# /configure:security

Check and configure security scanning tools for dependency audits, SAST, and secret detection.

## When to Use This Skill

| Use this skill when... | Use another approach when... |
|------------------------|------------------------------|
| Setting up dependency auditing, SAST, or secret detection for a project | Running a one-off security scan (use `gitleaks detect` or `npm audit` directly) |
| Checking project compliance with security scanning standards | Reviewing code for application-level vulnerabilities (use security-audit agent) |
| Configuring Dependabot, CodeQL, or TruffleHog in CI/CD | Managing GitHub repository security settings via the web UI |
| Creating or updating a SECURITY.md policy | Writing security documentation beyond the policy template |
| Auditing which security tools are missing from a project | Investigating a specific CVE or vulnerability |

## Context

- Package files: !`find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)`
- Gitleaks config: !`find . -maxdepth 1 -name '.gitleaks.toml'`
- Pre-commit config: !`find . -maxdepth 1 -name '.pre-commit-config.yaml'`
- Workflows dir: !`find .github -maxdepth 1 -type d -name workflows 2>/dev/null`
- Dependabot config: !`find .github -maxdepth 1 -name dependabot.yml 2>/dev/null`
- CodeQL workflow: !`find .github/workflows -maxdepth 1 -name 'codeql*' 2>/dev/null`
- Security policy: !`find . -maxdepth 1 -name 'SECURITY.md'`

`find -name` matches only the last path component, so the `.github/...` entries are searched from inside `.github` rather than with a slash in the pattern; `2>/dev/null` keeps the context quiet when that directory does not exist.

**Security scanning layers:**

1. **Dependency auditing** - Check for known vulnerabilities in dependencies
2. **SAST (Static Application Security Testing)** - Analyze code for security issues
3. **Secret detection** - Prevent committing secrets to version control

## Parameters

Parse from command arguments:

- `--check-only`: Report status without offering fixes
- `--fix`: Apply all fixes automatically without prompting
- `--type <type>`: Focus on specific security type (dependencies, sast, secrets, all)

## Execution

Execute this security scanning configuration check:

### Step 1: Fetch latest tool versions

Verify latest versions before configuring:

1. **Trivy**: Check [GitHub releases](https://github.com/aquasecurity/trivy/releases)
2. **Grype**: Check [GitHub releases](https://github.com/anchore/grype/releases)
3. **gitleaks**: Check [GitHub releases](https://github.com/gitleaks/gitleaks/releases)
4. **pip-audit**: Check [PyPI](https://pypi.org/project/pip-audit/)
5. **cargo-audit**: Check [crates.io](https://crates.io/crates/cargo-audit)
6. **CodeQL**: Check [GitHub releases](https://github.com/github/codeql-action/releases)

Use WebSearch or WebFetch to verify current versions.

### Step 2: Detect project languages and tools

Identify project languages and existing security tools:

| Indicator | Language/Tool | Security Tools |
|-----------|---------------|----------------|
| `package.json` | JavaScript/TypeScript | npm audit, Snyk |
| `pyproject.toml` | Python | pip-audit, safety, bandit |
| `Cargo.toml` | Rust | cargo-audit, cargo-deny |
| `.gitleaks.toml` | gitleaks | Secret scanning |
| `.github/workflows/` | GitHub Actions | CodeQL, Dependabot |

### Step 3: Analyze current security state

Check existing security configuration across three areas:

**Dependency Auditing:**

- Package manager audit configured
- Audit scripts in package.json/Makefile
- Dependabot enabled
- Dependency review action in CI
- Auto-merge for minor updates configured

**SAST Scanning:**

- CodeQL workflow exists
- Semgrep configured
- Bandit configured (Python)
- SAST in CI pipeline

**Secret Detection:**

- Gitleaks configured with `.gitleaks.toml`
- Pre-commit hook configured
- Git history scanned
- TruffleHog configured (optional complement)

### Step 4: Generate compliance report

Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.

If `--check-only` is set, stop here.

For the compliance report format, see [REFERENCE.md](REFERENCE.md).

### Step 5: Configure dependency auditing (if --fix or user confirms)

Based on detected language:

**JavaScript/TypeScript (npm/bun):**

1. Add audit scripts to `package.json`
2. Create Dependabot config `.github/dependabot.yml`
3. Create dependency review workflow `.github/workflows/dependency-review.yml`

**Python (pip-audit):**

1. Install pip-audit: `uv add --group dev pip-audit`
2. Create audit script

**Rust (cargo-audit):**

1. Install cargo-audit: `cargo install cargo-audit --locked`
2. Configure in `.cargo/audit.toml`

For complete configuration templates, see [REFERENCE.md](REFERENCE.md).

