dcyfr-security

CodeQL suppressions, security vulnerability troubleshooting, and security best practices

16 stars

Best use case

dcyfr-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

CodeQL suppressions, security vulnerability troubleshooting, and security best practices

Teams using dcyfr-security should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/dcyfr-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/testing-security/dcyfr-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/dcyfr-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How dcyfr-security Compares

Feature / Agent          | dcyfr-security | Standard Approach
Platform Support         | Not specified  | Limited / Varies
Context Awareness        | High           | Baseline
Installation Complexity  | Unknown        | N/A

Frequently Asked Questions

What does this skill do?

CodeQL suppressions, security vulnerability troubleshooting, and security best practices

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## What I do

I guide security practices and CodeQL false positive suppression:

- **CodeQL suppressions** with LGTM syntax
- **Security vulnerability troubleshooting** (SSRF, CWE-918)
- **False positive patterns** and verification
- **Security testing** patterns

## When to use me

✅ **Use this skill when:**
- Suppressing CodeQL false positives
- Investigating security alerts
- Implementing security fixes
- Reviewing security-sensitive code

❌ **Don't use this skill for:**
- General code review (use dcyfr-validation)
- Performance issues (separate concern)
- Non-security bugs

## CodeQL Suppression Syntax

### Basic Suppression

```typescript
// lgtm[js/path-injection]
const filePath = path.join(baseDir, userInput);
```

### With Justification

```typescript
// lgtm[js/sql-injection]: Input validated by schema
const query = `SELECT * FROM users WHERE id = ${userId}`;
```

### Multiple Alerts

```typescript
// lgtm[js/path-injection,js/sql-injection]
const result = await processInput(userInput);
```

## Common False Positives

### 1. Path Injection (Safe)

```typescript
// lgtm[js/path-injection]: userInput validated against allowlist
const filePath = path.join(PUBLIC_DIR, userInput);
```

### 2. SQL Injection (Parameterized)

```typescript
// lgtm[js/sql-injection]: Using parameterized query
await db.query('SELECT * FROM users WHERE id = $1', [userId]);
```

### 3. XSS (React Auto-Escapes)

```typescript
// lgtm[js/xss]: React auto-escapes JSX content
<div>{userContent}</div>
```

## Security Testing Patterns

### API Endpoint Security Test

```typescript
describe('/api/secure-endpoint', () => {
  it('rejects unauthorized requests', async () => {
    const response = await fetch('/api/secure-endpoint');
    expect(response.status).toBe(401);
  });

  it('validates input', async () => {
    const response = await fetch('/api/secure-endpoint', {
      method: 'POST',
      body: JSON.stringify({ malicious: '<script>alert(1)</script>' }),
    });
    expect(response.status).toBe(400);
  });
});
```

## SSRF Prevention

```typescript
// ✅ CORRECT: Validate URLs before fetching
const allowedDomains = ['api.trusted.com'];
const url = new URL(userProvidedUrl);

if (!allowedDomains.includes(url.hostname)) {
  throw new Error('Invalid domain');
}

const response = await fetch(url.toString());
```
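A stricter form of the hostname allowlist above, added here as an example rather than taken from the dcyfr-security skill: it also pins the scheme and port, rejects embedded credentials, compares the parsed hostname exactly, and refuses to follow redirects. The names `validateOutboundUrl`, `safeFetch`, `ALLOWED_HOSTS` and the injected `fetcher` are assumptions, not part of the skill.

```typescript
import { URL } from 'url';

// Added example, not the skill's own code; names below are hypothetical.
const ALLOWED_HOSTS = new Set(['api.trusted.com']);

// Returns the normalized URL string if `input` is safe to fetch, else throws.
export function validateOutboundUrl(input: string, allowed: Set<string> = ALLOWED_HOSTS): string {
  let url: URL | null = null;
  try {
    url = new URL(input);
  } catch {
    // fall through: reported below
  }
  if (url === null) throw new Error('SSRF: malformed URL');
  // Pin the scheme: blocks file:, ftp:, gopher:, data: and plain http.
  if (url.protocol !== 'https:') {
    throw new Error(`SSRF: scheme not allowed: ${url.protocol}`);
  }
  // "https://api.trusted.com@evil.test/" parses with hostname evil.test;
  // reject credentials outright instead of trusting a string prefix.
  if (url.username || url.password) {
    throw new Error('SSRF: credentials in URL');
  }
  // Exact match on the parsed hostname (trailing dot stripped). A suffix or
  // substring check would also accept "api.trusted.com.evil.test".
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (!allowed.has(host)) {
    throw new Error(`SSRF: host not allowed: ${host}`);
  }
  // Only the default port; WHATWG URL already drops an explicit ":443".
  if (url.port !== '') {
    throw new Error(`SSRF: port not allowed: ${url.port}`);
  }
  return url.toString();
}

type Fetcher = (url: string, init: { redirect: 'error' }) => Promise<unknown>;

// A 30x from an allowed host could point at an internal address, so the
// validated URL is fetched with redirect: 'error' (fetch() then rejects).
// The fetcher is injected so the check can be exercised without network access.
export async function safeFetch(input: string, fetcher: Fetcher): Promise<unknown> {
  const url = validateOutboundUrl(input);
  return fetcher(url, { redirect: 'error' });
}
```

In production, pass the real `fetch` as the fetcher, or re-run `validateOutboundUrl` on each hop if redirects must be followed.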

## Related Documentation

- **CodeQL suppressions**: `.github/agents/patterns/CODEQL_SUPPRESSIONS.md`
- **Security troubleshooting**: `.github/agents/patterns/SECURITY_VULNERABILITY_TROUBLESHOOTING.md`

## Approval Gates

Security compliance is **STRICT** (hard block):

- ❌ Cannot suppress without justification
- ❌ Cannot merge with HIGH/CRITICAL alerts
- ✅ Must verify suppressions are valid
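One way to make the "cannot suppress without justification" gate checkable in CI, applied to the `// lgtm[...]` comment syntax from the suppression section above. This is an added example, not code from the dcyfr-security skill; `lintSuppressions`, `gateBlocks`, `SuppressionFinding`, the minimum word count and the constructed `SAMPLE` source are assumptions.

```typescript
// Added example, not the skill's own code: a check for the "cannot suppress
// without justification" gate. Names and the 3-word minimum are hypothetical.
export interface SuppressionFinding {
  line: number;          // 1-based line of the comment
  queryIds: string[];    // ids inside lgtm[...]
  justification: string; // text after the colon, '' if absent
  ok: boolean;           // false when the gate should block the merge
}

// "// lgtm[id1,id2]" optionally followed by ": reason". An empty or malformed
// id list is reported as a failing finding rather than silently skipped.
const LGTM_RE = /\/\/\s*lgtm\[([^\]]*)\](?:\s*:\s*(.*))?/;
const QUERY_ID_RE = /^[a-z]+\/[a-z0-9-]+$/;

export function lintSuppressions(source: string, minWords = 3): SuppressionFinding[] {
  const findings: SuppressionFinding[] = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const m = LGTM_RE.exec(text);
    if (!m) return;
    const queryIds = m[1].split(',').map((s) => s.trim()).filter((s) => s.length > 0);
    const justification = (m[2] || '').trim();
    const idsValid = queryIds.length > 0 && queryIds.every((id) => QUERY_ID_RE.test(id));
    // A single word such as "validated" tells a reviewer nothing; require a
    // short statement of how the input is made safe so it can be verified.
    const words = justification.split(/\s+/).filter((w) => w.length > 0).length;
    findings.push({ line: i + 1, queryIds, justification, ok: idsValid && words >= minWords });
  });
  return findings;
}

// True when at least one suppression would fail the approval gate.
export function gateBlocks(source: string): boolean {
  return lintSuppressions(source).some((f) => !f.ok);
}

// Constructed sample source mirroring the suppression syntax section.
export const SAMPLE = [
  '// lgtm[js/path-injection]',
  'const filePath = path.join(baseDir, userInput);',
  '// lgtm[js/sql-injection]: Using parameterized query',
  "await db.query('SELECT * FROM users WHERE id = $1', [userId]);",
  '// lgtm[js/path-injection,js/sql-injection]: validated',
].join('\n');
```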

Related Skills

laravel-security-audit

16
from diegosouzapw/awesome-omni-skill

Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.

information-security-manager-iso27001

16
from diegosouzapw/awesome-omni-skill

ISO 27001 ISMS implementation and cybersecurity governance for HealthTech and MedTech companies. Use for ISMS design, security risk assessment, control implementation, ISO 27001 certification, security audits, incident response, and compliance verification. Covers ISO 27001, ISO 27002, healthcare security, and medical device cybersecurity.

hardware-security

16
from diegosouzapw/awesome-omni-skill

Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.

Global Security

16
from diegosouzapw/awesome-omni-skill

Your approach to handling global security. Use this skill when working on files where global security comes into play.

dotnet-security-owasp

16
from diegosouzapw/awesome-omni-skill

Hardens .NET apps per OWASP Top 10 -- injection, auth, XSS, deprecated security APIs.

devs:security-core

16
from diegosouzapw/awesome-omni-skill

Comprehensive application security expertise covering authentication, authorization, OWASP Top 10, and security best practices. Use when (1) Implementing authentication (JWT, OAuth2, sessions, OAuth for CLI/TUI/desktop apps), (2) Adding authorization (RBAC, ABAC, RLS with Supabase/PostgreSQL), (3) Security auditing code or infrastructure, (4) Setting up security infrastructure (headers, CORS, CSP, rate limiting), (5) Managing secrets and credentials, (6) Preventing OWASP Top 10 vulnerabilities (injection, XSS, CSRF, etc.), (7) Reviewing code for security issues, (8) Configuring secure web applications in TypeScript, Python, or Rust. Automatically triggered when working with authentication/authorization systems, security reviews, or addressing security vulnerabilities.

data-security

16
from diegosouzapw/awesome-omni-skill

Assess data security controls: classification, access, encryption, retention, and exposure risk.

container-security-scanner

16
from diegosouzapw/awesome-omni-skill

Scan images and runtime for CVEs and policy violations.

Build Your Cloud Security Skill

16
from diegosouzapw/awesome-omni-skill

Create your cloud security skill in one prompt, then learn to improve it throughout the chapter

azure-security-keyvault-keys-dotnet

16
from diegosouzapw/awesome-omni-skill

Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.

aws-security-audit

16
from diegosouzapw/awesome-omni-skill

Comprehensive AWS security posture assessment using AWS CLI and security best practices

awesome-copilot-root-stackhawk-security-onboarding

16
from diegosouzapw/awesome-omni-skill

Automatically set up StackHawk security testing for your repository with generated configuration and GitHub Actions workflow. Use when: the task directly matches stackhawk security onboarding responsibilities within plugin awesome-copilot-root. Do not use when: a more specific framework or task-focused skill is clearly a better match.