---
title: Security Assurance Case and Threat Model
description: Comprehensive threat model and security assurance documentation demonstrating enterprise security practices
author: Microsoft
ms.date: 2026-01-23
ms.topic: reference
keywords:
  - security
  - threat model
  - STRIDE
  - defense-in-depth
  - assurance case
estimated_reading_time: 25
---

## Executive Summary

HVE Core is an enterprise prompt engineering framework for GitHub Copilot consisting of:

- Markdown-based prompt artifacts (instructions, prompts, agents, skills)
- PowerShell automation scripts for linting and validation
- GitHub Actions CI/CD workflows
- VS Code extension packaging utilities

The repository contains no runtime services, databases, or user data storage. Primary threats target supply chain integrity and developer workflow compromise. Security relies on defense-in-depth with 18+ automated controls validated through CI/CD pipelines.

### Security Posture Overview

| Category | Status | Control Count | Automated |
|--------------------------|---------|---------------|-----------|
| Supply Chain Security | Strong | 6 controls | 100% |
| Code Quality | Strong | 5 controls | 100% |
| Access Control | Strong | 4 controls | 100% |
| Vulnerability Management | Strong | 3 controls | 100% |
| Total | **18+** | **18** | **100%** |

## Contents

- [System Description](#system-description)
- [Trust Boundaries](#trust-boundaries)
- [Threat Model](#threat-model)
  - [STRIDE Threats](#stride-threats)
  - [Dev Container Threats](#dev-container-threats)
  - [AI-Specific Threats](#ai-specific-threats)
  - [Responsible AI Threats](#responsible-ai-threats)
- [Security Controls](#security-controls)
- [Assurance Argument](#assurance-argument)
- [MCP Server Trust Analysis](#mcp-server-trust-analysis)
- [Quantitative Security Metrics](#quantitative-security-metrics)
- [References](#references)

## System Description

### Components

HVE Core contains four primary component categories:

1. **Prompt Engineering Artifacts** (`.github/instructions/`, `.github/prompts/`, `.github/agents/`, `.github/skills/`)
   - Markdown files with YAML frontmatter
   - Consumed by GitHub Copilot during development sessions
   - No code execution within prompts

2. **PowerShell Scripts** (`scripts/`)
   - Linting and validation utilities
   - CI/CD automation support
   - No external network connections except documented tool downloads

3. **GitHub Actions Workflows** (`.github/workflows/`)
   - PR validation pipeline
   - Security scanning (CodeQL, dependency review)
   - Release automation

4. **VS Code Extension** (`extension/`)
   - Packaging configuration
   - Extension manifest
   - No telemetry or data collection

### Data Flow

```mermaid
flowchart TD
    subgraph DEV["Developer Workstation"]
        ARTIFACTS["HVE Core Artifacts<br/>(.instructions.md, .prompt.md, etc)"]
        IDE["VS Code IDE"]
        COPILOT["GitHub Copilot Extension"]
        LOCALMCP["Local MCP Servers<br/>(optional)"]
        SCRIPTS["Local Scripts<br/>(PowerShell)"]
        DEVCON["Dev Container<br/>(optional)"]
    end

    subgraph GITHUB["GitHub Platform (Network Boundary)"]
        LLMAPI["LLM API Service"]
        REMOTEMCP["GitHub MCP Server"]
        REPO["Repository"]
        ACTIONS["GitHub Actions Runners"]
        SCANNING["Security Scanning<br/>(CodeQL, Dep Review)"]
    end

    ARTIFACTS -->|"read into context"| COPILOT
    IDE --> COPILOT
    COPILOT -->|"prompts + context (HTTPS)"| LLMAPI
    LLMAPI -->|"suggestions"| COPILOT
    COPILOT <-->|"tool calls"| LOCALMCP
    COPILOT <-->|"tool calls (HTTPS)"| REMOTEMCP
    DEVCON -.->|"contains"| IDE
    DEVCON -.->|"contains"| SCRIPTS
    DEV -->|"git push"| REPO
    REPO -->|"triggers"| ACTIONS
    ACTIONS --> SCANNING
```

### Security Inheritance from GitHub Copilot

HVE Core artifacts are consumed by GitHub Copilot, which provides foundational security:

| Inherited Control | Provider | HVE Core Responsibility |
|---------------------------------|----------------|-----------------------------------------|
| LLM input/output filtering | GitHub Copilot | None; artifacts are Copilot inputs |
| Token encryption in transit | GitHub Copilot | None; handled by Copilot infrastructure |
| Organization policy enforcement | GitHub Copilot | Document compatible policy options |
| Audit logging | GitHub Copilot | None; uses Copilot audit streams |
| SOC 2 Type II compliance | GitHub | None; infrastructure control |

## Trust Boundaries

### Boundary Diagram

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ TRUST BOUNDARY: Repository Contents                                          │
│ ┌────────────────────────────────────────────────────────────────────────┐   │
│ │ Controlled Artifacts                                                   │   │
│ │ ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────────┐     │   │
│ │ │ Prompts    │  │ Scripts    │  │ Workflows  │  │ Documentation  │     │   │
│ │ │ .md files  │  │ .ps1 files │  │ .yml files │  │ .md files      │     │   │
│ │ └────────────┘  └────────────┘  └────────────┘  └────────────────┘     │   │
│ └────────────────────────────────────────────────────────────────────────┘   │
│                                     │                                        │
│ ┌───────────────────────────────────▼────────────────────────────────────┐   │
│ │ TRUST BOUNDARY: CI/CD Pipeline                                         │   │
│ │ ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────────┐     │   │
│ │ │ PR Valid.  │  │ CodeQL     │  │ Dep Review │  │ Release        │     │   │
│ │ │ Workflow   │  │ Analysis   │  │ Workflow   │  │ Workflow       │     │   │
│ │ └────────────┘  └────────────┘  └────────────┘  └────────────────┘     │   │
│ └────────────────────────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────────────────────────┘
                                      │
    ┌─────────────────────────────────┼──────────────────────────────────┐
    │                                 ▼                                  │
    │ TRUST BOUNDARY: External Dependencies                              │
    │ ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌──────────────┐   │
    │ │ npm        │  │ GitHub     │  │ PowerShell │  │ Third-party  │   │
    │ │ Packages   │  │ Actions    │  │ Gallery    │  │ MCP Servers  │   │
    │ └────────────┘  └────────────┘  └────────────┘  └──────────────┘   │
    └────────────────────────────────────────────────────────────────────┘
```

### Boundary Descriptions

| Boundary | Assets Protected | Controls Enforced |
|-----------------------|----------------------------------------|-------------------------------------------|
| Repository Contents | Source code, prompts, scripts | CODEOWNERS, branch protection, PR review |
| CI/CD Pipeline | Build artifacts, security scan results | Minimal permissions, SHA pinning |
| External Dependencies | npm packages, Actions, MCP servers | Dependency review, staleness monitoring |
| Dev Container | Development environment, tooling | SHA256 verification, first-party features |

## Threat Model

This section documents threats using [STRIDE](https://learn.microsoft.com/azure/security/develop/threat-modeling-tool-threats) methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), supplemented with AI-specific and Responsible AI threat categories.

### STRIDE Threats

#### S-1: Compromised GitHub Action via Tag Substitution

| Field | Value |
|-------------------|--------------------------------------------------------------------------------------|
| **Category** | Spoofing |
| **Asset** | CI/CD pipeline integrity |
| **Threat** | Attacker compromises upstream Action repository and replaces tag with malicious code |
| **Likelihood** | Medium (documented supply chain attacks exist) |
| **Impact** | High (full CI/CD compromise, secret exfiltration) |
| **Mitigations** | SHA pinning for all Actions, staleness monitoring, CodeQL scanning |
| **Residual Risk** | Low (SHA immutable; requires GitHub infrastructure compromise) |
| **Status** | Mitigated |
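The pinning check that S-1's first mitigation depends on, as an added stand-alone illustration rather than the repository's own Test-DependencyPinning.ps1: it scans a constructed workflow for `uses:` references that are not locked to a 40-hex commit SHA. The sample workflow also carries the E-1 settings the page names (a minimal `permissions:` block and `persist-credentials: false`); the SHA in it is a placeholder, not a real upstream commit.

```shell
#!/bin/sh
# Added example, not the repository's Test-DependencyPinning.ps1: report every
# `uses:` reference in a workflow that is not pinned to a full 40-hex commit SHA.
# A tag such as @v4 or a branch such as @main can be re-pointed by whoever
# controls the upstream repository (threat S-1); a commit SHA cannot.

# Constructed sample workflow for this example. Besides one SHA-pinned step it
# shows the E-1 mitigations named in the threat model: a minimal `permissions:`
# block and `persist-credentials: false` on checkout. The SHA is a placeholder.
SAMPLE_WORKFLOW='name: pr-validation
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-lint
'

# Same shape with every remote action pinned; used as the passing case.
PINNED_WORKFLOW='jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x
      - uses: ./.github/actions/local-lint
'

# Print unpinned remote references as "<line>:<ref>", one per line.
# Local actions (./path) have no upstream to pin and are skipped.
find_unpinned_uses() {
    printf '%s\n' "$1" \
      | grep -n -E '^[[:space:]]*-?[[:space:]]*uses:' \
      | sed -E 's/^([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^" #]+)"?.*$/\1:\2/' \
      | grep -v -E ':\./' \
      | grep -v -E '@[0-9a-f]{40}$'
}

# Number of unpinned references (prints 0 when the workflow is fully pinned).
count_unpinned() {
    find_unpinned_uses "$1" | grep -c .
}

# Return 0 when fully pinned; otherwise list the offenders on stderr and
# return 1, which is what makes this usable as a blocking CI check.
check_workflow_pinning() {
    unpinned=$(find_unpinned_uses "$1")
    if [ -z "$unpinned" ]; then
        return 0
    fi
    printf 'Unpinned action references (pin to a 40-hex commit SHA):\n%s\n' "$unpinned" >&2
    return 1
}

if check_workflow_pinning "$SAMPLE_WORKFLOW"; then
    echo "sample workflow: all actions pinned"
else
    echo "sample workflow: $(count_unpinned "$SAMPLE_WORKFLOW") unpinned reference(s)"
fi
```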

#### S-2: npm Package Substitution Attack

| Field | Value |
|-------------------|-------------------------------------------------------------|
| **Category** | Spoofing |
| **Asset** | Build dependencies |
| **Threat** | Malicious package published with same name or typosquatting |
| **Likelihood** | Medium (common attack vector) |
| **Impact** | Medium (limited runtime exposure; primarily build-time) |
| **Mitigations** | Package-lock.json integrity, npm audit, dependency review |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### T-1: Unauthorized Modification of Security Controls

| Field | Value |
|-------------------|-------------------------------------------------------------------|
| **Category** | Tampering |
| **Asset** | Workflow files, security scripts |
| **Threat** | Attacker with write access disables security checks |
| **Likelihood** | Low (requires compromised maintainer account) |
| **Impact** | High (security controls bypassed) |
| **Mitigations** | CODEOWNERS enforcement, branch protection, PR review requirements |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### T-2: Malicious Prompt Injection via PR

| Field | Value |
|-------------------|---------------------------------------------------------------|
| **Category** | Tampering |
| **Asset** | Prompt artifacts |
| **Threat** | Contributor submits prompt with hidden malicious instructions |
| **Likelihood** | Medium (social engineering possible) |
| **Impact** | Medium (affects Copilot behavior for consumers) |
| **Mitigations** | PR review, CODEOWNERS, frontmatter validation |
| **Residual Risk** | Medium (semantic analysis not automated) |
| **Status** | Partially Mitigated |

#### R-1: Untraceable Configuration Changes

| Field | Value |
|-------------------|------------------------------------------------------------|
| **Category** | Repudiation |
| **Asset** | Repository configuration |
| **Threat** | Admin makes security-impacting changes without audit trail |
| **Likelihood** | Low (GitHub provides audit logs) |
| **Impact** | Medium (accountability gap) |
| **Mitigations** | GitHub audit log, branch protection audit events |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### I-1: Secret Exposure in Logs or Artifacts

| Field | Value |
|-------------------|---------------------------------------------------------------------|
| **Category** | Information Disclosure |
| **Asset** | Repository secrets, tokens |
| **Threat** | Secrets accidentally logged or included in build artifacts |
| **Likelihood** | Low (minimal secret usage) |
| **Impact** | High (credential compromise) |
| **Mitigations** | GitHub secret masking, GitHub secret scanning, minimal secret usage |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### I-2: Sensitive Information in Prompt Artifacts

| Field | Value |
|-------------------|---------------------------------------------------------------------|
| **Category** | Information Disclosure |
| **Asset** | Prompt files, documentation |
| **Threat** | Internal URLs, API keys, or proprietary patterns exposed in prompts |
| **Likelihood** | Low (review process catches obvious cases) |
| **Impact** | Medium (information leakage) |
| **Mitigations** | PR review, GitHub secret scanning, documentation guidelines |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### D-1: CI/CD Resource Exhaustion

| Field | Value |
|-------------------|-------------------------------------------------------------------|
| **Category** | Denial of Service |
| **Asset** | GitHub Actions minutes, runner availability |
| **Threat** | Malicious PR triggers expensive workflows repeatedly |
| **Likelihood** | Low (requires PR creation privileges) |
| **Impact** | Low (billing impact, temporary delays) |
| **Mitigations** | Workflow approval for first-time contributors, concurrency limits |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### D-2: Dependency Confusion Blocking Builds

| Field | Value |
|-------------------|----------------------------------------------------------------|
| **Category** | Denial of Service |
| **Asset** | Build pipeline |
| **Threat** | Attacker publishes conflicting package preventing clean builds |
| **Likelihood** | Low |
| **Impact** | Medium (build failures) |
| **Mitigations** | Package-lock.json, scoped packages |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### E-1: Workflow Token Abuse

| Field | Value |
|-------------------|-------------------------------------------------------------------|
| **Category** | Elevation of Privilege |
| **Asset** | GitHub Actions tokens |
| **Threat** | Compromised workflow step uses GITHUB_TOKEN beyond intended scope |
| **Likelihood** | Low (minimal permissions declared) |
| **Impact** | Medium (depends on token permissions) |
| **Mitigations** | Minimal permissions pattern, persist-credentials: false |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### E-2: Branch Protection Bypass

| Field | Value |
|-------------------|------------------------------------------------------------------|
| **Category** | Elevation of Privilege |
| **Asset** | Protected branches |
| **Threat** | Admin bypasses branch protection to merge unauthorized changes |
| **Likelihood** | Low (requires admin access and intentional bypass) |
| **Impact** | High (security controls circumvented) |
| **Mitigations** | Branch protection rules, audit logging, "Do not allow bypassing" |
| **Residual Risk** | Low |
| **Status** | Mitigated |

### Dev Container Threats

These threats address risks in the development container configuration used for Codespaces and local container development.

#### DC-1: Feature Tag Substitution Attack

| Field | Value |
|-------------------|--------------------------------------------------------------------------|
| **Category** | Spoofing |
| **Asset** | Dev container configuration |
| **Threat** | Malicious update to a feature version tag introduces compromised tooling |
| **Likelihood** | Low (first-party Microsoft features only) |
| **Impact** | Medium (development environment compromise) |
| **Mitigations** | First-party features only, PR review of devcontainer.json changes |
| **Residual Risk** | Low (Microsoft-maintained features with release controls) |
| **Status** | Mitigated |

#### DC-2: Lifecycle Script Tampering

| Field | Value |
|-------------------|-----------------------------------------------------------------|
| **Category** | Tampering |
| **Asset** | Container initialization scripts |
| **Threat** | Attacker modifies on-create.sh or post-create.sh to inject code |
| **Likelihood** | Low (requires PR approval, CODEOWNERS protection) |
| **Impact** | High (arbitrary code execution in dev environment) |
| **Mitigations** | CODEOWNERS, PR review, branch protection |
| **Residual Risk** | Low |
| **Status** | Mitigated |

#### DC-3: External Binary Download Compromise

| Field | Value |
|-------------------|-------------------------------------------------------------|
| **Category** | Spoofing |
| **Asset** | External tools (gitleaks, shellcheck) |
| **Threat** | Compromised download source serves malicious binary |
| **Likelihood** | Very Low (SHA256 verification enforced) |
| **Impact** | High (malicious tooling in dev environment) |
| **Mitigations** | SHA256 checksum verification in on-create.sh |
| **Residual Risk** | Very Low (cryptographic verification prevents substitution) |
| **Status** | Mitigated |
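DC-3's mitigation in runnable form, as an added example that is not the repository's on-create.sh: a downloaded tool is accepted only if its SHA-256 matches the expected digest, and a mismatch deletes the file so a later install step cannot pick it up. The expected digest is a shell variable here, whereas the repository keeps its digests in scripts/security/tool-checksums.json (SC-6); the "download" is a constructed local file.

```shell
#!/bin/sh
# Added example, not the repository's on-create.sh: verify a downloaded tool
# against an expected SHA-256 before it is installed, and refuse it on
# mismatch (threat DC-3). The download is a constructed local file.

# Portable SHA-256 of a file: GNU coreutils sha256sum, or shasum on macOS/BSD.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_tool <path> <expected-sha256>
# Returns 0 and leaves the file in place when the digest matches; otherwise
# removes the file (so nothing downstream can execute it) and returns 1.
verify_tool() {
    path="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$path")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$path" "$expected" "$actual" >&2
    rm -f "$path"
    return 1
}

# Constructed fixture: the content "hello\n". Its SHA-256 is the digest that
# `echo hello | sha256sum` prints, standing in for a manifest entry.
EXPECTED_HELLO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Write the fixture to a temp file and print its path (the "downloaded" tool).
make_fixture() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    printf '%s' "$tmp"
}

# Scenario 1: an untampered download passes and stays on disk.
# Scenario 2: a modified download (one byte appended, standing in for a
# substituted binary) fails and is removed.
demo() {
    good=$(make_fixture)
    if verify_tool "$good" "$EXPECTED_HELLO_SHA256"; then
        echo "ok: $good verified"
    fi
    bad=$(make_fixture)
    printf 'x' >> "$bad"
    if verify_tool "$bad" "$EXPECTED_HELLO_SHA256"; then
        echo "unexpected: tampered file accepted"
    else
        echo "ok: tampered file rejected and removed"
    fi
    rm -f "$good"
}
demo
```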
358
359### AI-Specific Threats
360
361These threats address risks specific to AI/ML systems as documented by [OWASP LLM Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/) and [MITRE ATLAS](https://atlas.mitre.org/).
362
363#### AI-1: Prompt Injection via Artifact Content
364
365| Field | Value |
366|-------------------|------------------------------------------------------------------------|
367| **Category** | LLM01: Prompt Injection (OWASP) |
368| **Asset** | Copilot behavior, downstream code generation |
369| **Threat** | Malicious instructions embedded in prompt artifacts manipulate Copilot |
370| **Likelihood** | Medium |
371| **Impact** | Medium (affects code generation quality and safety) |
372| **Mitigations** | PR review, CODEOWNERS, clear artifact structure guidelines |
373| **Residual Risk** | Medium (inherent to prompt-based systems) |
374| **Status** | Partially Mitigated |
375
376#### AI-2: Insecure Output Handling
377
378| Field | Value |
379|-------------------|-------------------------------------------------------------------|
380| **Category** | LLM02: Insecure Output Handling (OWASP) |
381| **Asset** | Generated code |
382| **Threat** | Copilot generates insecure code patterns based on prompt guidance |
383| **Likelihood** | Medium |
384| **Impact** | Variable (depends on consumer's review practices) |
385| **Mitigations** | Security-focused prompts, consumer code review responsibility |
386| **Residual Risk** | Medium (HVE Core provides guidance, not enforcement) |
387| **Status** | Accepted with Documentation |
388
389#### AI-3: Training Data Poisoning (Indirect)
390
391| Field | Value |
392|-------------------|-----------------------------------------------------------|
393| **Category** | LLM03: Training Data Poisoning (OWASP) |
394| **Asset** | Copilot model behavior |
395| **Threat** | Malicious patterns in HVE Core influence Copilot training |
396| **Likelihood** | Very Low (Copilot training controlled by GitHub) |
397| **Impact** | Low (HVE Core is small input to large training corpus) |
398| **Mitigations** | Out of scope; GitHub controls training pipeline |
399| **Residual Risk** | Very Low |
400| **Status** | Accepted (Outside Control) |
401
402#### AI-4: Model Denial of Service
403
404| Field | Value |
405|-------------------|-----------------------------------------------------------------|
406| **Category** | LLM04: Model Denial of Service (OWASP) |
407| **Asset** | Copilot availability |
408| **Threat** | Crafted prompts cause excessive resource consumption in Copilot |
409| **Likelihood** | Very Low |
410| **Impact** | Low (Copilot has rate limiting) |
411| **Mitigations** | Copilot's built-in rate limiting and resource management |
412| **Residual Risk** | Very Low |
413| **Status** | Accepted (Outside Control) |
414
415#### AI-5: Supply Chain Vulnerabilities (LLM-Specific)
416
417| Field | Value |
418|-------------------|--------------------------------------------------------------|
419| **Category** | LLM05: Supply-Chain Vulnerabilities (OWASP) |
420| **Asset** | MCP server integrations |
421| **Threat** | Compromised MCP server provides malicious context to Copilot |
422| **Likelihood** | Low (first-party servers) to Medium (third-party) |
423| **Impact** | Medium (affects code generation context) |
424| **Mitigations** | MCP server trust analysis, documentation of trust levels |
425| **Residual Risk** | Low to Medium depending on server |
426| **Status** | Mitigated with Documentation |
427
428#### AI-6: Sensitive Information Disclosure
429
430| Field | Value |
431|-------------------|----------------------------------------------------------------------|
432| **Category** | LLM06: Sensitive Information Disclosure (OWASP) |
433| **Asset** | User context, code patterns |
434| **Threat** | Prompt artifacts cause Copilot to expose sensitive patterns |
435| **Likelihood** | Low |
436| **Impact** | Medium |
437| **Mitigations** | Consumer responsibility; prompt guidelines discourage sensitive data |
438| **Residual Risk** | Low |
439| **Status** | Mitigated with Documentation |
440
441#### AI-7: Insecure Plugin Design
442
443| Field | Value |
444|-------------------|-----------------------------------------------------------------|
445| **Category** | LLM07: Insecure Plugin Design (OWASP) |
446| **Asset** | MCP server integrations, VS Code extension |
447| **Threat** | Extension or MCP server allows unauthorized operations |
448| **Likelihood** | Low (extension has no sensitive operations) |
449| **Impact** | Low to Medium |
450| **Mitigations** | Minimal extension functionality, MCP server trust documentation |
451| **Residual Risk** | Low |
452| **Status** | Mitigated |
453
454#### AI-8: Excessive Agency
455
456| Field | Value |
457|-------------------|----------------------------------------------------------|
458| **Category** | LLM08: Excessive Agency (OWASP) |
459| **Asset** | Autonomous Copilot operations |
460| **Threat** | Prompts grant Copilot excessive autonomous capabilities |
461| **Likelihood** | Low (prompts are guidance, not permissions) |
462| **Impact** | Variable |
463| **Mitigations** | Copilot's built-in guardrails, tool confirmation dialogs |
464| **Residual Risk** | Low |
465| **Status** | Mitigated (Copilot Controls) |
466
467#### AI-9: Overreliance
468
469| Field | Value |
470|-------------------|------------------------------------------------------------|
471| **Category** | LLM09: Overreliance (OWASP) |
472| **Asset** | Code quality, developer decision-making |
473| **Threat** | Developers accept Copilot output without verification |
474| **Likelihood** | Medium |
475| **Impact** | Variable (depends on context) |
476| **Mitigations** | Documentation emphasizing review, security-focused prompts |
477| **Residual Risk** | Medium (behavioral, not technical) |
478| **Status** | Accepted with Documentation |
479
480#### AI-10: Model Theft (N/A)
481
482| Field | Value |
483|-------------------|---------------------------------------------|
484| **Category** | LLM10: Model Theft (OWASP) |
485| **Asset** | N/A |
486| **Threat** | HVE Core does not host or distribute models |
487| **Likelihood** | N/A |
488| **Impact** | N/A |
489| **Mitigations** | N/A |
490| **Residual Risk** | N/A |
491| **Status** | Not Applicable |
492
493#### AI-11: AML.T0043 Craft Adversarial Data (MITRE ATLAS)
494
495| Field | Value |
496|-------------------|--------------------------------------------------------------|
497| **Category** | MITRE ATLAS AML.T0043 |
498| **Asset** | Prompt artifacts |
499| **Threat** | Adversary crafts prompt content to cause model misbehavior |
500| **Likelihood** | Medium |
501| **Impact** | Medium |
502| **Mitigations** | PR review process, CODEOWNERS, artifact structure validation |
503| **Residual Risk** | Medium |
504| **Status** | Partially Mitigated |
505
506#### AI-12: AML.T0048 Evade ML Model (MITRE ATLAS)
507
508| Field | Value |
509|-------------------|---------------------------------------------------------------|
510| **Category** | MITRE ATLAS AML.T0048 |
511| **Asset** | Security recommendations in prompts |
512| **Threat** | Prompts designed to cause Copilot to bypass security guidance |
513| **Likelihood** | Low |
514| **Impact** | Medium |
515| **Mitigations** | Security-first prompt design principles, review process |
516| **Residual Risk** | Low |
517| **Status** | Mitigated |
518
519### Responsible AI Threats
520
521These threats address ethical and responsible AI considerations aligned with Microsoft's Responsible AI principles.
522
523#### RAI-1: Fairness - Biased Code Generation Patterns
524
525| Field | Value |
526|-------------------|----------------------------------------------------------------------------|
527| **Category** | Fairness (Microsoft RAI Standard) |
528| **Asset** | Generated code quality across contexts |
529| **Threat** | Prompts inadvertently favor certain coding styles or exclude accessibility |
530| **Likelihood** | Medium |
531| **Impact** | Medium (affects inclusivity of generated code) |
532| **Mitigations** | Inclusive language guidelines, accessibility-aware prompts |
533| **Residual Risk** | Medium |
534| **Status** | Partially Mitigated |
535
536#### RAI-2: Reliability - Inconsistent Prompt Behavior
537
538| Field | Value |
539|-------------------|-------------------------------------------------------------|
540| **Category** | Reliability & Safety (Microsoft RAI Standard) |
541| **Asset** | Prompt consistency |
542| **Threat** | Same prompt produces significantly different outputs |
543| **Likelihood** | Medium (inherent to LLMs) |
544| **Impact** | Low to Medium |
545| **Mitigations** | Structured prompts, explicit instructions, testing guidance |
546| **Residual Risk** | Medium (LLM behavior inherently variable) |
547| **Status** | Accepted with Documentation |
548
549#### RAI-3: Privacy - Context Leakage via Prompts
550
551| Field | Value |
552|-------------------|---------------------------------------------------------------|
553| **Category** | Privacy & Security (Microsoft RAI Standard) |
554| **Asset** | Developer context, code patterns |
555| **Threat** | Prompts cause Copilot to surface or infer private information |
556| **Likelihood** | Low |
557| **Impact** | Medium |
558| **Mitigations** | Privacy-conscious prompt design, consumer guidelines |
559| **Residual Risk** | Low |
560| **Status** | Mitigated with Documentation |
561
562#### RAI-4: Inclusiveness - Exclusionary Language in Artifacts
563
564| Field | Value |
565|-------------------|----------------------------------------------------------|
566| **Category** | Inclusiveness (Microsoft RAI Standard) |
567| **Asset** | Prompt artifacts, documentation |
568| **Threat** | Language in prompts excludes or marginalizes user groups |
569| **Likelihood** | Low (writing style guidelines address this) |
570| **Impact** | Medium (affects adoption and trust) |
571| **Mitigations** | Inclusive writing guidelines, spell check, PR review |
572| **Residual Risk** | Low |
573| **Status** | Mitigated |
574
575#### RAI-5: Transparency - Undocumented Prompt Behavior
576
577| Field | Value |
578|-------------------|------------------------------------------------------------------|
579| **Category** | Transparency (Microsoft RAI Standard) |
580| **Asset** | User understanding of system behavior |
581| **Threat** | Prompts cause unexpected Copilot behavior not explained to users |
582| **Likelihood** | Medium |
583| **Impact** | Low to Medium |
584| **Mitigations** | Clear documentation, explicit prompt descriptions in frontmatter |
585| **Residual Risk** | Low |
586| **Status** | Mitigated |
587
588#### RAI-6: Accountability - Unclear Responsibility for Generated Code
589
590| Field | Value |
591|-------------------|----------------------------------------------------------------------|
592| **Category** | Accountability (Microsoft RAI Standard) |
593| **Asset** | Liability and responsibility clarity |
594| **Threat** | Ambiguity about who is responsible for Copilot-generated code issues |
595| **Likelihood** | Medium (common confusion) |
596| **Impact** | Medium |
597| **Mitigations** | Documentation clarifying HVE Core provides guidance only |
598| **Residual Risk** | Low |
599| **Status** | Mitigated with Documentation |
600
601#### RAI-7: Human Oversight - Automated Changes Without Review
602
603| Field | Value |
604|-------------------|----------------------------------------------------------------|
605| **Category** | Human Oversight (Microsoft RAI Standard) |
606| **Asset** | Code quality, security |
607| **Threat** | Prompts encourage accepting Copilot suggestions without review |
608| **Likelihood** | Low (prompts emphasize review) |
609| **Impact** | Variable |
610| **Mitigations** | Prompts include review reminders, security-conscious patterns |
611| **Residual Risk** | Low |
612| **Status** | Mitigated |
613
614#### RAI-8: Value Alignment - Prompts Conflicting with Organizational Values
615
616| Field | Value |
617|-------------------|---------------------------------------------------------------|
618| **Category** | Value Alignment (Microsoft RAI Standard) |
619| **Asset** | Organizational trust |
620| **Threat** | Prompt artifacts conflict with consumer organization's values |
621| **Likelihood** | Low |
622| **Impact** | Medium (reputational) |
623| **Mitigations** | General-purpose prompts, customization guidance for consumers |
624| **Residual Risk** | Low |
625| **Status** | Mitigated with Documentation |
626
627#### RAI-9: Proportionality - Overly Aggressive Automation
628
629| Field | Value |
630|-------------------|--------------------------------------------------------------------------|
631| **Category** | Proportionality (Microsoft RAI Standard) |
632| **Asset** | Developer autonomy |
633| **Threat** | Prompts push Copilot toward excessive automation reducing human judgment |
634| **Likelihood** | Low |
635| **Impact** | Medium |
636| **Mitigations** | Human-in-the-loop design patterns in prompts |
637| **Residual Risk** | Low |
638| **Status** | Mitigated |
639
640#### RAI-10: Contestability - No Mechanism to Challenge AI Decisions
641
642| Field | Value |
643|-------------------|--------------------------------------------------------------------------|
644| **Category** | Contestability (Microsoft RAI Standard) |
645| **Asset** | User agency |
646| **Threat** | Users cannot override or question Copilot behavior influenced by prompts |
647| **Likelihood** | Low (Copilot suggestions are optional) |
648| **Impact** | Low |
| **Mitigations** | Copilot's non-mandatory nature, edit/reject options built-in |
| **Residual Risk** | Very Low |
| **Status** | Mitigated (Copilot Controls) |

#### RAI-11: Societal Impact - Deskilling Developers

| Field | Value |
|-------------------|---------------------------------------------------------------|
| **Category** | Societal Impact (Microsoft RAI Standard) |
| **Asset** | Developer skill development |
| **Threat** | Over-reliance on AI-assisted coding reduces skill development |
| **Likelihood** | Medium (industry-wide concern) |
| **Impact** | Low for HVE Core specifically |
| **Mitigations** | Prompts emphasize learning and understanding, not just output |
| **Residual Risk** | Medium (societal, not technical) |
| **Status** | Accepted with Documentation |

#### RAI-12: Environmental Impact - Compute Resource Awareness

| Field | Value |
|-------------------|---------------------------------------------------------|
| **Category** | Environmental Impact (Microsoft RAI Standard) |
| **Asset** | Compute resources |
| **Threat** | Inefficient prompts cause unnecessary model computation |
| **Likelihood** | Low |
| **Impact** | Low (marginal compute impact) |
| **Mitigations** | Efficient prompt design guidelines |
| **Residual Risk** | Very Low |
| **Status** | Accepted |

#### RAI-13: Misinformation - Prompts Generating Incorrect Information

| Field | Value |
|-------------------|-------------------------------------------------------------------|
| **Category** | Misinformation (Microsoft RAI Standard) |
| **Asset** | Documentation and code accuracy |
| **Threat** | Prompts cause Copilot to generate plausible but incorrect content |
| **Likelihood** | Medium (LLM hallucination is a known issue) |
| **Impact** | Medium |
| **Mitigations** | Verification prompts, citation requirements in prompt guidelines |
| **Residual Risk** | Medium (inherent LLM limitation) |
| **Status** | Partially Mitigated |

## Security Controls

### Supply Chain Security Controls

| ID | Control | Implementation | Validates Against |
|------|----------------------------|--------------------------------------|-------------------|
| SC-1 | SHA Pinning Validation | Test-DependencyPinning.ps1 | S-1, S-2 |
| SC-2 | SHA Staleness Monitoring | Test-SHAStaleness.ps1 | S-1 |
| SC-3 | Dependency Review | dependency-review.yml | S-2, AI-5 |
| SC-4 | npm Security Audit | npm audit in pr-validation.yml | S-2 |
| SC-5 | Dependabot Updates | dependabot.yml | S-1, S-2 |
| SC-6 | Tool Checksum Verification | scripts/security/tool-checksums.json | S-1 |

### Code Quality Controls

| ID | Control | Implementation | Validates Against |
|------|------------------------|----------------------------------|-------------------|
| CQ-1 | CodeQL Analysis | codeql-analysis.yml | T-1, E-1 |
| CQ-2 | Markdown Linting | lint:md npm script | T-2, RAI-4 |
| CQ-3 | Frontmatter Validation | Validate-MarkdownFrontmatter.ps1 | T-2 |
| CQ-4 | PowerShell Analysis | Invoke-PSScriptAnalyzer.ps1 | T-1 |
| CQ-5 | YAML Linting | Invoke-YamlLint.ps1 | T-1 |

### Access Controls

| ID | Control | Implementation | Validates Against |
|------|------------------------------|-------------------------------|-------------------|
| AC-1 | Branch Protection | Repository settings | T-1, E-2 |
| AC-2 | CODEOWNERS Enforcement | .github/CODEOWNERS | T-1, T-2 |
| AC-3 | PR Review Requirements | Branch protection rules | T-2, AI-1 |
| AC-4 | Minimal Workflow Permissions | permissions: in all workflows | E-1 |

### Vulnerability Management Controls

| ID | Control | Implementation | Validates Against |
|------|---------------------------------|----------------------------|-------------------|
| VM-1 | Coordinated Disclosure | SECURITY.md | I-1 |
| VM-2 | Secret Scanning | GitHub native | I-1, I-2 |
| VM-3 | Credential Persistence Disabled | persist-credentials: false | I-1, E-1 |

## Assurance Argument

This section presents the security assurance case using Goal Structuring Notation (GSN) patterns.

### Top-Level Goal

**G0**: HVE Core is acceptably secure for its intended use as an enterprise prompt engineering framework.

### Supporting Goals

| Goal | Statement | Strategy |
|--------|------------------------------------------------|----------------------------------------|
| **G1** | Supply chain attacks are mitigated | S1: Defense-in-depth controls |
| **G2** | Unauthorized modifications are prevented | S2: Access control enforcement |
| **G3** | AI-specific risks are documented and addressed | S3: Risk acceptance with documentation |
| **G4** | Responsible AI principles are followed | S4: Guidelines and review processes |

### Evidence Mapping

| Goal | Evidence |
|------|---------------------------------------------------------------------|
| G1 | SHA pinning logs, staleness reports, dependency review results |
| G2 | Branch protection configuration, CODEOWNERS file, PR review history |
| G3 | This threat model document, MCP trust analysis |
| G4 | Writing style guidelines, inclusive language checks, PR reviews |

### Assumptions and Justifications

| ID | Assumption | Justification |
|----|--------------------------------------------|---------------------------------------|
| A1 | GitHub platform security is adequate | SOC 2 Type II certified |
| A2 | GitHub Copilot provides baseline AI safety | Microsoft RAI compliance |
| A3 | Contributors act in good faith | PR review provides verification |
| A4 | Consumers implement their own code review | Documented as consumer responsibility |

### Argument Summary

HVE Core achieves acceptable security through:

1. **Automated Controls**: 18+ security controls execute automatically via CI/CD
2. **Defense-in-Depth**: Multiple overlapping controls for critical threats
3. **Transparent Risk Acceptance**: AI-inherent risks documented with clear boundaries
4. **Inherited Security**: Leverages GitHub and Copilot platform security

## MCP Server Trust Analysis

HVE Core documents integrations with Model Context Protocol servers. This section analyzes the trust posture of each server.

> [!NOTE]
> GitHub MCP is enabled by default in VS Code when using GitHub Copilot. The other servers are optional and recommended for an optimal HVE Core development experience. See [MCP Configuration](../getting-started/mcp-configuration.md) for setup instructions.

### Server Summary

| Server | Provider | Classification | Trust Level | Data Flow Risk | Default |
|--------------------|-----------|----------------|-------------|----------------|---------|
| GitHub MCP | GitHub | First-party | High | Low | Yes |
| Azure DevOps MCP | Microsoft | First-party | High | Low | No |
| Microsoft Docs MCP | Microsoft | First-party | High | Low | No |
| Context7 MCP | Upstash | Third-party | Medium | Medium | No |

### GitHub MCP Server

| Attribute | Assessment |
|--------------------|-----------------------------------------------------------|
| **Operator** | GitHub (Microsoft subsidiary) |
| **Deployment** | Remote (github.com hosted) or local |
| **Authentication** | OAuth, GitHub App tokens, PATs |
| **Authorization** | Inherits GitHub permission model |
| **Data Handling** | Data stays within GitHub ecosystem |
| **Audit** | GitHub audit log captures operations |
| **Recommendation** | Low risk; enable organization policies for access control |

### Azure DevOps MCP Server

| Attribute | Assessment |
|--------------------|-------------------------------------------------------|
| **Operator** | Microsoft |
| **Deployment** | Local only (npx invocation) |
| **Authentication** | Browser-based Azure AD login |
| **Authorization** | Inherits Azure DevOps permissions |
| **Data Handling** | No persistent storage by MCP server |
| **Audit** | Azure DevOps audit log |
| **Recommendation** | Low risk; standard Microsoft security practices apply |

### Microsoft Docs MCP Server

| Attribute | Assessment |
|--------------------|-----------------------------------------------------------------|
| **Operator** | Microsoft |
| **Deployment** | Remote (learn.microsoft.com API) |
| **Authentication** | None required (public documentation) |
| **Authorization** | Rate limiting only |
| **Data Handling** | Read-only queries; no user data transmitted beyond search terms |
| **Audit** | Standard Microsoft API logging |
| **Recommendation** | Low risk; queries limited to public documentation |

### Context7 MCP Server

| Attribute | Assessment |
|--------------------|--------------------------------------------------------------|
| **Operator** | Upstash (third-party) |
| **Deployment** | Local client, Upstash backend |
| **Authentication** | API keys via Upstash dashboard |
| **Authorization** | Rate limiting, enterprise SSO available |
| **Data Handling** | Queries processed locally; only topics sent to backend |
| **Audit** | API logs with 30-day retention |
| **Recommendation** | Medium risk; evaluate topic extraction for sensitive context |

### Trust Recommendations

1. **First-party servers (GitHub, Azure DevOps, Microsoft Docs)**: Enable with organization policy controls; GitHub MCP is enabled by default
2. **Third-party servers (Context7)**: Evaluate data flow, use API key rotation, review Upstash trust center

## Quantitative Security Metrics

### Configured Thresholds

| Metric | Threshold | Source |
|------------------------|-----------|-----------------------------|
| SHA Pinning Compliance | ≥95% | dependency-pinning-scan.yml |
| SHA Staleness | ≤30 days | sha-staleness-check.yml |
| Dependency Review Fail | moderate | dependency-review.yml |
| npm Audit Fail Level | moderate | pr-validation.yml |
| Required PR Reviewers | 1 | Branch protection |

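The SC-1 pinning check and the ≥95% compliance threshold above, as an added worked example that is not the project's Test-DependencyPinning.ps1 or dependency-pinning-scan.yml: it scans workflow text for `uses:` references, treats only a full 40-hex commit SHA as pinned, and reports compliance against the threshold. The sample workflow and its 40-hex SHA are constructed placeholders, and skipping local and docker:// references is this example's own assumption.

```python
# Added example, not the project's Test-DependencyPinning.ps1 or the
# dependency-pinning-scan.yml workflow: scan workflow text for `uses:` references,
# flag any not pinned to a full 40-hex commit SHA, and compare with the >=95% threshold.
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
PINNING_THRESHOLD = 0.95  # "SHA Pinning Compliance >= 95%" from the metrics table

def parse_uses(workflow_yaml: str) -> list[str]:
    """Return every `uses:` target in the workflow text, surrounding quotes stripped."""
    return [m.strip("'\"") for m in USES_RE.findall(workflow_yaml)]

def is_local(ref: str) -> bool:
    """Local actions (./path) and docker:// images have no upstream git ref to pin;
    leaving them out of the count is this example's assumption, not the project's rule."""
    return ref.startswith("./") or ref.startswith("docker://")

def is_pinned(ref: str) -> bool:
    """Pinned means owner/repo[/path]@<40-hex-sha>. Tags (@v4), branches (@main)
    and missing refs are mutable targets, so they count as unpinned."""
    if "@" not in ref:
        return False
    return FULL_SHA_RE.fullmatch(ref.rsplit("@", 1)[1]) is not None

def pinning_report(workflow_yaml: str) -> dict:
    """Compliance = pinned / (pinned + unpinned) over the non-local references."""
    checked = [r for r in parse_uses(workflow_yaml) if not is_local(r)]
    unpinned = [r for r in checked if not is_pinned(r)]
    ratio = 1.0 if not checked else (len(checked) - len(unpinned)) / len(checked)
    return {"checked": len(checked), "unpinned": unpinned,
            "compliance": ratio, "passes": ratio >= PINNING_THRESHOLD}

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: actions/setup-node@v4                                     # mutable tag
      - uses: ./.github/actions/local-lint                              # local, skipped
      - uses: github/codeql-action/analyze@main                         # mutable branch
"""

if __name__ == "__main__":
    report = pinning_report(SAMPLE_WORKFLOW)
    print(f"{report['compliance']:.0%} pinned; passes={report['passes']}; unpinned={report['unpinned']}")
```

On the constructed sample, one of three checked references is pinned, so compliance is 33% and the ≥95% gate fails; the two mutable references are listed for remediation.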
### Security Response Commitments

| Commitment | SLA | Source |
|---------------------------|----------|---------------|
| Security Report Response | 24 hours | SECURITY.md |
| Governance Change Comment | 1 week | GOVERNANCE.md |

### Validation Workflow Coverage

| Workflow | Trigger | Security Checks |
|---------------------------------|--------------------|----------------------------|
| pr-validation.yml | PR to main/develop | Pinning, npm audit, CodeQL |
| codeql-analysis.yml | Push, PR, weekly | Static analysis |
| dependency-review.yml | PR to main/develop | Vulnerability scanning |
| weekly-security-maintenance.yml | Sundays 2 AM UTC | Pinning, staleness, CodeQL |

## References

### Internal Documentation

- [SECURITY.md](../../SECURITY.md): Vulnerability disclosure process
- [GOVERNANCE.md](../../GOVERNANCE.md): Project governance and roles
- [Branch Protection](../contributing/branch-protection.md): Repository protection configuration
- [MCP Configuration](../getting-started/mcp-configuration.md): MCP server setup guidance

### External Standards

- [OpenSSF Best Practices Silver Criteria](https://www.bestpractices.dev/en/criteria/1)
- [OWASP LLM Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
- [MITRE ATLAS](https://atlas.mitre.org/)
- [Microsoft Responsible AI Standard](https://www.microsoft.com/ai/responsible-ai)
- [STRIDE Threat Model](https://learn.microsoft.com/azure/security/develop/threat-modeling-tool-threats)
- [GitHub Security Best Practices](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)

---

🤖 *Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.*
