Skip to content

Constrain list_code_scanning_alerts prompt usage with explicit state/severity bounds#43744

Open
pelikhan with Copilot wants to merge 5 commits into
mainfrom
copilot/hippo-audit-workflow-prompts
Open

Constrain list_code_scanning_alerts prompt usage with explicit state/severity bounds#43744
pelikhan with Copilot wants to merge 5 commits into
mainfrom
copilot/hippo-audit-workflow-prompts

Conversation

Copilot AI commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Hippo flagged recurring oversized MCP responses from unbounded list_code_scanning_alerts usage in workflow prompt surfaces. This PR tightens prompt guidance to require bounded queries and adds a regression check so the bounds remain present.

  • Prompt/template guardrails

    • Added explicit guidance to include:
      • state: open
      • severity: critical,high
    • Updated:
      • .github/aw/github-mcp-server.md
      • .github/skills/github-mcp-server/SKILL.md
      • docs/src/content/docs/guides/mcps.md
  • Regression coverage

    • Added pkg/cli/code_scanning_prompt_bounds_test.go to assert key workflow/prompt docs that reference list_code_scanning_alerts also include the required bounds near that reference.
    • This protects against future prompt drift reintroducing unbounded usage.
  • Illustrative guidance pattern

    When invoking `list_code_scanning_alerts` from workflow prompts/templates, always include:
    - `state: open`
    - `severity: critical,high`

Copilot AI and others added 3 commits July 6, 2026 08:47
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Audit workflow prompts for list_code_scanning_alerts Constrain list_code_scanning_alerts prompt usage with explicit state/severity bounds Jul 6, 2026
Copilot AI requested a review from pelikhan July 6, 2026 08:54
@pelikhan pelikhan marked this pull request as ready for review July 6, 2026 09:41
Copilot AI review requested due to automatic review settings July 6, 2026 09:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens prompt/documentation guidance around using the GitHub MCP server’s list_code_scanning_alerts tool to reduce oversized responses by requiring bounded queries, and adds a Go regression test intended to prevent prompt drift.

Changes:

  • Added explicit prompt guidance to always include state: open and severity: critical,high when invoking list_code_scanning_alerts.
  • Added a regression test to ensure selected workflow/prompt surfaces keep these bounds near the tool reference.
  • Updated MCP documentation in .github and the docs site to reflect the bounded-query requirement.
Show a summary per file
File Description
pkg/cli/code_scanning_prompt_bounds_test.go Adds a regression test scanning key prompt/doc files for bounded list_code_scanning_alerts usage.
docs/src/content/docs/guides/mcps.md Adds bounded-query guidance for list_code_scanning_alerts in the docs site guide.
.github/skills/github-mcp-server/SKILL.md Adds bounded-query guidance for list_code_scanning_alerts in the GitHub MCP server skill.
.github/aw/github-mcp-server.md Adds bounded-query guidance for list_code_scanning_alerts in the .github/aw MCP server guidance doc.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment on lines +15 to +19
paths := []string{
filepath.Join("..", "..", ".github", "workflows", "github-mcp-structural-analysis.md"),
filepath.Join("..", "..", ".github", "aw", "github-mcp-server.md"),
filepath.Join("..", "..", ".github", "skills", "github-mcp-server", "SKILL.md"),
}
Comment on lines +33 to +37
hasBoundedReference := false
for i, line := range lines {
if !strings.Contains(line, "list_code_scanning_alerts") {
continue
}
- `get_code_scanning_alert` - Get details of a specific alert
- `create_code_scanning_alert` - Create a code scanning alert

When invoking `list_code_scanning_alerts` from workflow prompts/templates, always include `state: open` and `severity: critical,high`.
@@ -0,0 +1,51 @@
//go:build !integration

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot delete this test file

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — the file has been deleted in the latest commit.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category docs
Risk low
Priority Score 44/100
Recommended Action 🚀 fast_track

Score breakdown: Impact 22 + Urgency 12 + Quality 10

Rationale: Constrains unbounded list_code_scanning_alerts prompt usage with explicit state/severity bounds — prevents oversized MCP responses. 3 files (.github/aw/, SKILL.md, docs). Human reviewer @pelikhan engaged in discussion. Low risk, actionable prompt guardrails.

Run §28795034579

Generated by 🔧 PR Triage Agent · 78.2 AIC · ⌖ 8.88 AIC · ⊞ 5.5K ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[hippo] Audit workflow prompts for unbounded list_code_scanning_alerts calls

3 participants