
Add security alert burndown campaign with clustered fixes#11178

Closed
Copilot wants to merge 3 commits into main from copilot/campaign-security-alert-burndown-another-one

Conversation


Copilot AI commented Jan 22, 2026

Implements an automated campaign to systematically remediate code scanning alerts, prioritizing file write vulnerabilities (path traversal, arbitrary file write, unsafe permissions).

Campaign Architecture

Orchestrator (Copilot): Discovers alerts via the GitHub Code Scanning API, dispatches the worker with clustered payloads (1-3 related alerts), and tracks progress in repo-memory.

Worker (Claude): Generates security fixes with comprehensive inline documentation explaining the vulnerability, attack vector, mitigation, and OWASP/CWE references. Implements idempotency via deterministic PR keys.

Configuration

# security-alert-burndown.campaign.md
kpis:
  - name: Critical File Write Vulnerabilities
    baseline: 10
    target: 0
    time-window-days: 60
    priority: primary

governance:
  max-new-items-per-run: 5
  max-discovery-items-per-run: 100

Worker Output Example

// SECURITY FIX: Path Traversal Prevention (CWE-22)
//
// VULNERABILITY: User-controlled path without validation
// - Attack vector: User provides "../../../etc/passwd"
// - Impact: Arbitrary file write, system compromise
//
// FIX APPLIED: Path sanitization and validation
// - Validate path is within allowed directory
// - Normalize to prevent traversal bypass
//
// SECURITY BEST PRACTICES:
// - OWASP A03:2021 - Injection
// - Always validate file paths against allowlist

const fs = require('node:fs');

// getSecurePath() is the sanitization helper the fix introduces: it resolves
// userInput under the allowed directory and rejects anything that escapes it.
const securePath = getSecurePath(userInput);
fs.writeFileSync(securePath, data);

Three-Phase Strategy

  1. File write issues (0-30d): Path traversal, arbitrary write, unsafe permissions
  2. High severity (30-60d): Injection, XSS, auth bypass, crypto weaknesses
  3. Medium severity (60-90d): Remaining alerts

Alert clustering groups related issues (same file/type) to reduce PR volume and provide better review context.

Original prompt

This section details the original issue you should resolve

<issue_title>Campaign: Security Alert Burndown</issue_title>
<issue_description>Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments to generated code for fixes. Use Claude for codegen, copilot for campaign manager.</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes githubnext/gh-aw#11177


Copilot AI and others added 2 commits January 22, 2026 05:00
- Create campaign spec for security alert burndown
- Focus on file write issues first with prioritization
- Support clustering up to 3 related alerts per PR
- Use Claude engine for precise code generation with detailed comments
- Use Copilot engine for campaign orchestration
- Implement worker workflow with idempotency checks
- Configure repo-memory for state tracking
- Set up KPIs and governance policies

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add campaign for security alert burndown" to "Add security alert burndown campaign with clustered fixes" Jan 22, 2026
Copilot AI requested a review from mnkiefer January 22, 2026 05:07
@mnkiefer mnkiefer closed this Jan 22, 2026