hve-core/docs/security/threat-model.md at main · microsoft/hve-core

title

description

sidebar_position

author

ms.date

ms.topic

keywords

estimated_reading_time

Security Assurance Case and Threat Model

Comprehensive threat model and security assurance documentation demonstrating enterprise security practices

Microsoft

2026-03-01

reference

security

threat model

STRIDE

defense-in-depth

assurance case

Executive Summary

HVE Core is an enterprise prompt engineering framework for GitHub Copilot consisting of:

Markdown-based prompt artifacts (instructions, prompts, agents, skills)
PowerShell automation scripts for linting and validation
GitHub Actions CI/CD workflows
VS Code extension packaging utilities

The repository contains no runtime services, databases, or user data storage. Primary threats target supply chain integrity and developer workflow compromise. Security relies on defense-in-depth with 20+ automated controls validated through CI/CD pipelines.

Security Posture Overview

Category	Status	Control Count	Automated
Supply Chain Security	Strong	8 controls	100%
Code Quality	Strong	5 controls	100%
Access Control	Strong	4 controls	100%
Vulnerability Management	Strong	3 controls	100%
Total	20+	20	100%

System Description
Trust Boundaries
Threat Model
Security Controls
Assurance Argument
MCP Server Trust Analysis
Quantitative Security Metrics
References

System Description

Components

HVE Core contains four primary component categories:

Prompt Engineering Artifacts (.github/instructions/, .github/prompts/, .github/agents/, .github/skills/)
- Markdown files with YAML frontmatter
- Consumed by GitHub Copilot during development sessions
- No executable code execution within prompts
PowerShell Scripts (scripts/)
- Linting and validation utilities
- CI/CD automation support
- No external network connections except documented tool downloads
GitHub Actions Workflows (.github/workflows/)
- PR validation pipeline
- Security scanning (CodeQL, dependency review)
- Release automation
VS Code Extension (extension/)
- Packaging configuration
- Extension manifest
- No telemetry or data collection

Data Flow

flowchart TD
    subgraph DEV["Developer Workstation"]
        ARTIFACTS["HVE Core Artifacts<br/>(.instructions.md, .prompt.md, etc)"]
        IDE["VS Code IDE"]
        COPILOT["GitHub Copilot Extension"]
        LOCALMCP["Local MCP Servers<br/>(optional)"]
        SCRIPTS["Local Scripts<br/>(PowerShell)"]
        DEVCON["Dev Container<br/>(optional)"]
    end

    subgraph GITHUB["GitHub Platform (Network Boundary)"]
        LLMAPI["LLM API Service"]
        REMOTEMCP["GitHub MCP Server"]
        REPO["Repository"]
        ACTIONS["GitHub Actions Runners"]
        SCANNING["Security Scanning<br/>(CodeQL, Dep Review)"]
    end

    ARTIFACTS -->|"read into context"| COPILOT
    IDE --> COPILOT
    COPILOT -->|"prompts + context (HTTPS)"| LLMAPI
    LLMAPI -->|"suggestions"| COPILOT
    COPILOT <-->|"tool calls"| LOCALMCP
    COPILOT <-->|"tool calls (HTTPS)"| REMOTEMCP
    DEVCON -.->|"contains"| IDE
    DEVCON -.->|"contains"| SCRIPTS
    DEV -->|"git push"| REPO
    REPO -->|"triggers"| ACTIONS
    ACTIONS --> SCANNING

Security Inheritance from GitHub Copilot

HVE Core artifacts are consumed by GitHub Copilot, which provides foundational security:

Inherited Control	Provider	HVE Core Responsibility
LLM input/output filtering	GitHub Copilot	None; artifacts are Copilot inputs
Token encryption in transit	GitHub Copilot	None; handled by Copilot infrastructure
Organization policy enforcement	GitHub Copilot	Document compatible policy options
Audit logging	GitHub Copilot	None; uses Copilot audit streams
SOC 2 Type II compliance	GitHub	None; infrastructure control

Trust Boundaries

Boundary Diagram

┌──────────────────────────────────────────────────────────────────────────────┐
│                    TRUST BOUNDARY: Repository Contents                       │
│  ┌────────────────────────────────────────────────────────────────────────┐  │
│  │                         Controlled Artifacts                           │  │
│  │  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────────┐   │  │
│  │  │ Prompts    │  │ Scripts    │  │ Workflows  │  │ Documentation  │   │  │
│  │  │ .md files  │  │ .ps1 files │  │ .yml files │  │ .md files      │   │  │
│  │  └────────────┘  └────────────┘  └────────────┘  └────────────────┘   │  │
│  └────────────────────────────────────────────────────────────────────────┘  │
│                                      │                                       │
│  ┌───────────────────────────────────▼────────────────────────────────────┐  │
│  │                   TRUST BOUNDARY: CI/CD Pipeline                       │  │
│  │  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────────┐   │  │
│  │  │ PR Valid.  │  │ CodeQL     │  │ Dep Review │  │ Release        │   │  │
│  │  │ Workflow   │  │ Analysis   │  │ Workflow   │  │ Workflow       │   │  │
│  │  └────────────┘  └────────────┘  └────────────┘  └────────────────┘   │  │
│  └────────────────────────────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
     ┌─────────────────────────────────┼──────────────────────────────────┐
     │                                 ▼                                  │
     │            TRUST BOUNDARY: External Dependencies                   │
     │  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌──────────────┐ │
     │  │ npm        │  │ GitHub     │  │ PowerShell │  │ Third-party  │ │
     │  │ Packages   │  │ Actions    │  │ Gallery    │  │ MCP Servers  │ │
     │  └────────────┘  └────────────┘  └────────────┘  └──────────────┘ │
     └────────────────────────────────────────────────────────────────────┘

Boundary Descriptions

Boundary	Assets Protected	Controls Enforced
Repository Contents	Source code, prompts, scripts	CODEOWNERS, branch protection, PR review
CI/CD Pipeline	Build artifacts, security scan results	Minimal permissions, dependency pinning
External Dependencies	npm packages, Actions, MCP servers	Dependency review, staleness monitoring
Dev Container	Development environment, tooling	SHA256 verification, first-party features

Threat Model

This section documents threats using STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), supplemented with AI-specific and Responsible AI threat categories.

STRIDE Threats

S-1: Compromised GitHub Action via Tag Substitution

Field	Value
Category	Spoofing
Asset	CI/CD pipeline integrity
Threat	Attacker compromises upstream Action repository and replaces tag with malicious code
Likelihood	Medium (documented supply chain attacks exist)
Impact	High (full CI/CD compromise, secret exfiltration)
Mitigations	Dependency pinning for all Actions, staleness monitoring, CodeQL scanning
Residual Risk	Low (SHA immutable; requires GitHub infrastructure compromise)
Status	Mitigated

S-2: npm Package Substitution Attack

Field	Value
Category	Spoofing
Asset	Build dependencies
Threat	Malicious package published with same name or typosquatting
Likelihood	Medium (common attack vector)
Impact	Medium (limited runtime exposure; primarily build-time)
Mitigations	Package-lock.json integrity, npm audit, dependency review
Residual Risk	Low
Status	Mitigated

T-1: Unauthorized Modification of Security Controls

Field	Value
Category	Tampering
Asset	Workflow files, security scripts
Threat	Attacker with write access disables security checks
Likelihood	Low (requires compromised maintainer account)
Impact	High (security controls bypassed)
Mitigations	CODEOWNERS enforcement, branch protection, PR review requirements
Residual Risk	Low
Status	Mitigated

T-2: Malicious Prompt Injection via PR

Field	Value
Category	Tampering
Asset	Prompt artifacts
Threat	Contributor submits prompt with hidden malicious instructions
Likelihood	Medium (social engineering possible)
Impact	Medium (affects Copilot behavior for consumers)
Mitigations	PR review, CODEOWNERS, frontmatter validation
Residual Risk	Medium (semantic analysis not automated)
Status	Partially Mitigated

