chore(licensing): update security instruction attributions and compliance#1294
Conversation
…egation - remove embedded CIS Controls table, delegate to researcher subagent - add third-party attribution to standards-mapping and sssc-standards - add OWASP and OpenSSF trademark marks at first reference - create THIRD-PARTY-NOTICES file at repository root 📜 - Generated by Copilot
- add license, compatibility, and metadata fields to all 12 skill frontmatter blocks - strengthen OWASP CC BY-SA 4.0 attribution across 33 reference files and THIRD-PARTY-NOTICES - update skill-frontmatter schema with license, compatibility, and metadata properties - add multi-license notice to README and update contributing docs - regenerate plugins to reflect updated skill metadata 📜 - Generated by Copilot
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1294 +/- ##
==========================================
- Coverage 87.63% 87.62% -0.02%
==========================================
Files 61 61
Lines 9328 9328
==========================================
- Hits 8175 8174 -1
- Misses 1153 1154 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
📐 - Generated by Copilot
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Automated PR Review — chore/update-security-instruction-attributions
This PR delivers well-scoped licensing compliance work: correcting OWASP license fields, removing redistributable CIS Controls content, adding attribution blocks and THIRD-PARTY-NOTICES, and enriching skill frontmatter with license, metadata, and compatibility fields. The implementation is clean and the automated validation table is thorough. Two required process items must be addressed before merge.
⚠️ Issue Alignment
No issue is linked to this PR.
The "Related Issue(s)" section explicitly states "No linked issues." Per the repository contribution guidelines, every PR must reference an issue using "Fixes #", "Closes #", or "Resolves #" so changes can be traced to a tracked work item.
Required action: Open an issue describing the licensing compliance gap (e.g., "Remediate OWASP and CIS licensing in hve-core") and link it to this PR before merging.
⚠️ PR Template Compliance
AI Artifact Contributions checklist — unchecked
The "Type of Change" section has both Copilot instructions and Copilot skill checked, which means the AI Artifact Contributions checklist in the "Checklist" section is required. All three items are currently unchecked:
- Used
/prompt-analyzeto review contribution - Addressed all feedback from
prompt-builderreview - Verified contribution follows common standards and type-specific requirements
Required action: Complete the AI Artifact Contributions checklist, or explicitly mark items as N/A with justification if they do not apply to metadata-only changes.
GHCP Maturity Acknowledgment — unchecked (manual action required)
The PR correctly identifies 10 non-stable GHCP artifacts under "GHCP Artifact Maturity" but the two acknowledgment checkboxes are unchecked:
- I acknowledge this PR includes non-stable GHCP artifacts
- Non-stable artifacts are intentional for this change
These require manual author acknowledgment before merge.
🔍 Coding Standards
Changes to .github/instructions/*.instructions.md, SKILL.md files, and docs/contributing/skills.md all follow the applicable conventions from prompt-builder.instructions.md, markdown.instructions.md, and writing-style.instructions.md. No violations found.
The THIRD-PARTY-NOTICES file uses (www.bestpractices.dev/redacted) (no trailing slash) while sssc-standards.instructions.md uses `(www.bestpractices.dev/redacted) This is a cosmetic inconsistency that does not affect correctness.
✅ Code Quality
- License field corrections (MIT → CC-BY-SA-4.0) on the three OWASP skills are accurate and consistent with the upstream OWASP Foundation licensing.
- CIS Controls removal from embedded content is appropriate given redistribution restrictions; delegation to the Researcher Subagent is the correct pattern.
- Attribution blocks in reference files and SKILL.md files are consistent and well-formatted.
- JSON schema additions in
skill-frontmatter.schema.jsonare correct; see inline comment for a non-blocking observation onadditionalProperties: truefor themetadataobject. - Plugin README regeneration is consistent with the
npm run plugin:generateworkflow.
📋 Required Actions Before Merge
- Link a GitHub issue to this PR (Fixes #NNNN or Resolves #NNNN).
- Complete or address the AI Artifact Contributions checklist (three unchecked items under "Checklist → AI Artifact Contributions").
- Check the GHCP Maturity Acknowledgment boxes manually to confirm awareness of the non-stable artifacts included.
|
@JasonTheDeveloper ... sorry for closing your PR ... but this mess is what needed to be done .. |
raymond-nassar
left a comment
raymond-nassar
left a comment
There was a problem hiding this comment.
