laurigates/configure-security
configure-plugin/skills/configure-security/SKILL.md
Security scanning: dependency audits, SAST, secrets detection. Use when setting up Dependabot, CodeQL, or TruffleHog in CI, or creating a SECURITY.md policy.
$ install --global
skillsauthnpx skillsauth add laurigates/claude-plugins configure-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 8:19 AM168.2s4 files scanned
SKILL.md
- created:
- 2025-12-16
- modified:
- 2026-06-10
- reviewed:
- 2026-06-10
- description:
- Security scanning: dependency audits, SAST, secrets detection. Use when setting up Dependabot, CodeQL, or TruffleHog in CI, or creating a SECURITY.md policy.
- allowed-tools:
- Glob, Grep, Read, Write, Edit, Bash, AskUserQuestion, TodoWrite, WebSearch, WebFetch
- args:
- [--check-only] [--fix] [--type <dependencies|sast|secrets|all>]
- argument-hint:
- [--check-only] [--fix] [--type <dependencies|sast|secrets|all>]
- name:
- configure-security
/configure:security
Check and configure security scanning tools for dependency audits, SAST, and secret detection.
When to Use This Skill
| Use this skill when... | Use another approach when... |
|------------------------|------------------------------|
| Setting up dependency auditing, SAST, or secret detection for a project | Running a one-off security scan (use gitleaks detect or npm audit directly) |
| Checking project compliance with security scanning standards | Reviewing code for application-level vulnerabilities (use security-audit agent) |
| Configuring Dependabot, CodeQL, or TruffleHog in CI/CD | Managing GitHub repository security settings via the web UI |
| Creating or updating a SECURITY.md policy | Writing security documentation beyond the policy template |
| Auditing which security tools are missing from a project | Investigating a specific CVE or vulnerability |
Context
- Package files: !
find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \) - Gitleaks config: !
find . -maxdepth 1 -name \'.gitleaks.toml\' - Pre-commit config: !
find . -maxdepth 1 -name \'.pre-commit-config.yaml\' - Workflows dir: !
find . -maxdepth 1 -type d -name \'.github/workflows\' - Dependabot config: !
find . -maxdepth 1 -name \'.github/dependabot.yml\' - CodeQL workflow: !
find .github/workflows -maxdepth 1 -name 'codeql*' - Security policy: !
find . -maxdepth 1 -name \'SECURITY.md\'Security scanning layers:
- Dependency auditing - Check for known vulnerabilities in dependencies
- SAST (Static Application Security Testing) - Analyze code for security issues
- Secret detection - Prevent committing secrets to version control
Parameters
Parse from command arguments:
--check-only: Report status without offering fixes--fix: Apply all fixes automatically without prompting--type <type>: Focus on specific security type (dependencies, sast, secrets, all)
Execution
Execute this security scanning configuration check:
Step 1: Fetch latest tool versions
Verify latest versions before configuring:
- Trivy: Check GitHub releases
- Grype: Check GitHub releases
- gitleaks: Check GitHub releases
- pip-audit: Check PyPI
- cargo-audit: Check crates.io
- CodeQL: Check GitHub releases
Use WebSearch or WebFetch to verify current versions.
Step 2: Detect project languages and security posture
Run the detection script to scan the project for language signals and the three security layers (dependency auditing / SAST / secret detection) plus a SECURITY.md policy:
bash "${CLAUDE_SKILL_DIR}/scripts/configure-security.sh" --home-dir "$HOME" --project-dir "$(pwd)"
Parse STATUS= and the ISSUES: block from the output. The KEY=VALUE lines
report language detection (LANG_JS, LANG_PYTHON, LANG_RUST, LANG_GO) and
the presence matrix (DEPENDABOT, CODEQL, GITLEAKS_CONFIG, SECURITY_POLICY,
TRUFFLEHOG, DEPENDENCY_REVIEW, SECURITY_LAYERS_PRESENT).
Step 3: Generate compliance report
Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.
If --check-only is set, stop here.
For the compliance report format, see REFERENCE.md.
Step 4: Configure dependency auditing (if --fix or user confirms)
Based on detected language:
JavaScript/TypeScript (npm/bun):
- Add audit scripts to
package.json - Create Dependabot config
.github/dependabot.yml - Create dependency review workflow
.github/workflows/dependency-review.yml
Python (pip-audit):
- Install pip-audit:
uv add --group dev pip-audit - Create audit script
Rust (cargo-audit):
- Install cargo-audit:
cargo install cargo-audit --locked - Configure in
.cargo/audit.toml
For complete configuration templates, see REFERENCE.md.
