MCP Hub
Back to servers

copilot-security-instructions

A security-focused MCP server that provides a comprehensive suite of prompts to guide AI assistants toward secure coding practices and identify vulnerabilities in Java, Node.js, C#, and Python codebases.

GitHub
AI & MLDevelopment Tools
Stars
32
Forks
9
Updated
Dec 2, 2025
Validated
Jan 9, 2026
View Source
Claim this server

🛡️ CoPilot Security Instructions

Verified on MseeP

A comprehensive toolkit to guide GitHub Copilot toward secure coding practices. This project includes customizable instructions and security-focused prompts to help development teams identify and mitigate security risks effectively.

Designed for security-conscious teams, this configuration ensures Copilot suggests safer code patterns, avoids common vulnerabilities, and reinforces best practices — all without disrupting your workflow.

🔐 What's Inside

This project offers:

  • Secure-by-default guidance for all languages (e.g., input validation, secret handling, safe logging).
  • Language-specific secure patterns:
    • ☕ Java
    • 🟩 Node.js
    • 🟦 C#
    • 🐍 Python
  • "Do Not Suggest" lists to block risky Copilot completions (e.g., eval, inline SQL, insecure deserialization).
  • AI hallucination protections to prevent package spoofing, non-existent APIs, and misinformation risks.
  • Mentorship-style tips to help newer engineers build secure coding habits.
  • An MCP server for seamless integration of these prompts into other projects.

🗂️ Prompt Catalogue

Explore the available prompts and their intended use cases:

PromptDescriptionIntended Use
assess-logging.prompt.mdIdentify unsafe logging and exposure of sensitive data.Audit log output for leaks and recommend safer patterns.
business-logic-review.prompt.mdAnalyze overall business logic flow and decision making.Map application behavior and critique critical logic paths.
check-access-controls.prompt.mdAudit authorization and access control weaknesses.Ensure RBAC/ABAC enforcement and consistent permission checks.
check-for-secrets.prompt.mdDetect hardcoded secrets and credentials.Locate embedded keys or tokens and suggest secure storage.
check-for-unvalidated-genai-acceptances.prompt.mdFind unvalidated AI-generated code or hallucinated assets.Verify that AI suggestions are real, tested, and documented.
dependency-cve-triage.prompt.mdTriage a known CVE against a project's dependency: explain the exploit, assess reachability and configuration, and produce a structured Dependency Tracker report.Analyze a specific CVE's impact on local code, determine exploitability, and generate a concise triage report.
review-auth-flows.prompt.mdEvaluate authentication logic and session handling.Review login flows for common risks and best practices.
scan-for-insecure-apis.prompt.mdSpot deprecated or insecure API usage.Replace risky APIs with modern, safer alternatives.
secure-code-review.prompt.mdPerform a comprehensive security review of the codebase.Conduct an end-to-end audit for security issues.
validate-input-handling.prompt.mdCheck for missing or unsafe input validation.Evaluate request handling for validation and sanitization gaps.

📦 How to Use in a Real Project

Leveraging Static Files

  1. Copy the copilot-instructions.md file into your repo under:
    .github/copilot-instructions.md

  2. Drop the prompts you want into:
    .github/prompts/

  3. Open the prompt you wish to run within your IDE

  4. Click the Run Prompt button to the top-right of the file

    Run Prompt Button

    ℹ️ Note: If you don't see the run prompt button; check to make sure the Chat: Prompt Files functionality is enabled in your settings Chat Prompt Files Setting

Leveraging the MCP Server

The MCP server simplifies the integration of secure coding prompts into your workflow. Follow these steps:

Run MCP from source

  1. Install dependencies

    npm install

  2. Setup environment

    cp .env.example .env

    The MCP server reads configuration from a .env file. Customize the following variables as needed:

    VariableDescriptionDefault
    server.portPort the MCP server listens on.8080
    server.sslWhether to use ssl for express serverfalse
    server.ssl.pfxPath to pfx filelocalhost.pfx
    server.ssl.pfx.passphrasePassphrase for pfx filePFX_PASSPHRASE
    server.hostnameHostname the server binds to.localhost
    logger.transports.console.enabledEnable console logging output.false
    logger.transports.console.levelLog level for console output.info
    logger.transports.amqp.enabledEnable AMQP-based logging.false
    logger.transports.amqp.levelLog level for AMQP transport.http
    logger.transports.amqp.hostnameHostname of the AMQP broker.localhost
    logger.transports.amqp.portPort for the AMQP broker.5672
    logger.transports.amqp.usernameUsername for AMQP authentication.guest
    logger.transports.amqp.passwordPassword for AMQP authentication.guest
    logger.transports.amqp.exchangeExchange name used for AMQP logging.logs
    logger.transports.amqp.vhostVirtual host for AMQP logging./logs
    logger.transports.amqp.heartbeatHeartbeat interval in seconds.60
    logger.transports.amqp.localeLocale for the AMQP connection.en_US
    logger.transports.amqp.typeAMQP exchange type.direct
    logger.transports.amqp.durableWhether the AMQP exchange is durable.false

  3. Start the server

    npm start

Run MCP in Docker

  1. Build docker container

    docker build -t copilot-security-mcp .

  2. Run docker container

    docker run -d -p 8080:8080 copilot-security-mcp

Configuring VSCode for MCP

  1. Open VSCode and run the MCP: Open User Configuration command.

  2. Add the following JSON configuration:

    {
   "servers": {
      "copilot-instructions-mcp": {
         "url": "http://localhost:8080/mcp"
      }
   }
}

  3. Save the configuration.

  4. Navigate to the Extensions menu in VSCode.

  5. Locate the copilot-instructions-mcp server, click the settings cog, and select start server.

Using MCP with GitHub Copilot

  1. Open GitHub Copilot Chat.

  2. Ask it to run any of the prompts against your repository or specific files.

    Example: Please get and run the secure code review prompt.

📚 Languages Supported

  • Java — Spring, Jakarta, JDBC, OWASP Encoder
  • 🟩 Node.js — Express, pg, mongoose, helmet, ajv, zod
  • 🟦 C# — ASP.NET Core, Razor, ADO.NET, Entity Framework
  • 🐍 Python — Flask, Django, SQLAlchemy, pydantic, Jinja2, bcrypt, cryptography

🛠️ Development

Use these npm scripts to work on the project:

CommandDescription
npm startLaunches the MCP server on http://localhost:8080/mcp.
npm run devStarts the server with live reload via nodemon.
npm run lintRuns ESLint and Markdownlint to verify code and docs.
npm run lint:fixAttempts to automatically fix linting issues.

Recommended workflow: Run npm run lint (and npm run lint:fix if needed) before committing or opening a PR.

📣 Feedback & Contributions

This project is community-friendly and designed for continuous improvement.
If you have suggestions, feedback, or language rules to contribute — feel free to open an issue or PR.

Let’s make Copilot safer, one suggestion at a time. 🛠️

Reviews

No reviews yet

Sign in to write a review