihoodVery Low (SHA256 verification enforced)
ImpactHigh (malicious tooling in dev environment)
MitigationsSHA256 checksum verification in on-create.sh
Residual RiskVery Low (cryptographic verification prevents substitution)
StatusMitigated

AI-Specific Threats

These threats address risks specific to AI/ML systems as documented by OWASP LLM Top 10 and MITRE ATLAS.

AI-1: Prompt Injection via Artifact Content

FieldValue
CategoryLLM01: Prompt Injection (OWASP)
AssetCopilot behavior, downstream code generation
ThreatMalicious instructions embedded in prompt artifacts manipulate Copilot
LikelihoodMedium
ImpactMedium (affects code generation quality and safety)
MitigationsPR review, CODEOWNERS, clear artifact structure guidelines
Residual RiskMedium (inherent to prompt-based systems)
StatusPartially Mitigated

AI-2: Insecure Output Handling

FieldValue
CategoryLLM02: Insecure Output Handling (OWASP)
AssetGenerated code
ThreatCopilot generates insecure code patterns based on prompt guidance
LikelihoodMedium
ImpactVariable (depends on consumer's review practices)
MitigationsSecurity-focused prompts, consumer code review responsibility
Residual RiskMedium (HVE Core provides guidance, not enforcement)
StatusAccepted with Documentation

AI-3: Training Data Poisoning (Indirect)

FieldValue
CategoryLLM03: Training Data Poisoning (OWASP)
AssetCopilot model behavior
ThreatMalicious patterns in HVE Core influence Copilot training
LikelihoodVery Low (Copilot training controlled by GitHub)
ImpactLow (HVE Core is small input to large training corpus)
MitigationsOut of scope; GitHub controls training pipeline
Residual RiskVery Low
StatusAccepted (Outside Control)

AI-4: Model Denial of Service

FieldValue
CategoryLLM04: Model Denial of Service (OWASP)
AssetCopilot availability
ThreatCrafted prompts cause excessive resource consumption in Copilot
LikelihoodVery Low
ImpactLow (Copilot has rate limiting)
MitigationsCopilot's built-in rate limiting and resource management
Residual RiskVery Low
StatusAccepted (Outside Control)

AI-5: Supply Chain Vulnerabilities (LLM-Specific)

FieldValue
CategoryLLM05: Supply-Chain Vulnerabilities (OWASP)
AssetMCP server integrations
ThreatCompromised MCP server provides malicious context to Copilot
LikelihoodLow (first-party servers) to Medium (third-party)
ImpactMedium (affects code generation context)
MitigationsMCP server trust analysis, documentation of trust levels
Residual RiskLow to Medium depending on server
StatusMitigated with Documentation

AI-6: Sensitive Information Disclosure

FieldValue
CategoryLLM06: Sensitive Information Disclosure (OWASP)
AssetUser context, code patterns
ThreatPrompt artifacts cause Copilot to expose sensitive patterns
LikelihoodLow
ImpactMedium
MitigationsConsumer responsibility; prompt guidelines discourage sensitive data
Residual RiskLow
StatusMitigated with Documentation

AI-7: Insecure Plugin Design

FieldValue
CategoryLLM07: Insecure Plugin Design (OWASP)
AssetMCP server integrations, VS Code extension
ThreatExtension or MCP server allows unauthorized operations
LikelihoodLow (extension has no sensitive operations)
ImpactLow to Medium
MitigationsMinimal extension functionality, MCP server trust documentation
Residual RiskLow
StatusMitigated

AI-8: Excessive Agency

FieldValue
CategoryLLM08: Excessive Agency (OWASP)
AssetAutonomous Copilot operations
ThreatPrompts grant Copilot excessive autonomous capabilities
LikelihoodLow (prompts are guidance, not permissions)
ImpactVariable
MitigationsCopilot's built-in guardrails, tool confirmation dialogs
Residual RiskLow
StatusMitigated (Copilot Controls)

AI-9: Overreliance

FieldValue
CategoryLLM09: Overreliance (OWASP)
AssetCode quality, developer decision-making
ThreatDevelopers accept Copilot output without verification
LikelihoodMedium
ImpactVariable (depends on context)
MitigationsDocumentation emphasizing review, security-focused prompts
Residual RiskMedium (behavioral, not technical)
StatusAccepted with Documentation

AI-10: Model Theft (N/A)

FieldValue
CategoryLLM10: Model Theft (OWASP)
AssetN/A
ThreatHVE Core does not host or distribute models
LikelihoodN/A
ImpactN/A
MitigationsN/A
Residual RiskN/A
StatusNot Applicable

AI-11: AML.T0043 Craft Adversarial Data (MITRE ATLAS)

