
Expand ISMS skills: Comprehensive Secure Development Lifecycle framework#76

Merged
pethers merged 7 commits into main from copilot/expand-skills-hack23-isms
Feb 10, 2026

Conversation

Contributor

Copilot AI commented Feb 10, 2026

Implements comprehensive SDLC security skill covering secure development policy requirements with classification-driven controls, AI governance, and systematic testing frameworks.

Secure Development Lifecycle Skill (431 lines)

5-Phase SDLC Framework:

  • Planning & Design: Classification analysis (CIA triad, RTO/RPO), threat modeling (STRIDE + MITRE ATT&CK), architecture documentation (C4 models)
  • Development: OWASP Top 10 alignment, classification-based code review requirements, secret management (zero hard-coded, rotation policies)
  • Testing: SAST/SCA/DAST integration, unit test standards (≥80% line/≥70% branch), E2E framework requirements
  • Deployment: CI/CD security gates, classification-based approval workflows, real-time security metrics
  • Maintenance: Vulnerability management SLAs, performance monitoring, incident response integration

Classification-Driven Security (4 levels):

Level     RTO       Security Investment   Quality Gates
Critical  <1 hour   Maximum controls      0 security hotspots, ≥90% coverage
High      4 hours   Strong controls       ≤2 hotspots, ≥80% coverage
Medium    24 hours  Standard controls     ≤5 hotspots, ≥70% coverage
Low       72 hours  Baseline controls     ≤10 hotspots, ≥60% coverage

AI-Augmented Development Controls:

  • AI outputs as proposals requiring human approval
  • No autonomous deployment bypassing security gates
  • Curator-agent configuration management with CEO approval
  • Audit trail for all agent activities

Testing Standards with Evidence:

  • Unit testing: Line coverage ≥80%, branch ≥70%, mutation ≥60% (Critical)
  • E2E testing: Critical journeys, browser matrix, performance assertions
  • Public dashboards: Live test results + coverage metrics
  • Required documentation: UnitTestPlan.md + E2ETestPlan.md

Reference Implementations (3 projects with live badges):

🏛️ CIA (Java/Spring): JaCoCo coverage + JUnit results + SonarCloud
🎮 Black Trigram (TypeScript/Phaser): Jest coverage + Cypress E2E
📊 CIA Compliance Manager (TypeScript/Vite): Vitest + Cypress + performance

ISMS Policy Integration (10+ policies):

  • Secure Development Policy v2.1 (master framework)
  • Classification Framework (business impact analysis)
  • Threat Modeling Policy (STRIDE + MITRE ATT&CK)
  • Vulnerability Management (remediation SLAs)
  • Security Metrics, Incident Response, BCP, Change Management

STYLE_GUIDE.md v2.3 Compliance:

  • Consistent icon usage (🛡️ security, 🔐 InfoSec, 🔍 detection, 🚀 response, 🔄 recovery)
  • Professional badge integration for live test results
  • Clear section structure with actionable checklists
  • Cross-references to authoritative sources

Security Maturity Model:

  • Level 1 (Basic): Dependabot + secret scanning + basic threat model
  • Level 2 (Intermediate): Classification + SAST/SCA + ≥70% coverage
  • Level 3 (Advanced): DAST + STRIDE/ATT&CK + ≥80% coverage + E2E
  • Level 4 (Mature): AI controls + mutation testing + full C4 docs + external validation

Files Modified

  • .github/skills/secure-development-lifecycle/SKILL.md (NEW - 431 lines)
  • .github/skills/compliance-checklist/SKILL.md (PREVIOUS - 415 lines)
  • .github/skills/threat-modeling/SKILL.md (PREVIOUS - expanded from 90 to 400+ lines)
  • .github/skills/hack23-isms-compliance/SKILL.md (PREVIOUS - enhanced with 25+ document references)

Remaining Work

Next iteration should create open-source-policy skill and enhance security-by-design with full ISMS alignment per Secure Development Policy requirements.

Original prompt

Want to expand skills for all main Hack23 ISMS documents.

Download and analyse and include references for all skills created

The skills should be based on all the current Hack23 ISMS documents; do not include any versions (Hack23 ISMS is updated continuously).

Main policies that need to be included

https://github.com/Hack23/ISMS-PUBLIC/blob/main/Compliance_Checklist.md
https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md
https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Strategy.md
https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md
https://github.com/Hack23/ISMS-PUBLIC/blob/main/CRA_Conformity_Assessment_Process.md
https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md
https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md
https://github.com/Hack23/ISMS-PUBLIC/blob/main/Threat_Modeling.md

and all related hack23 ISMS documents

references to other hack23 architects are nice to include for examples of existing artifacts

Also update/extend all current ISMS related skills to follow https://github.com/Hack23/ISMS-PUBLIC

Custom agent used: hack23-agent-curator
Org-level curator for Hack23 Copilot agents, enforcing GitHub config, MCP standards, and documentation quality
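
The classification-driven quality gates in the PR description above (hotspot ceiling and coverage floor per level, plus the ≥70% branch-coverage unit-test standard) can be enforced as a CI step that reads the JaCoCo XML report the CIA project publishes and fails the build when the gate for the service's level is not met. The following is an added example, not code from this PR or from any Hack23 repository: the JaCoCo counter layout (`<counter type="LINE" missed=".." covered=".."/>` as direct children of `<report>`) is the real format, but the sample report and the hotspot count are constructed, and reading "coverage" in the table as line coverage is an assumption, since the table does not name the metric.

```python
"""Classification-driven quality gate over a JaCoCo XML report.

Added example (not Hack23 code): evaluates the per-level thresholds from the
PR description against report-level LINE/BRANCH counters and an externally
supplied count of open security hotspots (e.g. from SonarCloud).
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Thresholds copied from the PR's classification table. Treating the table's
# "coverage" column as line coverage is an assumption of this example.
GATES = {
    "Critical": {"max_hotspots": 0, "min_line": 90.0},
    "High":     {"max_hotspots": 2, "min_line": 80.0},
    "Medium":   {"max_hotspots": 5, "min_line": 70.0},
    "Low":      {"max_hotspots": 10, "min_line": 60.0},
}
# The PR's unit-test standard: branch coverage >= 70%, applied at every level.
MIN_BRANCH = 70.0


@dataclass
class Coverage:
    line: float
    branch: float


def parse_jacoco(xml_text: str) -> Coverage:
    """Read the report-level LINE and BRANCH counters from a JaCoCo XML report.

    JaCoCo emits <counter type="..." missed="N" covered="M"/> elements as direct
    children of <report>; the percentage is covered / (covered + missed).
    """
    root = ET.fromstring(xml_text)
    pct = {}
    for counter in root.findall("counter"):
        covered = int(counter.get("covered"))
        missed = int(counter.get("missed"))
        total = covered + missed
        pct[counter.get("type")] = 100.0 * covered / total if total else 100.0
    # A missing LINE counter means nothing was measured (fail closed); a missing
    # BRANCH counter means the code has no conditionals (nothing to miss).
    return Coverage(line=pct.get("LINE", 0.0), branch=pct.get("BRANCH", 100.0))


def evaluate_gate(level: str, cov: Coverage, hotspots: int) -> list[str]:
    """Return the list of gate violations; an empty list means the gate passes."""
    if level not in GATES:
        raise ValueError(f"unknown classification level: {level!r}")
    gate = GATES[level]
    failures = []
    if hotspots > gate["max_hotspots"]:
        failures.append(
            f"{hotspots} open security hotspots > {gate['max_hotspots']} allowed for {level}"
        )
    if cov.line < gate["min_line"]:
        failures.append(
            f"line coverage {cov.line:.1f}% < {gate['min_line']:.0f}% required for {level}"
        )
    if cov.branch < MIN_BRANCH:
        failures.append(
            f"branch coverage {cov.branch:.1f}% < {MIN_BRANCH:.0f}% unit-test standard"
        )
    return failures


# Constructed sample report: 850 of 1000 lines and 150 of 200 branches covered.
SAMPLE_REPORT = """<report name="sample">
  <package name="org/example"/>
  <counter type="INSTRUCTION" missed="300" covered="2700"/>
  <counter type="LINE" missed="150" covered="850"/>
  <counter type="BRANCH" missed="50" covered="150"/>
</report>"""


if __name__ == "__main__":
    cov = parse_jacoco(SAMPLE_REPORT)
    for lvl in GATES:
        problems = evaluate_gate(lvl, cov, hotspots=1)
        print(lvl, "PASS" if not problems else "FAIL: " + "; ".join(problems))
```

With the constructed report (85% line, 75% branch) and one open hotspot, the gate passes at High, Medium and Low and fails at Critical on both the hotspot ceiling and the 90% line floor, which is the behaviour a CI job for a Critical-classified service should turn into a non-zero exit status.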



Copilot AI changed the title [WIP] Add skills based on Hack23 ISMS documents Expand ISMS skills with multi-framework compliance and comprehensive threat modeling Feb 10, 2026
Copilot AI requested a review from pethers February 10, 2026 13:59
@github-actions
Contributor

🔍 Lighthouse Performance Audit

Category        Score    Status
Performance     85/100   🟡
Accessibility   95/100   🟢
Best Practices  90/100   🟢
SEO             95/100   🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

Copilot AI changed the title Expand ISMS skills with multi-framework compliance and comprehensive threat modeling Expand ISMS skills: comprehensive secure-development-policy with full SDLC coverage Feb 10, 2026
Copilot AI changed the title Expand ISMS skills: comprehensive secure-development-policy with full SDLC coverage Expand ISMS skills: Comprehensive Secure Development Lifecycle framework Feb 10, 2026
@github-actions
Contributor

🔍 Lighthouse Performance Audit

Category        Score    Status
Performance     85/100   🟡
Accessibility   95/100   🟢
Best Practices  90/100   🟢
SEO             95/100   🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

@pethers pethers marked this pull request as ready for review February 10, 2026 15:16
@pethers pethers merged commit 08864e1 into main Feb 10, 2026
5 of 6 checks passed
@pethers pethers deleted the copilot/expand-skills-hack23-isms branch February 10, 2026 15:16
2 participants