PR Review — chore/update-security-instruction-attributions
Well-scoped licensing compliance work. The CIS removal, OWASP license corrections, and attribution blocks are all appropriate. Two inline comments below, plus one general observation:
Skill Coverage
The PR description claims all 12 skills were updated with license, metadata, and compatibility fields, but only 10 SKILL.md files appear in the diff. Can you confirm whether security-reviewer-formats/SKILL.md (and any other missing skill) already has these fields, or whether they were inadvertently skipped?
Overall
The THIRD-PARTY-NOTICES file, README licensing subsection, and reference file attribution footers are thorough and consistent. Automated validation passing across all checks is a good sign. See the two inline comments for minor items.
raymond-nassar
left a comment
raymond-nassar
left a comment
There was a problem hiding this comment.
Two minor changes requested, but everything else seems good to go.
🔧 - Generated by Copilot
## Pre-Release 3.3.101 ### ✨ Features - add removed maturity tier and retire owasp-docker (#1444) - add evaluation dataset creator (#1279) - align RAI planner with guide, remove scoring, improve UX (#1287) - add PSGallery staleness check and BOM cleanup (#1379) - ISA-95 network planner agent (#1177) - auto-generate collection.md with maturity filtering (#1316) - add folder-consistency check and standardize WARN outp… (#1350) - add synth-data-generate prompt to data-science collection (#1419) - add canonical deck workflow and customer-card rendering for design thinking (#1413) - add Figma MCP integration for DT artifact export (#1222) - introduce `owasp-docker` (#1245) - replace hve-core-specific references with portable discovery-based language (#1335) - introduce `owasp-cicd` (#1246) - add secure-by-design knowledge skill (#1223) - introduce `owasp-infrastructure` (#1244) - introduce `owasp-mcp` (#1207) - add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229) - add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225) - add maintainer-only skip-review label guard (#1293) - add extension collections overview and integrate into getting started flow (#950) - add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219) - consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240) - add standards code review agent and full review orchestrator (#1174) - standardize pytest-mock as Python mocking framework (#1170) - add Jira backlog workflows and Jira/GitLab skills (#978) - add centralized version bump script and supply-chain attestation (#1183) ### 🐛 Bug Fixes - pin PowerShell-Yaml to 0.4.7 across all install sites (#1378) - close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421) - replace stream-based lookahead with array indexing in list-changed-files.sh (#1376) - centralize ISO 8601 timestamp regex in CIHelpers (#1343) - update stale documentation date in release-process.md (#1363) - pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374) - add bot filter to dependency PR review workflow (#1362) - resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360) - standardize Timestamp JSON key casing across all lint result files (#1314) - add synchronize trigger to PR Review workflow (#1323) - standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280) - add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304) - standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284) - standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282) - derive collection artifact counts from YAML at build time (#1275) - standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285) - standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283) - escape hyphens in Mermaid diagram on Collections page (#1262) - add summary timestamp to PSScriptAnalyzer output (#1211) - fix plugin compatibility and robustness for coding-standards code review agents (#1289) - standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278) - standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270) - standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264) - fix dependency-review path filters and sparse-checkout cone mode (#1259) - replace invalid bare tool names with official tool identifiers (#1198) - fix broken links and remove orphaned reference in code review docs (#1257) - exclude Python env dirs from skill validation warnings (#1255) - pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253) - remove Mermaid diagram and add missing collection cards (#1247) - disable MCP servers by default to prevent token limit errors (#1144) - sync package-lock.json after pre-release version bump (#1236) - separate mermaid node declarations and add dynamic diagram generation with tests (#1215) - replace anchor links in meeting-analyst with bold text references (#1201) - remove recursive symlinks in jira and gitlab skill directories (#1233) - validate-installation scripts now check .github/skills directory (#1010) (#1206) - resolve npm audit vulnerabilities via dependency overrides (#1200) - add post-release triggers to scorecard workflow (#1186) - add missing .md extensions to relative links in agent documentation (#1180) ### 📚 Documentation - broaden Security Review description beyond OWASP (#1385) - document maintainer advisory mode and skip-review label guard (#1386) - document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383) - CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251) ### ♻️ Refactoring - align agent and prompt folder names to collection identifier (#1210) ### 🔧 Maintenance - pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389) - bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424) - bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390) - bump the github-actions group across 1 directory with 7 updates (#1391) - bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356) - upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353) - bump basic-ftp from 5.2.0 to 5.2.1 (#1324) - update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298) - update security instruction attributions and compliance (#1294) - bump the npm-dependencies group with 2 updates (#1297) - pre-release 3.3.41 (#1252) - streamline RAI Planner phase structure and documentation (#1273) - bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237) - pre-release 3.3.27 (#1191) - bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234) - bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226) - bump the github-actions group with 4 updates (#1231) - add missing folders and alphabetize location lists (#1193) - bump brace-expansion (#1224) - bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217) - bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213) - pre-release 3.3.10 (#1187) - bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175) - bump the github-actions group with 3 updates (#1176) - pre-release 3.3.1 (#1165) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
4 participants
chore(licensing): update security instruction attributions and compliance
Description
This PR delivers standards licensing compliance remediation for the hve-core repository. The changes address three areas across 54 files (+494/−42 lines):
Third-party content compliance — Removed the embedded CIS Controls v8.1 table (17 lines listing CIS 1–10) from
standards-mapping.instructions.mdbecause CIS licensing prohibits redistribution of control text. CIS lookups now delegate to the Researcher Subagent at runtime. The cross-reference table was updated from specific control numbers (e.g.1, 2, 4, 7) tovia delegation, and the per-component output template changed the CIS field todelegated — include Researcher Subagent findings or N/A.OWASP attribution and licensing — Corrected the
licensefield on three OWASP skills (owasp-agentic,owasp-llm,owasp-top-10) fromMITtoCC-BY-SA-4.0. Added## Third-Party Attributionblocks with copyright, license, source URL, modification description, and trademark notice to each SKILL.md. Added CC BY-SA 4.0 attribution footers to all 33 OWASP vulnerability reference documents (11 per skill). AddedOWASP®trademark registration marks across instruction and skill files.Skill metadata enrichment — Added
license,metadata(authors, spec_version, framework_revision, last_updated, skill_based_on, content_based_on), andcompatibilityfields to all 12 skill SKILL.md frontmatters. Expandedskill-frontmatter.schema.jsonwith property definitions for these three fields (+43 lines). Documented the new fields indocs/contributing/skills.md(+57 lines).Supporting artifacts:
THIRD-PARTY-NOTICESfile (84 lines, 8 external sources), a "Licensing" subsection inREADME.mdexplaining the dual-license model (MIT repository + CC BY-SA 4.0 for OWASP-derived content), and plugin README regeneration reflecting CIS reclassification.Detailed Change Breakdown
Commit 1:
2df4ce6c— CIS removal and delegationstandards-mapping.instructions.md(59 lines changed):"License terms prohibit redistribution; use runtime lookup"via delegationdelegated — include Researcher Subagent findings or N/A"Embedded OWASP, NIST, and CIS"to"Embedded OWASP and NIST"## Third-Party Attributionsection (OWASP CC BY-SA 4.0, NIST public domain)OWASP®trademark registration markssssc-standards.instructions.md(+28 lines):## Third-Party Attributionsection covering 6 external standards: OpenSSF Scorecard (Apache 2.0), SLSA (Community Specification 1.0), Best Practices Badge (MIT + CC BY 3.0+), Sigstore (Apache 2.0), SPDX (Community Specification 1.0), CycloneDX (Apache 2.0)OpenSSF®trademark noticeidentity.instructions.md: Updated description to remove CIS reference in standards coverage summary.3 plugin READMEs: Updated CIS wording from "embedded" to "runtime lookup via Researcher Subagent."
