31 changes: 31 additions & 0 deletions agents/secure-config-advisor.agent.md
@@ -0,0 +1,31 @@
---
name: 'secure-config-advisor'
description: 'Application configuration security specialist for environment variables, secret management, config validation, and separating config from code following 12-factor principles'
tools: ['codebase', 'edit/editFiles', 'search', 'runCommands', 'terminalCommand']
---

# Secure Config Advisor

You are an application configuration security specialist. You keep secrets out of code, make configuration explicit, and ensure apps fail fast on bad config instead of misbehaving in production.

## Core Expertise

- **Secret hygiene**: detecting hardcoded credentials, `.env` files in git history, secrets in logs and error messages
- **Secret managers**: when and how to adopt Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Doppler; rotation strategy
- **Config structure**: 12-factor config via environment, per-environment overrides without per-environment code, `.env.example` upkeep
- **Startup validation**: schema-validated config (zod/envalid, pydantic Settings, Spring ConfigurationProperties, .NET Options pattern) that fails boot on missing/invalid values
- **Least privilege**: scoping credentials per service, avoiding shared god-credentials across environments

## Working Method

1. Audit first: scan tracked files and git history for secrets (`git log -p` patterns, common key formats) before proposing structure.
2. Treat any committed secret as compromised - the fix is rotate + purge + prevent (pre-commit scanning like gitleaks), never just delete the line.
3. Distinguish secret config (credentials, keys) from plain config (ports, flags, URLs); only the former needs a secret manager.
4. Introduce changes incrementally: `.env` + validation first, secret manager when multiple environments or team size justify it.
5. Wire prevention into CI: secret scanning, `.env` in `.gitignore`, and drift checks between code and `.env.example`.

## Response Style

- Findings ordered by severity, each with the exact file/line and a remediation snippet.
- Recommend the lightest tool that solves the problem; do not prescribe Vault for a two-person project.
- When rotation is required, provide the step order that avoids downtime (add new credential → deploy → revoke old).
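Review bot: The Response Style bullet "Findings ordered by severity, each with the exact file/line and a remediation snippet" never tells the agent to redact the credential it found, even though Working Method step 1 has it run `git log -p` over history with `runCommands`/`terminalCommand` and Core Expertise lists "secrets in logs and error messages" as a risk; a finding that quotes the value verbatim puts the secret into the chat transcript and any log of the session. Suggest adding a bullet such as `- Never reproduce a discovered secret verbatim; report file/line, variable name and a masked prefix only.` Step 2's "purge" also rewrites history, so the agent should say that the rewrite is coordinated with everyone who has a clone, since the secret still counts as compromised either way.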
1 change: 1 addition & 0 deletions docs/README.agents.md
@@ -209,6 +209,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-agents) for guidelines on how to
| [SE: Tech Writer](../agents/se-technical-writer.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-technical-writer.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-technical-writer.agent.md) | Technical writing specialist for creating developer documentation, technical blogs, tutorials, and educational content | |
| [SE: UX Designer](../agents/se-ux-ui-designer.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-ux-ui-designer.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-ux-ui-designer.agent.md) | Jobs-to-be-Done analysis, user journey mapping, and UX research artifacts for Figma and design workflows | |
| [Search & AI Optimization Expert](../agents/search-ai-optimization-expert.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsearch-ai-optimization-expert.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsearch-ai-optimization-expert.agent.md) | Expert guidance for modern search optimization: SEO, Answer Engine Optimization (AEO), and Generative Engine Optimization (GEO) with AI-ready content strategies | |
| [Secure Config Advisor](../agents/secure-config-advisor.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsecure-config-advisor.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsecure-config-advisor.agent.md) | Application configuration security specialist for environment variables, secret management, config validation, and separating config from code following 12-factor principles | |
| [Senior Cloud Architect](../agents/arch.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Farch.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Farch.agent.md) | Expert in modern architecture design patterns, NFR requirements, and creating comprehensive architectural diagrams and documentation | |
| [Sensei Junior Mentor](../agents/mentoring-juniors.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fmentoring-juniors.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fmentoring-juniors.agent.md) | Socratic mentor for junior developers. Guides through questions, never gives direct answers. Helps beginners understand code, debug issues, and build autonomy using the PEAR Loop and progressive clue systems. | |
| [Shopify Expert](../agents/shopify-expert.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fshopify-expert.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fshopify-expert.agent.md) | Expert Shopify development assistant specializing in theme development, Liquid templating, app development, and Shopify APIs | |
1 change: 1 addition & 0 deletions docs/README.skills.md
@@ -157,6 +157,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
| [em-dash](../skills/em-dash/SKILL.md)<br />`gh skills install github/awesome-copilot em-dash` | Expert on the history, origin, and correct use of the em dash. Use when writing or reviewing code, comments, or data files to avoid em and en dashes, defaulting to never using them and replacing any found with a hyphen (-). Includes strong knowledge of punctuation marks and the proper usage of punctuation characters when writing comments. | None |
| [email-drafter](../skills/email-drafter/SKILL.md)<br />`gh skills install github/awesome-copilot email-drafter` | Draft and review professional emails that match your personal writing style. Analyzes your sent emails for tone, greeting, structure, and sign-off patterns via WorkIQ, then generates context-aware drafts for any recipient. USE FOR: draft email, write email, compose email, reply email, follow-up email, analyze email tone, email style. | None |
| [entra-agent-user](../skills/entra-agent-user/SKILL.md)<br />`gh skills install github/awesome-copilot entra-agent-user` | Create Agent Users in Microsoft Entra ID from Agent Identities, enabling AI agents to act as digital workers with user identity capabilities in Microsoft 365 and Azure environments. | None |
| [env-example-generator](../skills/env-example-generator/SKILL.md)<br />`gh skills install github/awesome-copilot env-example-generator` | Generate and maintain a .env.example that stays in sync with every environment variable the code actually reads. Use when the user asks to create or update .env.example, document environment variables, audit config for missing or unused variables, or onboard developers who need to know which variables a project requires. | None |
| [eval-driven-dev](../skills/eval-driven-dev/SKILL.md)<br />`gh skills install github/awesome-copilot eval-driven-dev` | Improve AI application with evaluation-driven development. Define eval criteria, instrument the application, build golden datasets, observe and evaluate application runs, analyze results, and produce a concrete action plan for improvements. ALWAYS USE THIS SKILL when the user asks to set up QA, add tests, add evals, evaluate, benchmark, fix wrong behaviors, improve quality, or do quality assurance for any Python project that calls an LLM model. | `references/1-a-project-analysis.md`<br />`references/1-b-entry-point.md`<br />`references/1-c-eval-criteria.md`<br />`references/2a-instrumentation.md`<br />`references/2b-implement-runnable.md`<br />`references/2c-capture-and-verify-trace.md`<br />`references/3-define-evaluators.md`<br />`references/4-build-dataset.md`<br />`references/5-run-tests.md`<br />`references/6-analyze-outcomes.md`<br />`references/evaluators.md`<br />`references/runnable-examples`<br />`references/testing-api.md`<br />`references/wrap-api.md`<br />`resources` |
| [exam-ready](../skills/exam-ready/SKILL.md)<br />`gh skills install github/awesome-copilot exam-ready` | Activate this skill when a student provides study material (PDF or pasted notes) and a syllabus, and wants to prepare for an exam. Extracts key definitions, points, keywords, diagrams, exam-ready sentences, and practice questions strictly from the provided material. | None |
| [excalidraw-diagram-generator](../skills/excalidraw-diagram-generator/SKILL.md)<br />`gh skills install github/awesome-copilot excalidraw-diagram-generator` | Generate Excalidraw diagrams from natural language descriptions. Use when asked to "create a diagram", "make a flowchart", "visualize a process", "draw a system architecture", "create a mind map", or "generate an Excalidraw file". Supports flowcharts, relationship diagrams, mind maps, and system architecture diagrams. Outputs .excalidraw JSON files that can be opened directly in Excalidraw. | `references/element-types.md`<br />`references/excalidraw-schema.md`<br />`scripts/.gitignore`<br />`scripts/README.md`<br />`scripts/add-arrow.py`<br />`scripts/add-icon-to-diagram.py`<br />`scripts/split-excalidraw-library.py`<br />`templates` |
66 changes: 66 additions & 0 deletions skills/env-example-generator/SKILL.md
@@ -0,0 +1,66 @@
---
name: env-example-generator
description: 'Generate and maintain a .env.example that stays in sync with every environment variable the code actually reads. Use when the user asks to create or update .env.example, document environment variables, audit config for missing or unused variables, or onboard developers who need to know which variables a project requires.'
license: MIT
---

# Env Example Generator

Scan the codebase for every environment variable it reads and generate a complete, documented `.env.example` - without ever copying real secret values.

## When to Use This Skill

Use this skill when you need to:
- Create a `.env.example` for a project that lacks one
- Detect drift: variables read in code but missing from `.env.example`, or documented but no longer used
- Document what each variable does, its format, and a safe default
- Prepare a project for new-developer onboarding or open-sourcing

## Workflow

1. **Scan for reads** across the stack:
- Node: `process.env.X`, `import.meta.env.X`
- Python: `os.environ[...]`, `os.getenv(...)`, pydantic `BaseSettings` fields
- Go: `os.Getenv(...)`; Java/Spring: `${X}` in properties/yml, `@Value`; .NET: `builder.Configuration[...]`, `IConfiguration`
- Infra: `docker-compose.yml` `environment:`/`env_file:`, Dockerfiles `ENV`/`ARG`, CI workflows, K8s manifests
2. **Merge and dedupe** into one inventory with file references.
3. **Classify each variable**: required (no fallback in code) vs. optional (has default), secret vs. non-secret.
4. **Generate `.env.example`** grouped by concern, with a comment and placeholder per variable.
5. **Report drift**: list variables in code but not in the example, and stale entries in the example no code reads.

## Output Format

```bash
# ---------------------------------------------------------------
# App
# ---------------------------------------------------------------
# Runtime environment: development | staging | production
NODE_ENV=development
# HTTP port the API listens on (default: 3000)
PORT=3000

# ---------------------------------------------------------------
# Database
# ---------------------------------------------------------------
# PostgreSQL connection string (required)
DATABASE_URL=postgresql://user:password@localhost:5432/appdb

# ---------------------------------------------------------------
# Auth (secrets - generate real values, never commit them)
# ---------------------------------------------------------------
# JWT signing secret (required) - generate with: openssl rand -hex 32
JWT_SECRET=change-me
```

## Guidelines

1. **Never copy real values** - even from a local `.env`; placeholders only. If a real secret is spotted in tracked files, flag it and suggest rotation plus secret-manager adoption.
2. **Required variables get no default placeholder that "works"** - use `change-me` style values that fail loudly rather than silently connecting somewhere wrong.
3. **Comment format and origin** - each entry says what it is, its format, and (for secrets) how to generate one.
4. **Keep ordering stable and grouped** - diffs stay readable when variables are grouped by concern, alphabetical within groups.
5. **Suggest validation** - recommend fail-fast startup validation (zod/envalid, pydantic Settings, Spring `@ConfigurationProperties`) so missing variables break boot, not runtime.

## Limitations

- Dynamic access (`process.env[name]`) cannot be resolved statically; report these call sites for manual review.
- Variables consumed only by third-party libraries (e.g. `AWS_REGION`) may not appear in code scans; check docs of detected SDKs.
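Review bot: The Output Format sample contradicts Guideline 2. `DATABASE_URL=postgresql://user:password@localhost:5432/appdb` is marked "(required)", yet Guideline 2 says required variables get no placeholder that "works" and should use `change-me` style values that fail loudly; a copied `.env.example` with this line can connect to a local database and mask the missing configuration, and it also shows a literal credential shape in a file that is committed. Suggest `DATABASE_URL=postgresql://change-me:change-me@localhost:5432/appdb` (or leaving the value empty) so the sample follows the same rule as `JWT_SECRET=change-me`. Minor: the Limitations list covers `process.env[name]` but the Workflow's scan list does not mention shell scripts and `Makefile`s reading `$VAR`/`${VAR}`, which is where many infra variables live; adding them to the Infra bullet would reduce false "unused" drift reports.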