copilot-security-instructions

✨ A customizable copilot-instructions.md ruleset & prompts to guide GitHub Copilot toward secure coding defaults in Java, Node.js, C# and Python. Blocks risky patterns, teaches safe habits.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio robotti-io-copilot-security-instructions node server.js \
  --env server.ssl="false" \
  --env server.port="8080" \
  --env server.ssl.pfx="localhost.pfx" \
  --env server.hostname="localhost" \
  --env server.ssl.pfx.passphrase="PFX_PASSPHRASE" \
  --env logger.transports.console.enabled="true"

How to use

This MCP server provides a centralized interface to manage and run Copilot security prompts and workflows. It exposes an API and tooling surface that lets you integrate secure coding prompts into your development workflow, route requests to specialized agents, and orchestrate security-focused reviews and fixes. After starting the server, you can configure environment variables to customize port, hostname, and logging, and then invoke the MCP endpoints to load prompt packs, trigger agent workflows, and retrieve findings or remediation guidance. The repository also includes prompts, agents, and skills aimed at guiding Copilot toward secure coding practices across languages like Java, Node.js, C#, and Python. Use the built-in MCP surface to plug these prompts into your CI/CD pipelines or IDE integrations as part of a repeatable, secure-by-default workflow.

To operate, install dependencies, start the server, and ensure your .env contains the necessary variables. You can then interact with the MCP API to load prompt configurations, select an agent (application-security-analyst, -architect, -engineer, etc.), and run specific prompts such as assess-logging, check-for-secrets, or threat-model prompts. This setup enables embedding secure prompts into your project prompts directory and running them from your IDE with the Run Prompt button where applicable.

How to install

Prerequisites:

  • Node.js (14.x or newer) and npm installed on your system
  • Git to clone the repository

Installation steps:

  1. Clone the repository:

       git clone https://github.com/your-org/copilot-security-instructions.git
       cd copilot-security-instructions

  2. Install dependencies:

       npm install

  3. Set up environment variables:

    • Copy the example env file and customize values:

       cp .env.example .env

    • Edit .env to configure server.port, server.hostname, ssl options, and logging as needed

  4. Run the MCP server:

       npm start

  5. Verify the server is running

Notes:

  • The MCP server reads configuration from environment variables. Update .env according to your environment and security requirements.
  • If you modify prompts, agents, or skills, restart the server to pick up changes.

Additional notes

Tips and common considerations:

  • Recommended env vars to customize: server.port, server.hostname, server.ssl, server.ssl.pfx, server.ssl.pfx.passphrase, logger.transports.console.enabled
  • If SSL is disabled (server.ssl=false), you can run without certificates; enable SSL in production with a valid certificate and pfx file.
  • Ensure .env is secured and is not committed to version control when it contains secrets.
  • When adding new prompts or agents, follow the repository’s conventions under prompts/, agents/, and skills/ to ensure MCP routing works as expected.
  • If you encounter CORS or API access issues, verify server.hostname and port align with your client configuration and that firewall rules allow traffic to the MCP server.
  • For troubleshooting, check the console output enabled by logger.transports.console.enabled and review any agent/workflow errors returned by MCP endpoints.
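
The tips above on server.ssl, the PFX passphrase and keeping .env out of version control can be checked mechanically before the server is started. The following is an added example, not code from the repository: it assumes .env holds dotenv-style KEY=value lines, treats a non-loopback server.hostname as the sign of a non-local deployment, and the names parseEnv and auditEnv are hypothetical.

```javascript
// Added example, not project code. Assumption: .env holds dotenv-style KEY=value lines.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue; // skip blanks, comments, junk
    // Strip one pair of matching surrounding quotes from the value.
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

// Returns human-readable findings; an empty array means nothing was flagged.
// Assumption: an unset server.ssl or server.hostname is treated as "false" / "localhost".
function auditEnv(envText, gitignoreText = "") {
  const env = parseEnv(envText);
  const findings = [];
  const ssl = (env["server.ssl"] || "false").toLowerCase() === "true";
  const host = env["server.hostname"] || "localhost";
  if (!ssl && !LOOPBACK.has(host)) {
    findings.push(`server.ssl is false while server.hostname is ${host} (not loopback)`);
  }
  if (ssl && !env["server.ssl.pfx"]) {
    findings.push("server.ssl is true but server.ssl.pfx is not set");
  }
  const pass = env["server.ssl.pfx.passphrase"] || "";
  if (ssl && (pass === "" || pass === "PFX_PASSPHRASE")) {
    findings.push("server.ssl.pfx.passphrase is empty or still the placeholder");
  }
  // The .env file should be excluded from version control.
  const ignored = gitignoreText.split(/\r?\n/).some((l) => /^\/?\.env\*?$/.test(l.trim()));
  if (!ignored) findings.push(".env is not listed in .gitignore");
  return findings;
}

// Constructed sample inputs (not taken from the repository).
const WEAK_ENV = 'server.ssl="false"\nserver.hostname="0.0.0.0"\nserver.port="8080"';
const HARDENED_ENV = [
  'server.ssl="true"',
  'server.hostname="mcp.example.internal"',
  'server.ssl.pfx="server.pfx"',
  'server.ssl.pfx.passphrase="constructed-sample-passphrase"',
].join("\n");

console.log(auditEnv(WEAK_ENV, "node_modules/"));
console.log(auditEnv(HARDENED_ENV, "node_modules/\n.env"));
```

To use it on a checkout, pass the contents of .env and .gitignore to auditEnv and fail the start-up or CI step when the returned array is not empty.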
