josiadmin/awesome-copilot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clean

Browse Source
This commit is contained in:
Justin Gosses 2025-08-09 00:37:44 -05:00
parent 71b95feb0f
commit 31cb60b2e6
1 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
instructions/dependency-risk/dependency-risk-README.md
View File

@ -1,5 +1,5 @@
# Caution. Not an Instructions file. This is a README meant for human
# Caution. Not an Instructions file. This is a README meant for humans
## Introduction to dependency risk instruction files
@ -26,6 +26,7 @@ example of what can be done. You can edit or extend to match your own needs or i
### How to use
Copy and paste all four of the instruction files in this directory into your repository's `.github/instructions/` directory.
Ask Copilot Chat agent mode a question like "What can you tell me about the security and community health of the python package welly?"
Optionally, if you have a new MCP tool or additional API source of information for one of the
dependency risk categories explore trying to add instructions for how to access it to either the
@ -133,7 +134,7 @@ can reasonably have different thresholds for what is acceptable risk.
However, it may still be useful to you if it flags a risk earlier than your
other tooling that flags one of these risks at pull request time or at build time.
#### What parts of continuous risk can be assessed well with metadata alone?
#### What parts of continuous risk can be assessed well with publicly available metadata alone as these instructions try to do?
Continuous risks can be thought of as including three partially overlapping categories:
sustainability risks, quality risks, and security posture risks.
@ -142,20 +143,17 @@ Sustainability risks can include "Possibly abandoned", "Not enough eyeballs to s
package and source repository metadata publicly available in 2025 as they are largely activity-based
and community-based measurements, quality risks and security posture risks often require either
manual evaluation of the source code or additional scans of the source code itself to assess well.
Where OpenSSF scorecard data exists, it is surfaced in the dependency risk report for security
When OpenSSF scorecard data exists, it is surfaced in the dependency risk report for security
posture information.
## Example dependency risk report
The following is an example of a dependency risk report generated by these instructions files.
As the instructions evolve, the report may change to reflect new requirements or formatting guidelines.
Each of the files has a version number in the header.
-------------------------------
The following is an example of a dependency risk report generated by an earlier version of these
instruction files.
### Dependency risk report chat record for python package welly
**Conversation Record**
-------------------------------
**User:**
Tell me about the community health and security of python package welly