From 71b95feb0fefc9c5d19e9b0a917505f1e40b5db2 Mon Sep 17 00:00:00 2001
From: Justin Gosses <11600445+JustinGOSSES@users.noreply.github.com>
Date: Sat, 9 Aug 2025 00:16:38 -0500
Subject: [PATCH] cleaning up language and making smaller
---
README.md | 10 +-
.../dependency-risk/dependency-risk-README.md | 218 +++++++-----------
...dependency-risk-base-level.instructions.md | 19 +-
...endency-risk-company-level.instructions.md | 6 +-
...ency-risk-repository-level.instructions.md | 8 +-
.../dependency-risk.instructions.md | 8 +-
6 files changed, 119 insertions(+), 150 deletions(-)
diff --git a/README.md b/README.md
index 13a1039..334bcd7 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@ GitHub Copilot provides three main ways to customize AI responses and tailor ass
> **💡 Pro Tip:** Custom instructions only affect Copilot Chat (not inline code completions). You can combine all three customization types - use custom instructions for general guidelines, prompt files for specific tasks, and chat modes to control the interaction context.
-
## 📝 Contributing
We welcome contributions! Please see our [Contributing Guide](./CONTRIBUTING.md) for details on how to submit new instructions and prompts.
@@ -36,6 +35,7 @@ Team and project-specific instructions to enhance GitHub Copilot's behavior for
| [Copilot Process tracking Instructions](instructions/copilot-thought-logging.instructions.md) | See process Copilot is following where you can edit this to reshape the interaction or save when follow up may be needed | [](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcopilot-thought-logging.instructions.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcopilot-thought-logging.instructions.md) |
| [C# Development](instructions/csharp.instructions.md) | Guidelines for building C# applications | [](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcsharp.instructions.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcsharp.instructions.md) |
| [Dart and Flutter](instructions/dart-n-flutter.instructions.md) | Instructions for writing Dart and Flutter code following the official recommendations. | [](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdart-n-flutter.instructions.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdart-n-flutter.instructions.md) |
+| [Dependency Risk](instructions/dependency-risk/dependency-risk-README.md) | Instructions for producing a dependency risk report anytime user requests guidance or Copilot suggests a package. | Uses a multiple layered files so copy and paste required to install |
| [Dev Box image definitions](instructions/devbox-image-definition.instructions.md) | Authoring recommendations for creating YAML based image definition files for use with Microsoft Dev Box Team Customizations | [](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdevbox-image-definition.instructions.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdevbox-image-definition.instructions.md) |
| [DevOps Core Principles](instructions/devops-core-principles.instructions.md) | Foundational instructions covering core DevOps principles, culture (CALMS), and key metrics (DORA) to guide GitHub Copilot in understanding and promoting effective software delivery. | [](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdevops-core-principles.instructions.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdevops-core-principles.instructions.md) |
| [DDD Systems & .NET Guidelines](instructions/dotnet-architecture-good-practices.instructions.md) | DDD and .NET architecture guidelines | [](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdotnet-architecture-good-practices.instructions.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdotnet-architecture-good-practices.instructions.md) |
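Review bot: the new Dependency Risk row has a grammar slip in its last column, `Uses a multiple layered files so copy and paste required to install`; suggest `Uses multiple layered files, so copy and paste is required to install`. Also `anytime user requests guidance` in the description should be `any time a user requests guidance`, and since this row links to a README rather than to an `.instructions.md` file like every other row in the table, it would help to say that the four files to copy live in `instructions/dependency-risk/`.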
@@ -114,7 +114,7 @@ Ready-to-use prompt templates for specific development scenarios and tasks, defi
| [Create GitHub Issue from Implementation Plan](prompts/create-github-issues-feature-from-implementation-plan.prompt.md) | Create GitHub Issues from implementation plan phases using feature_request.yml or chore_request.yml templates. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-github-issues-feature-from-implementation-plan.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-github-issues-feature-from-implementation-plan.prompt.md) |
| [Create GitHub Issues for Unmet Specification Requirements](prompts/create-github-issues-for-unmet-specification-requirements.prompt.md) | Create GitHub Issues for unimplemented requirements from specification files using feature_request.yml template. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-github-issues-for-unmet-specification-requirements.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-github-issues-for-unmet-specification-requirements.prompt.md) |
| [Create Implementation Plan](prompts/create-implementation-plan.prompt.md) | Create a new implementation plan file for new features, refactoring existing code or upgrading packages, design, architecture or infrastructure. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-implementation-plan.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-implementation-plan.prompt.md) |
-| [Create LLMs.txt File from Repository Structure](prompts/create-llms.prompt.md) | Create an llms.txt file from scratch based on repository structure following the llms.txt specification at https://llmstxt.org/ | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-llms.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-llms.prompt.md) |
+| [Create LLMs.txt File from Repository Structure](prompts/create-llms.prompt.md) | Create an llms.txt file from scratch based on repository structure following the llms.txt specification at | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-llms.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-llms.prompt.md) |
| [Generate Standard OO Component Documentation](prompts/create-oo-component-documentation.prompt.md) | Create comprehensive, standardized documentation for object-oriented components following industry best practices and architectural documentation standards. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-oo-component-documentation.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-oo-component-documentation.prompt.md) |
| [Create Readme](prompts/create-readme.prompt.md) | Create a README.md file for the project | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-readme.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-readme.prompt.md) |
| [Create Specification](prompts/create-specification.prompt.md) | Create a new specification file for the solution, optimized for Generative AI consumption. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-specification.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fcreate-specification.prompt.md) |
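Review bot: removing `https://llmstxt.org/` leaves the Create LLMs.txt description ending in `following the llms.txt specification at` with nothing after `at`; either keep the URL (it is the only pointer to the spec) or end the sentence at `specification`.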
@@ -159,7 +159,7 @@ Ready-to-use prompt templates for specific development scenarios and tasks, defi
| [Comprehensive Technology Stack Blueprint Generator](prompts/technology-stack-blueprint-generator.prompt.md) | Comprehensive technology stack blueprint generator that analyzes codebases to create detailed architectural documentation. Automatically detects technology stacks, programming languages, and implementation patterns across multiple platforms (.NET, Java, JavaScript, React, Python). Generates configurable blueprints with version information, licensing details, usage patterns, coding conventions, and visual diagrams. Provides implementation-ready templates and maintains architectural consistency for guided development. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Ftechnology-stack-blueprint-generator.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Ftechnology-stack-blueprint-generator.prompt.md) |
| [Update Azure Verified Modules in Bicep Files](prompts/update-avm-modules-in-bicep.prompt.md) | Update Azure Verified Modules (AVM) to latest versions in Bicep files. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-avm-modules-in-bicep.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-avm-modules-in-bicep.prompt.md) |
| [Update Implementation Plan](prompts/update-implementation-plan.prompt.md) | Update an existing implementation plan file with new or update requirements to provide new features, refactoring existing code or upgrading packages, design, architecture or infrastructure. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-implementation-plan.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-implementation-plan.prompt.md) |
-| [Update LLMs.txt File](prompts/update-llms.prompt.md) | Update the llms.txt file in the root folder to reflect changes in documentation or specifications following the llms.txt specification at https://llmstxt.org/ | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-llms.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-llms.prompt.md) |
+| [Update LLMs.txt File](prompts/update-llms.prompt.md) | Update the llms.txt file in the root folder to reflect changes in documentation or specifications following the llms.txt specification at | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-llms.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-llms.prompt.md) |
| [Update Markdown File Index](prompts/update-markdown-file-index.prompt.md) | Update a markdown file section with an index/table of files from a specified folder. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-markdown-file-index.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-markdown-file-index.prompt.md) |
| [Update Standard OO Component Documentation](prompts/update-oo-component-documentation.prompt.md) | Update existing object-oriented component documentation following industry best practices and architectural documentation standards. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-oo-component-documentation.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-oo-component-documentation.prompt.md) |
| [Update Specification](prompts/update-specification.prompt.md) | Update an existing specification file for the solution, optimized for Generative AI consumption based on new requirements or updates to any existing code. | [](https://vscode.dev/redirect?url=vscode%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-specification.prompt.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-prompt%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fprompts%2Fupdate-specification.prompt.md) |
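Review bot: same dangling `specification at` as in the Create LLMs.txt row above; restore the URL or drop `at` so the sentence is complete.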
@@ -222,7 +222,7 @@ Custom chat modes define specific behaviors and tools for GitHub Copilot Chat, e
| [Wg Code Alchemist](chatmodes/wg-code-alchemist.chatmode.md) | Ask WG Code Alchemist to transform your code with Clean Code principles and SOLID design | [](https://vscode.dev/redirect?url=vscode%3Achat-mode%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fchatmodes%2Fwg-code-alchemist.chatmode.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-mode%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fchatmodes%2Fwg-code-alchemist.chatmode.md) |
| [Wg Code Sentinel](chatmodes/wg-code-sentinel.chatmode.md) | Ask WG Code Sentinel to review your code for security issues. | [](https://vscode.dev/redirect?url=vscode%3Achat-mode%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fchatmodes%2Fwg-code-sentinel.chatmode.md) [](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-mode%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fchatmodes%2Fwg-code-sentinel.chatmode.md) |
-> 💡 **Usage**: Create new chat modes using the command `Chat: Configure Chat Modes...`, then switch your chat mode in the Chat input from _Agent_ or _Ask_ to your own mode.
+> 💡 **Usage**: Create new chat modes using the command `Chat: Configure Chat Modes...`, then switch your chat mode in the Chat input from *Agent* or *Ask* to your own mode.
## 📚 Additional Resources
@@ -256,4 +256,4 @@ This project may contain trademarks or logos for projects, products, or services
trademarks or logos is subject to and must follow
[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
-Any use of third-party trademarks or logos are subject to those third-party's policies.
\ No newline at end of file
+Any use of third-party trademarks or logos are subject to those third-party's policies.
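Review bot: since this line is being rewritten anyway to add the trailing newline, fix the subject-verb agreement at the same time: `Any use of third-party trademarks or logos is subject to those third parties' policies`.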
diff --git a/instructions/dependency-risk/dependency-risk-README.md b/instructions/dependency-risk/dependency-risk-README.md
index 3b7c80d..88829c5 100644
--- a/instructions/dependency-risk/dependency-risk-README.md
+++ b/instructions/dependency-risk/dependency-risk-README.md
@@ -1,16 +1,9 @@
-# Caution, Not an Instructions file
-
--------------------------------
-
-THIS IS NOT AN INSTRUCTIONS FILE.
-IT IS FOR HUMANS TO LEARN ABOUT THE DEPENDENCY RISK INSTRUCTION FILES LOCATED IN SAME FOLDER
-
--------------------------------
+# Caution. Not an Instructions file. This is a README meant for human
## Introduction to dependency risk instruction files
-Dependency risk instruction files are designed to provide detailed guidance for Copilot, when in agent mode, on where to get information and how to assess the risks of using a third-party package or library in software development, as well as how to format that information into a standardized dependency risk report in the chat window that is easily scannable and understandable by developers such that they make better informed decisions about dependency consumption.
+Dependency risk instruction files are designed to provide detailed guidance for Copilot, when in agent mode, on where to get information and how to assess the risks of using a third-party package or library in software development, as well as how to format that information into a standardized dependency risk report in the chat window that is easily scannable and understandable by developers such that they make better informed decisions about dependency consumption. See the [example dependency risk report for welly](#example-dependency-risk-report) at the bottom of this file.
The goal is to support the following visions:
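Review bot: the new heading `This is a README meant for human` should read `for humans`, and a `#` heading made of three sentences is hard to read; something like `# Caution: this is a README for humans, not an instructions file` keeps the warning the old banner carried. The added link `[example dependency risk report for welly](#example-dependency-risk-report)` needs a heading whose slug is exactly `example-dependency-risk-report` in this file; that section is not visible in this patch, so please confirm it exists or the anchor is dead.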
@@ -22,29 +15,61 @@ These instructions are meant to be called when:
1. Copilot is explicitly asked about the riskiness, health, quality, or security posture of a package or library.
2. Copilot suggests a new package or library.
-You can learn more about when they are called by reading the tops of the instruction files themselves where this is defined.
-The instructions are split into four files to allow for flexibility in ownership and customization of the instructions, which is explained in more detail below in the section titled ["Why not a single file"](#why-not-a-single-file)
-What risks are flagged to users is detailed in the section ["Types of dependency risks"](#types-of-dependency-risks)
-These instruction files are prototypes and rapid change is expected. You can edit or extend to match your needs or internal policies.
+The instructions are split into four files to allow for flexibility in ownership and customization
+of different parts of the instructions over time, for instance between a centralized
+Open Source Programs Office and individual development teams. This is explained in more detail below in the
+section titled ["Why not a single instructions file"](#why-not-a-single-instructions-file)
+What risks are currently flagged to users is detailed in the section
+["Types of dependency risks"](#types-of-dependency-risks) These instruction files are meant as an
+example of what can be done. You can edit or extend to match your own needs or internal company policies.
+
+### How to use
+
+Copy and paste all four of the instruction files in this directory into your repository's `.github/instructions/` directory.
+
+Optionally, if you have a new MCP tool or additional API source of information for one of the
+dependency risk categories explore trying to add instructions for how to access it to either the
+company or repository level instructions files.
### Disclaimer
-These instructions are not exhaustive and do not replace any required compliance processes that you may be required to follow based on writing code for a company or organization. They do not surface all risks, nor is there any guarantee that the information is up-to-date or accurate. Much of the data is sourced from either public metadata repositories, package managers, or GitHub source repository pages, so information in some cases could be manipulated by the package authors or maintainers.
+These instructions are not exhaustive and do not replace any required compliance processes that you may be required to follow based on writing code for a company or organization. They definitely do not surface all risks, nor is there any guarantee that the information is up-to-date or accurate. Much of the data is sourced from either public metadata repositories, package managers, or GitHub source repository pages, so information in some cases could be manipulated by the package authors or maintainers.
The dependency risk report is meant to provide a quick reference that flags for developers risks identified with metadata that associated with third-party dependencies. It tries to do this at the point when using a package is being first considered
in their IDE (Integrated Development Environment), as this is when switching costs are lowest.
-
Users are encouraged to leverage the report as a starting point and then visit the suggested links to find more information.
## Why not a single instructions file
The dependency risk instructions are split into four files to allow for instructions to be owned by different parties and then combined. While all the files are local files now, one or more files could be externally defined. While Copilot will normally
-not accept externally defined instructions, it will if the user explicitly allows it. Splitting them in this
-way allows for both a standardized set of initial default instructions, individual project-specific instructions for some
-risks, and company-specific tooling that can evolves over time
-**without having to submit pull requests to change every file in every repository one at a time**. For example, the
-company-level instructions file might be defined in another GitHub repository or in an MCP.
-The files that layer on top of one another are described in more details below.
+not accept externally defined instructions, it will if the instruction files include instructions to ask
+the user for permission first and then the user explicitly allows it, as is seen in the
+`dependencyRisk.instructions.md` file.
+
+The benefit of this approach is it is possible to then have one or more of the instructions files
+for how to generate the dependency risk report sit outside the repository, either in a MCP
+tool or external repository. This allows for the top-level instructions to be somewhere
+controlled by a centralized team, such as an open source programs office (OSPO) or a centralized
+engineering team. These centrally controlled instruction files can be evolved over time and
+point to newly created internal MCPs without needing to make pull requests to every repository
+that wants to be able to generate a dependency risk report, minimizing problems with instruction
+file staleness over time. At the same time, you can have repository-level preferences for styling,
+or even stricter thresholds for some metrics, controlled in repository-specific instruction files
+that get combined with the externally defined instructions to form a single end user experience.
+
+In summary, this approach of layering instruction files into one joint instruction file allows for
+the end-user experience from instruction files to be a combination of centralized team standards
+and tooling with the repository-specific needs without frequent repeated pull requests across large
+numbers of repositories.
+
+The four files that layer on top of one another are described in more details below.
+
+### Central risk instructions file that only points to the others
+
+The `dependencyRisk.instructions.md` file mostly just defines when the instructions files are used and points to
+the other three dependency risk report instruction files. If any of the other instruction files
+are externally defined or in MCPs, there is a line in this instruction files that asks the user
+for permission to fetch them.
### Base level instructions file
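Review bot: the file name referenced here, `dependencyRisk.instructions.md`, does not match the files in this patch's diffstat (`dependency-risk.instructions.md`, `dependency-risk-base-level.instructions.md`, and so on), so a reader following `How to use` will look for files that do not exist; update the names throughout the README. On the externally hosted instructions described in `Why not a single instructions file` and `Central risk instructions file`: the user's permission prompt is the only control on fetching remote instructions, and whatever is fetched then steers Copilot in agent mode, so the README should tell users to pin the remote file to a specific tag or commit and to read it before approving rather than approving by habit. Smaller points: `in a MCP` should be `in an MCP` (twice), and the sentences ending `(#why-not-a-single-instructions-file)` and `(#types-of-dependency-risks) These instruction files` are each missing a period.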
@@ -63,96 +88,27 @@ The `dependencyRisk.repositoryLevel.instructions.md` file is where repository-sp
As a company might provide dependency-related tooling in an MCP or API format or there may be other tools to identify and
reduce risks in dependencies, these instructions can be in the `dependencyRisk.companyLevel.instructions.md` file.
-### Central risk instructions file that only points to the others
+## Helping developers make better dependency consumption choices
-The `dependencyRisk.instructions.md` file mostly just defines when the instructions files are used and points to
-the other three dependency risk report instruction files.
+We know developers too often choose dependencies based on familiarity or convenience rather than health,
+security, and quality. Developers have also reported using packages that Copilot suggests without
+additional checking if they exist or are risky.
-The benefit of this approach is it should
-be possible to then have one or more of the other files sit outside the repository. This could allow for the
-top-level instructions to be somewhere controlled by a centralized team,
-such as an open source programs office (OSPO) or a centralized engineering team.
-It could also allow just that 1 of 3 instruction files to be open sourced in a
-central location while the other two are private. It also allows the company-level instructions to similarly be
-in a centralized location where it can be evolved over time and point to new internal tooling or MCPs without
-needing to make any pull requests to change files in a repository. You could even have that company instructions
-files just tell Copilot to use a suite of tools in a company specific MCP.
-
-## Problems and limitations this approach is solving for
-
-#### Problems: Developer behavior
-
-- Developers often choose dependencies based on popularity or convenience rather than health, security, and quality.
-- Developers have reported using packages that Copilot suggests without additional checking if they exist or are risky.
-
-#### Answer: Developer behavior
-
-- The dependency risk report will pop up without being asked for explicitly but rather than Copilot is suggesting a package or the user is asking Copilot about a package.
-- Increase chance dependency risks are considered by not requiring the developer to leave their IDE (Integrated Development Environment)
-- Shrink time to check for a collection of dependency risks goes from 10-30 minutes to 0.5-2 minutes.
-
-#### Problem: Staleness of instruction files
-
-- Instructions files can become stale or inconsistent between repositories over time. A developer might copy
-and paste an instructions file once and then never update it even as the centrally provided instructions
-for dependency risk reports continues to evolve and change over time in its own repository. This is a
-repeating problem in any file that exists in many repositories.
-- Additionally, it is reasonable to expect more MCP tools to be available over time, including those that deal
-with dependencies and compliance. Ideally, the instruction files for dependency risks would assume they would
-exist in the future and not become obsolete when they do exist.
-
-#### Answer: Staleness of instruction files
-
-- As the instructions are split across several different files that are layered, it opens up the possibility
- for one or more of those instruction files to site in an external file or a MCP tool instead of every
- individual repository. If the company-level instructions file is defined in an internal MCP endpoint, then it can be managed and changed by a central team without changes requiring a pull request into however many
- repositories use the file.
-
-#### Problem: Usage of external instructions requires user interaction
-
-- If you put a link to an external instructions file in a Copilot instructions file, Copilot will say it can
- not access instructions at an external link when you try to use that instructions file.
-
-#### Answer: Usage of external instruction requires user interaction
-
-- This problem can be resolved by having the local instructions file include instructions for Copilot to ask the
- user for permissions to fetch the instructions at the external link. Because the user then has knowledge of
- where Copilot is getting instructions from, Copilot can then fetch and follow the instructions.
-
-#### Problem: I expect my company will have a MCP for dependency compliance in future so do not want to do anything in this space right now
-
-- It can be nerve wracking to get started with this sort of approach if you expected other teams or products to eventually come out with MCP tools that address some of these risks. You might not want to start doing anything in this space.
-
-#### Answer: I expect my company will have a MCP for dependency compliance in future so do not want to do anything in this space right now
-
-- If you use a company-level instructions file that is defined in an MCP or a publicly accessibly GitHub repository, you can later make changes to that single file instead of having to make pull requests to every repository using this approach.
+To minimize these risks and encourage more well informed choices, the dependency risk report will
+generate in the Copilot chat window when in agent mode without being asked for explicitly anytime
+Copilot is suggesting a package in addition to when the user is asking Copilot about a package.
+As the dependency report can generate fully in 0.2-2 minutes and is in their
+IDE (Integrated Development Environment), it is hoped the information will be more likely to
+be considered than if they had to leave their IDE and spend 10-30 minutes manually researching
+the same information across package managers, source repositories, and others locations.
## Types of dependency risks
It can be helpful to think of dependency risks in terms of two classes of risks, continuous and binary.
-
-### Types of dependency risk considered by the dependency risk report
-
-| Risk Class | Risk | Definition | Factors Considered in Report |
-|---------------|---------------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Binary | Vulnerability | Whether known security vulnerabilities are associated with the dependency. | Public vulnerability databases reflected in ecosyste.ms. and sometimes vulnerability information on source repository in GitHub. Use other tools for full assessment. |
-| Binary | License | Finds license of the package. | As presence of a quickly identifiable license is all this checks for, other tooling should be used for actual license compliance. Does not cover multiple licenses, modified licenses, whether copyleft license, tell you what licenses require extra steps, etc. |
-| Binary | Malicious | Theoretically flags if the package is known or suspected to be malicious. | Depends on company instructions file tooling or does not provide any advice. Use other tools for full assessment. |
-| Continuous | Possibly abandoned | Assesses if the dependency appears to be no longer maintained. | Time since last commit or release, lack of recent activity, source repository is archived, etc.. |
-| Continuous | Not enough eyeballs | Evaluates if there are too few contributors or reviewers to catch issues. | Number of downloads, number of dependent repositories. |
-| Continuous | Contribution could stop suddenly | Considers the risk that development may halt unexpectedly. | Reliance on a single maintainer, Number of contributors is small, Only single version published, Few commits recently, etc. |
-| Continuous | Poor security posture | Assesses the overall security practices and responsiveness of the project. | Presence of security policy, Low OpenSSF Scorecard score, uses a dangerous GitHub Action workflow pattern, etc. Note that not all packages will have pre-existing scans by OpenSSF Scorecard |
-
-**Use other tooling to assess the risk of license complications, malicious code, and security vulnerabilities as the dependency risk report generated is not exhaustive!** It may still be useful to you if it flags a risk earlier than your
-other tooling that flags one of these risks at pull request time or at build time. Company or paid tooling to
-asses continuous risks may also be available but is less common.
-
-#### What parts of continuous risk can be assessed well with metadata alone?
-
-Continuous risks can be thought of as including sustainability risks, quality risks, and security posture risks.
-Sustainability risks can include "Possibly abandoned", "Not enough eyeballs to spot bugs", and "Contribution could stop suddenly". Sustainability risks are often possible to identify with package and source repository metadata publicly
-available in 2025 whereas quality risks and security posture risks often require manual evaluation of the source code or
-additional scans of the source code itself to assess well.
+Binary risks are either present or not, with clear yes/no answers, which makes them fit well into compliance frameworks
+and compliance tooling that can be deployed across an entire organization with the same thresholds and rules.
+Continuous risks in contrast are risks that tend to exist on a continuous spectrum of risks AND different projects
+can reasonably have different thresholds for what is acceptable risk.
### Differences Between Binary and Continuous Risks
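Review bot: the new sentence "the dependency risk report will generate in the Copilot chat window when in agent mode without being asked for explicitly anytime Copilot is suggesting a package in addition to when the user is asking Copilot about a package" is hard to parse; suggest "When Copilot is in agent mode, the dependency risk report is generated in the chat window without being explicitly requested, both when Copilot suggests a package and when the user asks about one." Also "others locations" should be "other locations" and "well informed" should be "well-informed". Separately, this hunk drops the FAQ entry explaining that Copilot will not follow instructions at an external link unless the local file tells it to ask the user for permission first; if that note is not kept elsewhere in the README, teams hosting a company-level file outside the repository lose the one explanation of why the fetch requires explicit user consent.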
@@ -161,29 +117,33 @@ additional scans of the source code itself to assess well.
| Binary | Risks that are either present or not, with clear yes/no answers. | Company-scale (often enforced organization-wide) | $, reputation, trust | Typically fits into compliance frameworks (e.g., license, vulnerabilities) | Company-specific instructions file (`dependencyRisk.companyLevel.instructions.md`) |
| Continuous | Risks that exist on a spectrum and require judgment or thresholds. | Individual team (context-specific, flexible) | unplanned for developer time | Often fits into risk-reduction frameworks (e.g., maintenance, community health) | Repository-specific instructions file (`dependencyRisk.repositoryLevel.instructions.md`) |
-Binary risks are either present or not, with clear yes/no answers, which makes them fit well into compliance frameworks
-and compliance tooling that can be deployed across an entire organization with the same thresholds and rules.
-Continuous risks in contrast are risks that tend to exist on a continuous spectrum of risks AND different projects
-can reasonably have different thresholds for what is acceptable risk.
+### Types of dependency risk considered by the dependency risk report
-## Deciding not to use a package is only one way to reduce risk
+| Risk Class | Risk | Definition | Factors Considered in Report |
+|---------------|---------------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Binary | Vulnerability | Whether known security vulnerabilities are associated with the dependency based on a CVE. | Report uses public vulnerability databases reflected in ecosyste.ms. and sometimes vulnerability information on source repository in GitHub. Use other tools for full assessment! |
+| Binary | License | License of the package. | Currently, only the first identified licenses is surfaced to the user. Does not cover multiple licenses, modified licenses, whether copyleft license, tell you what licenses require extra steps, etc. Use other tooling for actual license compliance! |
+| Binary | Malicious | Whether the package contains known or suspected malicious code. | Currently, this does nothing but tell you to use your own tooling and check for company instructions file for listed tooling. It is a placeholder. |
+| Continuous | Possibly abandoned | Assesses if the dependency appears to be no longer maintained. | Considers time since last release, lack of recent activity, if source repository is archived, etc. |
+| Continuous | Not enough eyeballs | Evaluates if there are too few contributors or reviewers to catch issues. | Considers number of downloads, number of dependent repositories. |
+| Continuous | Contribution could stop suddenly | Considers the risk that development may halt unexpectedly. | Considers reliance on a single maintainer, if number of contributors is small, if only single version published, too few commits recently, etc. |
+| Continuous | Poor security posture | Assesses the overall security posture of the project. | Considers low OpenSSF Scorecard score, if uses a dangerous GitHub Action workflow pattern, etc. Note that not all packages will have pre-existing scans by OpenSSF Scorecard |
-The dependency report generated by these instructions files targets the point in time before any code is written
-with a given dependency, which is the point of lowest switching cost. It largely targets the decision to use a
-package or not.
+**Use other tooling to assess the risk of license complications, malicious code, and security vulnerabilities as the dependency risk report generated is not exhaustive!**
+However, it may still be useful to you if it flags a risk earlier than your
+other tooling that flags one of these risks at pull request time or at build time.
-However, there are many risks that can appear after a package is already in use
-and not using a package is only one possible action. The table below summarizes,
-at a very high level, common actions that can be taken at various points in the development process.
+#### What parts of continuous risk can be assessed well with metadata alone?
-| Action | When | Keep Using Dependency? |
-|------------------------------------------------------------------------|-----------------------------------------------------------|-----------------|
-| Use a different package with lower risk. | Before writing code, PR time, or during usage | No |
-| Decide not to use a package at all and write code. | Before writing code, PR time, or during usage | No |
-| Use a different version with no known vulnerabilities. | Before writing code, PR time, or during usage | Yes |
-| Recommend others not start using a risky package already in use to eventually reduce aggregate usage without having to ban a dependency outright. | Before first usage on individual repositories | Yes (for self), No (for others) |
-| Sponsor a package to reduce sustainability, quality, or security risks. | During usage | Yes |
-| Upstream contributions to improve quality, security, or sustainability risks. | During usage | Yes |
+Continuous risks can be thought of as including three partially overlapping categories:
+sustainability risks, quality risks, and security posture risks.
+Sustainability risks can include "Possibly abandoned", "Not enough eyeballs to spot bugs", and
+"Contribution could stop suddenly". While sustainability risks are often possible to identify with
+package and source repository metadata publicly available in 2025 as they are largely activity-based
+and community-based measurements, quality risks and security posture risks often require either
+manual evaluation of the source code or additional scans of the source code itself to assess well.
+Where OpenSSF scorecard data exists, it is surfaced in the dependency risk report for security
+posture information.
## Example dependency risk report
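Review bot: the unchanged "Differences" table rows still name `dependencyRisk.companyLevel.instructions.md` and `dependencyRisk.repositoryLevel.instructions.md`, which do not match the `dependency-risk-company-level.instructions.md` and `dependency-risk-repository-level.instructions.md` files this patch ships, so readers are pointed at files that do not exist; update both cells. In the moved risk table, the Vulnerability row now says "based on a CVE" while its factors column still cites public vulnerability databases and GitHub repository advisory data, which are broader than CVE-numbered entries; either drop "based on a CVE" or say which identifier the report keys on. Grammar in the same table: "only the first identified licenses is surfaced" should be "license is", and "if uses a dangerous GitHub Action workflow pattern" should be "if it uses". Finally, this hunk deletes the "Deciding not to use a package is only one way to reduce risk" section and its action table (different version, sponsorship, upstream contributions) without a replacement anywhere in the patch; if the intent is only to shorten, consider keeping a one-line pointer that not using the package is not the only mitigation.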
@@ -259,7 +219,7 @@ Here is a detailed dependency risk report for the Python package welly (latest v
**Key links**
-- Ecosyte.ms:
+- Ecosyste.ms:
- Source repository on GitHub:
@@ -271,14 +231,12 @@ Here is a detailed dependency risk report for the Python package welly (latest v
- OpenSSF scorecard (API):
-
----
-
+\
Please confirm this information via the provided webpage links and understand users can provide fake information, especially via README or description so be careful with those sources.
This report is not exhaustive and is not a substitute for actual compliance processes you may be required to follow.
----
+-------------------------------
**Package name:** welly
**Package type:** pypi
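Review bot: the `\` that replaces the `---` separator will most likely render as a literal backslash in Markdown (a backslash on a line by itself is not a hard line break), and the long dash line placed directly under "This report is not exhaustive ..." with no blank line turns that sentence into a setext heading if this example is rendered rather than fenced. Suggest a blank line, `---`, blank line for a horizontal rule, or `<br>` if a hard break was intended, and a blank line before the dashed separator.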
@@ -291,4 +249,4 @@ This report is not exhaustive and is not a substitute for actual compliance proc
- dependencyRisk.repositoryLevel.instructions.md: 0.0.5
- dependencyRisk.instructions.md: 0.0.4
-
+
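Review bot: the example report's version block still lists `dependencyRisk.repositoryLevel.instructions.md: 0.0.5` and `dependencyRisk.instructions.md: 0.0.4`, while this patch bumps the actual files `dependency-risk-repository-level.instructions.md` and `dependency-risk.instructions.md` to `0.1.01`. Since these version lines are what a reader uses to tell which instruction set produced a report, update the example to the current filenames and versions or label it as output of an older version.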
diff --git a/instructions/dependency-risk/dependency-risk-base-level.instructions.md b/instructions/dependency-risk/dependency-risk-base-level.instructions.md
index c9b4b0b..f94f1e8 100644
--- a/instructions/dependency-risk/dependency-risk-base-level.instructions.md
+++ b/instructions/dependency-risk/dependency-risk-base-level.instructions.md
@@ -2,9 +2,11 @@
description: 'How to give guidance on which packages or libraries to use. Provides a dependency risk report.'
applyTo: '**'
mode: "agent"
-version: "0.1.00"
+version: "0.1.01"
---
+# Dependency Risk Base Level Instructions
+
## When to use the instructions below
These instructions should be used:
@@ -33,7 +35,7 @@ the dependency risk report in the following locations:
- `/.github/dependency-risk-company-level.instructions.md` file
- `/.github/dependency-risk-repository-level.instructions.md`, file,
-#### Formatting and Styling Guidelines for Dependency Risk Report
+### Formatting and Styling Guidelines for Dependency Risk Report
Check for style guidelines in `./dependency-risk-repository-level.instructions.md` file. or `./dependency-risk-company-level.instructions.md` file. If not found, use style choices that make it easy to read and skim.
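Review bot: the lookup paths for the override files are inconsistent within this patch: this file tells Copilot to look in `/.github/dependency-risk-company-level.instructions.md` and `/.github/dependency-risk-repository-level.instructions.md`, the styling paragraph right below says `./dependency-risk-repository-level.instructions.md`, and `dependency-risk.instructions.md` says `.github/instructions/dependency-risk-company-level.instructions.md`. If the company-level file carries mandatory policy overrides, a lookup in the wrong directory silently drops them, so pick one location and use it in all four files. Also stray punctuation on the unchanged lines: "instructions.md`, file," and "instructions.md` file. or".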
@@ -41,7 +43,7 @@ Check for style guidelines in `./dependency-risk-repository-level.instructions.m
You will visit the following pages and return only the data instructed necessary to flag specific risks:
-- Ecosyte.ms: /packages/
+- Ecosyste.ms: /packages/
- Source repository on GitHub: /
- Contributors graph on GitHub : //graphs/contributors
- Pull request page on GitHub: //pulls
@@ -54,6 +56,7 @@ Do not return information except what information was requested and where it was
## Structure of report to deliver in chat window
Yes to any of the following questions indicates a risk you should report in the report to the user
+
------------
### Indicators of that risk that project is POSSIBLY ABANDONED?
@@ -90,7 +93,7 @@ Yes to any of the following questions indicates a risk you should report in the
- If yes:
- 1. Remind user to ensure they are not using a vulnerable version of the package.
- 2. Provide link to vulnerability advisors, either:
- - /packages//advisories
+ - /packages//advisories
- //security
- 3. State latest version of package based on ecosyste.ms data. REMEMBER, Do not state this version is vulnerable unless you know this specific version is listed as vulnerable.
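Review bot: "vulnerability advisors" in step 2 should read "vulnerability advisories"; since the list is being reindented here anyway, fix the wording in the same hunk.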
@@ -106,14 +109,14 @@ or `/.github/dependencyRisk.repositoryLevel.instructions.md`, simply state that
### Key links to include at end of report, populate by replacing variables as appropriate for each package for which a report is being made
-- Ecosyte.ms: /packages/
+- Ecosyste.ms: /packages/
- Source repository on GitHub: /
- Contributors graph on GitHub : //graphs/contributors
- Pull request page on GitHub: //pulls
- Commits over time on GitHub: //commits
- OpenSSF scorecard.dev: /
----------------
+------------
## How to process data into flagged risks for the report
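Review bot: the hunk header context shows this file still refers to `/.github/dependencyRisk.repositoryLevel.instructions.md`, the pre-rename camelCase filename, so the "simply state that ..." instruction will never match the repository-level file this patch actually ships (`dependency-risk-repository-level.instructions.md`). Search the base-level file for `dependencyRisk.` and update every occurrence in this patch.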
@@ -131,7 +134,7 @@ or `/.github/dependencyRisk.repositoryLevel.instructions.md`, simply state that
### How to get that information from ecosyste.ms
-Ecosyste.ms is a website that has metadata information about packages and their source repository as plain text on the page. The format of the URL is : `https://packages.ecosyste.ms/api/v1/registries//packages/` where the package name is the variable in that URL. The possible package manager names that should be used in variable in the URL above are: "pypi.org" for python packages, "npmjs.org" for javascript or npm packages, "proxy.golang.org" for go packages, "hub.docker.com" for docker, "nuget.org" for C# and C+ packages, "repo1.maven.org" for java packages, "rubygems.org" for ruby packages, "crates.io" for Rust packages, "cocapods.org", and "anaconda.org" for conda packages.
+Ecosyste.ms is a website that has metadata information about packages and their source repository as plain text on the page. The format of the URL is : `https://packages.ecosyste.ms/api/v1/registries//packages/` where the package name is the variable in that URL. The possible package manager names that should be used in variable in the URL above are: "pypi.org" for python packages, "npmjs.org" for javascript or npm packages, "proxy.golang.org" for go packages, "hub.docker.com" for docker, "nuget.org" for C# and C+ packages, "repo1.maven.org" for java packages, "rubygems.org" for ruby packages, "crates.io" for Rust packages, "cocapods.org", and "anaconda.org" for conda packages.
Within the ecosystem.ms page found in the last step there are several top-level KEYS with more useful information for determining risk that should be found and remembered. Please find each of these.
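Review bot: while fixing "Ecosyte.ms" on this line, three other typos remain: "cocapods.org" should be "cocoapods.org", "C+" should be "C++", and "ecosystem.ms" on the next line should be "ecosyste.ms". The registry names are the only input Copilot has for building the API URL, so a misspelled registry means the fetch returns nothing and the report is produced with no data for that ecosystem; a short table of ecosystem to registry name would make the list easier to check.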
@@ -190,7 +193,7 @@ REMEMBER:
Do not use a GitHub repository's description, About section, or README.md or README.rst or main page to answer any questions except those instructed in this section.
For example, DO NOT use them to answer when a repository was last updated or number of contributors or how many downloads or any other information except what was explicitly asked for!
-----------
+------------
## LAST REMINDERS
diff --git a/instructions/dependency-risk/dependency-risk-company-level.instructions.md b/instructions/dependency-risk/dependency-risk-company-level.instructions.md
index 0d3dc68..8d54f7c 100644
--- a/instructions/dependency-risk/dependency-risk-company-level.instructions.md
+++ b/instructions/dependency-risk/dependency-risk-company-level.instructions.md
@@ -1,10 +1,12 @@
---
-description: 'Sub-instructions of `dependency_instructions_baseLevel.md" focused on company specific guidance or tools.'
+description: 'Sub-instructions of "dependency-risk-base-level.instructions.md" focused on company specific guidance or tools.'
applyTo: '**'
mode: "agent"
-version: "0.1.00"
+version: "0.1.01"
---
+# Dependency Risk Company Level Instructions
+
## Instructions
The following are instructions that reflect policies that must be followed that are specific to this repository. They build off of the instructions found in the [./dependency-risk-base-level.instructions.md](./dependency_instructions_baseLevel.md) and override any instructions in that file.
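Review bot: the link on the unchanged line below still targets `./dependency_instructions_baseLevel.md` while its text says `./dependency-risk-base-level.instructions.md`; since the description in this hunk was updated to the new name, update the link target too. Also the sentence says the policies are "specific to this repository" inside the company-level file; "specific to this company" (or organization) matches the file's purpose and the README's company-scale mapping for binary risks.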
diff --git a/instructions/dependency-risk/dependency-risk-repository-level.instructions.md b/instructions/dependency-risk/dependency-risk-repository-level.instructions.md
index f98947e..ec6975e 100644
--- a/instructions/dependency-risk/dependency-risk-repository-level.instructions.md
+++ b/instructions/dependency-risk/dependency-risk-repository-level.instructions.md
@@ -1,10 +1,12 @@
---
-description: 'Sub-instructions of `dependency_instructions_baseLevel.md" focused on per-repository guidance or tools for "Should I use" questions.'
+description: 'Sub-instructions of "dependency-risk-base-level.instructions.md" focused on per-repository guidance or tools for "Should I use" questions.'
applyTo: '**'
mode: "agent"
-version: "0.1.00"
+version: "0.1.01"
---
+# Dependency Risk Repository Level Instructions
+
## Instructions
The following are instructions that reflect policies that must be followed that are specific to this repository. They build off of the instructions found in the [./dependency-risk-base-level.instructions.md](./dependency_instructions_baseLevel.md) and override any instructions in that file.
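Review bot: same stale link target as in the company-level file: `[./dependency-risk-base-level.instructions.md](./dependency_instructions_baseLevel.md)` points at the old filename and should become `(./dependency-risk-base-level.instructions.md)`.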
@@ -13,7 +15,7 @@ The following are instructions that reflect policies that must be followed that
No additional instructions for MCPs or APIs at this time.
-#### Formatting and Styling Guidelines for Dependency Risk Report
+### Formatting and Styling Guidelines for Dependency Risk Report
- Use section headers in bold (e.g., **Indicators of risk: POSSIBLY ABANDONED**).
- For each risk indicator, use:
diff --git a/instructions/dependency-risk/dependency-risk.instructions.md b/instructions/dependency-risk/dependency-risk.instructions.md
index 2bb4887..44e5b1b 100644
--- a/instructions/dependency-risk/dependency-risk.instructions.md
+++ b/instructions/dependency-risk/dependency-risk.instructions.md
@@ -1,15 +1,19 @@
---
+description: "Instructions for producing a dependency risk report anytime user requests or Copilot suggests a package."
applyTo: '**'
-version: '0.1.00'
+mode: "agent"
+version: '0.1.01'
---
+# Dependency Risk Instructions
+
Anytime Copilot mentions or suggests a new package or library or the
use asks Copilot about the riskiness, health, quality, or security posture
of a package, follow the instructions to produce a dependency risk report.
You must follow the instructions in `.github/instructions/dependency-risk-base-level.instructions.md` file
-And add to those instructions the additions ones found in:
+And add to those instructions the additional ones found in:
- `.github/instructions/dependency-risk-company-level.instructions.md`
- `.github/instructions/dependency-risk-repository-level.instructions.md`
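Review bot: the paths listed here (`.github/instructions/dependency-risk-company-level.instructions.md`, `.github/instructions/dependency-risk-repository-level.instructions.md`) do not match the `/.github/dependency-risk-...` locations the base-level file tells Copilot to check, so one of the two files will look in the wrong place and the company-level overrides may never be applied; align them. Wording: "the use asks Copilot" should be "the user asks Copilot", and "And add to those instructions the additional ones found in:" begins a new sentence with a conjunction after a line with no period; suggest "You must follow the instructions in `...` and add the additional ones found in:". Style: the new front matter mixes double quotes (`description`, `mode`) with single quotes (`applyTo`, `version`); use one style.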