Skip to content

Constrain list_code_scanning_alerts prompt usage with explicit state/severity bounds#43744

Open
pelikhan with Copilot wants to merge 4 commits into
mainfrom
copilot/hippo-audit-workflow-prompts
Open

Constrain list_code_scanning_alerts prompt usage with explicit state/severity bounds#43744
pelikhan with Copilot wants to merge 4 commits into
mainfrom
copilot/hippo-audit-workflow-prompts

Conversation

Copilot AI commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Hippo flagged recurring oversized MCP responses from unbounded list_code_scanning_alerts usage in workflow prompt surfaces. This PR tightens prompt guidance to require bounded queries and adds a regression check so the bounds remain present.

  • Prompt/template guardrails

    • Added explicit guidance to include:
      • state: open
      • severity: critical,high
    • Updated:
      • .github/aw/github-mcp-server.md
      • .github/skills/github-mcp-server/SKILL.md
      • docs/src/content/docs/guides/mcps.md
  • Regression coverage

    • Added pkg/cli/code_scanning_prompt_bounds_test.go to assert key workflow/prompt docs that reference list_code_scanning_alerts also include the required bounds near that reference.
    • This protects against future prompt drift reintroducing unbounded usage.
  • Illustrative guidance pattern

    When invoking `list_code_scanning_alerts` from workflow prompts/templates, always include:
    - `state: open`
    - `severity: critical,high`

Copilot AI and others added 3 commits July 6, 2026 08:47
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Audit workflow prompts for list_code_scanning_alerts Constrain list_code_scanning_alerts prompt usage with explicit state/severity bounds Jul 6, 2026
Copilot AI requested a review from pelikhan July 6, 2026 08:54
@pelikhan pelikhan marked this pull request as ready for review July 6, 2026 09:41
Copilot AI review requested due to automatic review settings July 6, 2026 09:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens prompt/documentation guidance around using the GitHub MCP server’s list_code_scanning_alerts tool to reduce oversized responses by requiring bounded queries, and adds a Go regression test intended to prevent prompt drift.

Changes:

  • Added explicit prompt guidance to always include state: open and severity: critical,high when invoking list_code_scanning_alerts.
  • Added a regression test to ensure selected workflow/prompt surfaces keep these bounds near the tool reference.
  • Updated MCP documentation in .github and the docs site to reflect the bounded-query requirement.
Show a summary per file
File Description
pkg/cli/code_scanning_prompt_bounds_test.go Adds a regression test scanning key prompt/doc files for bounded list_code_scanning_alerts usage.
docs/src/content/docs/guides/mcps.md Adds bounded-query guidance for list_code_scanning_alerts in the docs site guide.
.github/skills/github-mcp-server/SKILL.md Adds bounded-query guidance for list_code_scanning_alerts in the GitHub MCP server skill.
.github/aw/github-mcp-server.md Adds bounded-query guidance for list_code_scanning_alerts in the .github/aw MCP server guidance doc.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment on lines +15 to +19
paths := []string{
filepath.Join("..", "..", ".github", "workflows", "github-mcp-structural-analysis.md"),
filepath.Join("..", "..", ".github", "aw", "github-mcp-server.md"),
filepath.Join("..", "..", ".github", "skills", "github-mcp-server", "SKILL.md"),
}
Comment on lines +33 to +37
hasBoundedReference := false
for i, line := range lines {
if !strings.Contains(line, "list_code_scanning_alerts") {
continue
}
- `get_code_scanning_alert` - Get details of a specific alert
- `create_code_scanning_alert` - Create a code scanning alert

When invoking `list_code_scanning_alerts` from workflow prompts/templates, always include `state: open` and `severity: critical,high`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[hippo] Audit workflow prompts for unbounded list_code_scanning_alerts calls

3 participants