Integration of GhAS in Copilot for Security - Example Session
This article is part of a series on how to install and use two custom (unofficial!) plugins, just released, that integrate GitHub Advanced Security (GhAS) into Copilot for Security. Please start from here: Copilot for Security Custom Plugin for GitHub Advanced Security | LinkedIn
Let's start from the list of skills of the two plugins that can be accessed from the "system capabilities" link as described in the dedicated page.
Start by clicking on any of the skills in the plugin for the "org" API. For example, select the skill that lists all the secrets found in the repos of my GitHub organization:
The following action related to the User-Agent input parameter is due to a temporary workaround that will be removed very soon!
NOTE - In the very first release of these two custom plugins, User-Agent is a mandatory input parameter that users are explicitly asked to provide for every skill. This is a temporary workaround, introduced because calls to the GitHub API without a User-Agent header would result in a forbidden response (apparently, at the time of this first release, if we don't explicitly add this User-Agent parameter here, no User-Agent is sent to the GitHub APIs). It’s important to note that Copilot’s ability to consider conversation history typically means that this placeholder parameter only needs to be specified once per user session.
NOTE - When a skill is called directly, a value for this User-Agent parameter is mandatory (you can write any text in it and the call will succeed!). When Copilot instead arrives at one of these skills by understanding the intent of a prompt written in natural language, the prompt does not need to include a value for this parameter: in that case Copilot uses a default value. This behavior was observed at the time of this writing; most probably, in the near future, there won't be any need to include a User-Agent in the list of parameters requested from users.
Put any value in the User-Agent field:
For example, like this:
Submit your prompt and wait for the answer.
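The User-Agent behavior described in the notes above can be reproduced outside Copilot. The following is an added example, not code from the plugins: a local stub server stands in for the GitHub API and rejects requests that carry no User-Agent header, and a client calls the organization-level secret scanning alerts path with and without one. The stub, its error message, the sample alert, `example-org` and `PLACEHOLDER` are constructed, and the assumption is that the "org" skill maps to `/orgs/{org}/secret-scanning/alerts`.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample alert; a real API response carries more fields.
SAMPLE_ALERTS = [{"number": 1, "state": "open", "secret_type": "constructed_example"}]

class StubGitHub(BaseHTTPRequestHandler):
    # Local stand-in (assumption) that applies the rule: no User-Agent, no data.
    def do_GET(self):
        if self.headers.get("User-Agent"):
            status, body = 200, SAMPLE_ALERTS
        else:
            status, body = 403, {"message": "constructed: User-Agent header required"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # silence per-request logging
        pass

def list_org_secret_alerts(host, port, org, token, user_agent=None):
    # http.client sends no User-Agent unless one is set explicitly.
    headers = {"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"}
    if user_agent:
        headers["User-Agent"] = user_agent
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", f"/orgs/{org}/secret-scanning/alerts", headers=headers)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()

def demo():
    # Returns (status without User-Agent, status with it, number of alerts returned).
    server = HTTPServer(("127.0.0.1", 0), StubGitHub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        denied = list_org_secret_alerts(host, port, "example-org", "PLACEHOLDER")
        allowed = list_org_secret_alerts(host, port, "example-org", "PLACEHOLDER", "any-text")
        return denied[0], allowed[0], len(allowed[1])
    finally:
        server.shutdown()
        server.server_close()
```

Against the real API the client would use `http.client.HTTPSConnection("api.github.com")` and a token allowed to read secret scanning alerts for the organization.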
Now you can test the ability of Copilot to understand the intent of the prompts written in natural language and aimed to retrieve information from GitHub Advanced Security.
For example, you may ask:
Please note that, in this second prompt and in the following ones, I do not need to specify the User-Agent parameter temporarily added to the list of input parameters of each skill: Copilot considers the history of the conversation and uses the one specified in the first prompt.
As expected, Copilot selects the correct plugin, the one designed to query the "orgs" API in GitHub:
Now, let's submit another prompt asking for information that Copilot should search for in the second custom plugin, the one designed to query the "repos" API in GitHub. This will happen if my custom prompt explicitly references a specific GitHub repo. For example:
The selection of the skill was done as expected!
Now, let's submit a prompt to address another skill, the one related to Dependabot scanning in GitHub Advanced Security. For example:
Once again, Copilot has selected the right plugin and skill. Please note that I omitted to specify explicitly the name of the org and of the repo: Copilot automatically understood that, in my new question, I was referring to the same context (org, repo) of my previous question.
Now, let's benefit from the ability of Copilot to mix sources of info. For example, let's ask Copilot to give details about a specific vulnerability found by the Dependabot analysis of my code:
As expected, Copilot chose MDTI as the best source for the requested information.
Now, let's change source again by asking Copilot to search for this CVE in the components deployed in my infrastructure:
As expected, Copilot searched for the CVE by using the data retrieved from MDVM.
Now, let's look into the code vulnerabilities. For example, let's search for the vulnerabilities of kind "remote code execution".
Copilot understood that the question was now related to the Code Analysis at organization level.