### Step 6: Configure SAST scanning (if --fix or user confirms)

1. Create CodeQL workflow `.github/workflows/codeql.yml` with detected languages
2. For Python projects, install and configure Bandit
3. Run Bandit: `uv run bandit -r src/ -f json -o bandit-report.json`

For CodeQL workflow and Bandit configuration templates, see [REFERENCE.md](REFERENCE.md).

### Step 7: Configure secret detection (if --fix or user confirms)

1. Install gitleaks: `brew install gitleaks` (or `go install github.com/gitleaks/gitleaks/v8@latest`)
2. Create `.gitleaks.toml` with project-specific allowlists
3. Run initial scan: `gitleaks detect --source .`
4. Add pre-commit hook to `.pre-commit-config.yaml`
5. Optionally configure TruffleHog workflow for CI

`gitleaks detect` exits non-zero when it finds a leak, so the initial scan result decides whether the "Secrets found in history" path under Error Handling applies before any hook is installed.

For gitleaks, TruffleHog, and CI workflow configuration templates, see [REFERENCE.md](REFERENCE.md).

### Step 8: Create security policy

Create `SECURITY.md` with:

- Supported versions table
- Vulnerability reporting process (email, expected response time, disclosure policy)
- Information to include in reports
- Security best practices for users and contributors
- Automated security tools list

For the SECURITY.md template, see [REFERENCE.md](REFERENCE.md).

### Step 9: Configure CI/CD integration

Create comprehensive security workflow `.github/workflows/security.yml` with jobs for:

- Dependency audit
- Secret scanning (TruffleHog)
- SAST scan (CodeQL)

Schedule weekly scans in addition to push/PR triggers.

For the CI security workflow template, see [REFERENCE.md](REFERENCE.md).

### Step 10: Update standards tracking

Update `.project-standards.yaml`:

```yaml
components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true
```

### Step 11: Report configuration results

Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.

For the results report format, see [REFERENCE.md](REFERENCE.md).

## Agentic Optimizations

| Context | Command |
|---------|---------|
| Quick compliance check | `/configure:security --check-only` |
| Auto-fix all security gaps | `/configure:security --fix` |
| Dependencies only | `/configure:security --type dependencies` |
| Secret detection only | `/configure:security --type secrets` |
| SAST scanning only | `/configure:security --type sast` |
| Verify secrets scan | `gitleaks detect --source . --verbose` |

## Flags

| Flag | Description |
|------|-------------|
| `--check-only` | Report status without offering fixes |
| `--fix` | Apply all fixes automatically without prompting |
| `--type <type>` | Focus on specific security type (dependencies, sast, secrets, all) |

## Error Handling

- **No package manager detected**: Skip dependency auditing
- **GitHub Actions not available**: Warn about CI limitations
- **Secrets found in history**: Provide remediation guide (rotate the credential first; rewriting history only removes the copy, not the exposure)
- **CodeQL unsupported language**: Skip SAST for that language

## See Also

- `/configure:workflows` - GitHub Actions workflow standards
- `/configure:pre-commit` - Pre-commit hook configuration
- `/configure:all` - Run all compliance checks
- **GitHub Security Features**: https://docs.github.com/en/code-security
- **gitleaks**:

# REFERENCE.md (excerpt)

The excerpt starts partway through the `.gitleaks.toml` template, at the closing bracket of the preceding allowlist list.

```toml
]

regexes = [
    '''example\.com''',
    '''localhost''',
]
```

In gitleaks v8 the `regexes` allowlist is matched against the detected secret unless `regexTarget` is set to `match` or `line`. Keep these patterns narrow: a pattern such as `localhost` combined with `regexTarget = "line"` would suppress every finding on any line that mentions localhost, including real credentials in a connection string.

### Gitleaks Workflow (`.github/workflows/gitleaks.yml`)

```yaml
name: Gitleaks

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so past commits are scanned too

      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

## SECURITY.md Template

```markdown
# Security Policy

## Supported Versions

We actively support the following versions with security updates:

| Version | Supported          |
| ------- | ------------------ |
| 1.x     | :white_check_mark: |
| < 1.0   | :x:                |

## Reporting a Vulnerability

We take the security of our project seriously. If you believe you've found a security vulnerability, please report it to us as described below.

**Please do not report security vulnerabilities through public GitHub issues.**

### Reporting Process

1. **Email**: Send details to [email protected]
2. **Expected Response**: Within 48 hours
3. **Disclosure**: Coordinated disclosure after fix

### Information to Include

- Type of vulnerability
- Full paths of source file(s) affected
- Location of affected source code (tag/branch/commit)
- Step-by-step instructions to reproduce
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability

### What to Expect

- Confirmation of receipt within 48 hours
- Regular updates on progress
- Credit in security advisory (if desired)
- Coordinated disclosure timeline

## Security Best Practices

### For Users

- Keep dependencies up to date
- Use secrets management (never commit secrets)
- Enable 2FA on accounts
- Review security advisories