FieldValue
CategoryMITRE ATLAS AML.T0043
AssetPrompt artifacts
ThreatAdversary crafts prompt content to cause model misbehavior
LikelihoodMedium
ImpactMedium
MitigationsPR review process, CODEOWNERS, artifact structure validation
Residual RiskMedium
StatusPartially Mitigated

AI-12: AML.T0048 Evade ML Model (MITRE ATLAS)

FieldValue
CategoryMITRE ATLAS AML.T0048
AssetSecurity recommendations in prompts
ThreatPrompts designed to cause Copilot to bypass security guidance
LikelihoodLow
ImpactMedium
MitigationsSecurity-first prompt design principles, review process
Residual RiskLow
StatusMitigated

Responsible AI Threats

These threats address ethical and responsible AI considerations aligned with Microsoft's Responsible AI principles.

RAI-1: Fairness - Biased Code Generation Patterns

FieldValue
CategoryFairness (Microsoft RAI Standard)
AssetGenerated code quality across contexts
ThreatPrompts inadvertently favor certain coding styles or exclude accessibility
LikelihoodMedium
ImpactMedium (affects inclusivity of generated code)
MitigationsInclusive language guidelines, accessibility-aware prompts
Residual RiskMedium
StatusPartially Mitigated

RAI-2: Reliability - Inconsistent Prompt Behavior

FieldValue
CategoryReliability & Safety (Microsoft RAI Standard)
AssetPrompt consistency
ThreatSame prompt produces significantly different outputs
LikelihoodMedium (inherent to LLMs)
ImpactLow to Medium
MitigationsStructured prompts, explicit instructions, testing guidance
Residual RiskMedium (LLM behavior inherently variable)
StatusAccepted with Documentation

RAI-3: Privacy - Context Leakage via Prompts

FieldValue
CategoryPrivacy & Security (Microsoft RAI Standard)
AssetDeveloper context, code patterns
ThreatPrompts cause Copilot to surface or infer private information
LikelihoodLow
ImpactMedium
MitigationsPrivacy-conscious prompt design, consumer guidelines
Residual RiskLow
StatusMitigated with Documentation

RAI-4: Inclusiveness - Exclusionary Language in Artifacts

FieldValue
CategoryInclusiveness (Microsoft RAI Standard)
AssetPrompt artifacts, documentation
ThreatLanguage in prompts excludes or marginalizes user groups
LikelihoodLow (writing style guidelines address this)
ImpactMedium (affects adoption and trust)
MitigationsInclusive writing guidelines, spell check, PR review
Residual RiskLow
StatusMitigated

RAI-5: Transparency - Undocumented Prompt Behavior

FieldValue
CategoryTransparency (Microsoft RAI Standard)
AssetUser understanding of system behavior
ThreatPrompts cause unexpected Copilot behavior not explained to users
LikelihoodMedium
ImpactLow to Medium
MitigationsClear documentation, explicit prompt descriptions in frontmatter
Residual RiskLow
StatusMitigated

RAI-6: Accountability - Unclear Responsibility for Generated Code

FieldValue
CategoryAccountability (Microsoft RAI Standard)
AssetLiability and responsibility clarity
ThreatAmbiguity about who is responsible for Copilot-generated code issues
LikelihoodMedium (common confusion)
ImpactMedium
MitigationsDocumentation clarifying HVE Core provides guidance only
Residual RiskLow
StatusMitigated with Documentation

RAI-7: Human Oversight - Automated Changes Without Review

FieldValue
CategoryHuman Oversight (Microsoft RAI Standard)
AssetCode quality, security
ThreatPrompts encourage accepting Copilot suggestions without review
LikelihoodLow (prompts emphasize review)
ImpactVariable
MitigationsPrompts include review reminders, security-conscious patterns
Residual RiskLow
StatusMitigated

RAI-8: Value Alignment - Prompts Conflicting with Organizational Values

FieldValue
CategoryValue Alignment (Microsoft RAI Standard)
AssetOrganizational trust
ThreatPrompt artifacts conflict with consumer organization's values
LikelihoodLow
ImpactMedium (reputational)
MitigationsGeneral-purpose prompts, customization guidance for consumers
Residual RiskLow
StatusMitigated with Documentation

RAI-9: Proportionality - Overly Aggressive Automation

FieldValue
CategoryProportionality (Microsoft RAI Standard)
AssetDeveloper autonomy
ThreatPrompts push Copilot toward excessive automation reducing human judgment
LikelihoodLow
ImpactMedium
MitigationsHuman-in-the-loop design patterns in prompts
Residual RiskLow
StatusMitigated

RAI-10: Contestability - No Mechanism to Challenge AI Decisions

FieldValue
CategoryContestability (Microsoft RAI Standard)
AssetUser agency
ThreatUsers cannot override or question Copilot behavior influenced by prompts
LikelihoodLow (Copilot suggestions are optional)
ImpactLow
MitigationsCopilot's non-mandatory nature, edit/reject options built-in
Residual RiskVery Low
StatusMitigated (Copilot Controls)

