playbooks

home / skills / laurigates / claude-plugins / configure-security

configure-security skill

/configure-plugin/skills/configure-security

This skill helps you configure and audit security scanning across dependencies, SAST, and secrets to strengthen CI/CD workflows.

npx playbooks add skill laurigates/claude-plugins --skill configure-security

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
8.4 KB
---
model: haiku
created: 2025-12-16
modified: 2026-02-11
reviewed: 2025-12-16
description: Check and configure security scanning (dependency audits, SAST, secrets)
allowed-tools: Glob, Grep, Read, Write, Edit, Bash, AskUserQuestion, TodoWrite, WebSearch, WebFetch
argument-hint: "[--check-only] [--fix] [--type <dependencies|sast|secrets|all>]"
name: configure-security
---

# /configure:security

Check and configure security scanning tools for dependency audits, SAST, and secret detection.

## When to Use This Skill

| Use this skill when... | Use another approach when... |
|------------------------|------------------------------|
| Setting up dependency auditing, SAST, or secret detection for a project | Running a one-off security scan (use `gitleaks detect` or `npm audit` directly) |
| Checking project compliance with security scanning standards | Reviewing code for application-level vulnerabilities (use security-audit agent) |
| Configuring Dependabot, CodeQL, or TruffleHog in CI/CD | Managing GitHub repository security settings via the web UI |
| Creating or updating a SECURITY.md policy | Writing security documentation beyond the policy template |
| Auditing which security tools are missing from a project | Investigating a specific CVE or vulnerability |

## Context

- Package files: !`find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \) 2>/dev/null`
- Gitleaks config: !`test -f .gitleaks.toml && echo "EXISTS" || echo "MISSING"`
- Pre-commit config: !`test -f .pre-commit-config.yaml && echo "EXISTS" || echo "MISSING"`
- Workflows dir: !`test -d .github/workflows && echo "EXISTS" || echo "MISSING"`
- Dependabot config: !`test -f .github/dependabot.yml && echo "EXISTS" || echo "MISSING"`
- CodeQL workflow: !`find .github/workflows -maxdepth 1 -name 'codeql*' 2>/dev/null`
- Security policy: !`test -f SECURITY.md && echo "EXISTS" || echo "MISSING"`
**Security scanning layers:**
1. **Dependency auditing** - Check for known vulnerabilities in dependencies
2. **SAST (Static Application Security Testing)** - Analyze code for security issues
3. **Secret detection** - Prevent committing secrets to version control

## Parameters

Parse from command arguments:

- `--check-only`: Report status without offering fixes
- `--fix`: Apply all fixes automatically without prompting
- `--type <type>`: Focus on specific security type (dependencies, sast, secrets, all)

## Execution

Execute this security scanning configuration check:

### Step 1: Fetch latest tool versions

Verify latest versions before configuring:

1. **Trivy**: Check [GitHub releases](https://github.com/aquasecurity/trivy/releases)
2. **Grype**: Check [GitHub releases](https://github.com/anchore/grype/releases)
3. **gitleaks**: Check [GitHub releases](https://github.com/gitleaks/gitleaks/releases)
4. **pip-audit**: Check [PyPI](https://pypi.org/project/pip-audit/)
5. **cargo-audit**: Check [crates.io](https://crates.io/crates/cargo-audit)
6. **CodeQL**: Check [GitHub releases](https://github.com/github/codeql-action/releases)

Use WebSearch or WebFetch to verify current versions.

### Step 2: Detect project languages and tools

Identify project languages and existing security tools:

| Indicator | Language/Tool | Security Tools |
|-----------|---------------|----------------|
| `package.json` | JavaScript/TypeScript | npm audit, Snyk |
| `pyproject.toml` | Python | pip-audit, safety, bandit |
| `Cargo.toml` | Rust | cargo-audit, cargo-deny |
| `.gitleaks.toml` | gitleaks | Secret scanning |
| `.github/workflows/` | GitHub Actions | CodeQL, Dependabot |

### Step 3: Analyze current security state

Check existing security configuration across three areas:

**Dependency Auditing:**
- Package manager audit configured
- Audit scripts in package.json/Makefile
- Dependabot enabled
- Dependency review action in CI
- Auto-merge for minor updates configured

**SAST Scanning:**
- CodeQL workflow exists
- Semgrep configured
- Bandit configured (Python)
- SAST in CI pipeline

**Secret Detection:**
- Gitleaks configured with `.gitleaks.toml`
- Pre-commit hook configured
- Git history scanned
- TruffleHog configured (optional complement)

### Step 4: Generate compliance report

Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.

If `--check-only` is set, stop here.

For the compliance report format, see [REFERENCE.md](REFERENCE.md).

### Step 5: Configure dependency auditing (if --fix or user confirms)

Based on detected language:

**JavaScript/TypeScript (npm/bun):**
1. Add audit scripts to `package.json`
2. Create Dependabot config `.github/dependabot.yml`
3. Create dependency review workflow `.github/workflows/dependency-review.yml`

**Python (pip-audit):**
1. Install pip-audit: `uv add --group dev pip-audit`
2. Create audit script

**Rust (cargo-audit):**
1. Install cargo-audit: `cargo install cargo-audit --locked`
2. Configure in `.cargo/audit.toml`

For complete configuration templates, see [REFERENCE.md](REFERENCE.md).

