Paths: File paths (
shared/,references/,../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. Ifshared/is missing, fetch files via WebFetch fromhttps://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}.
Security Setup Coordinator
Type: L2 Domain Coordinator Category: 7XX Bootstrap
Purpose & Scope
- Coordinate secret scanning (ln-761) and dependency vulnerability audit (ln-625)
- Aggregate findings from both workers into unified report
- Generate security infrastructure: SECURITY.md, pre-commit hooks, CI workflow
- Provide overall security score and risk assessment
When to Use
- During project bootstrap (invoked by ln-700-project-bootstrap)
- Manual security audit request
- CI/CD pipeline initialization
Workflow
Phase 1: Pre-flight Check
Step 1: Detect Project Type
- Identify primary ecosystem(s): Node.js, .NET, Python, Go, etc.
- Check for existing security configs (
.gitleaks.toml,SECURITY.md)
Step 2: Check Tool Availability
- Verify gitleaks/trufflehog available for secret scanning
- Verify ecosystem-specific audit tools available
- Log warnings for missing tools (do not fail)
Step 3: Load Existing Configs
- If
.gitleaks.tomlexists: note for preservation - If
SECURITY.mdexists: note for update (not overwrite) - If
.pre-commit-config.yamlexists: check for gitleaks hook
Phase 2: Delegate Scans
Step 1: Invoke ln-761 Secret Scanner
- Delegate via Agent tool
- Receive: findings list, severity summary, remediation guidance
Step 2: Invoke ln-625 Dependencies Auditor (mode=vulnerabilities_only)
- Delegate via Agent tool (can run parallel with Step 1)
- Pass parameter:
mode=vulnerabilities_only - Receive: vulnerability list, CVSS scores, fix recommendations
Phase 3: Aggregate Reports
Step 1: Combine Findings
- Merge findings from both workers
- Group by severity (Critical first)
- Calculate overall security score
Step 2: Risk Assessment
- Critical findings: flag for immediate attention
- High findings: recommend fix within 48h
- Medium/Low: add to backlog
Step 3: Build Summary
- Files scanned count
- Secrets found (by severity)
- Vulnerabilities found (by severity)
- Overall pass/warn/fail status
Phase 4: Generate Outputs
Step 1: Create/Update SECURITY.md
- Use template from
references/security_md_template.md - If exists: update, preserve custom sections
- If new: generate with placeholders
Step 2: Configure Pre-commit Hooks
- If
.pre-commit-config.yamlmissing: create from template - If exists without gitleaks: recommend adding
- Template:
references/precommit_config_template.yaml
Step 3: Generate CI Workflow
- If
.github/workflows/security.ymlmissing: create from template - Template:
references/ci_workflow_template.yaml - Include ecosystem-specific audit jobs
Step 4: Update .gitignore
- Ensure secret-related patterns present:
.env,.env.*,!.env.example*.pem,*.key
- Preserve existing entries
Worker Invocation (MANDATORY)
CRITICAL: All delegations use Agent tool with
subagent_type: "general-purpose"for context isolation.
| Worker | Parallel | Purpose | |--------|----------|---------| | ln-761-secret-scanner | Yes | Hardcoded secret detection | | ln-625-dependencies-auditor | Yes | Vulnerability scanning (mode=vulnerabilities_only) |
Prompt template:
Agent(description: "Secret scanning via ln-761",
prompt: "Execute security scanner.
Step 1: Invoke worker:
Skill(skill: \"ln-761-secret-scanner\")
CONTEXT:
Project: {projectPath}",
subagent_type: "general-purpose")
Agent(description: "Dependency vulnerability scan via ln-625",
prompt: "Execute vulnerability scanner.
Step 1: Invoke worker:
Skill(skill: \"ln-625-dependencies-auditor\")
CONTEXT:
Project: {projectPath}
Mode: vulnerabilities_only (only CVE scan, skip outdated/unused checks)",
subagent_type: "general-purpose")
Pattern: Both workers can execute in parallel via Agent tool, then aggregate results.
Anti-Patterns:
- ❌ Direct Skill tool invocation without Agent wrapper
- ❌ Any execution bypassing subagent context isolation
- ❌ Calling ln-625 without mode parameter (would run full audit)
Definition of Done
- [ ] Both workers (ln-761, ln-625) invoked and completed
- [ ] Findings aggregated with severity classification
- [ ] SECURITY.md created/updated
- [ ] Pre-commit hook configured (or recommendation logged)
- [ ] CI workflow generated (or recommendation logged)
- [ ] .gitignore updated with secret patterns
- [ ] Summary report returned to parent orchestrator
TodoWrite format (mandatory)
- Phase 1: Invoke secret scanner ln-761 (pending)
- Phase 2: Invoke dependency auditor ln-625 (pending)
- Phase 3: Aggregate findings (pending)
- Phase 4: Generate security artifacts (pending)
- Phase 5: Return summary (pending)
Meta-Analysis
MANDATORY READ: Load shared/references/meta_analysis_protocol.md
Skill type: planning-coordinator. Run after all phases complete. Output to chat using the protocol format.
Reference Files
| File | Purpose |
|------|---------|
| references/security_md_template.md | Template for SECURITY.md generation |
| references/precommit_config_template.yaml | Pre-commit hooks configuration |
| references/ci_workflow_template.yaml | GitHub Actions security workflow |
Critical Rules
- Always pass
mode=vulnerabilities_onlyto ln-625 — full audit mode is not appropriate for bootstrap context - Preserve existing configs — if
.gitleaks.toml,SECURITY.md, or.pre-commit-config.yamlexist, update rather than overwrite - Use Agent tool with
subagent_type: "general-purpose"for all worker delegations (context isolation) - Never fail on missing tools — log warnings for unavailable scanners, continue with available ones
- Critical findings block completion — flag for immediate attention before returning to parent
Version: 3.0.0 Last Updated: 2026-02-05