R-1: Untraceable Configuration Changes

Field	Value
Category	Repudiation
Asset	Repository configuration
Threat	Admin makes security-impacting changes without audit trail
Likelihood	Low (GitHub provides audit logs)
Impact	Medium (accountability gap)
Mitigations	GitHub audit log, branch protection audit events
Residual Risk	Low
Status	Mitigated

I-1: Secret Exposure in Logs or Artifacts

Field	Value
Category	Information Disclosure
Asset	Repository secrets, tokens
Threat	Secrets accidentally logged or included in build artifacts
Likelihood	Low (minimal secret usage)
Impact	High (credential compromise)
Mitigations	GitHub secret masking, GitHub secret scanning, minimal secret usage
Residual Risk	Low
Status	Mitigated

I-2: Sensitive Information in Prompt Artifacts

Field	Value
Category	Information Disclosure
Asset	Prompt files, documentation
Threat	Internal URLs, API keys, or proprietary patterns exposed in prompts
Likelihood	Low (review process catches obvious cases)
Impact	Medium (information leakage)
Mitigations	PR review, GitHub secret scanning, documentation guidelines
Residual Risk	Low
Status	Mitigated

D-1: CI/CD Resource Exhaustion

Field	Value
Category	Denial of Service
Asset	GitHub Actions minutes, runner availability
Threat	Malicious PR triggers expensive workflows repeatedly
Likelihood	Low (requires PR creation privileges)
Impact	Low (billing impact, temporary delays)
Mitigations	Workflow approval for first-time contributors, concurrency limits
Residual Risk	Low
Status	Mitigated

D-2: Dependency Confusion Blocking Builds

Field	Value
Category	Denial of Service
Asset	Build pipeline
Threat	Attacker publishes conflicting package preventing clean builds
Likelihood	Low
Impact	Medium (build failures)
Mitigations	Package-lock.json, scoped packages
Residual Risk	Low
Status	Mitigated

E-1: Workflow Token Abuse

Field	Value
Category	Elevation of Privilege
Asset	GitHub Actions tokens
Threat	Compromised workflow step uses GITHUB_TOKEN beyond intended scope
Likelihood	Low (minimal permissions declared)
Impact	Medium (depends on token permissions)
Mitigations	Minimal permissions pattern, persist-credentials: false, inline comments on elevated permissions
Residual Risk	Low
Status	Mitigated with Accepted Risk

Accepted Risk: Token-Permissions Alerts

OpenSSF Scorecard Token-Permissions flags security-events: write as overly broad across workflow files. This permission is required for github/codeql-action/upload-sarif and github/codeql-action/analyze to upload SARIF results to the repository Security tab. The security-events scope grants access only to code scanning alert data and cannot modify repository content, settings, or secrets.

Scorecard's own scorecard.yml requires the same permission to publish results, creating a circular dependency in the token-permissions check.

Affected workflow jobs:

Workflow	Job
`release-stable.yml`	`dependency-pinning-scan`
`release-stable.yml`	`gitleaks-scan`
`pr-validation.yml`	`dependency-pinning-check`
`pr-validation.yml`	`workflow-permissions-check`
`pr-validation.yml`	`gitleaks-scan`
`pr-validation.yml`	`codeql`
`security-scan.yml`	`codeql`
`weekly-security-maintenance.yml`	`validate-pinning`
`weekly-security-maintenance.yml`	`codeql-analysis`

Defense-in-depth controls:

All workflows declare job-level permissions, not workflow-level
persist-credentials: false set on all checkout steps
Inline YAML comments document each security-events: write declaration
SARIF upload is the only write operation performed under this permission

E-2: Branch Protection Bypass

Field	Value
Category	Elevation of Privilege
Asset	Protected branches
Threat	Admin bypasses branch protection to merge unauthorized changes
Likelihood	Low (requires admin access and intentional bypass)
Impact	High (security controls circumvented)
Mitigations	Branch protection rules, audit logging, "Do not allow bypassing"
Residual Risk	Low
Status	Mitigated

Dev Container Threats

These threats address risks in the development container configuration used for Codespaces and local container development.

