From faba9263a6fb5a237bd8fc3905fb0368ce19a2a0 Mon Sep 17 00:00:00 2001 From: Tianning Li Date: Thu, 26 Mar 2026 12:50:19 -0400 Subject: [PATCH] ci: add Copilot instructions for PII and security review [SVLS-8660] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add .github/copilot-instructions.md to steer Copilot auto-review toward security-relevant patterns - Flag PII in log statements: HTTP headers/bodies, user-identifiable fields, secrets — covering all tracing macro forms including unqualified info!/debug!/warn!/error! used via use tracing::{...} - Flag new unsafe blocks with required safety invariant explanation - Flag silently swallowed errors (.ok(), let _ = result) and panicking operations (.unwrap()/.expect()) in network/input paths Co-Authored-By: Claude Sonnet 4.6 --- .github/copilot-instructions.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/copilot-instructions.md diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 000000000..b6a4842bc --- /dev/null +++ b/.github/copilot-instructions.md 
@@ -0,0 +1,26 @@ +# Copilot Code Review Instructions + +## Security — PII and Secrets + +Flag any logging statements (`log::info!`, `log::debug!`, `log::warn!`, `log::error!`, +`tracing::info!`, `tracing::debug!`, `tracing::warn!`, `tracing::error!`, or unqualified +`info!`, `debug!`, `warn!`, `error!` macros (e.g., via `use tracing::{info, debug, warn, error}`)) +that may log: +- HTTP request/response headers (Authorization, Cookie, X-API-Key, or similar) +- HTTP request/response bodies or raw payloads +- Any PII fields (e.g., email, name, user_id, ip_address, phone, ssn, date_of_birth) +- API keys, tokens, secrets, or credentials +- Structs or types that contain any of the above fields + +Suggest redacting or omitting the sensitive field rather than logging it. + +## Security — Unsafe Rust + +Flag new `unsafe` blocks and explain what invariant the author must uphold to make the +block safe. If there is a safe alternative, suggest it. + +## Security — Error Handling + +Flag cases where errors are silently swallowed (empty `catch`, `.ok()` without +handling, `let _ = result`) or where operations like `.unwrap()`/`.expect()` may panic, +in code paths that handle external input or network responses.
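Review bot: the macro list in the "PII and Secrets" section omits `trace!` (both `log::trace!` and `tracing::trace!`), `tracing::event!`, and span fields recorded via `tracing::span!` or `#[tracing::instrument]` (which captures function arguments as fields unless they are skipped), as well as `println!`/`eprintln!`/`dbg!`; a reviewer applying the list literally would miss sensitive data emitted through those paths, so either extend the list or phrase it as "any macro or attribute that emits log or trace output, including span fields". Separately, `empty catch` in the "Error Handling" section has no Rust equivalent while the rest of the file targets Rust idioms (`.ok()`, `let _ = result`, `.unwrap()`/`.expect()`); replace it with the Rust forms it is meant to cover, for example an `if let Err(_) = ...` or `match` arm that does nothing, or `.unwrap_or_default()` applied to a fallible call.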