Security Skill
Security validation, vulnerability scanning, and compliance checking.
Activation
Auto-activates on keywords: security, vulnerability, audit, OWASP, encryption, GPG, SSH, signing, secrets, scan, bandit
Workflows
Environment Validation
- validate-env.md: GPG/SSH key validation
Scanning
- scan.md: Security vulnerability scanning
Encryption
- encrypt.md: Secret encryption and management
Commands
# Validate GPG key
gpg --list-secret-keys
# Validate SSH key
ssh-add -l
# Check git signing configuration
git config --get user.signingkey
# Run Bandit security scanner
uv run bandit -r src/ -c pyproject.toml
# Check dependencies for vulnerabilities
uv run pip-audit
uv run safety check
# Run Semgrep security rules
uv run semgrep scan --config auto src/
Security Checklist
Pre-Commit
- [ ] No secrets in code (checked by gitleaks)
- [ ] Dependencies scanned for vulnerabilities
- [ ] Bandit security scan passes
Pre-Release
- [ ] All known vulnerabilities addressed
- [ ] Security advisory published (if applicable)
- [ ] Dependencies updated to secure versions
OWASP Top 10 Considerations
- Injection: Use parameterized queries, validate input
- Broken Authentication: Use secure session management
- Sensitive Data Exposure: Encrypt sensitive data at rest and in transit
- XML External Entities: Disable external entity processing
- Broken Access Control: Implement proper authorization checks
- Security Misconfiguration: Use secure defaults
- XSS: Escape output, use Content Security Policy
- Insecure Deserialization: Validate and sanitize serialized data
- Using Components with Known Vulnerabilities: Keep dependencies updated
- Insufficient Logging: Log security events, monitor for anomalies