devopsabcs-engineering
diff --git a/‎.copilot-tracking/changes/2026-03-17/agentic-devsecops-framework-changes.md‎
Lines changed: 108 additions & 0 deletions b/‎.copilot-tracking/changes/2026-03-17/agentic-devsecops-framework-changes.md‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎.copilot-tracking/changes/2026-03-17/ci-cd-agent-testing-changes.md‎
Lines changed: 71 additions & 0 deletions b/‎.copilot-tracking/changes/2026-03-17/ci-cd-agent-testing-changes.md‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎.copilot-tracking/changes/2026-03-18/agentic-devsecops-workshop-changes.md‎
Lines changed: 88 additions & 0 deletions b/‎.copilot-tracking/changes/2026-03-18/agentic-devsecops-workshop-changes.md‎
Lines changed: 88 additions & 0 deletions
@@ -0,0 +1,108 @@
+<!-- markdownlint-disable-file -->
+# Release Changes: Agentic DevSecOps Framework
+
+**Related Plan**: agentic-devsecops-framework-plan.instructions.md
+**Implementation Date**: 2026-03-17
+
+## Summary
+
+Build a comprehensive Agentic DevSecOps Framework repository structured for `.github-private` org-wide deployment, leveraging custom GitHub Copilot agents, GitHub Advanced Security, and Microsoft Defender for Cloud across security, accessibility, code quality, and FinOps domains with SARIF-based CI/CD integration.
+
+## Changes
+
+### Added
+
+* `README.md` - Repository overview with architecture diagram and domain descriptions
+* `LICENSE` - MIT license
+* `.gitignore` - Python, Node.js, IDE, coverage, SARIF ignore patterns
+* `.github/copilot-instructions.md` - Repo-wide GHCP agent conventions (SARIF, severity, output format)
+* `.github/CODEOWNERS` - Security governance for agent config paths
+* `mcp.json` - MCP server configuration for ADO work items
+* `apm.yml` - Agent Package Manager manifest declaring all agent dependencies
+* `agents/security-agent.agent.md` - Holistic security orchestrator (AB#2047)
+* `agents/security-reviewer-agent.agent.md` - OWASP Top 10 vulnerability detection (AB#2048)
+* `agents/security-plan-creator.agent.md` - Cloud security plan from IaC (AB#2049)
+* `agents/pipeline-security-agent.agent.md` - CI/CD pipeline hardening (AB#2050)
+* `agents/iac-security-agent.agent.md` - Terraform/Bicep/K8s scanning (AB#2051)
+* `agents/supply-chain-security-agent.agent.md` - Secrets, dependencies, SBOM (AB#2052)
+* `agents/a11y-detector.agent.md` - WCAG 2.2 compliance detector (AB#2054)
+* `agents/a11y-resolver.agent.md` - Accessibility fix agent (AB#2055)
+* `agents/code-quality-detector.agent.md` - Coverage analysis, lint, complexity (AB#2060)
+* `agents/test-generator.agent.md` - Auto-generate tests for uncovered code (AB#2061)
+* `agents/cost-analysis-agent.agent.md` - Azure cost queries and reporting (AB#2063)
+* `agents/finops-governance-agent.agent.md` - Tag compliance monitoring (AB#2064)
+* `agents/cost-anomaly-detector.agent.md` - Cost anomaly detection (AB#2065)
+* `agents/cost-optimizer-agent.agent.md` - Azure Advisor recommendations (AB#2066)
+* `agents/deployment-cost-gate-agent.agent.md` - Deployment budget gating (AB#2067)
+* `instructions/wcag22-rules.instructions.md` - Auto-applied WCAG 2.2 rules (AB#2056)
+* `instructions/a11y-remediation.instructions.md` - A11y remediation patterns (AB#2057)
+* `instructions/code-quality.instructions.md` - Coverage thresholds and testing patterns (AB#2062)
