Summary
Add a guide on security & governance for AI-generated code. AI-assisted developers ship far faster but introduce security findings at a much higher rate, which matters for our context. We need clear, practical guidance so colleagues use agents safely.
The guide should cover
- The risk: higher defect/vulnerability rate in agent-generated code, and why review still matters.
- What never to put in a prompt (secrets, credentials, customer/sensitive data).
- Guardrails: PR gates, secret scanning, dependency/license checks, human-in-the-loop review.
- How to use the
security-review skill as part of the flow.
- Sensible defaults for reviewing and verifying AI changes before merge.
Notes
- Back the findings with web research across multiple independent sources.
- Keep it practical and tool-general (GitHub Copilot CLI, OpenCode, Pi); aim at a regulated/enterprise context.
Summary
Add a guide on security & governance for AI-generated code. AI-assisted developers ship far faster but introduce security findings at a much higher rate, which matters for our context. We need clear, practical guidance so colleagues use agents safely.
The guide should cover
security-reviewskill as part of the flow.Notes