README.md

title	Agentic Accelerator Framework
description	A comprehensive framework leveraging custom GitHub Copilot agents, GitHub Advanced Security, and Microsoft Defender for Cloud to shift security and compliance left across security, accessibility, code quality, and FinOps domains with SARIF-based CI/CD integration.
author	devopsabcs-engineering
ms.date	2026-03-17
ms.topic	overview
keywords	devsecops github copilot custom agents github advanced security microsoft defender for cloud sarif accessibility finops

Agentic Accelerator Framework

GitHub Advanced Security + GitHub Copilot Custom Agents + Microsoft Defender for Cloud
Shift-left security and compliance across Security, Accessibility, Code Quality, FinOps, and APM Security

---

Overview

The Agentic Accelerator Framework provides a repeatable, org-wide approach to shifting security and compliance left using custom GitHub Copilot agents. It covers five domains — Security, Accessibility, Code Quality, FinOps, and APM Security — with SARIF-based CI/CD integration across GitHub Actions and Azure DevOps.

The framework operates on a "shift-left then scale" principle:

1. Shift Left: Custom GHCP agents run in VS Code (IDE) before commit and in GitHub platform during PR review.
2. Automate: CI/CD pipelines (GitHub Actions + Azure DevOps Pipelines) run the same controls as automated gates.
3. Report: All findings output SARIF v2.1.0 for unified consumption (GitHub Code Scanning + ADO Advanced Security).
4. Govern: Security Overview + Defender for Cloud + Defender for DevOps + Power BI dashboards provide centralized governance.

Architecture

graph TB
    subgraph "Developer Workstation (VS Code)"
        A[Custom GHCP Agents<br/>Security • A11y • Quality • FinOps] --> B[Pre-screened Code]
        I[Instructions + Skills] --> A
        P[Prompt Files] --> A
    end

    subgraph "GitHub Platform"
        B --> C[Pull Request]
        C --> D[Custom Agents<br/>Coding Agent + Code Review]
        D --> E[GitHub Actions CI/CD]
        E --> F[SARIF Results Upload]
    end

    subgraph "Security Controls Pipeline"
        E --> G1[Secrets Scanning - Push Protection]
        E --> G2[SCA - Dependabot + SBOM]
        E --> G3[SAST - CodeQL + Copilot Autofix]
        E --> G4[IaC Scanning - MSDO + Checkov + Trivy]
        E --> G5[Container Image Scanning]
        E --> G6[DAST - ZAP]
        E --> G7[Accessibility - axe-core + IBM]
        E --> G8[Code Coverage ≥80%]
        E --> G9[Agent Config - APM audit]
        G1 & G2 & G3 & G4 & G5 & G6 & G7 & G8 & G9 --> F
    end

    subgraph "Centralized Governance"
        F --> H1[GitHub Security Overview]
        F --> H2[Microsoft Defender for Cloud]
        H2 --> H3[Defender for DevOps]
        H1 --> H4[Security Campaigns + Autofix]
    end

    subgraph "Azure Cloud"
        E --> AZ1[Azure Cost Management APIs]
        AZ1 --> AZ2[FinOps Governance + Alerting]
    end

Loading

Agent Inventory

The repository ships 23 custom GitHub Copilot agents. Sixteen production agents are deployed org-wide to the devopsabcs-engineering/.github-private repository (integrity-verified by the SHA-256 manifest in deploy-to-github-private.yml). The remaining seven are repo-local workshop and scaffolding helpers used for the DIY and workshop experiences.

Custom Agents Deployed to .github-private (16)

These agents are synced to the org-wide private configuration repository and pinned to model: Claude Opus 4.8 (copilot).