+* `prompts/a11y-scan.prompt.md` - Accessibility scan prompt (AB#2058)
+* `prompts/a11y-fix.prompt.md` - Accessibility fix prompt (AB#2058)
+* `skills/a11y-scan/SKILL.md` - Accessibility scanning domain knowledge (AB#2053)
+* `skills/security-scan/SKILL.md` - Security scanning domain knowledge (AB#2059)
+* `docs/architecture.md` - Framework architecture with Mermaid diagrams (AB#2042)
+* `docs/agent-patterns.md` - Agent file specification and deployment model (AB#2043)
+* `docs/sarif-integration.md` - SARIF v2.1.0 mapping for all domains (AB#2044)
+* `docs/platform-comparison.md` - GitHub vs Azure DevOps feature matrix (AB#2045)
+* `docs/implementation-roadmap.md` - 5-phase rollout plan (AB#2046)
+* `docs/prompt-file-security.md` - Threat model and APM controls (AB#2069)
+* `docs/azure-devops-pipelines.md` - ADO pipeline equivalents documentation (AB#2075)
+* `docs/agent-extensibility.md` - Plugin model and org-scale sharing (AB#2076)
+* `docs/centralized-governance.md` - Security Overview, MDC, Defender for DevOps (AB#2077)
+* `.github/workflows/security-scan.yml` - SAST + SCA + IaC + secrets + DAST pipeline (AB#2070)
+* `.github/workflows/accessibility-scan.yml` - Three-engine a11y scanner (AB#2071)
+* `.github/workflows/code-quality.yml` - Coverage enforcement with SARIF (AB#2072)
+* `.github/workflows/apm-security.yml` - APM audit on PRs (AB#2073)
+* `.github/workflows/finops-cost-gate.yml` - IaC cost estimation gate (AB#2074)
+* `samples/azure-devops/security-pipeline.yml` - ADO security pipeline sample (AB#2075)
+* `samples/azure-devops/accessibility-pipeline.yml` - ADO accessibility pipeline sample (AB#2075)
+* `samples/azure-devops/quality-pipeline.yml` - ADO quality pipeline sample (AB#2075)
+* `sample-app/package.json` - Next.js project with intentional issues (AB#2078)
+* `sample-app/tsconfig.json` - TypeScript configuration (AB#2078)
+* `sample-app/next.config.js` - Next.js configuration (AB#2078)
+* `sample-app/tailwind.config.ts` - Tailwind CSS configuration (AB#2078)
+* `sample-app/postcss.config.js` - PostCSS configuration (AB#2078)
+* `sample-app/src/app/layout.tsx` - Root layout with missing lang attribute (AB#2080)
+* `sample-app/src/app/page.tsx` - Home page with low contrast, missing labels (AB#2080)
+* `sample-app/src/app/globals.css` - Tailwind CSS imports (AB#2078)
+* `sample-app/src/app/products/page.tsx` - Product listing with missing alt text (AB#2080)
+* `sample-app/src/app/products/[id]/page.tsx` - Product detail with SQL injection (AB#2079)
+* `sample-app/src/lib/db.ts` - Database module with hardcoded secrets (AB#2079)
+* `sample-app/src/lib/auth.ts` - Auth module with weak crypto (AB#2079)
+* `sample-app/src/lib/utils.ts` - Utility functions with high complexity (AB#2081)
+* `sample-app/src/components/Header.tsx` - Header with broken heading hierarchy (AB#2080)
+* `sample-app/src/components/ProductCard.tsx` - Product card with XSS (AB#2079)
+* `sample-app/infra/main.bicep` - IaC with missing tags and security issues (AB#2082)
+* `sample-app/infra/variables.bicep` - Oversized SKU parameters (AB#2082)
+* `sample-app/__tests__/placeholder.test.ts` - Minimal test file (AB#2081)
+* `sample-app/README.md` - Testing guide documenting all intentional issues (AB#2083)
+
+### Modified
+
+* `.gitignore` - Added exception for `sample-app/src/lib/` path
