Skip to content

Add a security & governance guide for AI-generated code #23

Description

@oto-macenauer-absa

Summary

Add a guide on security & governance for AI-generated code. AI-assisted developers ship far faster but introduce security findings at a much higher rate, which matters for our context. We need clear, practical guidance so colleagues use agents safely.

The guide should cover

  • The risk: higher defect/vulnerability rate in agent-generated code, and why review still matters.
  • What never to put in a prompt (secrets, credentials, customer/sensitive data).
  • Guardrails: PR gates, secret scanning, dependency/license checks, human-in-the-loop review.
  • How to use the security-review skill as part of the flow.
  • Sensible defaults for reviewing and verifying AI changes before merge.

Notes

  • Back the findings with web research across multiple independent sources.
  • Keep it practical and tool-general (GitHub Copilot CLI, OpenCode, Pi); aim at a regulated/enterprise context.

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions