This skill ensures automated security scanning in CI/CD by enforcing dependency audits, SAST, and secret detection before deployment.
Install: `npx playbooks add skill amnadtaowsoam/cerebraskills --skill security-scan-policy`
---
name: Security Scan Policy
description: Policy for automated security scanning in CI/CD pipeline including dependency audit, SAST, and secret detection
---
# Security Scan Policy
## Overview
Policy for automated security scanning: dependency vulnerabilities, code vulnerabilities, and leaked secrets are all checked in CI, and every check must pass before deployment.
## Why This Matters
- **Prevent breaches**: Catch vulnerabilities before production
- **Compliance**: Meet security requirements
- **Automated**: Runs on every change, so checks are not skipped through human error
- **Fast feedback**: Know immediately if there are issues
---
## Security Checks
### 1. Dependency Audit
```bash
# Check for vulnerable dependencies (fails with a non-zero exit code at or above the given level)
npm audit --audit-level=high
# Must have 0 high/critical vulnerabilities; expected output:
# found 0 vulnerabilities
```
### 2. SAST (Static Analysis)
```bash
# Scan code for security issues
# (assumes a `security:scan` script in package.json that wraps the SAST tool, e.g. CodeQL or SonarQube)
npm run security:scan
```
Check for:
- SQL injection
- XSS vulnerabilities
- Insecure crypto
- Hardcoded secrets
### 3. Secret Detection
```bash
# Scan the working tree for leaked secrets (use `git-secrets --scan-history` to cover past commits)
git-secrets --scan
```
Check for:
- API keys
- Passwords
- Private keys
- Tokens
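The kind of check a secret-detection step performs, as an added illustration that is not part of this skill and not the code of git-secrets or TruffleHog: a pattern rule set (AWS access key ID shape, PEM private-key header, generic `key = value` assignments) combined with a Shannon-entropy filter so that obvious placeholders are not reported. The rules, the entropy threshold of 3.5 bits per character and the sample lines are all constructed for the example; the `AKIAIOSFODNN7EXAMPLE` value is the placeholder key ID used in AWS documentation.

```javascript
// Added example (not from the cerebraskills skill, git-secrets or TruffleHog):
// a minimal pattern-plus-entropy secret detector run over constructed lines.

// Each rule names a secret class and the regex that matches its typical shape.
const RULES = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Generic assignment: captures the assigned value so it can be entropy-checked.
  { name: "generic-assignment", re: /\b(?:api[_-]?key|password|secret|token)\b\s*[:=]\s*['"]?([A-Za-z0-9+\/=_\-]{12,})['"]?/i },
];

// Assumed cutoff (bits per character) for the generic rule; tune per repository.
const ENTROPY_THRESHOLD = 3.5;

// Shannon entropy of a string in bits per character; random-looking tokens score high.
function shannonEntropy(s) {
  const freq = new Map();
  for (const ch of s) freq.set(ch, (freq.get(ch) || 0) + 1);
  let h = 0;
  for (const n of freq.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan text line by line; returns findings as {line, rule, match}.
function scanForSecrets(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      // The generic rule also matches placeholders such as "changeme"; require
      // the captured value to look random before reporting it.
      if (rule.name === "generic-assignment" && shannonEntropy(m[1]) < ENTROPY_THRESHOLD) continue;
      findings.push({ line: i + 1, rule: rule.name, match: m[0] });
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real repository).
const SAMPLE_TEXT = [
  "const dbPassword = process.env.DB_PASSWORD; // read from the environment: fine",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  'api_key = "changeme-changeme"',
  "-----BEGIN RSA PRIVATE KEY-----",
  'token: "Xq7vB2kLm9Pz4Rt8Wn3Yd6Hs1Jf5Gc"',
].join("\n");

// Report findings the way a CI log would show them; the finding on line 3 is
// suppressed by the entropy filter, lines 2, 4 and 5 are reported.
for (const f of scanForSecrets(SAMPLE_TEXT)) {
  console.log(`line ${f.line}: ${f.rule} -> ${f.match}`);
}
```

In a pipeline the scan would be run over the diff of the pull request (or the whole history) and any finding treated as a blocking error, since the policy lists hardcoded secrets among the issues that must not reach the main branch. The entropy filter trades a little recall for far fewer false positives on test fixtures and documentation; a repository with many legitimate high-entropy strings (hashes, base64 fixtures) needs an allowlist on top of it.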
---
## CI Pipeline
```yaml
# .github/workflows/security.yml
name: Security Scan
on: [pull_request, push]
permissions:
  contents: read
  security-events: write   # required for CodeQL to upload its results
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0     # full history so the secret scan covers earlier commits
      - name: Dependency Audit
        run: npm audit --audit-level=high
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript   # analyze requires a preceding init step
      - name: SAST Scan
        uses: github/codeql-action/analyze@v2
      - name: Secret Scan
        uses: trufflesecurity/trufflehog@main
      - name: Container Scan
        # Assumes the image was built earlier in the job and Trivy is installed on the runner;
        # --exit-code 1 makes HIGH/CRITICAL findings fail the job, as the policy requires
        run: trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
```
---
## Severity Levels
| Level | Action | Example |
|-------|--------|---------|
| Critical | Block merge | RCE vulnerability |
| High | Block merge | SQL injection |
| Medium | Warning | Weak crypto |
| Low | Info only | Outdated dependency |
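A CI gate that applies this severity table to real scanner output, as an added example that is not part of this skill: it reads the JSON that `npm audit --json` produces (assumed npm 7+ shape, where `metadata.vulnerabilities` carries per-severity counts), maps npm's `moderate` level onto the table's Medium row, and returns a block/warn/info decision. The sample report is constructed; the function names are assumptions for the example.

```javascript
// Added example (not from the cerebraskills skill or from npm): a merge gate
// that applies the policy's severity table to `npm audit --json` output.

// Policy table: which action each severity level triggers.
// npm names the policy's "Medium" level "moderate".
const POLICY = {
  critical: "block",
  high: "block",
  moderate: "warn",
  low: "info",
  info: "info",
};

// Extract per-severity counts from an npm audit JSON report (assumed npm >= 7 shape:
// report.metadata.vulnerabilities = { info, low, moderate, high, critical, total }).
function parseNpmAudit(json) {
  const report = typeof json === "string" ? JSON.parse(json) : json;
  const vulns = (report.metadata && report.metadata.vulnerabilities) || {};
  const counts = {};
  for (const level of Object.keys(POLICY)) {
    counts[level] = Number(vulns[level] || 0);
  }
  return counts;
}

// Apply the policy to the counts; returns the decision and the log lines to emit.
function evaluatePolicy(counts) {
  const result = { block: false, messages: [] };
  for (const [level, action] of Object.entries(POLICY)) {
    const n = counts[level] || 0;
    if (n === 0) continue;
    const noun = n === 1 ? "vulnerability" : "vulnerabilities";
    if (action === "block") {
      result.block = true;
      result.messages.push(`ERROR: ${n} ${level} ${noun} - merge blocked`);
    } else if (action === "warn") {
      result.messages.push(`WARNING: ${n} ${level} ${noun} - fix before next release`);
    } else {
      result.messages.push(`INFO: ${n} ${level} ${noun}`);
    }
  }
  return result;
}

// Run the gate on a report and return the exit code CI should use (1 = block).
function runGate(reportJson) {
  const result = evaluatePolicy(parseNpmAudit(reportJson));
  for (const m of result.messages) console.log(m);
  return result.block ? 1 : 0;
}

// Constructed sample report (not real audit output), shaped like `npm audit --json`:
// one high and one moderate finding, so the gate blocks.
const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 1, high: 1, critical: 0, total: 4 } },
});

console.log(`gate exit code: ${runGate(SAMPLE_REPORT)}`);
```

In a workflow step this would be wired as `npm audit --json > audit.json || true` followed by a script that reads the file and calls `process.exit(runGate(contents))`; the `|| true` is needed because `npm audit` itself exits non-zero whenever it finds anything, which would otherwise pre-empt the policy decision and block on Low findings too. The same `evaluatePolicy` function can be fed counts normalized from any other scanner, keeping the blocking rule in one place rather than in each tool's flags.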
---
## Tools
```
Dependency: npm audit, Snyk
SAST: CodeQL, SonarQube
Secrets: TruffleHog, git-secrets
Container: Trivy, Grype
```
---
## Summary
**Security Scan:** Automated security checks
**Checks:**
- Dependency audit (npm audit)
- SAST (CodeQL)
- Secret detection (TruffleHog)
- Container scan (Trivy)
**Policy:**
- Critical/High: Block merge
- Medium: Warning
- Low: Info only
**No exceptions for Critical/High**
This skill defines an automated Security Scan Policy for CI/CD that enforces dependency audits, SAST, secret detection, and container scanning before deployment. It ensures high and critical findings block merges while medium and low findings are surfaced as warnings or info. The policy is designed to provide fast, repeatable security feedback and prevent vulnerabilities from reaching production.
The pipeline runs a dependency audit, a static application security test (SAST), secret detection, and container image scanning on each push or pull request. Each tool reports findings with severity levels; critical and high severities fail the job and block merges. Results are presented in the CI log and can be integrated into PR checks for visibility and remediation tracking.
Which severities should block a merge?
Critical and high severity findings must block merges and fail the pipeline; medium and low should be warnings or informational.
Which tools are recommended?
Use npm audit or Snyk for dependencies, CodeQL or SonarQube for SAST, git-secrets and TruffleHog for secrets, and Trivy or Grype for container scans.