Summary

Create a set of composable GitHub Actions workflows under .github/workflows/ that fetch code scanning alerts weekly and create one backlog issue per unique rule title for new findings, updating existing issues when a match is found.

Motivation

Manual security backlog creation doesn't scale. A weekly workflow automates discovery of new code scanning findings and creates actionable GitHub issues without duplicating existing ones.

Acceptance Criteria

- scripts/security/Get-CodeScanningAlerts.ps1 exists (completed in "feat(skills): add github-security code-scanning skill" #1418):
  - Parameters: Owner (mandatory), Repo (mandatory), Branch (default: main), OutputFormat (Table|Json|Markdown)
  - Groups alerts by rule.description, sorted descending by count
  - #Requires -Version 7.0, [CmdletBinding()], $ErrorActionPreference = 'Stop', SecurityHelpers.psm1 import via Join-Path $PSScriptRoot
- scripts/tests/security/Get-CodeScanningAlerts.Tests.ps1 exists (completed in #1418)
- Three composable workflows created under .github/workflows/: gh-code-scanning.yml (scan and artifact upload), create-gh-code-scanning-issues.yml (issue creation/update), and weekly-gh-code-scanning.yml (schedule orchestrator), with:
  - cron: '0 3 * * 1' (Mondays 03:00 UTC, offset from the existing Monday 09:00 job)
  - workflow_dispatch trigger on the orchestrator
  - Permissions: contents: read, issues: write, security-events: read (scoped per workflow)
  - Step 1: runs Get-CodeScanningAlerts.ps1 -OutputFormat Json and writes alerts.json
  - Step 2 (bash): loops jq -c '.[]' alerts.json, checks for an existing open issue by title, creates one with gh issue create when absent, or refreshes the body and adds a dated comment via gh issue edit + gh issue comment when found
- npm run lint:all passes (includes lint:ps and YAML lint)
- npm run test:ps -- -TestPath "scripts/tests/security/" passes

Prerequisites

scripts/security/Modules/SecurityHelpers.psm1 must exist. Get-CodeScanningAlerts.ps1 (delivered in #1418) imports this module for Invoke-GitHubAPIWithRetry and token validation.

References

- .copilot-tracking/research/2026-04-09/github-security-scanning-backlog-research.md — Scenarios 1 and 3
- .github/workflows/weekly-security-maintenance.yml (schedule/step pattern)
- scripts/security/Modules/SecurityHelpers.psm1 (module usage)
- #1418 (Get-CodeScanningAlerts.ps1 and Pester tests)
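The create-or-update step described above, as an added example that is not part of this issue or the repository's own workflows: a Python counterpart of the bash Step 2 loop that groups alerts by rule title, compares them against the open issues returned by gh issue list, and builds the gh issue create / gh issue edit / gh issue comment invocations as argv lists so the plan can be inspected before anything runs. The alert JSON, the security-backlog label, the alert field names beyond rule.description and the https://example.invalid URLs are constructed for the example and are assumptions about what Get-CodeScanningAlerts.ps1 -OutputFormat Json emits.

```python
"""Weekly code-scanning backlog sync: one open issue per unique rule title.

Added example, not the issue's own code. Mirrors the Step 2 logic: look up
open issues by exact title, create when absent, otherwise refresh the body
and leave a dated comment. Dedup is by exact title match, because
`gh issue list --search` does fuzzy matching and would silently merge
distinct rules that share words.
"""
import json
import subprocess
from datetime import date

ISSUE_LABEL = "security-backlog"  # assumed label used to scope the lookup

# Constructed sample of the alerts.json shape this example assumes:
# one object per alert carrying rule.description (the grouping key).
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 12, "rule": {"description": "Uncontrolled data used in path expression",
                            "severity": "error"}, "html_url": "https://example.invalid/alerts/12"},
    {"number": 13, "rule": {"description": "Uncontrolled data used in path expression",
                            "severity": "error"}, "html_url": "https://example.invalid/alerts/13"},
    {"number": 14, "rule": {"description": "Log injection",
                            "severity": "warning"}, "html_url": "https://example.invalid/alerts/14"},
])


def load_sample_alerts():
    """Parse the constructed sample (stands in for reading alerts.json)."""
    return json.loads(SAMPLE_ALERTS_JSON)


def group_by_rule(alerts):
    """Return {rule title: [alerts]} ordered by descending alert count, then title."""
    groups = {}
    for alert in alerts:
        groups.setdefault(alert["rule"]["description"], []).append(alert)
    return dict(sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def issue_body(title, items):
    """Markdown body listing every open alert behind one rule title."""
    lines = [f"## {title}", "", f"Open code scanning alerts: {len(items)}", ""]
    for alert in items:
        severity = alert["rule"].get("severity", "unknown")
        lines.append(f"- Alert #{alert['number']} ({severity}): {alert['html_url']}")
    return "\n".join(lines)


def plan_actions(alerts, existing_issues, today=None):
    """Build the gh commands to run.

    existing_issues maps exact open-issue title -> issue number (from
    fetch_open_issues). New titles get `gh issue create`; known titles get
    `gh issue edit` (body refresh) followed by a dated `gh issue comment`.
    """
    today = today or date.today().isoformat()
    actions = []
    for title, items in group_by_rule(alerts).items():
        body = issue_body(title, items)
        if title in existing_issues:
            num = str(existing_issues[title])
            actions.append(["gh", "issue", "edit", num, "--body", body])
            actions.append(["gh", "issue", "comment", num, "--body",
                            f"Refreshed by weekly code scanning sync on {today}: "
                            f"{len(items)} open alert(s)."])
        else:
            actions.append(["gh", "issue", "create", "--title", title,
                            "--body", body, "--label", ISSUE_LABEL])
    return actions


def fetch_open_issues():
    """Exact-title map of open backlog issues via gh (needs GH_TOKEN in CI)."""
    out = subprocess.run(
        ["gh", "issue", "list", "--state", "open", "--label", ISSUE_LABEL,
         "--limit", "500", "--json", "number,title"],
        check=True, capture_output=True, text=True,
    ).stdout
    return {issue["title"]: issue["number"] for issue in json.loads(out)}


def run_plan(actions, dry_run=True):
    """Execute (or just print) the planned gh invocations."""
    for argv in actions:
        print(" ".join(argv[:4]), "...")
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Dry run against the constructed sample; swap in fetch_open_issues()
    # and dry_run=False inside the workflow step.
    run_plan(plan_actions(load_sample_alerts(), {"Log injection": 42}))
```

The lookup uses --label plus --limit rather than --search so that an issue titled "Log injection" does not match a later "Log injection in request handler" rule; if the repository already has unlabeled backlog issues, drop the --label filter and keep the exact-title comparison.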