### Step 6: Configure SAST scanning (if --fix or user confirms)

1. Create CodeQL workflow `.github/workflows/codeql.yml` with detected languages
2. For Python projects, install and configure Bandit
3. Run Bandit: `uv run bandit -r src/ -f json -o bandit-report.json`

For CodeQL workflow and Bandit configuration templates, see [REFERENCE.md](REFERENCE.md).

### Step 7: Configure secret detection (if --fix or user confirms)

1. Install gitleaks: `brew install gitleaks` (or `go install github.com/gitleaks/gitleaks/v8@latest`)
2. Create `.gitleaks.toml` with project-specific allowlists
3. Run initial scan: `gitleaks detect --source .`
4. Add pre-commit hook to `.pre-commit-config.yaml`
5. Optionally configure TruffleHog workflow for CI

For gitleaks, TruffleHog, and CI workflow configuration templates, see [REFERENCE.md](REFERENCE.md).

### Step 8: Create security policy

Create `SECURITY.md` with:
- Supported versions table
- Vulnerability reporting process (email, expected response time, disclosure policy)
- Information to include in reports
- Security best practices for users and contributors
- Automated security tools list

For the SECURITY.md template, see [REFERENCE.md](REFERENCE.md).

### Step 9: Configure CI/CD integration

Create comprehensive security workflow `.github/workflows/security.yml` with jobs for:
- Dependency audit
- Secret scanning (TruffleHog)
- SAST scan (CodeQL)

Schedule weekly scans in addition to push/PR triggers.

For the CI security workflow template, see [REFERENCE.md](REFERENCE.md).

### Step 10: Update standards tracking

Update `.project-standards.yaml`:

```yaml
components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true
```

### Step 11: Report configuration results

Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.

For the results report format, see [REFERENCE.md](REFERENCE.md).

## Agentic Optimizations

| Context | Command |
|---------|---------|
| Quick compliance check | `/configure:security --check-only` |
| Auto-fix all security gaps | `/configure:security --fix` |
| Dependencies only | `/configure:security --type dependencies` |
| Secret detection only | `/configure:security --type secrets` |
| SAST scanning only | `/configure:security --type sast` |
| Verify secrets scan | `gitleaks detect --source . --verbose` |

## Flags

| Flag | Description |
|------|-------------|
| `--check-only` | Report status without offering fixes |
| `--fix` | Apply all fixes automatically without prompting |
| `--type <type>` | Focus on specific security type (dependencies, sast, secrets, all) |

## Error Handling

- **No package manager detected**: Skip dependency auditing
- **GitHub Actions not available**: Warn about CI limitations
- **Secrets found in history**: Provide remediation guide
- **CodeQL unsupported language**: Skip SAST for that language

## See Also

- `/configure:workflows` - GitHub Actions workflow standards
- `/configure:pre-commit` - Pre-commit hook configuration
- `/configure:all` - Run all compliance checks
- **GitHub Security Features**: https://docs.github.com/en/code-security
- **gitleaks**: https://github.com/gitleaks/gitleaks
- **CodeQL**: https://codeql.github.com

Overview

This skill checks and configures project security scanning for dependency audits, SAST, and secret detection. It inspects repository files, CI workflows, and tooling configuration, then generates a compliance report and can apply recommended fixes. Use it to establish repeatable security checks in CI and to harden developer workflows against leaked secrets and vulnerable dependencies.

How this skill works

The skill scans the repository for package manifests, existing security configs (Dependabot, CodeQL, gitleaks, pre-commit), and GitHub Actions workflows. It maps detected languages to appropriate tools (npm audit, pip-audit, cargo-audit, CodeQL, Bandit, gitleaks) and evaluates three layers: dependency auditing, SAST, and secret detection. It then prints a compliance report and, if requested, creates or updates configuration files and CI workflows to enable audits, SAST jobs, and secret scanning. Optional flags let you run a check-only report or automatically apply fixes for selected layers.

When to use it

  • Setting up or hardening security scans for a repository (dependencies, SAST, secrets).
  • Auditing which security tools are missing from a project or CI pipeline.
  • Enabling automated dependency updates and review (Dependabot + dependency-review).
  • Adding secret detection and pre-commit hooks to prevent commits with credentials.
  • Running repeated scheduled security checks in CI (weekly scans).

Best practices

  • Run the skill with --check-only first to review findings before applying changes.
  • Choose automated fixes (--fix) in a separate branch or PR to review changes.
  • Enable CodeQL and dependency review in GitHub Actions for PR-level feedback.
  • Add gitleaks and pre-commit hooks to catch secrets locally and in CI.
  • Schedule weekly scans in CI and triage Dependabot and CodeQL results promptly.

Example use cases

  • Enable dependency auditing and create a Dependabot config for a JavaScript monorepo.
  • Add a CodeQL workflow and Bandit job for a Python project to run on PRs and schedule.
  • Create .gitleaks.toml, add a pre-commit hook, and run an initial secret scan.
  • Install and wire cargo-audit into CI for a Rust project and add audit scripts.
  • Generate a SECURITY.md with reporting contact, supported versions, and process.

FAQ

What does --check-only do?

It produces a compliance report showing missing or misconfigured security components without making any repository changes.

Can the skill auto-fix everything?

Use --fix to apply recommended configurations and templates; review the created files in a PR before merging to avoid unintended changes.