Agent	Domain	Source File	SARIF Category	Description
SecurityAgent	Security	agents/security-agent.agent.md	security/	Holistic security review orchestrator — ASP.NET Core, IaC, CI/CD, supply chain
SecurityReviewerAgent	Security	agents/security-reviewer-agent.agent.md	security/	Security-focused code reviewer detecting OWASP Top 10 vulnerabilities in source
SecurityPlanCreator	Security	agents/security-plan-creator.agent.md	security/	Security architect that builds cloud security plans from IaC blueprints
PipelineSecurityAgent	Security	agents/pipeline-security-agent.agent.md	security/	Hardens GitHub Actions and Azure DevOps YAML; emits patched workflows
IaCSecurityAgent	Security	agents/iac-security-agent.agent.md	security/	Scans Terraform, Bicep, ARM, Kubernetes, and Helm for misconfigurations
SupplyChainSecurityAgent	Security	agents/supply-chain-security-agent.agent.md	security/	Detects secrets, dependency vulnerabilities, and repo governance gaps
A11yDetector	Accessibility	agents/a11y-detector.agent.md	accessibility-scan/	WCAG 2.2 Level AA compliance detector (axe-core, IBM Equal Access, custom checks)
A11yResolver	Accessibility	agents/a11y-resolver.agent.md	accessibility-scan/	Accessibility remediation with verification re-scan
CodeQualityDetector	Code Quality	agents/code-quality-detector.agent.md	code-quality/coverage/	Code quality and coverage analysis; flags below-threshold functions
TestGenerator	Code Quality	agents/test-generator.agent.md	code-quality/coverage/	Auto-generates tests for uncovered code (happy path, error paths, edge cases)
CostAnalysisAgent	FinOps	agents/cost-analysis-agent.agent.md	finops-finding/v1	Cost Management API queries; cost reports by group, service, and tag
FinOpsGovernanceAgent	FinOps	agents/finops-governance-agent.agent.md	finops-finding/v1	Tag compliance and governance monitor
CostAnomalyDetector	FinOps	agents/cost-anomaly-detector.agent.md	finops-finding/v1	Cost anomaly detection and root-cause investigation
CostOptimizerAgent	FinOps	agents/cost-optimizer-agent.agent.md	finops-finding/v1	Right-sizing, reserved instances, and idle-resource savings
DeploymentCostGateAgent	FinOps	agents/deployment-cost-gate-agent.agent.md	finops-finding/v1	Deployment gatekeeper estimating IaC change costs against budget
ReverseEngineerSpec	Spec / Modernization	agents/reverse-engineer-spec.agent.md	n/a	Reverse-engineers current-state Spec-Kit slices from brownfield repos (four-pass)

Additional Repo-Local Agents (7)

These support the workshop and DIY domain-scaffolding experiences and are not part of the org-wide deployment manifest.

Agent	Domain	Source File	Purpose
APMSecurityDetector	APM Security	agents/apm-security-detector.agent.md	Agent-config security scanner (APM audit, semantic patterns, MCP validation)
APMSecurityResolver	APM Security	agents/apm-security-resolver.agent.md	Agent-config remediation (Unicode stripping, CODEOWNERS, MCP allowlist)
Accessibility Workshop Agent	Accessibility	agents/a11y-workshop.agent.md	Guides students through accessibility scanning labs
Code Quality Workshop Agent	Code Quality	agents/code-quality-workshop.agent.md	Guides students through code-quality scanning labs
FinOps Workshop Agent	FinOps	agents/finops-workshop.agent.md	Guides students through FinOps scanning labs
APM Security Workshop Agent	APM Security	agents/apm-security-workshop.agent.md	Guides students through APM Security scanning labs
DomainScaffolder	Platform	agents/domain-scaffolder.agent.md	Scaffolds new domain scanner demo-app and workshop repositories

Repository Structure

This repository uses the .github-private org-wide layout where agent configuration directories are at the repo root:

agents/                  ← 23 custom GHCP agent definitions (.agent.md); 16 deployed org-wide
instructions/            ← Path-specific instruction files (a11y-remediation, code-quality, wcag22-rules)
prompts/                 ← Reusable prompt templates (a11y-fix, a11y-scan)
skills/                  ← On-demand domain knowledge (a11y-scan, security-scan)
scripts/                 ← Agent validation tooling (validate-agents.mjs)
apm.yml                  ← APM dependency manifest
mcp.json                 ← MCP server configuration (ADO work items)
.github/
  CODEOWNERS             ← Mandatory security-team review for agent config paths
  copilot-instructions.md ← Repo-wide Copilot conventions
  instructions/          ← Workflow instructions (ado-workflow)
  skills/                ← Additional skills (docx, pdf, pptx, xlsx, Power BI)
  workflows/             ← 7 GitHub Actions CI/CD pipelines
docs/                    ← Framework documentation (9 guides)
sample-app/              ← Next.js demo application with Bicep infrastructure
samples/
  azure-devops/          ← 3 sample ADO pipeline YAML files

