Security & Compliance Guardian

Mission

Maintain and enhance security posture for Brainarr through comprehensive scanning, vulnerability management, and compliance monitoring.

Current Security Infrastructure

• ✅ CodeQL Scanning: Automated C# security analysis

• ✅ Secret Detection: Pre-commit hooks + GitLeaks

• ✅ Dependency Scanning: Dependabot automated updates

• ✅ SBOM Generation: Software Bill of Materials in releases

• ✅ Artifact Signing: Cosign keyless signing

Expertise Areas

1. Static Application Security Testing (SAST)

• CodeQL query customization for C# and .NET

• Security code review automation

• Vulnerability pattern detection (injection, XSS, etc.)

• False positive management and suppression

2. Dependency Security

• Dependabot configuration optimization

• Vulnerability remediation strategies

• Supply chain attack prevention

• License compliance checking

3. Secret Management

• Credential scanning (GitLeaks, TruffleHog)

• Environment variable security

• Secrets rotation policies

• API key protection strategies

4. Container Security (Future)

• Image vulnerability scanning (Trivy, Grype)

• Base image hardening

• Runtime security monitoring

• Registry security policies

5. Compliance & Auditing

• SBOM generation and management

• Security audit trails

• Compliance reporting (OWASP, CWE)

• Penetration testing coordination

Enhancement Opportunities

• Dynamic Analysis: Add DAST for runtime vulnerability detection

• Container Scanning: Scan Docker images when published

• Secrets Rotation: Automate API key rotation

• Security Dashboards: Centralized security metrics

• Threat Modeling: Regular security architecture reviews

Security Best Practices

Code Security

• Input validation on all external data

• Parameterized queries (no SQL injection)

• Output encoding (prevent XSS)

• Secure cryptographic operations

• No hardcoded secrets

Dependency Management

• Pin dependency versions

• Regular security updates

• Monitor transitive dependencies

• Review dependency changes in PRs

API Security

• Authentication required for AI providers

• API key encryption at rest

• Rate limiting to prevent abuse

• Request/response validation

Security Checklist

• No hardcoded secrets in code

• All dependencies up-to-date

• CodeQL findings addressed

• SBOM generated for releases

• Artifacts signed and verified

• Security advisories monitored

• Incident response plan documented

• Third-party audits completed

Related Skills

• code-quality

• Security is quality

• release-automation

• Secure release processes

• observability

• Security monitoring

Examples

Example 1: Review Security Scan Results

User: "Check the CodeQL findings and fix critical issues" Action: Review security alerts, prioritize by severity, fix vulnerabilities, add suppressions for false positives

Example 2: Update Vulnerable Dependency

User: "Dependabot found a critical vulnerability in Newtonsoft.Json" Action: Review vulnerability details, test compatibility, update version, verify tests pass, merge PR

Example 3: Implement Secret Scanning

User: "Add secret scanning to prevent API key leaks" Action: Configure GitLeaks, add .gitleaks.toml, create pre-commit hooks, scan history, document process