Contributor

Copilot AI commented Jan 6, 2026

  • Create sample directory with Dev Proxy configuration
  • Create mock CRUD API for demonstration
  • Add OpenAPI spec for the Contoso Products API
  • Create comprehensive README
  • Simplify sample to match existing patterns per copilot-instructions.md
  • Update sample dates (creationDateTime and updateDateTime) to 2026-01-10
  • Move all config files to .devproxy folder
  • Remove properties with default values (workspace, createApicEntryForNewApis)
Original prompt

This section details on the original issue you should resolve

<issue_title>Sample: shadow-api-detection - Find unregistered APIs with Azure API Center</issue_title>
<issue_description>## Summary
Create a sample that detects APIs not registered in Azure API Center (shadow APIs).

Plugins to use

  • ApiCenterOnboardingPlugin - checks if APIs are registered in API Center
  • OpenApiSpecGeneratorPlugin (optional) - generate specs for unregistered APIs
  • PlainTextReporter or JsonReporter - for reports

What to build

  • Configure connection to Azure API Center
  • Sample app that calls both registered and unregistered APIs
  • Show the shadow API detection report
  • Demonstrate automatic onboarding of new APIs with OpenAPI specs
  • CI/CD integration example (fail build on shadow APIs)

Configuration example

```json
{
  "apiCenterOnboardingPlugin": {
    "subscriptionId": "your-subscription-id",
    "resourceGroupName": "your-rg",
    "serviceName": "your-api-center",
    "createApicEntryForNewApis": true
  }
}
```

Why this is compelling

API governance automation. Detect unregistered APIs before they reach production. Maintain up-to-date API catalog.

Prerequisites

  • Azure API Center instance
  • APIs registered in API Center

Reference docs

  • ApiCenterOnboardingPlugin technical reference
  • How to find shadow APIs how-to guide
    </issue_description>

Comments on the Issue (you are @copilot in this section)
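
The check the issue describes (observed requests compared against the APIs registered in a catalog, with a failing exit code for CI) can be sketched as follows. This is an added example, not code from the PR or from Dev Proxy's ApiCenterOnboardingPlugin; the spec fragment, the observed requests and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed OpenAPI definition of the one registered API.
REGISTERED_SPECS = [{
    "servers": [{"url": "https://api.contoso.com"}],
    "paths": {
        "/products": {"get": {}, "post": {}},
        "/products/{id}": {"get": {}, "put": {}, "delete": {}},
    },
}]
# Constructed sample: (method, URL) pairs seen while recording traffic.
OBSERVED = [
    ("GET", "https://api.contoso.com/products"),
    ("DELETE", "https://api.contoso.com/products/42"),
    ("PATCH", "https://api.contoso.com/products/42"),
    ("GET", "https://jsonplaceholder.typicode.com/posts"),
]

def compile_catalog(specs):
    """Expand every server + path template into (scheme, host, regex, methods)."""
    catalog = []
    for spec in specs:
        for server in spec.get("servers", []):
            base = urlsplit(server["url"])
            for template, ops in spec.get("paths", {}).items():
                # A {param} placeholder matches exactly one path segment.
                parts = re.split(r"\{[^/}]+\}", base.path.rstrip("/") + template)
                regex = re.compile("[^/]+".join(map(re.escape, parts)) + "/?")
                methods = {m.upper() for m in ops}
                catalog.append((base.scheme, base.netloc.lower(), regex, methods))
    return catalog

def is_documented(method, url, catalog):
    """True when host, path and method all match one registered operation."""
    u = urlsplit(url)
    return any(
        scheme == u.scheme and host == u.netloc.lower()
        and regex.fullmatch(u.path) and method.upper() in methods
        for scheme, host, regex, methods in catalog
    )

def find_shadow(observed, specs):
    """Return the observed requests that no registered definition documents."""
    catalog = compile_catalog(specs)
    return [(m, url) for m, url in observed if not is_documented(m, url, catalog)]

if __name__ == "__main__":
    found = find_shadow(OBSERVED, REGISTERED_SPECS)
    print(*(f"shadow API request: {m} {u}" for m, u in found), sep="\n")
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI job
```

Besides the unregistered host, the undocumented `PATCH` on a registered path is reported, which is the case a host-only allowlist would miss.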



Copilot AI self-assigned this Jan 6, 2026
Copilot AI changed the title from "[WIP] Create sample to detect unregistered APIs in Azure API Center" to "Add shadow-api-detection sample for Azure API Center" Jan 6, 2026
Copilot AI requested a review from waldekmastykarz January 6, 2026 11:48
Member

waldekmastykarz left a comment

## Minimal path to awesome

1. Clone this repository (or [download this solution as a .ZIP file](https://pnp.github.io/download-partial/?url=https://github.com/pnp/proxy-samples/tree/main/samples/shadow-api-detection) then unzip it)
1. Create an Azure API Center instance and register your organization's APIs
Member

@copilot provide a script using az to onboard the API as required by this sample. Also, generate the OpenAPI spec folks will need to onboard the API.

Contributor Author

Added setup.sh script with az commands and api.contoso.com.json OpenAPI spec for onboarding the API. (205657f)

- `serviceName`: Your API Center instance name
1. Sign in to Azure using `az login`
1. Start Dev Proxy in recording mode: `devproxy --config-file devproxyrc.json --record`
1. Issue API requests through Dev Proxy using the `demo-requests.http` file or by running `curl -ikx http://127.0.0.1:8000 https://jsonplaceholder.typicode.com/posts`
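Review bot: In the last step, `curl -ikx` includes `-k`, which disables TLS certificate verification for the request. README commands get copied verbatim, so consider passing the proxy's root certificate with `--cacert` and dropping `-k`; if the flag is needed only because the request goes through the local proxy at 127.0.0.1:8000, say so next to the command.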
Member

@copilot the curl command doesn't refer to the mock CRUD API in this sample

Contributor Author

Fixed. The curl command now shows both the registered API (https://api.contoso.com/products) and shadow API requests. (205657f)

- `serviceName`: Your API Center instance name
1. Sign in to Azure using `az login`
1. Start Dev Proxy in recording mode: `devproxy --config-file devproxyrc.json --record`
1. Issue API requests through Dev Proxy using the `demo-requests.http` file or by running `curl -ikx http://127.0.0.1:8000 https://jsonplaceholder.typicode.com/posts`
Member

@copilot how should folks use the .http file so that the requests are processed by Dev Proxy? Either be specific or remove the file.

Contributor Author

Removed the .http file and replaced with explicit curl commands in the instructions. (205657f)

"workspace": "default",
"createApicEntryForNewApis": true
},
"logLevel": "information"
Member

@copilot This is default so we can remove it

Contributor Author

Removed logLevel from the config. (205657f)

- `resourceGroupName`: The resource group containing your API Center
- `serviceName`: Your API Center instance name
1. Sign in to Azure using `az login`
1. Start Dev Proxy in recording mode: `devproxy --config-file devproxyrc.json --record`
Member

@copilot `--record` can be encoded in the config file to simplify starting Dev Proxy. Also, devproxyrc.json is the default config name, so it's automatically picked up by Dev Proxy without having to name it explicitly. Simplify the whole command to `devproxy`.

Contributor Author

Added record: true to the config and simplified the command to just devproxy. (205657f)

"alt": "Dev Proxy detecting shadow APIs not registered in Azure API Center"
}
],
"authors": [
Member

@copilot Change the author to waldekmastykarz

Contributor Author

Changed author to waldekmastykarz in both sample.json and README.md. (205657f)

Contributor Author

Copilot AI commented Jan 8, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: /usr/bin/../../opt/az/bin/python3 /usr/bin/../../opt/az/bin/python3 -Im azure.cli apic api definition import-specification --help (dns block)
  • app.aladdin.microsoft.com
    • Triggering command: /usr/bin/../../opt/az/bin/python3 /usr/bin/../../opt/az/bin/python3 -Im azure.cli apic api definition import-specification --help (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


github-actions bot commented Jan 9, 2026

Validation failed!

File: samples/shadow-api-detection/assets/sample.json

@waldekmastykarz
Member

@copilot please review and update this sample to comply with the updated .github/copilot-instructions.md

Contributor Author

Copilot AI commented Jan 10, 2026

> @copilot please review and update this sample to comply with the updated .github/copilot-instructions.md

Updated sample to comply with copilot-instructions.md:

  • Removed setup.sh script (no test scripts per guidelines)
  • Added shadow-api-detection.http file for REST Client extension
  • Simplified README to match the pattern from demo-apicenter-minimalpermissions

(b3fb72c)

@waldekmastykarz
Member

@copilot please also:

  • Change the author in assets/sample.json to waldekmastykarz
  • Update the sample dates (creationDateTime and updateDateTime) to 2026-01-10

Co-authored-by: waldekmastykarz <[email protected]>
Contributor Author

Copilot AI commented Jan 10, 2026

> @copilot please also:
>
>   • Change the author in assets/sample.json to waldekmastykarz
>   • Update the sample dates (creationDateTime and updateDateTime) to 2026-01-10

The author was already set to waldekmastykarz. Updated the dates (creationDateTime and updateDateTime) to 2026-01-10. (26fe861)

@waldekmastykarz
Member

@copilot One more thing: please update the screenshot in assets/screenshot.png to reflect the current sample output.

Contributor Author

Copilot AI commented Jan 10, 2026

> @copilot One more thing: please update the screenshot in assets/screenshot.png to reflect the current sample output.

I'm unable to generate actual screenshots as I don't have access to a running Dev Proxy instance or screen capture capabilities. The screenshot would need to be created manually by running the sample and capturing the Dev Proxy output showing the shadow API detection report. Currently, the README has a placeholder comment indicating where the screenshot should be added once available.

@waldekmastykarz
Member

@copilot Please make the following changes:

  1. Move all Dev Proxy config files to the .devproxy folder - All configuration files (like devproxyrc.json, mock files, error files, etc.) should be placed in a .devproxy subfolder within the sample directory. This is the recommended location for Dev Proxy configs.

  2. Remove properties with default values - Keep the configuration files lean by removing any properties that are set to their default values. For example:

    • Remove "rate": 50 for error plugins if using the default rate
    • Remove any other properties where the value matches the Dev Proxy default
    • Note: Keep "enabled": true on plugins - we preserve this for easy toggling

This keeps the sample configs minimal and easier to understand.

Contributor Author

Copilot AI commented Jan 10, 2026

> @copilot Please make the following changes:
>
>   1. Move all Dev Proxy config files to the .devproxy folder - All configuration files (like devproxyrc.json, mock files, error files, etc.) should b...

Moved all config files (devproxyrc.json, api.contoso.com.json) to the .devproxy folder and removed properties with default values (workspace: "default" and createApicEntryForNewApis: true) from the ApiCenterOnboardingPlugin config. Updated README with new file paths. (4e59573)


Development

Successfully merging this pull request may close these issues.

Sample: shadow-api-detection - Find unregistered APIs with Azure API Center