+
+### Removed
+
+* `sample-app/.gitkeep` - Replaced by actual sample application files
+* `samples/azure-devops/.gitkeep` - Replaced by actual pipeline samples
+
+## Additional or Deviating Changes
+
+* `.gitignore` had a `lib/` pattern that excluded `sample-app/src/lib/`; added `!sample-app/src/lib/` exception
+
+## Release Summary
+
+All 11 implementation phases completed across 60+ files:
+
+* **15 agent files** in `agents/` with valid YAML frontmatter (all under 10K chars)
+* **3 instruction files** in `instructions/` with correct applyTo patterns
+* **2 prompt files** in `prompts/` delegating to a11y agents
+* **2 skill files** in `skills/` for security and accessibility domains
+* **8 documentation files** in `docs/` covering architecture, patterns, SARIF, platform comparison, roadmap, security, extensibility, and governance
+* **5 GitHub Actions workflows** in `.github/workflows/` with distinct SARIF categories
+* **3 ADO pipeline samples** in `samples/azure-devops/`
+* **1 apm.yml** manifest declaring all agent dependencies
+* **1 mcp.json** for ADO work items MCP server
+* **18 sample-app files** with intentional issues across security (15), accessibility (7), code quality (5), and FinOps (10) domains
+* All validation checks passed: YAML frontmatter, glob patterns, link integrity, SARIF uniqueness, Unicode safety, mcp.json validity
@@ -0,0 +1,71 @@
+<!-- markdownlint-disable-file -->
+# Release Changes: CI/CD Automation for Agent Testing & Deployment
+
+**Related Plan**: ci-cd-agent-testing-plan.instructions.md
+**Implementation Date**: 2026-03-17
+
+## Summary
+
+Implements full CI/CD automation for agent testing and deployment: fixes 3 broken existing workflows, configures sample-app test infrastructure, creates an agent validation script (structural + cross-reference + domain checks), builds a CI workflow with 4 jobs covering all 15 agents across 4 domains, and adds a CD workflow deploying 25 files to `.github-private` with SHA-256 integrity verification.
+
+## Changes
+
+### Added
+
+* `sample-app/package-lock.json` — Generated lockfile for `npm ci` in CI workflows
+* `sample-app/jest.config.ts` — Jest configuration with jsdom environment, `@/` alias mapping, coverage reporters
+* `sample-app/.eslintrc.json` — ESLint config extending `next/core-web-vitals` for `next lint` in CI
+* `scripts/validate-agents.mjs` — Agent validation script: Tier 1 structural, Tier 2 cross-reference, Tier 4 domain content checks with SARIF + JSON + Job Summary output (749 lines)
+* `scripts/package.json` — Dependencies for validation script (gray-matter, minimatch)
+* `scripts/package-lock.json` — Lockfile for validation script dependencies
+* `.github/workflows/ci-full-test.yml` — CI workflow with 4 jobs: agent-validation, apm-security, sample-app-quality, summary; triggers on push/PR to main
+* `.github/workflows/deploy-to-github-private.yml` — CD workflow with deploy + verify jobs; syncs 25 files to .github-private with SHA-256 integrity verification
+
+### Modified
+
+* `.github/workflows/security-scan.yml` — Replaced invalid job-level `hashFiles()` on container job with step-level Dockerfile existence check; gated Build, Trivy scan, and SARIF upload steps
+* `.github/workflows/finops-cost-gate.yml` — Removed redundant job-level `hashFiles()` check; workflow-level `paths:` filter provides equivalent gating
