Agent Skills: /configure:security

/configure:security

Check and configure security scanning tools for dependency audits, SAST, and secret detection.

When to Use This Skill

| Use this skill when... | Use another approach when... | |------------------------|------------------------------| | Setting up dependency auditing, SAST, or secret detection for a project | Running a one-off security scan (use gitleaks detect or npm audit directly) | | Checking project compliance with security scanning standards | Reviewing code for application-level vulnerabilities (use security-audit agent) | | Configuring Dependabot, CodeQL, or TruffleHog in CI/CD | Managing GitHub repository security settings via the web UI | | Creating or updating a SECURITY.md policy | Writing security documentation beyond the policy template | | Auditing which security tools are missing from a project | Investigating a specific CVE or vulnerability |

Context

• Package files: !find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)
• Gitleaks config: !find . -maxdepth 1 -name \'.gitleaks.toml\'
• Pre-commit config: !find . -maxdepth 1 -name \'.pre-commit-config.yaml\'
• Workflows dir: !find . -maxdepth 1 -type d -name \'.github/workflows\'
• Dependabot config: !find . -maxdepth 1 -name \'.github/dependabot.yml\'
• CodeQL workflow: !find .github/workflows -maxdepth 1 -name 'codeql*'
• Security policy: !find . -maxdepth 1 -name \'SECURITY.md\' Security scanning layers:

1. Dependency auditing - Check for known vulnerabilities in dependencies
2. SAST (Static Application Security Testing) - Analyze code for security issues
3. Secret detection - Prevent committing secrets to version control

Parameters

Parse from command arguments:

• --check-only: Report status without offering fixes
• --fix: Apply all fixes automatically without prompting
• --type <type>: Focus on specific security type (dependencies, sast, secrets, all)

Execution

Execute this security scanning configuration check:

Step 1: Fetch latest tool versions

Verify latest versions before configuring:

1. Trivy: Check GitHub releases
2. Grype: Check GitHub releases
3. gitleaks: Check GitHub releases
4. pip-audit: Check PyPI
5. cargo-audit: Check crates.io
6. CodeQL: Check GitHub releases

Use WebSearch or WebFetch to verify current versions.

Step 2: Detect project languages and tools

Identify project languages and existing security tools:

| Indicator | Language/Tool | Security Tools | |-----------|---------------|----------------| | package.json | JavaScript/TypeScript | npm audit, Snyk | | pyproject.toml | Python | pip-audit, safety, bandit | | Cargo.toml | Rust | cargo-audit, cargo-deny | | .gitleaks.toml | gitleaks | Secret scanning | | .github/workflows/ | GitHub Actions | CodeQL, Dependabot |

Step 3: Analyze current security state

Check existing security configuration across three areas:

Dependency Auditing:

• Package manager audit configured
• Audit scripts in package.json/Makefile
• Dependabot enabled
• Dependency review action in CI
• Auto-merge for minor updates configured

SAST Scanning:

• CodeQL workflow exists
• Semgrep configured
• Bandit configured (Python)
• SAST in CI pipeline

Secret Detection:

• Gitleaks configured with .gitleaks.toml
• Pre-commit hook configured
• Git history scanned
• TruffleHog configured (optional complement)

Step 4: Generate compliance report

Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.

If --check-only is set, stop here.

For the compliance report format, see REFERENCE.md.

Step 5: Configure dependency auditing (if --fix or user confirms)

Based on detected language:

JavaScript/TypeScript (npm/bun):

1. Add audit scripts to package.json
2. Create Dependabot config .github/dependabot.yml
3. Create dependency review workflow .github/workflows/dependency-review.yml

Python (pip-audit):

1. Install pip-audit: uv add --group dev pip-audit
2. Create audit script

Rust (cargo-audit):

1. Install cargo-audit: cargo install cargo-audit --locked
2. Configure in .cargo/audit.toml

For complete configuration templates, see REFERENCE.md.

Step 6: Configure SAST scanning (if --fix or user confirms)

1. Create CodeQL workflow .github/workflows/codeql.yml with detected languages
2. For Python projects, install and configure Bandit
3. Run Bandit: uv run bandit -r src/ -f json -o bandit-report.json

For CodeQL workflow and Bandit configuration templates, see REFERENCE.md.

Step 7: Configure secret detection (if --fix or user confirms)

1. Install gitleaks: brew install gitleaks (or go install github.com/gitleaks/gitleaks/v8@latest)
2. Create .gitleaks.toml with project-specific allowlists
3. Run initial scan: gitleaks detect --source .
4. Add pre-commit hook to .pre-commit-config.yaml
5. Optionally configure TruffleHog workflow for CI

For gitleaks, TruffleHog, and CI workflow configuration templates, see REFERENCE.md.

Step 8: Create security policy

Create SECURITY.md with:

• Supported versions table
• Vulnerability reporting process (email, expected response time, disclosure policy)
• Information to include in reports
• Security best practices for users and contributors
• Automated security tools list

For the SECURITY.md template, see REFERENCE.md.

Step 9: Configure CI/CD integration

Create comprehensive security workflow .github/workflows/security.yml with jobs for:

• Dependency audit
• Secret scanning (TruffleHog)
• SAST scan (CodeQL)

Schedule weekly scans in addition to push/PR triggers.

For the CI security workflow template, see REFERENCE.md.

Step 10: Update standards tracking

Update .project-standards.yaml:

components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true

Step 11: Report configuration results

Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.

For the results report format, see REFERENCE.md.

Agentic Optimizations

| Context | Command | |---------|---------| | Quick compliance check | /configure:security --check-only | | Auto-fix all security gaps | /configure:security --fix | | Dependencies only | /configure:security --type dependencies | | Secret detection only | /configure:security --type secrets | | SAST scanning only | /configure:security --type sast | | Verify secrets scan | gitleaks detect --source . --verbose |

Flags

| Flag | Description | |------|-------------| | --check-only | Report status without offering fixes | | --fix | Apply all fixes automatically without prompting | | --type <type> | Focus on specific security type (dependencies, sast, secrets, all) |

Error Handling

• No package manager detected: Skip dependency auditing
• GitHub Actions not available: Warn about CI limitations
• Secrets found in history: Provide remediation guide
• CodeQL unsupported language: Skip SAST for that language

See Also

• /configure:workflows - GitHub Actions workflow standards
• /configure:pre-commit - Pre-commit hook configuration
• /configure:all - Run all compliance checks
• GitHub Security Features: https://docs.github.com/en/code-security
• gitleaks: https://github.com/gitleaks/gitleaks
• CodeQL: https://codeql.github.com