* feat(instructions): update security, a11y, and performance to 2025-2026 standards
  Security: OWASP 2025 (55 anti-patterns, AI/LLM section, 6 frameworks)
  Accessibility: WCAG 2.2 AA (38 anti-patterns, legal context EAA/ADA, 4 frameworks)
  Performance: CWV (50 anti-patterns, Next.js 16, Angular 20, modern APIs)
* fix(instructions): use globalThis.scheduler to prevent ReferenceError
  Access scheduler via globalThis to safely handle environments where the Scheduling API is not declared as a global variable.
* fix(instructions): correct regex patterns and harden SSRF example
  - AU1: anchor jwt.verify lookahead inside parentheses
  - AU2: anchor jwt.sign lookahead, add expiresIn alternative
  - AU7: fix greedy .* before negative lookahead in OAuth state check
  - I5: resolve all DNS records, add TOCTOU production note
  - K2: add closing delimiters and multi-digit support to tabindex regex
* fix(instructions): enhance SSRF IP validation with IPv4-mapped IPv6
  Normalize IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before checking private ranges, preventing bypass via mapped addresses.
* fix(instructions): add noscript fallback for deferred CSS pattern
  Without JS, the media="print" + onload pattern leaves the stylesheet inactive. The noscript tag loads it normally when JS is disabled.
* fix(instructions): add execFileSync to I3 command injection detection
  The BAD example uses execFileSync but the regex only matched exec, execSync, and execFile — missing the sync variant.
* fix(instructions): cover full IPv6 link-local range in SSRF check
  fe80::/10 spans fe80-febf (fe8*, fe9*, fea*, feb*). Previous regex only matched fe80::. Also use normalized variable for consistency.
* fix(instructions): adjust SSRF wording and downgrade reduced-motion severity
  - SSRF: replace "full DNS/IP validation" with accurate wording that acknowledges TOCTOU limitation
  - V5: downgrade prefers-reduced-motion from IMPORTANT to SUGGESTION, remove 2.2.2 (A) reference since it's an AAA enhancement
* fix(instructions): rename AU4 heading to include SHA-256
  The heading said "Weak Password Hash (MD5/SHA1)" but the detection regex and BAD example both use SHA-256. Renamed to "Fast Hash for Passwords" which better describes the actual anti-pattern.
* fix(instructions): clarify WCAG 2.2 SC 4.1.1 status as obsolete
  SC 4.1.1 Parsing is still present in the WCAG 2.2 spec but marked as obsolete (always satisfied). Changed wording from "removed" to "obsolete" for accuracy.
* fix(instructions): rename I1 example vars to avoid TS redeclaration
  Copy-pasting the I1 SQL injection example as a single block failed with a TypeScript redeclaration error because both BAD and GOOD snippets used `const result`. Rename to `unsafeResult`/`safeResult` so the block remains copy-pasteable into a single scope.
* fix(instructions): migrate I3 example to async execFile with bounds
  The I3 command injection example used `execFileSync` in both BAD and GOOD paths, which (a) redeclared `const output` in the same block and (b) blocks the Node event loop in server handlers, amplifying DoS impact. Switch the GOOD/BEST paths to a promisified `execFile` call with explicit `timeout` and `maxBuffer` bounds, and rename variables to `unsafeOutput`/`safeOutput` so the snippet stays copy-pasteable. Add a trailing note recommending async child_process APIs for server code.
* fix(instructions): align AU6 heading with session fixation example
  The AU6 heading claimed "Session Not Invalidated on Password Change" but the mitigation example showed `req.session.regenerate`, which is the canonical defense against session fixation on login rather than bulk invalidation after a credential change. Rename the anti-pattern to "Missing Session Regeneration on Login (Session Fixation)" so it matches the example, and add a trailing note pointing to the complementary practice of invalidating other active sessions for the user on password change (e.g., via a `tokenVersion` counter).
* fix(instructions): make L1 critical CSS pattern CSP-compatible
  The L1 "GOOD" snippet relied on an inline `onload="this.media='all'"` handler on a `<link>` tag. Under a strict CSP that disallows `'unsafe-inline'` / `script-src-attr 'unsafe-inline'`, inline event handlers are blocked, so the stylesheet would never activate and users would hit a styling regression. Replace the pattern with build-time critical CSS extraction (Critters/Beasties/Next.js `optimizeCss`) plus a normal `<link rel="preload" as="style">` and standard `<link rel="stylesheet">`. Add a trailing note explaining why the older inline-onload trick breaks under strict CSP and how to defer non-critical CSS with an external script when deferral is truly needed.
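The SSRF address check that the commits above describe (normalizing IPv4-mapped IPv6 before testing private ranges, and covering the whole fe80::/10 link-local range rather than only `fe80::`), written out as an added example. This is not code from the awesome-copilot instructions themselves; the function names and the exact list of blocked ranges are assumptions for this example. DNS resolution is left to the caller, because, as the I5 commit notes, checking resolved addresses and then connecting still leaves a TOCTOU gap that an address check alone cannot close.

```javascript
// Added example (not from the awesome-copilot repository): classify a resolved
// address before an outbound request is allowed. Function names and the set
// of blocked ranges are assumptions made for this example.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Return the four octets of a dotted-quad IPv4 string, or null if it is not
// a plain dotted quad (shorthand such as "127.1" or octal octets is refused).
function parseIPv4(text) {
  const m = IPV4_RE.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Collapse IPv4-mapped IPv6 forms to plain IPv4 so "::ffff:127.0.0.1" is
// classified exactly like "127.0.0.1". The dotted (::ffff:a.b.c.d) and hex
// (::ffff:7f00:1) spellings and the zero-expanded prefix are all handled.
function normalizeAddress(address) {
  let addr = address.trim().toLowerCase();
  addr = addr.replace(/^(?:0{1,4}:){5}ffff:/, '::ffff:');
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(addr);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return addr;
}

// Loopback, RFC 1918, link-local (which includes the 169.254.169.254 cloud
// metadata address) and "this network" are never legitimate user-supplied targets.
function isBlockedIPv4(octets) {
  const [a, b] = octets;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// fe80::/10 means a first hextet of fe80 through febf, not just "fe80::";
// fc00::/7 is unique-local; ::1 and :: are loopback / unspecified.
function isBlockedIPv6(addr) {
  if (addr === '::1' || addr === '::') return true;
  const first = addr.split(':')[0];
  return /^fe[89ab][0-9a-f]$/.test(first) || /^f[cd][0-9a-f]{2}$/.test(first);
}

// Decide whether one resolved address may be connected to. Anything that is
// not an IP literal is refused rather than guessed at.
function isBlockedAddress(address) {
  const normalized = normalizeAddress(address);
  const v4 = parseIPv4(normalized);
  if (v4) return isBlockedIPv4(v4);
  if (normalized.includes(':')) return isBlockedIPv6(normalized);
  return true;
}

// Every record the resolver returned must pass, not only the first one; the
// caller supplies the list (for example from dns.promises.resolve4/resolve6).
function allResolvedAddressesAllowed(addresses) {
  return addresses.length > 0 && addresses.every((a) => !isBlockedAddress(a));
}
```

In production the request should then be made to the address that was checked (pinning the connection to it) rather than re-resolving the hostname at connect time, since a second lookup can return a different record; that is the TOCTOU limitation the SSRF commits refer to.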
🤖 Awesome GitHub Copilot
A community-created collection of custom agents, instructions, skills, hooks, workflows, and plugins to supercharge your GitHub Copilot experience.
Tip
Explore the full collection on the website → awesome-copilot.github.com
The website offers full-text search and filtering across hundreds of resources, plus the Tools section for MCP servers and developer tooling, and the Learning Hub for guides and tutorials.
Using this collection in an AI agent? A machine-readable llms.txt is available with structured listings of all agents, instructions, and skills.
📖 Learning Hub
New to GitHub Copilot customization? The Learning Hub on the website offers curated articles, walkthroughs, and reference material — covering everything from core concepts like agents, skills, and instructions to hands-on guides for hooks, agentic workflows, MCP servers, and the Copilot coding agent.
What's in this repo
| Resource | Description | Browse |
|---|---|---|
| 🤖 Agents | Specialized Copilot agents that integrate with MCP servers | All agents → |
| 📋 Instructions | Coding standards applied automatically by file pattern | All instructions → |
| 🎯 Skills | Self-contained folders with instructions and bundled assets | All skills → |
| 🔌 Plugins | Curated bundles of agents and skills for specific workflows | All plugins → |
| 🪝 Hooks | Automated actions triggered during Copilot agent sessions | All hooks → |
| ⚡ Agentic Workflows | AI-powered GitHub Actions automations written in markdown | All workflows → |
| 🍳 Cookbook | Copy-paste-ready recipes for working with Copilot APIs | — |
🛠️ Tools
Looking for ways to use Awesome Copilot? Check out the Tools section of the website for MCP servers, editor integrations, and other developer tooling to get the most out of this collection.
Install a Plugin
For most users, the Awesome Copilot marketplace is already registered in the Copilot CLI/VS Code, so you can install a plugin directly:
copilot plugin install <plugin-name>@awesome-copilot
If you are using an older Copilot CLI version or a custom setup and see an error that the marketplace is unknown, register it once and then install:
copilot plugin marketplace add github/awesome-copilot
copilot plugin install <plugin-name>@awesome-copilot
Contributing
See CONTRIBUTING.md · AGENTS.md for AI agent guidance · Security · Code of Conduct
The customizations here are sourced from third-party developers. Please inspect any agent and its documentation before installing.
Contributors ✨
Thanks goes to these wonderful people (emoji key):
This project follows the all-contributors specification. Contributions of any kind welcome!
📚 Additional Resources
- VS Code Copilot Customization Documentation - Official Microsoft documentation
- GitHub Copilot Chat Documentation - Complete chat feature guide
- VS Code Settings - General VS Code configuration guide
™️ Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.