DC-1: Feature Tag Substitution Attack

Field	Value
Category	Spoofing
Asset	Dev container configuration
Threat	Malicious update to a feature version tag introduces compromised tooling
Likelihood	Low (first-party Microsoft features only)
Impact	Medium (development environment compromise)
Mitigations	First-party features only, PR review of devcontainer.json changes
Residual Risk	Low (Microsoft-maintained features with release controls)
Status	Mitigated

DC-2: Lifecycle Script Tampering

Field	Value
Category	Tampering
Asset	Container initialization scripts
Threat	Attacker modifies on-create.sh or post-create.sh to inject code
Likelihood	Low (requires PR approval, CODEOWNERS protection)
Impact	High (arbitrary code execution in dev environment)
Mitigations	CODEOWNERS, PR review, branch protection
Residual Risk	Low
Status	Mitigated

DC-3: External Binary Download Compromise

Field	Value
Category	Spoofing
Asset	External tools (gitleaks, shellcheck)
Threat	Compromised download source serves malicious binary
Likelihood	Very Low (SHA256 verification enforced)
Impact	High (malicious tooling in dev environment)
Mitigations	SHA256 checksum verification in on-create.sh
Residual Risk	Very Low (cryptographic verification prevents substitution)
Status	Mitigated

AI-Specific Threats

These threats address risks specific to AI/ML systems as documented by OWASP LLM Top 10 and MITRE ATLAS.

AI-1: Prompt Injection via Artifact Content

Field	Value
Category	LLM01: Prompt Injection (OWASP)
Asset	Copilot behavior, downstream code generation
Threat	Malicious instructions embedded in prompt artifacts manipulate Copilot
Likelihood	Medium
Impact	Medium (affects code generation quality and safety)
Mitigations	PR review, CODEOWNERS, clear artifact structure guidelines
Residual Risk	Medium (inherent to prompt-based systems)
Status	Partially Mitigated

AI-2: Insecure Output Handling

Field	Value
Category	LLM02: Insecure Output Handling (OWASP)
Asset	Generated code
Threat	Copilot generates insecure code patterns based on prompt guidance
Likelihood	Medium
Impact	Variable (depends on consumer's review practices)
Mitigations	Security-focused prompts, consumer code review responsibility
Residual Risk	Medium (HVE Core provides guidance, not enforcement)
Status	Accepted with Documentation

AI-3: Training Data Poisoning (Indirect)

Field	Value
Category	LLM03: Training Data Poisoning (OWASP)
Asset	Copilot model behavior
Threat	Malicious patterns in HVE Core influence Copilot training
Likelihood	Very Low (Copilot training controlled by GitHub)
Impact	Low (HVE Core is small input to large training corpus)
Mitigations	Out of scope; GitHub controls training pipeline
Residual Risk	Very Low
Status	Accepted (Outside Control)

AI-4: Model Denial of Service

Field	Value
Category	LLM04: Model Denial of Service (OWASP)
Asset	Copilot availability
Threat	Crafted prompts cause excessive resource consumption in Copilot
Likelihood	Very Low
Impact	Low (Copilot has rate limiting)
Mitigations	Copilot's built-in rate limiting and resource management
Residual Risk	Very Low
Status	Accepted (Outside Control)

AI-5: Supply Chain Vulnerabilities (LLM-Specific)

Field	Value
Category	LLM05: Supply-Chain Vulnerabilities (OWASP)
Asset	MCP server integrations
Threat	Compromised MCP server provides malicious context to Copilot
Likelihood	Low (first-party servers) to Medium (third-party)
Impact	Medium (affects code generation context)
Mitigations	MCP server trust analysis, documentation of trust levels
Residual Risk	Low to Medium depending on server
Status	Mitigated with Documentation

AI-6: Sensitive Information Disclosure

Field	Value
Category	LLM06: Sensitive Information Disclosure (OWASP)
Asset	User context, code patterns
Threat	Prompt artifacts cause Copilot to expose sensitive patterns
Likelihood	Low
Impact	Medium
Mitigations	Consumer responsibility; prompt guidelines discourage sensitive data
Residual Risk	Low
Status	Mitigated with Documentation

