ai-security

Solid

Runs security gates: SAST with OWASP/CWE mapping, dependency vulnerability scans, secret detection, SBOM generation for compliance, pre-release security verdict. Trigger for 'is this secure', 'audit dependencies', 'check for secrets', 'security report', 'is this package safe', 'compliance review'. Not for governance process; use /ai-governance instead. Not for runtime payload inspection; use prompt-injection-guard hook instead.

AI & Automation 52 stars 3 forks Updated 4 days ago MIT

Install

View on GitHub

Quality Score: 89/100

Stars 20%

Recency 20%

100

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# Security Scanning ## Quick start ``` /ai-security all # full sweep (static + deps + secrets + sbom) /ai-security deps # dependency audit only /ai-security secrets # gitleaks scan /ai-security sbom # CycloneDX SBOM for compliance /ai-security --fix # auto-remediate where safe ``` Unified security assessment for regulated industries. Modes: `static` (SAST with semgrep), `deps` (pip-audit/npm audit), `secrets` (gitleaks), `sbom` (CycloneDX). Zero tolerance for medium+ findings. Each finding includes severity, location, fix suggestion, and CWE reference. ## When to Use - Security review, pre-release gate, dependency audit, compliance reporting. - NOT for code quality metrics -- use `/ai-verify quality`. - NOT for governance compliance -- use `/ai-governance`. ## Process Step 0 (load contexts): read `.ai-engineering/manifest.yml` `providers.stacks`; load `.ai-engineering/overrides/<stack>/conventions.md` for each stack and `.ai-engineering/overrides/_shared/conventions.md`; load `.ai-engineering/team/*.md` for team conventions. ## Modes ### all -- Full Scan (default) The `all` mode runs static, deps, and secrets in sequence and produces an aggregated report. This is the default when `/ai-security` is invoked without a mode argument. ### static -- SAST 1. **Read stacks** -- read `.ai-engineering/manifest.yml` field `providers.stacks` for active languages. 2. **Secret detection** -- `gitleaks detect --source . --no-git`. Any finding is critical. N...

Details

Author: arcasilesgroup
Repository: arcasilesgroup/ai-engineering
Created: 4 months ago
Last Updated: 4 days ago
Language: Python
License: MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

ai-governance

Validates framework compliance, ownership boundaries, risk acceptance lifecycle, and manifest integrity for regulated environments. Trigger for 'are quality gates enforced', 'who owns this file', 'formally accept a known risk', 'pre-release compliance check', 'governance report for auditors'. Not for code quality; use /ai-verify instead. Not for security scanning; use /ai-security instead — this validates governance process, not code content.

52 Updated 4 days ago

arcasilesgroup

AI & Automation Listed

security

Scan for security vulnerabilities, exposed secrets, and broken authentication patterns before production deployment. Use when user says 'security audit', 'dependency scan', or 'find secrets'.

0 Updated 4 days ago

Git-Fg

Code & Development Listed

security

Use before shipping to production. Performs OWASP Top 10 audit and STRIDE threat modeling against the codebase. Supports --quick, --standard, --thorough modes. Also use when the user asks to check security, audit code, or review for vulnerabilities. Triggers on /security.

0 Updated today

Jihadyip286