+* `.github/workflows/code-quality.yml` — Added `defaults.run.working-directory: sample-app` to lint, type-check, and test jobs; added `cache-dependency-path` for npm cache
+* `sample-app/package.json` — Added `eslint`, `eslint-config-next`, `@types/jest`, `ts-node` to devDependencies (required for CI commands)
+* `.gitignore` — Added `validation-results.json` and `validation-results.sarif` to ignore; un-ignored `scripts/package-lock.json`
+
+### Removed
+
+## Additional or Deviating Changes
+
+* Security domain keyword check in `validate-agents.mjs` broadened beyond OWASP/CWE to also accept CIS, NIST, and OpenSSF references
+  * 3 security agents (IaCSecurityAgent, PipelineSecurityAgent, SecurityPlanCreator) use CIS Azure benchmarks, NIST 800-53, and OpenSSF standards — agent files are the source of truth
+* `sample-app/package.json` required 4 additional devDependencies not in the original plan: `eslint`, `eslint-config-next`, `@types/jest`, `ts-node`
+  * These were infrastructure gaps discovered during Phase 2 validation — all required for CI commands to succeed
+* Deployment tagging step (tagging source repo with `deploy/github-private/YYYYMMDD-HHMMSS-{run_number}`) deferred to follow-on work
+  * The CD workflow commits and pushes to `.github-private` but does not tag the source repo
+
+## Release Summary
+
+Total files affected: 15 (8 added, 6 modified, 0 removed)
+
+Files created:
+* `sample-app/package-lock.json` — Lockfile enabling `npm ci` in CI
+* `sample-app/jest.config.ts` — Jest configuration for sample-app testing
+* `sample-app/.eslintrc.json` — ESLint configuration for `next lint`
+* `scripts/validate-agents.mjs` — Agent validation script (749 lines, Tier 1+2+4)
+* `scripts/package.json` — Validation script dependencies
+* `scripts/package-lock.json` — Validation script lockfile
+* `.github/workflows/ci-full-test.yml` — CI workflow (4 jobs, triggers on push/PR to main)
+* `.github/workflows/deploy-to-github-private.yml` — CD workflow (2 jobs, syncs 25 files with SHA-256 verification)
+
+Files modified:
+* `.github/workflows/security-scan.yml` — Fixed invalid `hashFiles()` at job level
+* `.github/workflows/finops-cost-gate.yml` — Removed redundant `hashFiles()` check
+* `.github/workflows/code-quality.yml` — Added working directory for sample-app
+* `sample-app/package.json` — Added 4 missing devDependencies
+* `.gitignore` — Updated ignore patterns for validation outputs
+* `.copilot-tracking/` — Planning and tracking artifacts updated
+
+Dependency changes:
+* `gray-matter` ^4.0.3 and `minimatch` ^9.0.0 added to `scripts/package.json`
+* `eslint` ^8.57.0, `eslint-config-next` ^14.2.0, `@types/jest` ^29.5.0, `ts-node` ^10.9.0 added to `sample-app/package.json`
+
+Deployment prerequisites (not in this change):
+* GitHub App with `contents: write` on `devopsabcs-engineering/.github-private`
+* Secrets `DEPLOY_APP_ID` and `DEPLOY_APP_PRIVATE_KEY` in source repo settings
@@ -0,0 +1,88 @@
+<!-- markdownlint-disable-file -->
+# Release Changes: Agentic DevSecOps Workshop
+
+**Related Plan**: agentic-devsecops-workshop-plan.instructions.md
+**Implementation Date**: 2026-03-18
+
+## Summary
+
+Build a complete hands-on workshop repository with 12 progressive labs teaching developers to use AI-powered DevSecOps agents from the Agentic DevSecOps Framework.