### For Contributors

- Run `npm audit` before submitting PRs
- Never commit secrets or credentials
- Use environment variables for configuration
- Follow secure coding guidelines

## Automated Security

This project uses:

- **Dependabot**: Automated dependency updates
- **CodeQL**: Static application security testing
- **Gitleaks**: Pre-commit secret scanning
- **TruffleHog**: Git history secret scanning

## Security Advisories

Security advisories are published through:

- GitHub Security Advisories
- Project release notes
- Security mailing list (if applicable)

## Contact

- **Security Email**: [email protected]
- **Encryption Key**: [Link to PGP key if applicable]
```

## CI Security Workflow (`.github/workflows/security.yml`)

```yaml
name: Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 1'   # Weekly on Monday

permissions:
  contents: read
  security-events: write
  actions: read            # required by CodeQL for workflows in private repositories

jobs:
  dependency-audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '22'

      - name: npm audit
        run: npm audit --audit-level=moderate
        continue-on-error: true   # advisory only: findings are logged but never fail the job

  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main   # pin to a release tag or commit SHA before relying on this
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD

  sast-scan:
    name: SAST Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript, python

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Two caveats on this template. `continue-on-error: true` means the dependency audit never blocks a merge; drop it, or gate on a parsed `npm audit --json` result, once the backlog is clean. For the TruffleHog step, `base` and `head` resolve to the same commit on a push to the default branch, which the action rejects; for that trigger scan the full history instead of a commit range (see the action's README for the push-event configuration).

## Results Report Format

```
Security Scanning Configuration Complete
=========================================

Dependency Auditing:
  npm audit scripts configured
  Dependabot enabled
  Dependency review workflow added
  Auto-grouping configured

SAST Scanning:
  CodeQL workflow added
  Languages: JavaScript, Python
  Queries: security-extended, security-and-quality
  Scheduled weekly scans

Secret Detection:
  Gitleaks configured with .gitleaks.toml
  Pre-commit hook configured
  TruffleHog workflow added
  Git history scanned: CLEAN

Security Policy:
  SECURITY.md created
  Reporting process documented
  Supported versions defined

CI/CD Integration:
  Security workflow configured
  All scans integrated

Next Steps:
  1. Review and approve Dependabot PRs:
     GitHub > Pull Requests > Filter by "dependencies"

  2. Review CodeQL findings:
     GitHub > Security > Code scanning alerts

  3. Enable private vulnerability reporting:
     GitHub > Settings > Security > Private vulnerability reporting

  4. Set up security notifications:
     GitHub > Watch > Custom > Security alerts

  5. Run initial scans:
     git push  # Triggers workflows

Documentation: SECURITY.md
```
https://github.com/gitleaks/gitleaks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CodeQL","type":"text","marks":[{"type":"strong"}]},{"text":": https://codeql.github.com","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"args":"[--check-only] [--fix] [--type \u003cdependencies|sast|secrets|all>]","date":"2026-06-05","name":"configure-security","author":"@skillopedia","source":{"stars":35,"repo_name":"claude-plugins","origin_url":"https://github.com/laurigates/claude-plugins/blob/HEAD/configure-plugin/skills/configure-security/SKILL.md","repo_owner":"laurigates","body_sha256":"6772688b10bde8cfda4eff42f121821e56117356d00303be8384670d65e3afca","cluster_key":"33ec96c3fb4f9c216ecde913c6e95d8fe0d34c89fd7008b24834d10530e35f86","clean_bundle":{"format":"clean-skill-bundle-v1","source":"laurigates/claude-plugins/configure-plugin/skills/configure-security/SKILL.md","attachments":[{"id":"de6e8051-c22f-5ec8-9fc6-ab2de80db6f5","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/de6e8051-c22f-5ec8-9fc6-ab2de80db6f5/attachment.md","path":"REFERENCE.md","size":12883,"sha256":"17b951e0fd01a4b15ba410692013ae34a08b776431e75d80001f2c653d746be8","contentType":"text/markdown; charset=utf-8"}],"bundle_sha256":"cd8eb28e09b2da64d4222f368286f0012ddd306489ff8464d0c625435da6ed54","attachment_count":1,"text_attachments":1,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"configure-plugin/skills/configure-security/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"created":"2025-12-16T00:00:00.000Z","version":"v1","category":"security","modified":"2026-05-09T00:00:00.000Z","reviewed":"2025-12-16T00:00:00.000Z","import_tag":"clean-skills-v1","description":"Security scanning: dependency audits, SAST, secrets detection. 
Use when setting up Dependabot, CodeQL, or TruffleHog in CI, or creating a SECURITY.md policy.","allowed-tools":"Glob, Grep, Read, Write, Edit, Bash, AskUserQuestion, TodoWrite, WebSearch, WebFetch","argument-hint":"[--check-only] [--fix] [--type \u003cdependencies|sast|secrets|all>]"}},"renderedAt":1782980323314}