configure-security

Check and configure security scanning tools for dependency audits, SAST, and secret detection.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "configure-security" with this command: npx skills add laurigates/claude-plugins/laurigates-claude-plugins-configure-security

/configure:security

Check and configure security scanning tools for dependency audits, SAST, and secret detection.

When to Use This Skill

Use this skill when...                                                  | Use another approach when...
Setting up dependency auditing, SAST, or secret detection for a project | Running a one-off security scan (use gitleaks detect or npm audit directly)
Checking project compliance with security scanning standards            | Reviewing code for application-level vulnerabilities (use security-audit agent)
Configuring Dependabot, CodeQL, or TruffleHog in CI/CD                  | Managing GitHub repository security settings via the web UI
Creating or updating a SECURITY.md policy                               | Writing security documentation beyond the policy template
Auditing which security tools are missing from a project                | Investigating a specific CVE or vulnerability

Context

  • Package files: !find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)

  • Gitleaks config: !find . -maxdepth 1 -name '.gitleaks.toml'

  • Pre-commit config: !find . -maxdepth 1 -name '.pre-commit-config.yaml'

  • Workflows dir: !find . -maxdepth 2 -type d -path './.github/workflows'

  • Dependabot config: !find . -maxdepth 2 -path './.github/dependabot.yml'

  • CodeQL workflow: !find .github/workflows -maxdepth 1 -name 'codeql*'

  • Security policy: !find . -maxdepth 1 -name 'SECURITY.md'

Security scanning layers:

  • Dependency auditing - Check for known vulnerabilities in dependencies

  • SAST (Static Application Security Testing) - Analyze code for security issues

  • Secret detection - Prevent committing secrets to version control

Parameters

Parse from command arguments:

  • --check-only: Report status without offering fixes

  • --fix: Apply all fixes automatically without prompting

  • --type <type>: Focus on a specific security type (dependencies, sast, secrets, all)

Execution

Execute this security scanning configuration check:

Step 1: Fetch latest tool versions

Verify latest versions before configuring:

  • Trivy: Check GitHub releases

  • Grype: Check GitHub releases

  • gitleaks: Check GitHub releases

  • pip-audit: Check PyPI

  • cargo-audit: Check crates.io

  • CodeQL: Check GitHub releases

Use WebSearch or WebFetch to verify current versions.

Step 2: Detect project languages and tools

Identify project languages and existing security tools:

Indicator            Language/Tool           Security Tools
package.json         JavaScript/TypeScript   npm audit, Snyk
pyproject.toml       Python                  pip-audit, safety, bandit
Cargo.toml           Rust                    cargo-audit, cargo-deny
.gitleaks.toml       gitleaks                Secret scanning
.github/workflows/   GitHub Actions          CodeQL, Dependabot

Step 3: Analyze current security state

Check existing security configuration across three areas:

Dependency Auditing:

  • Package manager audit configured

  • Audit scripts in package.json/Makefile

  • Dependabot enabled

  • Dependency review action in CI

  • Auto-merge for minor updates configured

SAST Scanning:

  • CodeQL workflow exists

  • Semgrep configured

  • Bandit configured (Python)

  • SAST in CI pipeline

Secret Detection:

  • Gitleaks configured with .gitleaks.toml

  • Pre-commit hook configured

  • Git history scanned

  • TruffleHog configured (optional complement)

Step 4: Generate compliance report

Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.

If --check-only is set, stop here.

For the compliance report format, see REFERENCE.md.
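
The following POSIX sh script is an added example, not code from the configure-security skill or its repository, and it does not use the REFERENCE.md report format. It mirrors Steps 2 to 4 above: it detects the project language from the manifest, checks the indicator files the skill names for each scanning layer, prints one component=status line per check, and ends with a present/checked score. The sample project built by make_sample_project is constructed here purely to show a partly configured repository.

```shell
#!/bin/sh
# Added example (not code from the configure-security skill or its repository):
# a POSIX sh compliance check that mirrors Steps 2-4 above. It reads the
# indicator files the skill names and prints one "component=status" line per
# check, then a present/checked score. The sample project written by
# make_sample_project is constructed here purely for demonstration.

# Step 2: detect the primary language from the manifest in the project root $1.
detect_language() {
  if   [ -f "$1/package.json" ];   then echo javascript
  elif [ -f "$1/pyproject.toml" ]; then echo python
  elif [ -f "$1/Cargo.toml" ];     then echo rust
  elif [ -f "$1/go.mod" ];         then echo go
  else echo unknown
  fi
}

# "present" if path $1 exists, otherwise "missing".
status_of_path() {
  if [ -e "$1" ]; then echo present; else echo missing; fi
}

# "present" if file $1 exists and contains the fixed string $2.
status_of_grep() {
  if [ -f "$1" ] && grep -qF -- "$2" "$1"; then echo present; else echo missing; fi
}

# Step 3: one status line per component, grouped by scanning layer.
security_status() {
  root=$1
  lang=$(detect_language "$root")
  echo "language=$lang"
  # Dependency auditing: an audit entry point for the detected package manager.
  case $lang in
    javascript) echo "audit_script=$(status_of_grep "$root/package.json" '"audit"')" ;;
    python)     echo "audit_script=$(status_of_grep "$root/pyproject.toml" pip-audit)" ;;
    rust)       echo "audit_script=$(status_of_path "$root/.cargo/audit.toml")" ;;
    *)          echo "audit_script=skipped" ;;  # no package manager: skip (Error Handling)
  esac
  echo "dependabot=$(status_of_path "$root/.github/dependabot.yml")"
  echo "dependency_review=$(status_of_path "$root/.github/workflows/dependency-review.yml")"
  # SAST: any workflow file whose name starts with codeql.
  codeql=missing
  for f in "$root"/.github/workflows/codeql*; do
    if [ -e "$f" ]; then codeql=present; fi
  done
  echo "codeql=$codeql"
  # Secret detection: gitleaks config plus a pre-commit hook that references it.
  echo "gitleaks_config=$(status_of_path "$root/.gitleaks.toml")"
  echo "precommit_gitleaks=$(status_of_grep "$root/.pre-commit-config.yaml" gitleaks)"
  # Security policy.
  echo "security_policy=$(status_of_path "$root/SECURITY.md")"
}

# Step 4: score as present/checked; the language line and skipped checks are not counted.
compliance_score() {
  security_status "$1" \
    | awk -F= '$1 != "language" && $2 != "skipped" { total++; if ($2 == "present") ok++ }
               END { printf "%d/%d\n", ok, total }'
}

# Constructed sample project: partly configured so the report shows gaps.
make_sample_project() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  printf '{ "name": "demo", "scripts": { "audit": "npm audit --audit-level=high" } }\n' \
    > "$dir/package.json"
  printf 'version: 2\nupdates: []\n' > "$dir/.github/dependabot.yml"
  printf 'name: CodeQL\n' > "$dir/.github/workflows/codeql.yml"
  printf 'repos: []\n' > "$dir/.pre-commit-config.yaml"   # no gitleaks hook yet
  echo "$dir"
}

main() {
  root=$(make_sample_project)
  security_status "$root"
  echo "score=$(compliance_score "$root")"   # 3/7 for the sample project
  rm -rf "$root"
}
main
```

Point security_status at a real checkout to get the same report for it; a project with no manifest reports audit_script=skipped rather than a failure, which is the "no package manager detected" rule from Error Handling.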

Step 5: Configure dependency auditing (if --fix or user confirms)

Based on detected language:

JavaScript/TypeScript (npm/bun):

  • Add audit scripts to package.json

  • Create Dependabot config .github/dependabot.yml

  • Create dependency review workflow .github/workflows/dependency-review.yml

Python (pip-audit):

  • Install pip-audit: uv add --group dev pip-audit

  • Create audit script

Rust (cargo-audit):

  • Install cargo-audit: cargo install cargo-audit --locked

  • Configure in .cargo/audit.toml

For complete configuration templates, see REFERENCE.md.

Step 6: Configure SAST scanning (if --fix or user confirms)

  • Create CodeQL workflow .github/workflows/codeql.yml with detected languages

  • For Python projects, install and configure Bandit

  • Run Bandit: uv run bandit -r src/ -f json -o bandit-report.json

For CodeQL workflow and Bandit configuration templates, see REFERENCE.md.

Step 7: Configure secret detection (if --fix or user confirms)

  • Install gitleaks: brew install gitleaks (or go install github.com/gitleaks/gitleaks/v8@latest)

  • Create .gitleaks.toml with project-specific allowlists

  • Run initial scan: gitleaks detect --source .

  • Add pre-commit hook to .pre-commit-config.yaml

  • Optionally configure TruffleHog workflow for CI

For gitleaks, TruffleHog, and CI workflow configuration templates, see REFERENCE.md.
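
As an added example for Step 7 (not the REFERENCE.md template and not code from the skill or its repository), the POSIX sh script below writes a .gitleaks.toml that keeps the upstream rule set and adds project-specific allowlists, appends the gitleaks hook to .pre-commit-config.yaml without duplicating it on a second run, and runs the initial scan only when gitleaks is installed. The allowlist entries, the demo repository and the fixture value are constructed for this example; the release tag passed as the second argument is a placeholder for the version fetched in Step 1; the [allowlist] table is the long-standing gitleaks v8 config form (newer releases also accept [[allowlists]]), so check it against the release you pin.

```shell
#!/bin/sh
# Added example (not code from the configure-security skill or its repository):
# scaffolding for Step 7 in POSIX sh. It writes a .gitleaks.toml that extends
# the default rules with project-specific allowlists, adds the gitleaks hook to
# .pre-commit-config.yaml without duplicating it, and runs the initial scan only
# if gitleaks is installed. The allowlist entries and the demo repository are
# constructed for this example; the gitleaks release passed as $2 is a
# placeholder for the version fetched in Step 1.

# Write .gitleaks.toml under project root $1 unless one already exists.
write_gitleaks_config() {
  cfg="$1/.gitleaks.toml"
  if [ -f "$cfg" ]; then echo "gitleaks: keeping existing $cfg"; return 0; fi
  cat > "$cfg" <<'EOF'
title = "project gitleaks config"

# Keep the upstream rule set and only add project-specific exclusions.
[extend]
useDefault = true

[allowlist]
description = "Project-specific allowlist (constructed example)"
# Lockfiles and test fixtures produce noise, not leaks.
paths = [
  '''(^|/)package-lock\.json$''',
  '''^tests/fixtures/''',
]
# Documented placeholder values that are deliberately committed.
regexes = [
  '''EXAMPLE_API_KEY_[0-9A-Z]+''',
]
EOF
  echo "gitleaks: wrote $cfg"
}

# Add the gitleaks pre-commit hook (release $2) to .pre-commit-config.yaml under $1.
# Assumes the file indents its repos list by two spaces, as pre-commit's docs do.
ensure_precommit_hook() {
  pc="$1/.pre-commit-config.yaml"
  if [ -f "$pc" ] && grep -q 'github.com/gitleaks/gitleaks' "$pc"; then
    echo "pre-commit: gitleaks hook already present"; return 0
  fi
  [ -f "$pc" ] || printf 'repos:\n' > "$pc"
  cat >> "$pc" <<EOF
  - repo: https://github.com/gitleaks/gitleaks
    rev: $2
    hooks:
      - id: gitleaks
EOF
  echo "pre-commit: added gitleaks hook"
}

# Initial scan of the working tree; --redact keeps matched values out of the log.
# Exit status 1 from gitleaks means findings; the caller decides how to react.
run_initial_scan() {
  if command -v gitleaks >/dev/null 2>&1; then
    gitleaks detect --source "$1" --config "$1/.gitleaks.toml" --no-git --redact
  else
    echo "gitleaks not installed; skipping initial scan (see Step 7 for install options)" >&2
  fi
}

configure_secret_detection() {
  write_gitleaks_config "$1"
  ensure_precommit_hook "$1" "$2"
}

# Constructed demo repository with an allowlisted fixture value.
scaffold_demo_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/tests/fixtures"
  printf 'API_KEY=EXAMPLE_API_KEY_0000\n' > "$dir/tests/fixtures/sample.env"
  echo "$dir"
}

main() {
  root=$(scaffold_demo_repo)
  configure_secret_detection "$root" "v8.0.0"   # placeholder: use the release from Step 1
  run_initial_scan "$root" || echo "findings reported; follow the remediation guide (Error Handling)" >&2
  rm -rf "$root"
}
main
```

Running with --no-git scans the working tree only; drop that flag (or run gitleaks detect without it, as in Step 7) to cover git history as well, which is the "Git history scanned" item in Step 3.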

Step 8: Create security policy

Create SECURITY.md with:

  • Supported versions table

  • Vulnerability reporting process (email, expected response time, disclosure policy)

  • Information to include in reports

  • Security best practices for users and contributors

  • Automated security tools list

For the SECURITY.md template, see REFERENCE.md.

Step 9: Configure CI/CD integration

Create comprehensive security workflow .github/workflows/security.yml with jobs for:

  • Dependency audit

  • Secret scanning (TruffleHog)

  • SAST scan (CodeQL)

Schedule weekly scans in addition to push/PR triggers.

For the CI security workflow template, see REFERENCE.md.

Step 10: Update standards tracking

Update .project-standards.yaml:

components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true
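
The POSIX sh script below is an added example for Steps 9 and 10, not the REFERENCE.md template and not code from the skill or its repository. It writes a security.yml with the three jobs listed above plus a weekly schedule, picking the dependency-audit command by language, and records the standards entry when no .project-standards.yaml exists yet. The action names and major-version tags (actions/checkout@v4, github/codeql-action@v3, trufflesecurity/trufflehog@main) and the TruffleHog extra_args come from those actions' public READMEs and are assumptions to re-check against the versions fetched in Step 1; the language argument uses CodeQL's names.

```shell
#!/bin/sh
# Added example (not code from the configure-security skill or its repository):
# generates the Step 9 security workflow and the Step 10 standards entry in
# POSIX sh. Action names, version tags and TruffleHog extra_args are taken from
# those actions' public READMEs and should be re-checked against the versions
# fetched in Step 1. Language names are CodeQL's (javascript, python, ...).

# Dependency-audit shell command for the CI job, chosen by language (Step 5 tools).
audit_command() {
  case $1 in
    javascript) echo "npm ci && npm audit --audit-level=high" ;;
    python)     echo "pip install . pip-audit && pip-audit" ;;
    rust)       echo "cargo install cargo-audit --locked && cargo audit" ;;
    *)          echo "echo 'no package manager detected; dependency audit skipped'" ;;
  esac
}

# Write .github/workflows/security.yml under root $1 for CodeQL language $2;
# prints the path of the file written.
write_security_workflow() {
  wf="$1/.github/workflows/security.yml"
  audit=$(audit_command "$2")
  mkdir -p "$1/.github/workflows"
  cat > "$wf" <<EOF
name: Security

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC, in addition to push/PR

permissions:
  contents: read

jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: $audit

  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so TruffleHog can scan past commits
      - uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --results=verified,unknown

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: $2
      - uses: github/codeql-action/analyze@v3
EOF
  echo "$wf"
}

# Step 10: create .project-standards.yaml under $1 with the security components.
# An existing file is left untouched so hand-maintained entries are not clobbered.
update_standards() {
  std="$1/.project-standards.yaml"
  if [ -f "$std" ]; then
    echo "standards: $std exists; merge the security entry by hand" >&2; return 0
  fi
  cat > "$std" <<'EOF'
components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true
EOF
  echo "standards: wrote $std"
}

main() {
  root=$(mktemp -d)                      # constructed empty project
  wf=$(write_security_workflow "$root" javascript)
  update_standards "$root"
  echo "jobs: $(grep -c 'runs-on:' "$wf")"   # 3
  rm -rf "$root"
}
main
```

The top-level permissions block is read-only; only the CodeQL job escalates to security-events: write, which it needs to upload SARIF results, so a compromised audit or scan step cannot write to the repository.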

Step 11: Report configuration results

Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.

For the results report format, see REFERENCE.md.

Agentic Optimizations

Context                      Command
Quick compliance check       /configure:security --check-only
Auto-fix all security gaps   /configure:security --fix
Dependencies only            /configure:security --type dependencies
Secret detection only        /configure:security --type secrets
SAST scanning only           /configure:security --type sast
Verify secrets scan          gitleaks detect --source . --verbose

Flags

Flag            Description
--check-only    Report status without offering fixes
--fix           Apply all fixes automatically without prompting
--type <type>   Focus on a specific security type (dependencies, sast, secrets, all)

Error Handling

  • No package manager detected: Skip dependency auditing

  • GitHub Actions not available: Warn about CI limitations

  • Secrets found in history: Provide remediation guide

  • CodeQL unsupported language: Skip SAST for that language

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