RAI-11: Societal Impact - Deskilling Developers

FieldValue
CategorySocietal Impact (Microsoft RAI Standard)
AssetDeveloper skill development
ThreatOver-reliance on AI-assisted coding reduces skill development
LikelihoodMedium (industry-wide concern)
ImpactLow for HVE Core specifically
MitigationsPrompts emphasize learning and understanding, not just output
Residual RiskMedium (societal, not technical)
StatusAccepted with Documentation

RAI-12: Environmental Impact - Compute Resource Awareness

FieldValue
CategoryEnvironmental Impact (Microsoft RAI Standard)
AssetCompute resources
ThreatInefficient prompts cause unnecessary model computation
LikelihoodLow
ImpactLow (marginal compute impact)
MitigationsEfficient prompt design guidelines
Residual RiskVery Low
StatusAccepted

RAI-13: Misinformation - Prompts Generating Incorrect Information

FieldValue
CategoryMisinformation (Microsoft RAI Standard)
AssetDocumentation and code accuracy
ThreatPrompts cause Copilot to generate plausible but incorrect content
LikelihoodMedium (LLM hallucination is known issue)
ImpactMedium
MitigationsVerification prompts, citation requirements in prompt guidelines
Residual RiskMedium (inherent LLM limitation)
StatusPartially Mitigated

Security Controls

Supply Chain Security Controls

IDControlImplementationValidates Against
SC-1Dependency Pinning ValidationTest-DependencyPinning.ps1S-1, S-2
SC-2SHA Staleness MonitoringTest-SHAStaleness.ps1S-1
SC-3Dependency Reviewdependency-review.ymlS-2, AI-5
SC-4npm Security Auditnpm audit in pr-validation.ymlS-2
SC-5Dependabot Updatesdependabot.ymlS-1, S-2
SC-6Tool Checksum Verificationscripts/security/tool-checksums.jsonS-1
SC-7SBOM Generation and Attestationanchore/sbom-action, actions/attest in main.ymlS-1, S-2
SC-8SBOM Dependency Diffsbom-diff job in main.ymlS-1, S-2

SC-8: SBOM Dependency Diff Implementation

The sbom-diff job in main.yml runs during each release to surface supply chain changes between consecutive versions. It compares the current dependency SBOM against the previous release, generating a structured dependency-diff.md report that is uploaded to the GitHub Release.

FieldValue
TriggerRuns when release_created == 'true', after SBOM generation completes
InputSPDX JSON dependency SBOMs from current build and previous GitHub Release
Outputdependency-diff.md uploaded to the GitHub Release as an asset
Failure Modecontinue-on-error: true prevents diff failures from blocking the release
Permissionscontents: write (release asset upload only)

The diff script parses SPDX JSON packages, excludes root document entries, and categorizes changes into three groups:

  • Added packages not present in the previous release
  • Removed packages no longer included in the current build
  • Version changes where the same package appears in both releases at different versions

When no previous release exists or the prior release lacks a dependency SBOM, the job exits cleanly without producing a diff. This graceful degradation ensures the first release in a repository proceeds without error.

Code Quality Controls

IDControlImplementationValidates Against
CQ-1CodeQL Analysiscodeql-analysis.ymlT-1, E-1
CQ-2Markdown Lintinglint:md npm scriptT-2, RAI-4
CQ-3Frontmatter ValidationValidate-MarkdownFrontmatter.ps1T-2
CQ-4PowerShell AnalysisInvoke-PSScriptAnalyzer.ps1T-1
CQ-5YAML LintingInvoke-YamlLint.ps1T-1

Access Controls

IDControlImplementationValidates Against
AC-1Branch ProtectionRepository settingsT-1, E-2
AC-2CODEOWNERS Enforcement.github/CODEOWNERST-1, T-2
AC-3PR Review RequirementsBranch protection rulesT-2, AI-1
AC-4Minimal Workflow Permissionspermissions: in all workflowsE-1

Vulnerability Management Controls

IDControlImplementationValidates Against
VM-1Coordinated DisclosureSECURITY.mdI-1
VM-2Secret ScanningGitHub native, gitleaks PR gate (gitleaks-scan.yml)I-1, I-2
VM-3Credential Persistence Disabledpersist-credentials: falseI-1, E-1

Assurance Argument

This section presents the security assurance case using Goal Structuring Notation (GSN) patterns.

Top-Level Goal

G0: HVE Core is acceptably secure for its intended use as an enterprise prompt engineering framework.

