microsoft/hve-core

Public

mirrored fromhttps://github.com/microsoft/hve-coreAvailable

Watch0 Fork0 Star0

Code Commits Issues Pull requests Actions Insights Security

940773c7065ca3c06217d8ebda68b40571cd73f3

Find a branch or tag

Branches

940773c7065ca3c06217d8ebda68b40571cd73f3

Clone

HTTPS

Download ZIP

hve-core/.github/instructions/security

.github/instructions/security/sssc-backlog.instructions.md

158lines · modecode

Raw Download

Latest commit unavailable.

unknown

1	`---`
2	`description: "Phase 5 dual-format work item generation with templates and priority derivation for SSSC Planner."`
3	`applyTo: '/.copilot-tracking/sssc-plans/'`
4	`---`
5
6	`# SSSC Phase 5 — Backlog Generation`
7
8	`Generate actionable work items from the gap analysis in dual format (ADO + GitHub). Each work item maps a supply chain security gap to concrete adoption steps.`
9
10	`## Work Item Template`
11
12	`Each generated work item follows this structure:`
13
14	```markdown
15	`## [{Priority}] {Title}`
16
17	`Scorecard Check: {check_name} \| Risk: {Critical\|High\|Medium\|Low}`
18	`Effort: {S\|M\|L\|XL} \| Adoption Type: {category}`
19	`Prerequisite: {work_item_id or "None"}`
20
21	`### Description`
22	`{What needs to be done and why — include the security benefit}`
23
24	`### Adoption Steps`
25	`1. {Concrete step with file path or workflow reference}`
26	`2. {Next step}`
27
28	`### Source References`
29	`- Workflow: {repo}/path/to/workflow.yml`
30	`- Script: {repo}/path/to/script.ps1`
31	`- Documentation: {URL or path}`
32
33	`### Acceptance Criteria`
34	`- [ ] {Verifiable criterion}`
35	`- [ ] {Verifiable criterion}`
36
37	`### ADO Mapping`
38	`- Type: {Epic\|Feature\|User Story\|Task}`
39	`- Tags: supply-chain, ossf, {scorecard-check}, {adoption-type}`
40
41	`### GitHub Mapping`
42	`- Labels: supply-chain, ossf, {scorecard-check}, {adoption-type}`
43	`- Milestone: {milestone}`
44	```
45
46	`## Priority Derivation`
47
48	`Derive work item priority from the Scorecard risk level:`
49
50	`\| Risk Level \| Priority \| Execution Order \|`
51	`\|------------\|----------\|-----------------\|`
52	`\| Critical \| P1 \| First \|`
53	`\| High \| P2 \| Second \|`
54	`\| Medium \| P3 \| Third \|`
55	`\| Low \| P4 \| Fourth \|`
56
57	`Within the same priority level, order items by adoption type (reusable workflow first, new capability last).`
58
59	`## ADO Work Item Format`
60
61	Assign sequential IDs using the format `WI-SSSC-{NNN}` (for example, WI-SSSC-001, WI-SSSC-002). This convention distinguishes SSSC work items from Security Planner items (`WI-SEC-{NNN}`). Order work items by type hierarchy: Epic, Feature, User Story, Task.
62
63	`Work item hierarchy for supply chain security:`
64
65	`* Epic: Supply chain security improvement program (one per assessment)`
66	`* Feature: Per adoption category (reusable workflow adoption, platform configuration, etc.)`
67	`* User Story: Per Scorecard check or SLSA improvement step`
68	`* Task: Individual implementation steps for a user story`
69
70	`HTML template for ADO description fields:`
71
72	```html
73	`<div>`
74	`<h3>Supply Chain Control: {title}</h3>`
75	`<p><strong>Scorecard Check:</strong> {check_name}</p>`
76	`<p><strong>Risk Level:</strong> {risk_level}</p>`
77	`<p><strong>Adoption Type:</strong> {adoption_type}</p>`
78	`<h4>Adoption Steps</h4>`
79	`<ol>`
80	`<li>{step_1}</li>`
81	`<li>{step_2}</li>`
82	`</ol>`
83	`<h4>Acceptance Criteria</h4>`
84	`<ul>`
85	`<li>{criterion_1}</li>`
86	`<li>{criterion_2}</li>`
87	`</ul>`
88	`</div>`
89	```
90
91	`## GitHub Issue Format`
92
93	Assign temporary IDs using the format `{{SSSC-TEMP-N}}`, replaced with real issue numbers on creation.
94
95	`Include a YAML metadata block at the top of the issue body:`
96
97	```yaml
98	`---`
99	`scorecard_check: {check_name}`
100	`risk_level: {Critical\|High\|Medium\|Low}`
101	`adoption_type: {category}`
102	`effort: {S\|M\|L\|XL}`
103	`standards: [{scorecard_check}, {slsa_level}, {badge_criteria}]`
104	`---`
105	```
106
107	`Markdown template for GitHub issue body:`
108
109	```markdown
110	`## Supply Chain Control: {title}`
111
112	`Scorecard Check: {check_name}`
113	`Risk Level: {risk_level}`
114	`Adoption Type: {adoption_type}`
115
116	`### Adoption Steps`
117
118	`1. {step_1}`
119	`2. {step_2}`
120
121	`### Source References`
122
123	- Workflow: `{repo}/path/to/workflow.yml`
124	- Script: `{repo}/path/to/script.ps1`
125
126	`### Acceptance Criteria`
127
128	`- [ ] {criterion_1}`
129	`- [ ] {criterion_2}`
130	```
131
132	`## Content Sanitization`
133
134	`Strip internal tracking paths from work item output before handoff:`
135
136	1. Replace `.copilot-tracking/` paths with descriptive text (e.g., "SSSC plan artifacts").
137	`2. Replace full file system paths with relative references.`
138	`3. Remove state JSON content or references.`
139	`4. Preserve standards references (Scorecard check names, SLSA levels, Badge criteria) in all cases.`
140
141	`## Three-Tier Autonomy Model`
142
143	`Three tiers control how work items reach the target backlog system:`
144
145	`* Full autonomy: Create work items directly via backlog manager. User pre-approves batch creation.`
146	`* Partial autonomy (default): Present each batch of 5-10 items for user review before creation. User can modify, skip, or approve individual items.`
147	`* Manual: Produce output file without invoking backlog tools. User imports items independently.`
148
149	`Ask the user which tier they prefer. Default to partial autonomy on first use.`
150
151	`## Output`
152
153	Write the neutral intermediate backlog to `.copilot-tracking/sssc-plans/{project-slug}/sssc-backlog.md`.
154
155	Update `state.json`:
156	* Set `phases.5-backlog.status` to `✅`
157	* Add `sssc-backlog.md` to `phases.5-backlog.artifacts`
158	* Advance `currentPhase` to `6`
159

microsoft/hve-core

Branches

Tags

Clone