+
+## Changes
+
+### Added
+
+* `README.md` — Workshop main entry point with 12-lab checklist, delivery tiers, Mermaid dependency diagram
+* `LICENSE` — MIT License
+* `CODE_OF_CONDUCT.md` — Microsoft Open Source Code of Conduct
+* `CONTRIBUTING.md` — Workshop contribution guidelines
+* `_config.yml` — Jekyll theme config for GitHub Pages
+* `.gitignore` — Node.js, Next.js, coverage exclusions
+* `.github/copilot-instructions.md` — Workshop-specific Copilot instructions
+* `.github/workflows/security-scan.yml` — Security scanning workflow from framework
+* `.github/workflows/accessibility-scan.yml` — Accessibility scanning workflow from framework
+* `.github/workflows/code-quality.yml` — Code quality workflow from framework
+* `.github/workflows/finops-cost-gate.yml` — FinOps cost gate workflow from framework
+* `.devcontainer/devcontainer.json` — Codespaces config with Node.js 20, required extensions
+* `agents/` — 15 agent definitions copied from framework (security, a11y, code quality, FinOps)
+* `instructions/` — 3 instruction files copied from framework
+* `prompts/` — 2 prompt template files copied from framework
+* `skills/a11y-scan/SKILL.md` — Accessibility scan skill package
+* `skills/security-scan/SKILL.md` — Security scan skill package
+* `sample-app/` — Full Next.js 14 app with 40+ intentional vulnerabilities
+* `apm.yml` — Agent Policy Manager configuration
+* `validation-results.sarif` — SARIF output file for Lab 06 walkthrough
+* `images/lab-00/` through `images/lab-11/` — 12 screenshot directories with .gitkeep and README placeholders
+* `labs/lab-00-setup.md` — Lab 00: Prerequisites and Environment Setup (30 min, Beginner)
+* `labs/lab-01.md` — Lab 01: Explore the Sample App (25 min, Beginner)
+* `labs/lab-02.md` — Lab 02: Understanding Agents, Skills, and Instructions (20 min, Beginner)
+* `labs/lab-03.md` — Lab 03: Security Scanning with Copilot Agents (40 min, Intermediate)
+* `labs/lab-04.md` — Lab 04: Accessibility Scanning with Copilot Agents (35 min, Intermediate)
+* `labs/lab-05.md` — Lab 05: Code Quality Analysis with Copilot Agents (35 min, Intermediate)
+* `labs/lab-06.md` — Lab 06: Understanding SARIF Output (30 min, Intermediate)
+* `labs/lab-07.md` — Lab 07: Setting Up GitHub Actions Pipelines (40 min, Intermediate)
+* `labs/lab-08.md` — Lab 08: Viewing Results in GitHub Security Tab (25 min, Intermediate)
+* `labs/lab-09.md` — Lab 09: FinOps Agents and Azure Cost Governance (45 min, Advanced, Optional)
+* `labs/lab-10.md` — Lab 10: Agent Remediation Workflows (45 min, Advanced)
+* `labs/lab-11.md` — Lab 11: Creating Your Own Custom Agent (45 min, Advanced)
+
+### Modified
+
+### Removed
+
+* `sample-app/coverage/` — Removed build artifact from framework copy (students generate their own)
+
+## Additional or Deviating Changes
+
+* Phase 1 initial commit pushed directly to `main` instead of via PR because the repository was empty (no main branch existed)
+  * Reason: GitHub cannot create a PR without a base branch
+* Repository marked as GitHub Template via `gh repo edit --template`
+* Default branch set to `main` via `gh repo edit --default-branch main`
+* `apm.yml` and `validation-results.sarif` were not copied in Phase 1 subagent execution; added in Phase 4 commit
+  * Reason: Phase 1 subagent copied directory-level assets but missed root-level individual files
+
+## Release Summary
+
+Total files affected: 76 files created across 6 phases in 5 PRs
+
+**Files created:**
+* 12 lab files in `labs/`
+* 15 agent definitions in `agents/`
+* 3 instruction files in `instructions/`
+* 2 prompt files in `prompts/`
+* 2 skill packages in `skills/`
+* 4 GitHub Actions workflows in `.github/workflows/`
+* 12 image directories with README placeholders
+* 1 devcontainer config
+* 1 copilot instructions file
+* ~20 sample-app source files
+* 6 community/config files (README, LICENSE, CODE_OF_CONDUCT, CONTRIBUTING, _config.yml, .gitignore)
+* 2 framework assets (apm.yml, validation-results.sarif)
+
+**ADO Work Items:** Epic #2094 → Feature #2095 → User Stories #2096, #2097, #2098, #2099, #2100, #2101
+
+**GitHub PRs:** #1 (foundation labs), #2 (scanning labs), #3 (CI/CD labs), #4 (advanced labs), #5 (config/polish)
+
+**Repository Configuration:** Template repository enabled, default branch set to `main`
+
+**Deployment notes:** GitHub Pages can be enabled via Settings → Pages → main/root. The _config.yml is ready for minima theme.