security
Continuous repository security scanning and release gating. Triggers: "security scan", "security audit", "pre-release security", "run scanners", "check vulnerabilities".
Best use case
security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using security should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/security/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How security Compares
| Feature / Agent | security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Continuous repository security scanning and release gating. Triggers: "security scan", "security audit", "pre-release security", "run scanners", "check vulnerabilities".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Skill

> **Purpose:** Run repeatable security checks across code, scripts, hooks, and release gates.

Use this skill when you need deterministic security validation before merge/release, or recurring scheduled checks.

## Quick Start

```bash
$security            # quick security gate
$security --full     # full gate with test-inclusive toolchain checks
$security --release  # full gate for release readiness
$security --json     # machine-readable report output
```

## Execution Contract

### 1) Pre-PR (fast)

Run quick gate:

```bash
scripts/security-gate.sh --mode quick
```

Expected behavior:

- Fails on high/critical findings from available scanners.
- Writes artifacts under `$TMPDIR/agentops-security/<run-id>/`.

### 2) Pre-Release (strict)

Run full gate:

```bash
scripts/security-gate.sh --mode full
```

Expected behavior:

- Full scanner pass before release workflow can continue.
- Artifacts retained for audit and incident response.

### 3) Nightly (continuous)

Nightly workflow should run:

```bash
scripts/security-gate.sh --mode full
```

Expected behavior:

- Detects drift/regressions outside active PR windows.
- Failing run creates actionable signal in workflow summary/issues.

## Triage Guidance

When gate fails:

1. Open latest artifact in `$TMPDIR/agentops-security/` and identify scanner + file.
2. Classify severity (critical/high/medium).
3. Fix immediately for critical/high or create tracked follow-up issue with owner.
4. Re-run `scripts/security-gate.sh` until gate passes.

## Reporting Template

```markdown
Security gate run: <run-id>
Mode: <quick|full>
Result: <pass|blocked>
Top findings:
- <scanner> <severity> <file> <summary>
Actions:
- <fix or issue id>
```

## Notes

- For OWASP A06 dependency vulnerability scanning, run `$deps vuln` to complement static analysis with dependency-level checks.
- Use this as the canonical security runbook instead of ad-hoc scanner commands.
- Keep workflow wiring aligned with this contract in:
  - `.github/workflows/validate.yml`
  - `.github/workflows/nightly.yml`
  - `.github/workflows/release.yml`
- For binary/internal black-box assurance plus offline repo-surface redteam, use:
  - `skills/security-suite/SKILL.md` (includes `security_suite.py` and `prompt_redteam.py`)

## Examples

### Scenario: Quick Security Gate Before Opening a PR

**User says:** `$security`

**What happens:**

1. The skill runs `scripts/security-gate.sh --mode quick`, which executes available scanners (semgrep, gosec, gitleaks) against the current working tree and flags high/critical findings.
2. Scan artifacts are written to `$TMPDIR/agentops-security/<run-id>/` for review, and the gate reports a pass/blocked verdict.

**Result:** The gate passes with no high/critical findings, confirming the branch is safe to open a PR.

### Scenario: Full Security Gate for a Release

**User says:** `$security --release`

**What happens:**

1. The skill runs `scripts/security-gate.sh --mode full`, which performs a comprehensive scan including all scanner passes, test-inclusive toolchain checks, and stricter severity thresholds.
2. Artifacts are retained under `$TMPDIR/agentops-security/<run-id>/` for audit trail and incident response, and a structured report is generated.

**Result:** The full gate blocks the release on two medium-severity findings in `cli/internal/config.go`; the operator triages and fixes them before re-running the gate to get a clean pass.

## Troubleshooting

| Problem | Cause | Solution |
|---------|-------|----------|
| Gate reports "scanner not found" and skips checks | Required scanner (semgrep, gosec, or gitleaks) is not installed | Install the missing scanner: `brew install semgrep`, `go install github.com/securego/gosec/v2/cmd/gosec@latest`, or `brew install gitleaks`. |
| Gate passes locally but fails in CI | CI environment has additional scanners or stricter config | Compare `$TMPDIR/agentops-security/` artifacts from both environments; align scanner versions and config files across local and CI. |
| False positive blocking the gate | Scanner flags a non-issue as high/critical severity | Add a scanner-specific inline suppression comment (e.g., `# nosemgrep: rule-id`) or update the scanner config to exclude the pattern, then document the suppression reason. |
| Artifacts directory `$TMPDIR/agentops-security/` not created | Script lacks write permissions or `$TMPDIR` is not writable | Verify `$TMPDIR` is set and writable; the script auto-creates subdirectories on each run. |
| Nightly scan not detecting regressions | Nightly workflow is not configured or is pointing at stale branch | Verify `.github/workflows/nightly.yml` runs `scripts/security-gate.sh --mode full` against the correct branch (typically `main`). |

## See Also

- [deps](../deps/SKILL.md) — Dependency audit, vulnerability scanning, and license compliance

## Local Resources

### scripts/

- `scripts/security-gate.sh`
- `scripts/validate.sh`
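
The pass/blocked decision and the reporting template from the SKILL.md above, as an added Python example; it is not the project's `scripts/security-gate.sh`. Assumptions: the per-mode thresholds (quick blocks on high/critical, full blocks from medium up, inferred from the release scenario), the semgrep severity mapping, treating every gitleaks hit as high, and the constructed sample reports.

```python
import json

ORDER = ["low", "medium", "high", "critical"]
# Assumed thresholds: quick blocks on high/critical (Execution Contract);
# full blocks from medium up (inferred from the release scenario).
THRESHOLD = {"quick": "high", "full": "medium"}
# Assumed mapping of semgrep's native levels onto the runbook's severity names.
SEMGREP = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}

def rank(sev):
    # Unknown severities rank above critical so the gate fails closed.
    return ORDER.index(sev) if sev in ORDER else len(ORDER)

def normalize(scanner, raw):
    """Map one scanner's JSON report to (scanner, severity, file, summary) tuples."""
    data = json.loads(raw)
    if scanner == "semgrep":
        return [("semgrep", SEMGREP.get(r["extra"]["severity"], "unknown"),
                 r["path"], r["check_id"]) for r in data.get("results", [])]
    if scanner == "gosec":
        return [("gosec", i["severity"].lower(), i["file"], i["rule_id"])
                for i in data.get("Issues", [])]
    if scanner == "gitleaks":
        # gitleaks reports carry no severity; a leaked secret is treated as high (assumption).
        return [("gitleaks", "high", f["File"], f["RuleID"]) for f in data or []]
    raise ValueError(f"unknown scanner: {scanner}")

def gate(run_id, mode, reports):
    """Return (result, report); report fills the runbook template down to 'Top findings'."""
    findings = [f for name, raw in reports.items() for f in normalize(name, raw)]
    blocking = sorted((f for f in findings if rank(f[1]) >= rank(THRESHOLD[mode])),
                      key=lambda f: -rank(f[1]))
    result = "blocked" if blocking else "pass"
    lines = [f"Security gate run: {run_id}", f"Mode: {mode}", f"Result: {result}", "Top findings:"]
    lines += [f"- {s} {sev} {path} {summary}" for s, sev, path, summary in blocking] or ["- none"]
    return result, "\n".join(lines)

# Constructed sample reports (not real output from the project's scanners).
SAMPLE = {
    "semgrep": json.dumps({"results": [{"check_id": "example.rule-id", "path": "cli/internal/config.go",
                                        "extra": {"severity": "WARNING"}}]}),
    "gosec": json.dumps({"Issues": [{"severity": "MEDIUM", "rule_id": "G304",
                                     "file": "cli/internal/config.go"}]}),
    "gitleaks": "[]",
}

if __name__ == "__main__":
    for mode in ("quick", "full"):
        print(gate("sample-run", mode, SAMPLE)[1], end="\n\n")
```

With the sample input, the same two medium findings pass the quick gate and block the full gate, which is why a branch that opened a PR cleanly can still be stopped at release.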
Related Skills
security-suite
Composable security suite for binary and prompt-surface assurance, static analysis, dynamic tracing, repo-native redteam scans, contract capture, baseline drift, and policy gating. Triggers: "binary security", "reverse engineer binary", "black-box binary test", "behavioral trace", "baseline diff", "prompt redteam", "security suite".
vibe
Comprehensive code validation. Runs complexity analysis then multi-model council. Answer: Is this code ready to ship? Triggers: "vibe", "validate code", "check code", "review code", "code quality", "is this ready".
validation
Full validation phase orchestrator. Vibe + post-mortem + retro + forge. Reviews implementation quality, extracts learnings, feeds the knowledge flywheel. Triggers: "validation", "validate", "validate work", "review and learn", "validation phase", "post-implementation review".
update
Reinstall all AgentOps skills globally from the latest source. Triggers: "update skills", "reinstall skills", "sync skills".
trace
Trace design decisions and concepts through session history, handoffs, and git. Triggers: "trace decision", "how did we decide", "where did this come from", "design provenance", "decision history".
test
Test generation, coverage analysis, and TDD workflow. Triggers: "test", "generate tests", "test coverage", "write tests", "tdd", "add tests", "test strategy", "missing tests", "coverage gaps".
status
Single-screen dashboard showing current work, recent validations, flywheel health, and suggested next action. Triggers: "status", "dashboard", "what am I working on", "where was I".
standards
Language-specific coding standards and validation rules. Provides Python, Go, Rust, TypeScript, Shell, YAML, JSON, and Markdown standards. Auto-loaded by $vibe, $implement, $doc, $bug-hunt, $complexity based on file types.
shared
Shared reference documents for multi-agent skills (not directly invocable)
scenario
Author and manage holdout scenarios for behavioral validation. Scenarios are stored in .agents/holdout/ where implementing agents cannot see them. Triggers: "$scenario", "holdout", "behavioral scenario", "create scenario", "list scenarios".
scaffold
Project scaffolding, component generation, and boilerplate setup. Triggers: "scaffold", "new project", "init project", "create project", "generate component", "setup project", "starter", "boilerplate".
rpi
Full RPI lifecycle orchestrator. Delegates to $discovery, $crank, $validation phase skills. One command, full lifecycle with complexity classification, --from routing, and optional loop. Triggers: "rpi", "full lifecycle", "research plan implement", "end to end".