CI/CD Workflows

Workflow	Trigger	Purpose
security-scan.yml	PR and push to main	SCA, SAST (CodeQL), IaC, container, and DAST scanning
accessibility-scan.yml	PR and weekly schedule	Three-engine a11y scan with threshold gating
code-quality.yml	PR	Lint, type check, test, and 80% coverage gate
finops-cost-gate.yml	PR (IaC file changes)	Infracost estimate against monthly budget
apm-security.yml	PR (agent config file changes)	APM audit for prompt file supply chain attacks
ci-full-test.yml	Push and PR to main	Agent validation (structure, cross-refs, domain rules)
deploy-to-github-private.yml	Push to main	Syncs agent config to org-wide .github-private repository

Quick Start

1. Clone this repository (or use as .github-private for org-wide deployment).
2. Review the 23 agent definitions in agents/ (16 are deployed org-wide).
3. Customize instructions/ and prompts/ for your organization's standards.
4. Enable GitHub Actions workflows for CI/CD integration.
5. Configure mcp.json with your Azure DevOps organization details.
6. Run apm audit to validate agent configuration file integrity.

Documentation

• Architecture — Framework architecture and design patterns
• Agent Patterns — Agent file specification and YAML frontmatter schema
• Agent Extensibility — Plugin architecture, MCP integration, and APM dependency management
• SARIF Integration — SARIF v2.1.0 mapping for all domains
• Platform Comparison — GitHub vs Azure DevOps feature comparison
• Azure DevOps Pipelines — ADO YAML pipeline equivalents for each workflow
• Centralized Governance — Dual-platform dashboards and Defender for Cloud integration
• Prompt File Security — Threat model and APM defense for agent configuration files
• Implementation Roadmap — Phased rollout plan
• Domain Parity and Contribution Guide — Cross-domain feature parity comparison and guide for contributing new domains

Standards

• SARIF v2.1.0: OASIS SARIF specification for unified findings output
• WCAG 2.2 Level AA: W3C accessibility standard
• OWASP Top 10: Application security risks
• OWASP LLM Top 10: AI/LLM security risks
• CIS Azure Benchmarks, NIST 800-53, PCI-DSS: Compliance frameworks

Workshops

• Agentic Accelerator Workshop — Hands-on workshop for building and deploying custom GitHub Copilot agents with the Agentic Accelerator Framework
• Accessibility Scan Workshop — Workshop for WCAG 2.2 Level AA accessibility scanning and remediation using custom agents
• Code Quality Scan Workshop — Workshop for code quality scanning with ESLint, Ruff, jscpd, Lizard, and coverage tools
• FinOps Scan Workshop — Workshop for Azure cost optimization and FinOps governance using custom agents
• APM Security Scan Workshop — Workshop for agent configuration file security scanning with Unicode, semantic, and MCP validation engines

Domain Repositories

Each domain has a scanner platform repo (demo-app) and a workshop template repo:

Domain	Scanner Platform	Workshop
Accessibility	accessibility-scan-demo-app	accessibility-scan-workshop
Code Quality	code-quality-scan-demo-app	code-quality-scan-workshop
FinOps	finops-scan-demo-app	finops-scan-workshop
APM Security	apm-security-scan-demo-app	apm-security-scan-workshop

DIY: Build a New Domain

Ready to build the Code Quality domain from scratch? The framework includes a DomainScaffolder agent and complete automation artifacts for generating scanner demo-app and workshop repositories with full parity to the existing Accessibility, Code Quality, and FinOps domains.

See the DIY: Build the APM Security Domain guide for step-by-step instructions covering repo creation, sample app development, SARIF converters, workshop labs, Power BI PBIP, and ADO pipeline setup.

License

This project is licensed under the MIT License.