jmagly/security-gate
agentic/code/frameworks/sdlc-complete/skills/security-gate/SKILL.md
Enforce minimum security criteria before iteration close or release
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg security-gateInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 7:37 AM200.0s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- security-gate
- platforms:
- [all]
- description:
- Enforce minimum security criteria before iteration close or release
- argumentHint:
- <docs/sdlc/artifacts/project> [--interactive] [--guidance "text"]
- allowedTools:
- Read, Write, Glob, Grep
- model:
- sonnet
- category:
- security-quality
Security Gate (SDLC)
Criteria
- Approved threat model with mitigations or accepted risks
- Zero open critical vulnerabilities; highs triaged with owners/dates
- SBOM generated and reviewed (if applicable)
- Secrets policy verified; no hardcoded secrets
Output
security-gate-report.mdwith pass/fail and remediation tasks (structured artifact for downstream agents)- Append a gate decision block to
.aiwg/security/audit.md(the human-readable rolling audit log — see schema below)
Rolling audit log
.aiwg/security/audit.md is the single append-only rollup of security activity in this project. Humans read it first; downstream agents continue to consume the structured per-area artifacts. Both views are maintained.
After running the gate, append a block in this exact format (create .aiwg/security/audit.md if it does not exist; create the .aiwg/security/ directory if missing):
---
## [YYYY-MM-DD HH:MM] security-gate — <gate name or scope>
**Source:** security-gate
**Scope:** <artifact path or release identifier under review>
**Verdict:** <pass | fail | conditional>
### Findings rolled up
- **[severity] location** — description. Confirmation quote: `<source snippet>`. Remediation: <action>.
- ...
### References
- Structured artifact: `security-gate-report.md`
- Related: <issue or commit reference if applicable>
The same schema is used by security-auditor for its findings. Do not rewrite or truncate prior entries — append only.
After appending, log an audit entry to .aiwg/activity.log per the activity-log rule.
References
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/vague-discretion.md — Gate criteria must be concrete and verifiable (zero open criticals, SBOM present); never "acceptable risk" without documentation
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/human-authorization.md — Fail the gate and escalate to human; do not autonomously accept or close security findings
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/rules/token-security.md — Token security policy this gate verifies (no hardcoded secrets)
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/skills/security-audit/SKILL.md — Upstream audit skill whose findings feed into this gate's pass/fail evaluation
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/skills/check-traceability/SKILL.md — Traceability verification that may be required as a security gate prerequisite
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/activity-log.md — Append-only artifact discipline used by
.aiwg/security/audit.md - @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/agents/security-auditor.md — Companion writer of the rolling audit log (same schema)
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026