AI-7: Insecure Plugin Design

Field	Value
Category	LLM07: Insecure Plugin Design (OWASP)
Asset	MCP server integrations, VS Code extension
Threat	Extension or MCP server allows unauthorized operations
Likelihood	Low (extension has no sensitive operations)
Impact	Low to Medium
Mitigations	Minimal extension functionality, MCP server trust documentation
Residual Risk	Low
Status	Mitigated

AI-8: Excessive Agency

Field	Value
Category	LLM08: Excessive Agency (OWASP)
Asset	Autonomous Copilot operations
Threat	Prompts grant Copilot excessive autonomous capabilities
Likelihood	Low (prompts are guidance, not permissions)
Impact	Variable
Mitigations	Copilot's built-in guardrails, tool confirmation dialogs
Residual Risk	Low
Status	Mitigated (Copilot Controls)

AI-9: Overreliance

Field	Value
Category	LLM09: Overreliance (OWASP)
Asset	Code quality, developer decision-making
Threat	Developers accept Copilot output without verification
Likelihood	Medium
Impact	Variable (depends on context)
Mitigations	Documentation emphasizing review, security-focused prompts
Residual Risk	Medium (behavioral, not technical)
Status	Accepted with Documentation

AI-10: Model Theft (N/A)

Field	Value
Category	LLM10: Model Theft (OWASP)
Asset	N/A
Threat	HVE Core does not host or distribute models
Likelihood	N/A
Impact	N/A
Mitigations	N/A
Residual Risk	N/A
Status	Not Applicable

AI-11: AML.T0043 Craft Adversarial Data (MITRE ATLAS)

Field	Value
Category	MITRE ATLAS AML.T0043
Asset	Prompt artifacts
Threat	Adversary crafts prompt content to cause model misbehavior
Likelihood	Medium
Impact	Medium
Mitigations	PR review process, CODEOWNERS, artifact structure validation
Residual Risk	Medium
Status	Partially Mitigated

AI-12: AML.T0048 Evade ML Model (MITRE ATLAS)

Field	Value
Category	MITRE ATLAS AML.T0048
Asset	Security recommendations in prompts
Threat	Prompts designed to cause Copilot to bypass security guidance
Likelihood	Low
Impact	Medium
Mitigations	Security-first prompt design principles, review process
Residual Risk	Low
Status	Mitigated

Responsible AI Threats

These threats address ethical and responsible AI considerations aligned with Microsoft's Responsible AI principles.

RAI-1: Fairness - Biased Code Generation Patterns

Field	Value
Category	Fairness (Microsoft RAI Standard)
Asset	Generated code quality across contexts
Threat	Prompts inadvertently favor certain coding styles or exclude accessibility
Likelihood	Medium
Impact	Medium (affects inclusivity of generated code)
Mitigations	Inclusive language guidelines, accessibility-aware prompts
Residual Risk	Medium
Status	Partially Mitigated

RAI-2: Reliability - Inconsistent Prompt Behavior

Field	Value
Category	Reliability & Safety (Microsoft RAI Standard)
Asset	Prompt consistency
Threat	Same prompt produces significantly different outputs
Likelihood	Medium (inherent to LLMs)
Impact	Low to Medium
Mitigations	Structured prompts, explicit instructions, testing guidance
Residual Risk	Medium (LLM behavior inherently variable)
Status	Accepted with Documentation

RAI-3: Privacy - Context Leakage via Prompts

Field	Value
Category	Privacy & Security (Microsoft RAI Standard)
Asset	Developer context, code patterns
Threat	Prompts cause Copilot to surface or infer private information
Likelihood	Low
Impact	Medium
Mitigations	Privacy-conscious prompt design, consumer guidelines
Residual Risk	Low
Status	Mitigated with Documentation

RAI-4: Inclusiveness - Exclusionary Language in Artifacts

Field	Value
Category	Inclusiveness (Microsoft RAI Standard)
Asset	Prompt artifacts, documentation
Threat	Language in prompts excludes or marginalizes user groups
Likelihood	Low (writing style guidelines address this)
Impact	Medium (affects adoption and trust)
Mitigations	Inclusive writing guidelines, spell check, PR review
Residual Risk	Low
Status	Mitigated