Supporting Goals

GoalStatementStrategy
G1Supply chain attacks are mitigatedS1: Defense-in-depth controls
G2Unauthorized modifications are preventedS2: Access control enforcement
G3AI-specific risks are documented and addressedS3: Risk acceptance with documentation
G4Responsible AI principles are followedS4: Guidelines and review processes

Evidence Mapping

GoalEvidence
G1Dependency pinning logs, staleness reports, dependency review results, SBOM attestation verification, dependency SBOM diff reports
G2Branch protection configuration, CODEOWNERS file, PR review history
G3This threat model document, MCP trust analysis
G4Writing style guidelines, inclusive language checks, PR reviews

Assumptions and Justifications

IDAssumptionJustification
A1GitHub platform security is adequateSOC 2 Type II certified
A2GitHub Copilot provides baseline AI safetyMicrosoft RAI compliance
A3Contributors act in good faithPR review provides verification
A4Consumers implement their own code reviewDocumented as consumer responsibility

Argument Summary

HVE Core achieves acceptable security through:

  1. Automated Controls: 20+ security controls execute automatically via CI/CD
  2. Defense-in-Depth: Multiple overlapping controls for critical threats
  3. Transparent Risk Acceptance: AI-inherent risks documented with clear boundaries
  4. Inherited Security: Uses GitHub and Copilot platform security

MCP Server Trust Analysis

HVE Core documents integrations with Model Context Protocol servers. This section analyzes the trust posture of each server.

NOTE

GitHub MCP is enabled by default in VS Code when using GitHub Copilot. The other servers are optional and recommended for an optimal HVE Core development experience. See MCP Configuration for setup instructions.

Server Summary

ServerProviderClassificationTrust LevelData Flow RiskDefault
GitHub MCPGitHubFirst-partyHighLowYes
Azure DevOps MCPMicrosoftFirst-partyHighLowNo
Microsoft Docs MCPMicrosoftFirst-partyHighLowNo
Context7 MCPUpstashThird-partyMediumMediumNo

GitHub MCP Server

AttributeAssessment
OperatorGitHub (Microsoft subsidiary)
DeploymentRemote (github.com hosted) or local
AuthenticationOAuth, GitHub App tokens, PATs
AuthorizationInherits GitHub permission model
Data HandlingData stays within GitHub ecosystem
AuditGitHub audit log captures operations
RecommendationLow risk; enable organization policies for access control

Azure DevOps MCP Server

AttributeAssessment
OperatorMicrosoft
DeploymentLocal only (npx invocation)
AuthenticationBrowser-based Azure AD login
AuthorizationInherits Azure DevOps permissions
Data HandlingNo persistent storage by MCP server
AuditAzure DevOps audit log
RecommendationLow risk; standard Microsoft security practices apply

Microsoft Docs MCP Server

AttributeAssessment
OperatorMicrosoft
DeploymentRemote (learn.microsoft.com API)
AuthenticationNone required (public documentation)
AuthorizationRate limiting only
Data HandlingRead-only queries; no user data transmitted beyond search terms
AuditStandard Microsoft API logging
RecommendationLow risk; queries limited to public documentation

Context7 MCP Server

AttributeAssessment
OperatorUpstash (third-party)
DeploymentLocal client, Upstash backend
AuthenticationAPI keys via Upstash dashboard
AuthorizationRate limiting, enterprise SSO available
Data HandlingQueries processed locally; only topics sent to backend
AuditAPI logs with 30-day retention
RecommendationMedium risk; evaluate topic extraction for sensitive context

Trust Recommendations

  1. First-party servers (GitHub, Azure DevOps, Microsoft Docs): Enable with organization policy controls; GitHub MCP is enabled by default
  2. Third-party servers (Context7): Evaluate data flow, use API key rotation, review Upstash trust center

Quantitative Security Metrics

Configured Thresholds

MetricThresholdSource
Dependency Pinning Compliance≥95%dependency-pinning-scan.yml
SHA Staleness≤30 dayssha-staleness-check.yml
Dependency Review Failmoderatedependency-review.yml
npm Audit Fail Levelmoderatepr-validation.yml
Required PR Reviewers1Branch protection

Security Response Commitments

CommitmentSLASource
Security Report Response24 hoursSECURITY.md
Governance Change Comment1 weekGOVERNANCE.md

Validation Workflow Coverage

WorkflowTriggerSecurity Checks
pr-validation.ymlPR to main/developPinning, npm audit, CodeQL, gitleaks
release-stable.ymlPush to mainPinning, gitleaks, SBOM attestation, dependency diff (release)
codeql-analysis.ymlPush, PR, weeklyStatic analysis
dependency-review.ymlPR to main/developVulnerability scanning
weekly-security-maintenance.ymlSundays 2 AM UTCPinning, staleness, CodeQL

References

Internal Documentation

External Standards

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.