Step 5: Configure SAST scanning (if --fix or user confirms)
- Create CodeQL workflow
.github/workflows/codeql.ymlwith detected languages - For Python projects, install and configure Bandit
- Run Bandit:
uv run bandit -r src/ -f json -o bandit-report.json
For CodeQL workflow and Bandit configuration templates, see REFERENCE.md.
Step 6: Configure secret detection (if --fix or user confirms)
- Install gitleaks:
brew install gitleaks(orgo install github.com/gitleaks/gitleaks/v8@latest) - Create
.gitleaks.tomlwith project-specific allowlists - Run initial scan:
gitleaks detect --source . - Add pre-commit hook to
.pre-commit-config.yaml - Optionally configure TruffleHog workflow for CI
For gitleaks, TruffleHog, and CI workflow configuration templates, see REFERENCE.md.
Step 7: Create security policy
Create SECURITY.md with:
- Supported versions table
- Vulnerability reporting process (email, expected response time, disclosure policy)
- Information to include in reports
- Security best practices for users and contributors
- Automated security tools list
For the SECURITY.md template, see REFERENCE.md.
Step 8: Configure CI/CD integration
Create comprehensive security workflow .github/workflows/security.yml with jobs for:
- Dependency audit
- Secret scanning (TruffleHog)
- SAST scan (CodeQL)
Schedule weekly scans in addition to push/PR triggers.
For the CI security workflow template, see REFERENCE.md.
Step 9: Update standards tracking
Update .project-standards.yaml:
components:
security: "2025.1"
security_dependency_audit: true
security_sast: true
security_secret_detection: true
security_policy: true
security_dependabot: true
Step 10: Report configuration results
Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.
For the results report format, see REFERENCE.md.
Agentic Optimizations
| Context | Command |
|---------|---------|
| Quick compliance check | /configure:security --check-only |
| Auto-fix all security gaps | /configure:security --fix |
| Dependencies only | /configure:security --type dependencies |
| Secret detection only | /configure:security --type secrets |
| SAST scanning only | /configure:security --type sast |
| Verify secrets scan | gitleaks detect --source . --verbose |
Flags
| Flag | Description |
|------|-------------|
| --check-only | Report status without offering fixes |
| --fix | Apply all fixes automatically without prompting |
| --type <type> | Focus on specific security type (dependencies, sast, secrets, all) |
Error Handling
- No package manager detected: Skip dependency auditing
- GitHub Actions not available: Warn about CI limitations
- Secrets found in history: Provide remediation guide
- CodeQL unsupported language: Skip SAST for that language
See Also
/configure:workflows- GitHub Actions workflow standards/configure:pre-commit- Pre-commit hook configuration/configure:all- Run all compliance checks- GitHub Security Features: https://docs.github.com/en/code-security
- gitleaks: https://github.com/gitleaks/gitleaks
- CodeQL: https://codeql.github.com
Related Skills
laurigates/workflow-verify-before-filing
testing
VerifiedTrustedCommunity
Verify accumulated bug claims at upstream HEAD and dedup against trackers before filing issues. Use when filing upstream reports from backlogs, audit docs, or git-history findings.
38SKILL.mdUpdated Jun 12, 2026
laurigates/cold-read-gate
documentation
VerifiedTrustedCommunity
Gate outward-bound text (upstream issues, docs, PR bodies) through isolated haiku fresh-reader critique before publishing. Use when an artifact must survive a reader with zero project context.
38SKILL.mdUpdated Jun 12, 2026
laurigates/evaluate-improve
tools
VerifiedTrustedCommunity
Suggest improvements to SKILL.md content, descriptions, or tool config from eval results. Use when raising pass rates, fixing triggering, or iterating on a skill after evaluation.
38SKILL.mdUpdated Apr 16, 2026
laurigates/deadbranch
tools
VerifiedTrustedCommunity
deadbranch CLI for stale-branch cleanup — dry-run preview, TUI or non-interactive delete, protects main/develop/WIP. Use when asked to clean up branches, prune branches, or remove stale branches.
37SKILL.mdUpdated Jun 11, 2026