RAI-5: Transparency - Undocumented Prompt Behavior

Field	Value
Category	Transparency (Microsoft RAI Standard)
Asset	User understanding of system behavior
Threat	Prompts cause unexpected Copilot behavior not explained to users
Likelihood	Medium
Impact	Low to Medium
Mitigations	Clear documentation, explicit prompt descriptions in frontmatter
Residual Risk	Low
Status	Mitigated

RAI-6: Accountability - Unclear Responsibility for Generated Code

Field	Value
Category	Accountability (Microsoft RAI Standard)
Asset	Liability and responsibility clarity
Threat	Ambiguity about who is responsible for Copilot-generated code issues
Likelihood	Medium (common confusion)
Impact	Medium
Mitigations	Documentation clarifying HVE Core provides guidance only
Residual Risk	Low
Status	Mitigated with Documentation

RAI-7: Human Oversight - Automated Changes Without Review

Field	Value
Category	Human Oversight (Microsoft RAI Standard)
Asset	Code quality, security
Threat	Prompts encourage accepting Copilot suggestions without review
Likelihood	Low (prompts emphasize review)
Impact	Variable
Mitigations	Prompts include review reminders, security-conscious patterns
Residual Risk	Low
Status	Mitigated

RAI-8: Value Alignment - Prompts Conflicting with Organizational Values

Field	Value
Category	Value Alignment (Microsoft RAI Standard)
Asset	Organizational trust
Threat	Prompt artifacts conflict with consumer organization's values
Likelihood	Low
Impact	Medium (reputational)
Mitigations	General-purpose prompts, customization guidance for consumers
Residual Risk	Low
Status	Mitigated with Documentation

RAI-9: Proportionality - Overly Aggressive Automation

Field	Value
Category	Proportionality (Microsoft RAI Standard)
Asset	Developer autonomy
Threat	Prompts push Copilot toward excessive automation reducing human judgment
Likelihood	Low
Impact	Medium
Mitigations	Human-in-the-loop design patterns in prompts
Residual Risk	Low
Status	Mitigated

RAI-10: Contestability - No Mechanism to Challenge AI Decisions

Field	Value
Category	Contestability (Microsoft RAI Standard)
Asset	User agency
Threat	Users cannot override or question Copilot behavior influenced by prompts
Likelihood	Low (Copilot suggestions are optional)
Impact	Low
Mitigations	Copilot's non-mandatory nature, edit/reject options built-in
Residual Risk	Very Low
Status	Mitigated (Copilot Controls)

RAI-11: Societal Impact - Deskilling Developers

Field	Value
Category	Societal Impact (Microsoft RAI Standard)
Asset	Developer skill development
Threat	Over-reliance on AI-assisted coding reduces skill development
Likelihood	Medium (industry-wide concern)
Impact	Low for HVE Core specifically
Mitigations	Prompts emphasize learning and understanding, not just output
Residual Risk	Medium (societal, not technical)
Status	Accepted with Documentation

RAI-12: Environmental Impact - Compute Resource Awareness

Field	Value
Category	Environmental Impact (Microsoft RAI Standard)
Asset	Compute resources
Threat	Inefficient prompts cause unnecessary model computation
Likelihood	Low
Impact	Low (marginal compute impact)
Mitigations	Efficient prompt design guidelines
Residual Risk	Very Low
Status	Accepted

RAI-13: Misinformation - Prompts Generating Incorrect Information

Field	Value
Category	Misinformation (Microsoft RAI Standard)
Asset	Documentation and code accuracy
Threat	Prompts cause Copilot to generate plausible but incorrect content
Likelihood	Medium (LLM hallucination is known issue)
Impact	Medium
Mitigations	Verification prompts, citation requirements in prompt guidelines
Residual Risk	Medium (inherent LLM limitation)
Status	Partially Mitigated

