Security Toolkit Skill
"Assume Breach" security tooling for Python/TypeScript on GCP Cloud Run.
This skill provides ready-to-use configurations for enforcing BFF security boundaries in CI/CD and local scans.
Philosophy: Assume Breach Containment
Vulnerabilities happen. The goal is blast radius reduction, not just prevention.
When RCE occurs in the frontend:
- No database credentials to steal - credentials only in backend
- No lateral movement - network policies block everything except BFF API
- No persistence - read-only filesystem, distroless images
- Immediate detection - runtime monitoring catches anomalies
Quick Start
1. Copy Configs to Project Root
# From project root
cp ~/.codex/skills/security-toolkit/config/.gitleaks.toml .
cp ~/.codex/skills/security-toolkit/config/.pre-commit-config.yaml .
cp -r ~/.codex/skills/security-toolkit/config/.semgrep .
cp ~/.codex/skills/security-toolkit/config/.checkov.yaml .
cp ~/.codex/skills/security-toolkit/config/.hadolint.yaml .
cp ~/.codex/skills/security-toolkit/workflows/security-scan.yml .github/workflows/
2. Install Pre-commit Hooks
poetry add --group dev pre-commit
poetry run pre-commit install
3. Run Initial Scan
# Run all security checks
poetry run pre-commit run --all-files
# Or run specific tools
gitleaks detect --source . --verbose
poetry run semgrep --config .semgrep/ .
poetry run bandit -r apps/ -c pyproject.toml
trivy fs . --scanners vuln,secret,misconfig
What's Included
| File | Purpose |
|------|---------|
| .gitleaks.toml | Secret detection with GCP/Supabase custom rules |
| .pre-commit-config.yaml | Multi-tool security hooks (gitleaks + bandit + semgrep + hadolint + checkov) |
| .semgrep/bff-security.yaml | BFF boundary enforcement rules |
| .checkov.yaml | IaC security policies for Terraform/Docker/K8s |
| .hadolint.yaml | Dockerfile security linting |
| security-scan.yml | GitHub Actions workflow with SARIF integration |
Tool Stack (100% Free & Open Source)
| Category | Tool | License | |----------|------|---------| | Secret Detection | Gitleaks | MIT | | Python SAST | Bandit | Apache 2.0 | | Multi-lang SAST | Semgrep | LGPL 2.1 | | Container Scanning | Trivy | Apache 2.0 | | IaC Security | Checkov | Apache 2.0 | | Dockerfile Linting | Hadolint | GPL 3.0 | | Dependency Scanning | pip-audit, npm audit | Apache 2.0, Built-in |
Rule ↔ Tool Mapping
| Security Requirement | Enforcing Tool |
|---------------------|----------------|
| No direct DB access in frontend | Semgrep bff-no-frontend-database |
| No service credentials in frontend | Semgrep + Gitleaks |
| No child_process in frontend | Semgrep bff-no-frontend-child-process |
| No eval/Function in frontend | Semgrep bff-no-frontend-eval |
| Distroless base images | Hadolint + Trivy |
| Read-only filesystem | Checkov |
| Non-root container user | Hadolint DL3002 |
| Network policy default-deny | Checkov |
Files in This Skill
README.md- This fileinstallation.md- Detailed setup instructionscommands.md- Quick reference for all toolsassume-breach-checklist.md- Threat → Tool → Response mappingincident-response.md- Runbook templateconfig/- Ready-to-use configuration filesworkflows/- GitHub Actions workflows
When to Use This Skill
- Setting up security scanning for a new project
- Adding security checks to CI/CD pipeline
- Enforcing BFF security boundaries
- Responding to security incidents
- Auditing existing security posture
Related
- GCP Operations:
~/.codex/skills/gcp-operations/- Deployment and secrets management