baseline
Create or update the project security baseline, profile, suppressions file, and gitignore entries for security scans
Best use case
baseline is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using baseline should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/baseline/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How baseline Compares
| Feature / Agent | baseline | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Create or update the project security baseline, profile, suppressions file, and gitignore entries for security scans
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Baseline
Create the local project profile that helps `/security:scan` classify severity and keep scan artifacts out of git.
## Step 1: Inspect Project
Run:
```bash
mkdir -p .security
"${CLAUDE_PLUGIN_ROOT}/scripts/recon.sh" . | tee .security/recon.json
"${CLAUDE_PLUGIN_ROOT}/scripts/detect-tools.sh" | tee .security/tools.json
```
Read `.security/recon.json`.
## Step 2: Ask for Security Profile
Ask concise questions when `.security/profile.json` does not exist or `--refresh` is passed:
- Application exposure: public internet, authenticated public, internal service, CLI/library.
- Production paths: directories or config files that represent production behavior.
- Test/example paths: directories that should usually be downgraded or treated as false positives.
- Sensitive operations: auth, payments, admin, secrets, file upload, SSRF-sensitive network access.
- Default severity posture: normal or strict.
## Step 3: Write Profile
Write `.security/profile.json`:
```json
{
"version": 1,
"exposure": "public-internet|authenticated-public|internal|cli-library",
"severity_posture": "normal|strict",
"production_paths": ["src/", "app/"],
"test_paths": ["tests/", "fixtures/", "examples/"],
"sensitive_operations": ["auth", "admin", "file-upload"],
"notes": []
}
```
## Step 4: Initialize Suppressions
If `.security/suppressions.json` does not exist, write:
```json
{
"version": 1,
"suppressions": []
}
```
## Step 5: Update .gitignore
Ensure `.gitignore` contains:
```text
.security/artifacts/
.security/report.md
.security/triaged.json
.security/correlated.json
.security/recon.json
.security/tools.json
.security/changed-files.json
```
Keep `.security/profile.json` and `.security/suppressions.json` trackable by default because they are project policy, not scan output. If the user says suppressions should stay local, add `.security/suppressions.json` to `.gitignore`.
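As an added example (not part of this skill or its `scripts/` directory), the following bash script carries out Steps 3 to 5 idempotently: it validates the Step 2 answers before writing `.security/profile.json`, never overwrites an existing `.security/suppressions.json` (so project policy survives a `--refresh`), and appends each scan-output path to `.gitignore` only when that exact line is missing, so repeated runs do not duplicate entries. The file paths and JSON shapes are the ones this skill specifies; the function names, the `local` mode switch that also ignores the suppressions file, and the sample answers are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own scripts/. Writes the Step 3-5 files
# for the project at $dir without clobbering existing policy files.
set -eu

# Step 3: write .security/profile.json from the Step 2 answers.
# Only the two enumerated fields are validated here; path lists are the
# skill's defaults (constructed for this example, not read from the user).
write_profile() {
  local dir="$1" exposure="$2" posture="$3"
  case "$exposure" in
    public-internet|authenticated-public|internal|cli-library) ;;
    *) echo "invalid exposure: $exposure" >&2; return 1 ;;
  esac
  case "$posture" in
    normal|strict) ;;
    *) echo "invalid severity_posture: $posture" >&2; return 1 ;;
  esac
  mkdir -p "$dir/.security"
  cat > "$dir/.security/profile.json" <<EOF
{
  "version": 1,
  "exposure": "$exposure",
  "severity_posture": "$posture",
  "production_paths": ["src/", "app/"],
  "test_paths": ["tests/", "fixtures/", "examples/"],
  "sensitive_operations": ["auth", "admin", "file-upload"],
  "notes": []
}
EOF
}

# Step 4: create an empty suppressions file only when none exists, so
# suppressions a team has already reviewed are never discarded.
init_suppressions() {
  local dir="$1" f="$1/.security/suppressions.json"
  mkdir -p "$dir/.security"
  if [ -e "$f" ]; then
    return 0
  fi
  printf '{\n  "version": 1,\n  "suppressions": []\n}\n' > "$f"
}

# Step 5: append each scan-output path to .gitignore exactly once.
# Pass "local" as the second argument (assumed name) when the user wants
# suppressions kept out of git as well.
update_gitignore() {
  local dir="$1" mode="${2:-shared}" gi="$1/.gitignore"
  local entries=".security/artifacts/ .security/report.md .security/triaged.json .security/correlated.json .security/recon.json .security/tools.json .security/changed-files.json"
  if [ "$mode" = "local" ]; then
    entries="$entries .security/suppressions.json"
  fi
  touch "$gi"
  local e
  for e in $entries; do
    # -x matches the whole line, -F treats the dots literally
    grep -qxF -- "$e" "$gi" || printf '%s\n' "$e" >> "$gi"
  done
}

# Number of lines in .gitignore; lets a caller confirm a re-run is a no-op.
gitignore_lines() {
  wc -l < "$1/.gitignore" | tr -d ' '
}
```

A typical invocation is `write_profile . public-internet strict; init_suppressions .; update_gitignore .` from the project root, after which the Step 6 summary can list the three paths touched. Running `update_gitignore .` a second time leaves `.gitignore` unchanged, which is what makes the skill safe to re-run with `--refresh`.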
## Step 6: Summary
Report:
- Profile path.
- Suppression file path.
- Gitignore changes.
- Tool coverage estimate.
- Next command: `/security:scan --deep`.
Related Skills
vulnerability-patterns
Index of vulnerability detection pattern skills. Routes to core patterns (universal) and language-specific patterns for security scanning.
vuln-patterns-languages
Language-specific vulnerability detection patterns for JavaScript/TypeScript, Python, Go, Java, Ruby, and PHP. Provides regex patterns and grep commands for common security vulnerabilities.
vuln-patterns-core
Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.
scan
Run a security assessment using deterministic static analysis tools with LLM-powered triage
results
View the most recent security scan results without re-running the scan
remediation-library
Index of security remediation skills. Routes to specialized skills for injection, cryptography, authentication, and configuration vulnerabilities.
remediation-injection
Security fix patterns for injection vulnerabilities (SQL, Command, XSS). Provides language-specific code examples showing vulnerable and secure implementations.
remediation-crypto
Security fix patterns for cryptographic vulnerabilities (weak algorithms, insecure randomness, TLS issues). Provides language-specific secure implementations.
remediation-config
Security fix patterns for configuration and deployment vulnerabilities (path traversal, debug mode, security headers). Provides language-specific secure implementations.
remediation-auth
Security fix patterns for authentication and authorization vulnerabilities (credentials, JWT, deserialization, access control). Provides language-specific secure implementations.
fix
Fix or guide remediation for a specific security finding from the latest scan report