Security Controls

Supply Chain Security Controls

ID	Control	Implementation	Validates Against
SC-1	Dependency Pinning Validation	Test-DependencyPinning.ps1	S-1, S-2
SC-2	SHA Staleness Monitoring	Test-SHAStaleness.ps1	S-1
SC-3	Dependency Review	dependency-review.yml	S-2, AI-5
SC-4	npm Security Audit	npm audit in pr-validation.yml	S-2
SC-5	Dependabot Updates	dependabot.yml	S-1, S-2
SC-6	Tool Checksum Verification	scripts/security/tool-checksums.json	S-1
SC-7	SBOM Generation and Attestation	anchore/sbom-action, actions/attest in main.yml	S-1, S-2
SC-8	SBOM Dependency Diff	sbom-diff job in main.yml	S-1, S-2

SC-8: SBOM Dependency Diff Implementation

The sbom-diff job in main.yml runs during each release to surface supply chain changes between consecutive versions. It compares the current dependency SBOM against the previous release, generating a structured dependency-diff.md report that is uploaded to the GitHub Release.

Field	Value
Trigger	Runs when `release_created == 'true'`, after SBOM generation completes
Input	SPDX JSON dependency SBOMs from current build and previous GitHub Release
Output	`dependency-diff.md` uploaded to the GitHub Release as an asset
Failure Mode	`continue-on-error: true` prevents diff failures from blocking the release
Permissions	`contents: write` (release asset upload only)

The diff script parses SPDX JSON packages, excludes root document entries, and categorizes changes into three groups:

Added packages not present in the previous release
Removed packages no longer included in the current build
Version changes where the same package appears in both releases at different versions

When no previous release exists or the prior release lacks a dependency SBOM, the job exits cleanly without producing a diff. This graceful degradation ensures the first release in a repository proceeds without error.

Code Quality Controls

ID	Control	Implementation	Validates Against
CQ-1	CodeQL Analysis	codeql-analysis.yml	T-1, E-1
CQ-2	Markdown Linting	lint:md npm script	T-2, RAI-4
CQ-3	Frontmatter Validation	Validate-MarkdownFrontmatter.ps1	T-2
CQ-4	PowerShell Analysis	Invoke-PSScriptAnalyzer.ps1	T-1
CQ-5	YAML Linting	Invoke-YamlLint.ps1	T-1

Access Controls

ID	Control	Implementation	Validates Against
AC-1	Branch Protection	Repository settings	T-1, E-2
AC-2	CODEOWNERS Enforcement	.github/CODEOWNERS	T-1, T-2
AC-3	PR Review Requirements	Branch protection rules	T-2, AI-1
AC-4	Minimal Workflow Permissions	permissions: in all workflows	E-1

Vulnerability Management Controls

ID	Control	Implementation	Validates Against
VM-1	Coordinated Disclosure	SECURITY.md	I-1
VM-2	Secret Scanning	GitHub native, gitleaks PR gate (gitleaks-scan.yml)	I-1, I-2
VM-3	Credential Persistence Disabled	persist-credentials: false	I-1, E-1

Assurance Argument

This section presents the security assurance case using Goal Structuring Notation (GSN) patterns.

Top-Level Goal

G0: HVE Core is acceptably secure for its intended use as an enterprise prompt engineering framework.

Supporting Goals

Goal	Statement	Strategy
G1	Supply chain attacks are mitigated	S1: Defense-in-depth controls
G2	Unauthorized modifications are prevented	S2: Access control enforcement
G3	AI-specific risks are documented and addressed	S3: Risk acceptance with documentation
G4	Responsible AI principles are followed	S4: Guidelines and review processes

Evidence Mapping

Goal	Evidence
G1	Dependency pinning logs, staleness reports, dependency review results, SBOM attestation verification, dependency SBOM diff reports
G2	Branch protection configuration, CODEOWNERS file, PR review history
G3	This threat model document, MCP trust analysis
G4	Writing style guidelines, inclusive language checks, PR reviews

Assumptions and Justifications

ID	Assumption	Justification
A1	GitHub platform security is adequate	SOC 2 Type II certified
A2	GitHub Copilot provides baseline AI safety	Microsoft RAI compliance
A3	Contributors act in good faith	PR review provides verification
A4	Consumers implement their own code review	Documented as consumer responsibility

Argument Summary

HVE Core achieves acceptable security through:

Automated Controls: 20+ security controls execute automatically via CI/CD
Defense-in-Depth: Multiple overlapping controls for critical threats
Transparent Risk Acceptance: AI-inherent risks documented with clear boundaries
Inherited Security: Uses GitHub and Copilot platform security

MCP Server Trust Analysis

HVE Core documents integrations with Model Context Protocol servers. This section analyzes the trust posture of each server.

