Add threat_intel integration using AbuseIPDB API

[Copilot]

No existing integration in this repo uses a threat intelligence endpoint. This adds one — a check that queries the AbuseIPDB API for IP reputation data and ships results as logs.

Integration

• ThreatIntelCheck — extends AgentCheck, queries configured IP addresses against AbuseIPDB, emits structured logs with abuse scores, ISP/geo data, and report counts
• Service check threat_intel.can_connect — CRITICAL on any failed IP query, OK otherwise
• Config spec with api_key (secret), ip_addresses list, max_age_in_days (1–365, default 90)

# Core check loop
for ip_address in self.ip_addresses:
    result = self.query_ip(ip_address)  # self.http.get() → AbuseIPDB
    self.send_log({"timestamp": ..., "message": json.dumps(data), "ddsource": "threat_intel"})

Files

• check.py, constants.py — check implementation
• spec.yaml + auto-generated config_models/ via ddev validate
• manifest.json, service_checks.json, conf.yaml.example
• 10 unit tests covering config validation, successful queries, API errors, and partial failures

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• docs.datadoghq.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.