
security-scanning skill

/universal/security/security-scanning

This skill helps you perform CI security scans for secrets, dependencies, and SAST, ensuring traceability and timely remediation.

npx playbooks add skill bobmatnyc/claude-mpm-skills --skill security-scanning


Files (7)
SKILL.md
---
name: security-scanning
description: "CI security scanning: secrets, deps, SAST, triage, expiring exceptions"
license: MIT
compatibility: claude-code
metadata:
  version: 1.1.0
  category: universal
  author: Claude MPM Team
progressive_disclosure:
  entry_point:
    summary: "Baseline CI scans (secrets, deps, SAST) with triage and expiring exceptions"
tags: [security, scanning]
---

# Security Scanning

## Quick Start

- Secrets: fail fast; rotate on exposure.
- Dependencies: gate critical/high; automate updates.
- SAST: start high-signal; ratchet over time.
- Exceptions: require reason, owner, and expiry.

## Load Next (References)

- `references/tooling-matrix.md`
- `references/ci-workflows.md`
- `references/triage-and-remediation.md`
- `references/common-findings-and-fixes.md`
- `references/supply-chain-and-sbom.md`

Overview

This skill provides CI-focused security scanning for source code and build artifacts, covering secrets detection, dependency checks, SAST, triage workflows, and managed exceptions. It is designed to integrate into CI pipelines to surface high-confidence findings early and enforce gating for critical issues. The goal is to reduce risk by automating detection, prioritizing actionable results, and tracking remediation and exception expiry.

How this skill works

The skill runs a chain of scanners in CI: secrets scanners fail fast on high-confidence exposures, dependency scanners flag vulnerable or out-of-date packages, and SAST tools produce prioritized code findings. Findings are triaged with metadata (severity, owner, rationale) and can be recorded as time-limited exceptions that require an owner and an expiry date. The configuration supports progressive signal tuning, so teams can start with high-signal checks and gradually expand coverage.

When to use it

  • When you need automated security gates in CI for secrets, dependencies, or code issues
  • When you want to enforce blocking for critical/high dependency vulnerabilities
  • When onboarding SAST into a legacy codebase and you need gradual ramp-up
  • When teams require documented, expiring exceptions with clear ownership
  • When you want consistent triage metadata to integrate with ticketing and remediation workflows

Best practices

  • Fail fast on secrets: treat exposures as immediate incidents and rotate keys promptly
  • Gate only critical/high issues initially and automate dependency updates for medium risk
  • Start SAST with high-precision rules and increase coverage as false-positive rates drop
  • Require every exception to include a reason, an owner, and a firm expiry date
  • Record triage decisions and link findings to remediation tickets for traceability

Example use cases

  • CI job that blocks merges when a new secret is accidentally committed
  • Automated dependency check that creates PRs to bump critical libraries and fails the build on high-risk CVEs
  • SAST pipeline step that produces high-confidence code issues for security reviewers
  • Triage dashboard that assigns owners and enforces expiry on accepted exceptions
  • Periodic audits that combine SBOM data and dependency scanning to catch supply-chain risks

FAQ

How should I handle false positives from SAST?

Start with a high-signal rule set, tune rules based on observed false positives, and use time-limited exceptions while you refine rules.

What information must an exception include?

Every exception should include a justification, a named owner responsible for remediation, and an explicit expiry date to avoid permanent bypasses.
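The gating and exception rules described under "How this skill works", "Best practices" and this FAQ can be made concrete as a small CI gate. The following Python script is an added example, not code from the claude-mpm-skills project: it takes scanner findings and an exceptions list (both constructed inline as plain dicts; a real pipeline would load them from scanner output and a checked-in exceptions file), rejects exceptions that lack a reason, owner or expiry or that have already expired, and then decides whether the build passes. The policy encoded in `should_block` is an assumption chosen to match the Quick Start: secrets always block and cannot be excepted, dependency findings block at high/critical, and SAST findings block only when both severity and confidence are high.

```python
"""CI gate for security scan findings with expiring exceptions (added example,
not the skill's own code). Findings and exceptions are constructed samples."""
from datetime import date

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
REQUIRED_EXCEPTION_FIELDS = ("finding_id", "reason", "owner", "expires")

# Constructed sample findings, one or two per scanner category.
FINDINGS = [
    {"id": "SEC-1", "category": "secret", "severity": "critical", "confidence": "high",
     "rule": "aws-access-key", "location": "config/settings.py:12"},
    {"id": "DEP-1", "category": "dependency", "severity": "high", "confidence": "high",
     "package": "examplelib", "location": "requirements.txt"},
    {"id": "DEP-2", "category": "dependency", "severity": "medium", "confidence": "high",
     "package": "otherlib", "location": "requirements.txt"},
    {"id": "SAST-1", "category": "sast", "severity": "high", "confidence": "low",
     "rule": "sql-injection", "location": "app/db.py:40"},
    {"id": "SAST-2", "category": "sast", "severity": "high", "confidence": "high",
     "rule": "command-injection", "location": "app/shell.py:8"},
]

# Constructed exceptions file: the first is complete and still valid, the
# second has expired, the third is missing an owner.
EXCEPTIONS = [
    {"finding_id": "SAST-2", "reason": "input is a fixed allow-list",
     "owner": "team-app", "expires": "2099-01-01"},
    {"finding_id": "DEP-1", "reason": "waiting on upstream fix",
     "owner": "team-platform", "expires": "2020-01-01"},
    {"finding_id": "SEC-1", "reason": "test fixture", "expires": "2099-01-01"},
]


def validate_exceptions(exceptions, today_iso):
    """Return (valid_finding_ids, problems). An exception counts only if it has
    every required field and its expiry date is on or after today."""
    today = date.fromisoformat(today_iso)
    valid, problems = set(), []
    for exc in exceptions:
        missing = [f for f in REQUIRED_EXCEPTION_FIELDS if not exc.get(f)]
        if missing:
            problems.append(f"{exc.get('finding_id', '?')}: missing {', '.join(missing)}")
            continue
        try:
            expires = date.fromisoformat(exc["expires"])
        except ValueError:
            problems.append(f"{exc['finding_id']}: bad expiry {exc['expires']!r}")
            continue
        if expires < today:
            problems.append(f"{exc['finding_id']}: expired on {expires.isoformat()}")
            continue
        valid.add(exc["finding_id"])
    return valid, problems


def should_block(finding):
    """Assumed gating policy: secrets always block; dependency findings block at
    high/critical; SAST blocks only at high severity with high confidence."""
    sev = SEVERITY_RANK.get(finding["severity"], 0)
    cat = finding["category"]
    if cat == "secret":
        return True
    if cat == "dependency":
        return sev >= SEVERITY_RANK["high"]
    if cat == "sast":
        return sev >= SEVERITY_RANK["high"] and finding["confidence"] == "high"
    return False


def evaluate(findings, exceptions, today_iso):
    """Decide the CI gate. Secrets are never excusable; other blocking findings
    may be suppressed by a valid exception. Malformed or expired exceptions are
    reported rather than silently ignored."""
    valid_ids, problems = validate_exceptions(exceptions, today_iso)
    blocking, suppressed, advisory = [], [], []
    for f in findings:
        if not should_block(f):
            advisory.append(f["id"])
        elif f["category"] != "secret" and f["id"] in valid_ids:
            suppressed.append(f["id"])
        else:
            blocking.append(f["id"])
    return {
        "pass": not blocking,
        "blocking": blocking,
        "suppressed": suppressed,
        "advisory": advisory,
        "exception_problems": problems,
    }


if __name__ == "__main__":
    for key, value in evaluate(FINDINGS, EXCEPTIONS, date.today().isoformat()).items():
        print(f"{key}: {value}")
```

Run as a CI step, the script would exit non-zero when `pass` is false; the `exception_problems` list is worth surfacing in the job log even on a passing build, since an expired exception that silently stops suppressing a finding is exactly the situation the expiry rule is meant to make visible.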