Note

GitHub MCP is enabled by default in VS Code when using GitHub Copilot. The other servers are optional and recommended for an optimal HVE Core development experience. See MCP Configuration for setup instructions.

Server Summary

Server	Provider	Classification	Trust Level	Data Flow Risk	Default
GitHub MCP	GitHub	First-party	High	Low	Yes
Azure DevOps MCP	Microsoft	First-party	High	Low	No
Microsoft Docs MCP	Microsoft	First-party	High	Low	No
Context7 MCP	Upstash	Third-party	Medium	Medium	No

GitHub MCP Server

Attribute	Assessment
Operator	GitHub (Microsoft subsidiary)
Deployment	Remote (github.com hosted) or local
Authentication	OAuth, GitHub App tokens, PATs
Authorization	Inherits GitHub permission model
Data Handling	Data stays within GitHub ecosystem
Audit	GitHub audit log captures operations
Recommendation	Low risk; enable organization policies for access control

Azure DevOps MCP Server

Attribute	Assessment
Operator	Microsoft
Deployment	Local only (npx invocation)
Authentication	Browser-based Azure AD login
Authorization	Inherits Azure DevOps permissions
Data Handling	No persistent storage by MCP server
Audit	Azure DevOps audit log
Recommendation	Low risk; standard Microsoft security practices apply

Microsoft Docs MCP Server

Attribute	Assessment
Operator	Microsoft
Deployment	Remote (learn.microsoft.com API)
Authentication	None required (public documentation)
Authorization	Rate limiting only
Data Handling	Read-only queries; no user data transmitted beyond search terms
Audit	Standard Microsoft API logging
Recommendation	Low risk; queries limited to public documentation

Context7 MCP Server

Attribute	Assessment
Operator	Upstash (third-party)
Deployment	Local client, Upstash backend
Authentication	API keys via Upstash dashboard
Authorization	Rate limiting, enterprise SSO available
Data Handling	Queries processed locally; only topics sent to backend
Audit	API logs with 30-day retention
Recommendation	Medium risk; evaluate topic extraction for sensitive context

Trust Recommendations

First-party servers (GitHub, Azure DevOps, Microsoft Docs): Enable with organization policy controls; GitHub MCP is enabled by default
Third-party servers (Context7): Evaluate data flow, use API key rotation, review Upstash trust center

Quantitative Security Metrics

Configured Thresholds

Metric	Threshold	Source
Dependency Pinning Compliance	≥95%	dependency-pinning-scan.yml
SHA Staleness	≤30 days	sha-staleness-check.yml
Dependency Review Fail	moderate	dependency-review.yml
npm Audit Fail Level	moderate	pr-validation.yml
Required PR Reviewers	1	Branch protection

Security Response Commitments

Commitment	SLA	Source
Security Report Response	24 hours	SECURITY.md
Governance Change Comment	1 week	GOVERNANCE.md

Validation Workflow Coverage

Workflow	Trigger	Security Checks
pr-validation.yml	PR to main/develop	Pinning, npm audit, CodeQL, gitleaks
release-stable.yml	Push to main	Pinning, gitleaks, SBOM attestation, dependency diff (release)
codeql-analysis.yml	Push, PR, weekly	Static analysis
dependency-review.yml	PR to main/develop	Vulnerability scanning
weekly-security-maintenance.yml	Sundays 2 AM UTC	Pinning, staleness, CodeQL

References

Internal Documentation

SECURITY.md: Vulnerability disclosure process
GOVERNANCE.md: Project governance and roles
Branch Protection: Repository protection configuration
MCP Configuration: MCP server setup guidance

External Standards

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.

FilesExpand file tree

threat-model.md

Latest commit

History