Problem or use case
After apiops extract, users have no guided way to check their extracted APIM artifacts against APIM best practices. The audit should look for anti-patterns (e.g. named values holding secrets that aren't marked secret) that otherwise go unnoticed. We want a low-friction, Copilot-assisted audit that also offers to fix the issues it finds.
Proposed solution
Have apiops init generate an additional Copilot prompt file — e.g. .github/prompts/apiops-check-best-practices.prompt.md — following the same generation pattern as the existing identity-setup prompt (src/templates/copilot/identity-setup-prompt.ts, written in src/services/init-service.ts). When opened with GitHub Copilot, the prompt guides the user through auditing the artifacts in the repo against a focused set of APIM best practices.
Scope — only things apiops-cli tracks
Keep the checks centered on apiops-managed artifacts (policies, named values, backends, diagnostics/loggers, subscriptions, products). Explicitly out of scope: infra/SKU/networking/scale guidance from the WAF doc that doesn't map to apiops artifacts.
Checks (initial set)
1. Hardcoded secrets in policy.xml (headline check) — detect literal secrets in policy XML (set-header auth/keys, set-query-parameter code/sig, authentication-basic password, validate-jwt keys, connection-string fragments).
2. Use of {{named-value}} references in policies, per https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties
3. Named values holding secrets that aren't marked secret: true or aren't Key Vault–backed → flag and offer to mark/migrate.
(Start with check #1; #2–#3 can follow.)
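As an added example (not apiops-cli code, and not the prompt the issue proposes), here is the headline check written as plain TypeScript that a Copilot prompt could describe in words: it walks a policy.xml line by line and flags inline literals in the places the issue lists, while accepting {{named-value}} references and policy expressions. The element names (set-header, set-query-parameter, authentication-basic, validate-jwt) are real APIM policy elements; the lists of credential-carrying header and query-parameter names, the connection-string key names, and the sample policy are assumptions constructed for illustration.

```typescript
// Added example, not apiops-cli code: heuristic scan for literal secrets in an APIM policy.xml.
// Assumed for illustration: the sensitive header/query-parameter name lists and the sample policy.

interface Finding {
  line: number;   // 1-based line in the policy file
  check: string;  // which sub-check fired
  detail: string; // redacted description, safe to print in an audit report
}

const NAMED_VALUE_REF = /\{\{[^}]+\}\}/; // {{my-named-value}}, resolved by APIM at runtime
const POLICY_EXPR = /^@[({]/;            // @(...) or @{...} policy expression

// A value is a literal secret if it neither references a named value nor is a policy expression.
function isLiteralSecret(raw: string): boolean {
  const v = raw.trim();
  return v.length > 0 && !NAMED_VALUE_REF.test(v) && !POLICY_EXPR.test(v);
}

// Never echo the whole secret into the audit output; keep just enough to locate it.
function redact(raw: string): string {
  const v = raw.trim();
  return v.length <= 4 ? "****" : `${v.slice(0, 4)}...(${v.length - 4} more chars)`;
}

// Assumed lists of header / query-parameter names that carry credentials.
const SENSITIVE_HEADER = /^(authorization|ocp-apim-subscription-key|x-api-key|x-functions-key|api-key|.*-token|.*-secret)$/i;
const SENSITIVE_QUERY = /^(code|sig|key|api-key|subscription-key)$/i;
// Key/password fragments of common Azure connection strings (Storage, Service Bus, SQL).
const CONN_STRING_FRAG = /\b(AccountKey|SharedAccessKey|SharedAccessSignature|Password|Pwd)=([^;"'<\s]+)/i;

function scanPolicyXml(xml: string): Finding[] {
  const findings: Finding[] = [];
  const lines = xml.split(/\r?\n/);
  // The sensitive set-header / set-query-parameter element whose <value> child we are inside.
  let enclosing: { element: string; name: string } | null = null;
  let inValidateJwt = false;

  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const ln = i + 1;
    let m: RegExpExecArray | null;

    // Checks 1 and 2: set-header auth/keys and set-query-parameter code/sig, via the <value> child.
    if ((m = /<set-header\b[^>]*\bname="([^"]+)"/.exec(line)) && SENSITIVE_HEADER.test(m[1])) {
      enclosing = { element: "set-header", name: m[1] };
    } else if ((m = /<set-query-parameter\b[^>]*\bname="([^"]+)"/.exec(line)) && SENSITIVE_QUERY.test(m[1])) {
      enclosing = { element: "set-query-parameter", name: m[1] };
    }
    if (enclosing && (m = /<value>([^<]*)<\/value>/.exec(line)) && isLiteralSecret(m[1])) {
      findings.push({ line: ln, check: enclosing.element, detail: `${enclosing.name} = ${redact(m[1])}` });
    }
    if (/<\/set-header>|<\/set-query-parameter>/.test(line)) enclosing = null;

    // Check 3: authentication-basic password attribute.
    if ((m = /<authentication-basic\b[^>]*\bpassword="([^"]*)"/.exec(line)) && isLiteralSecret(m[1])) {
      findings.push({ line: ln, check: "authentication-basic", detail: `password = ${redact(m[1])}` });
    }

    // Check 4: validate-jwt issuer-signing-keys given inline as <key>base64</key>;
    // <key certificate-id="..."/> has no text content and is not flagged.
    if (/<validate-jwt\b/.test(line)) inValidateJwt = true;
    if (inValidateJwt && (m = /<key\b[^>]*>([^<]+)<\/key>/.exec(line)) && isLiteralSecret(m[1])) {
      findings.push({ line: ln, check: "validate-jwt", detail: `issuer-signing-key = ${redact(m[1])}` });
    }
    if (/<\/validate-jwt>/.test(line)) inValidateJwt = false;

    // Check 5: connection-string fragments anywhere on the line (set-variable, set-body, attributes...).
    let rest = line;
    while ((m = CONN_STRING_FRAG.exec(rest))) {
      if (isLiteralSecret(m[2])) {
        findings.push({ line: ln, check: "connection-string", detail: `${m[1]} = ${redact(m[2])}` });
      }
      rest = rest.slice(m.index + m[0].length);
    }
  }
  return findings;
}

// Constructed sample policy: each sub-check has one literal to catch and one acceptable form.
const SAMPLE_POLICY_XML = `<policies>
  <inbound>
    <base />
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
      <value>3f2a9c1d7b8e4f60a1b2c3d4e5f60718</value>
    </set-header>
    <set-header name="Authorization" exists-action="override">
      <value>Bearer {{backend-bearer-token}}</value>
    </set-header>
    <set-query-parameter name="code" exists-action="override">
      <value>Q0rX9yPzA2bLmN3vK8sT1wE5hJ7uG6fD</value>
    </set-query-parameter>
    <authentication-basic username="svc-api" password="Winter2024!" />
    <validate-jwt header-name="Authorization">
      <issuer-signing-keys>
        <key>c2VjcmV0LWhtYWMta2V5LWJhc2U2NA==</key>
        <key certificate-id="jwt-signing-cert" />
      </issuer-signing-keys>
    </validate-jwt>
    <set-variable name="conn" value="Server=tcp:db.example;Database=orders;User ID=app;Password=P@ssw0rd123;" />
    <set-variable name="safe-conn" value="{{orders-db-connection-string}}" />
  </inbound>
</policies>`;

for (const f of scanPolicyXml(SAMPLE_POLICY_XML)) {
  console.log(`policy.xml:${f.line} [${f.check}] ${f.detail}`);
}
```

Run against the sample it reports five findings (the subscription key, the query code, the basic-auth password, the inline JWT signing key and the SQL password) and stays quiet on the Bearer {{backend-bearer-token}} header, the certificate-id key and the {{orders-db-connection-string}} variable, which is the distinction the prompt needs to draw when it offers a fix: move the literal into a named value and replace it with a {{named-value}} reference.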
Reference
APIM best-practice guidance: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-api-management — used as a source, but the prompt should distill only the artifact-level items above rather than the full large-deployment guidance.
Affected command
apiops init (generates the prompt file); the prompt itself assists with apiops extract output.
Implementation notes
New template under src/templates/copilot/ (e.g. best-practices-prompt.ts) + embedded markdown, mirroring identity-setup-prompt.ts.
Write the file in init-service.ts alongside the identity prompt (conflict-check + add to generatedFiles.configs), and mention it in the init-command.ts next-steps output.