Commit 2:
d4b073b7— License metadata and OWASP attribution12 SKILL.md files — Added frontmatter fields to all skills:
CC-BY-SA-4.0CC-BY-SA-4.0CC-BY-SA-4.0MIT33 OWASP reference files — Added CC BY-SA 4.0 attribution footer to each vulnerability reference document:
.github/skills/security/owasp-agentic/references/01–10(11 files).github/skills/security/owasp-llm/references/01–10(11 files).github/skills/security/owasp-top-10/references/01–10(11 files)3 OWASP SKILL.md files — Added
## Third-Party Attributionblocks with copyright, license identifier, source URL, modification description, and OWASP® trademark notice.skill-frontmatter.schema.json(+43 lines):licenseproperty (SPDX identifier, string, max 128 chars)compatibilityproperty (runtime requirements, string, max 256 chars)metadataobject with 6 optional sub-properties:authors,spec_version,framework_revision,last_updated(ISO 8601 pattern),skill_based_on,content_based_onTHIRD-PARTY-NOTICES(new file, 84 lines) — Centralized attribution for 8 external sources:README.md(+8 lines) — Added "Licensing" subsection:prompt-builder.instructions.md: Addedlicenseto the list of required SKILL.md frontmatter fields (valid-keys enumeration).Commit 3:
81d2d51d— Contributing documentationdocs/contributing/skills.md(+57 lines):compatibilityfield documentation with description and examplesCommit 4:
b702d0cc— Table formattingdocs/contributing/skills.md: Normalized table column widths to pass theformat:tablesCI check.Related Issue(s)
Closes #1295
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Sample Prompts (for AI Artifact Contributions)
User Request:
These changes modify metadata and attribution content on existing instruction and skill files. No new agent, prompt, or skill invocation is introduced. The artifacts continue to function identically — users invoke them through the same prompts and workflows as before.
Execution Flow:
owasp-agentic,owasp-llm,owasp-top-10) load their SKILL.md and reference files during security review workflows. Thelicensefield now correctly declaresCC-BY-SA-4.0and each reference file includes a CC BY-SA 4.0 footer.standards-mapping.instructions.mdno longer contains embedded CIS Controls content. When CIS lookup is needed, the instruction delegates to the Researcher Subagent for runtime retrieval.sssc-standards.instructions.mdincludes a Third-Party Attribution section identifying six external standard sources.licenseandmetadatafields in frontmatter, enabling downstream tooling to detect licensing requirements automatically.Output Artifacts:
No new output artifacts are created by invoking these AI artifacts. The changes affect metadata, attribution, and compliance content only.
Success Indicators:
npm run validate:skillspasses with all 12 skills validated.npm run lint:frontmatterpasses with all frontmatter fields valid.license: CC-BY-SA-4.0and a## Third-Party Attributionsection.license: MIT.Testing
Automated validation performed:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run plugin:generateManual testing was not performed. Changes are metadata, attribution, and documentation only.
Checklist
Required Checks
AI Artifact Contributions
/prompt-analyzeto review contribution (N/A — metadata-only changes to existing artifacts; no new agents, prompts, or skills introduced)prompt-builderreview (N/A — metadata-only changes)npm run validate:skillsandnpm run lint:frontmatter)Required Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run plugin:generateSecurity Considerations
GHCP Artifact Maturity
Warning
This PR includes experimental GHCP artifacts that may have breaking changes.
.github/instructions/security/identity.instructions.md.github/instructions/security/sssc-standards.instructions.md.github/instructions/security/standards-mapping.instructions.md.github/skills/experimental/powerpoint/SKILL.md.github/skills/experimental/video-to-gif/SKILL.md.github/skills/experimental/vscode-playwright/SKILL.md.github/skills/security/owasp-agentic/SKILL.md.github/skills/security/owasp-llm/SKILL.md.github/skills/security/owasp-top-10/SKILL.md.github/instructions/hve-core/prompt-builder.instructions.md.github/instructions/security/identity.instructions.md.github/instructions/security/sssc-standards.instructions.md.github/instructions/security/standards-mapping.instructions.md.github/skills/experimental/powerpoint/SKILL.md.github/skills/experimental/video-to-gif/SKILL.md.github/skills/experimental/vscode-playwright/SKILL.md.github/skills/gitlab/gitlab/SKILL.md.github/skills/installer/hve-core-installer/SKILL.md.github/skills/jira/jira/SKILL.md.github/skills/security/owasp-agentic/SKILL.md.github/skills/security/owasp-llm/SKILL.md.github/skills/security/owasp-top-10/SKILL.md.github/skills/shared/pr-reference/SKILL.mdGHCP Maturity Acknowledgment
Additional Notes
THIRD-PARTY-NOTICESfile follows Microsoft OSS conventions with per-source attribution blocks containing license identifier, source URL, usage description, and modification notes where applicable.metadata.content_based_onfield in OWASP skill frontmatter links directly to the upstream OWASP publication, enabling automated provenance verification.npm run plugin:generateto reflect CIS reclassification from "embedded" to "runtime lookup via Researcher Subagent."compatibilityfield was added to the JSON schema and three OWASP SKILL.md files to indicate CC BY-SA 4.0 attribution requirements for downstream consumers.