Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

starlake-ai/secure

Name: secure
Author: starlake-ai

.agents/skills/secure/SKILL.md

npx skillsauth add starlake-ai/starlake-skills secure

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Secure Skill

Applies Row Level Security (RLS) and Column Level Security (CLS) policies defined in your table configurations. Security policies control which users or groups can see which rows and columns.

Usage

starlake secure [options]

Options

--domains <value>: Comma-separated list of domains to apply security (default: all)
--tables <value>: Comma-separated list of tables to apply security (default: all)
--accessToken <value>: Access token for authentication (e.g. GCP)
--options k1=v1,k2=v2: Substitution arguments
--scheduledDate <value>: Scheduled date for the job, format: yyyy-MM-dd'T'HH:mm:ss.SSSZ
--reportFormat <value>: Report output format: console, json, or html

Configuration Context

Security policies are defined in table configuration files:

Row Level Security (RLS)

Filter rows based on user/group membership:

# In table.sl.yml
table:
  rls:
    - name: "USA only"
      predicate: "country = 'USA'"
      grants:
        - "group:usa_team"
    - name: "Recent data"
      predicate: "order_date > CURRENT_DATE - INTERVAL 90 DAY"
      grants:
        - "user:[email protected]"

Column Level Security (CLS) / Access Policies

Restrict access to sensitive columns:

# In table.sl.yml
table:
  attributes:
    - name: "email"
      type: "string"
      accessPolicy: "PII"
    - name: "credit_card"
      type: "string"
      accessPolicy: "SENSITIVE"

Access Control List (ACL)

Grant table-level permissions:

# In table.sl.yml
table:
  acl:
    - role: "roles/bigquery.dataViewer"
      grants:
        - "user:[email protected]"
        - "group:[email protected]"
        - "serviceAccount:[email protected]"

Privacy Transformations

Privacy transformations are applied during data loading to protect sensitive fields. Configure per attribute:

attributes:
  - name: "ssn"
    type: "string"
    privacy: "HIDE" # Never stored — column is dropped

  - name: "email"
    type: "string"
    privacy: "SHA256" # One-way hash

  - name: "ip_address"
    type: "string"
    privacy: "MD5" # Anonymize

  - name: "phone"
    type: "string"
    privacy: "AES" # Reversible encryption

Available Privacy Types

| Type | Description | Reversible | |---|---|---| | HIDE | Column is completely removed from output | N/A | | MD5 | MD5 hash of the value | No | | SHA1 | SHA-1 hash of the value | No | | SHA256 | SHA-256 hash of the value | No | | SHA512 | SHA-512 hash of the value | No | | AES | AES encryption (requires encryption key) | Yes |

BigQuery Access Policies Configuration

Configure Column-Level Security policies at the application level for BigQuery:

# metadata/application.sl.yml
application:
  accessPolicies:
    apply: true
    location: EU
    taxonomy: RGPD

This enables BigQuery Data Catalog policy tags. Attributes with accessPolicy will be tagged accordingly, restricting column access to authorized users.

Examples

Apply Security to All Tables

starlake secure

Apply Security to Specific Domain

starlake secure --domains starbake

Apply Security to Specific Tables

starlake secure --domains starbake --tables customers,orders

Related Skills

iam-policies - Apply IAM policies
load - Load data (security and privacy applied during load)
config - Configuration reference (application-level settings)

starlake-ai/secure

.agents/skills/secure/SKILL.md

Apply Row Level Security (RLS) and Column Level Security (CLS) policies

1 stars

testing

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add starlake-ai/starlake-skills secure

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:36 AM8.6s1 file scanned

SKILL.md

name:: secure
description:: Apply Row Level Security (RLS) and Column Level Security (CLS) policies

Secure Skill

Applies Row Level Security (RLS) and Column Level Security (CLS) policies defined in your table configurations. Security policies control which users or groups can see which rows and columns.

Usage

starlake secure [options]

Options

--domains <value>: Comma-separated list of domains to apply security (default: all)
--tables <value>: Comma-separated list of tables to apply security (default: all)
--accessToken <value>: Access token for authentication (e.g. GCP)
--options k1=v1,k2=v2: Substitution arguments
--scheduledDate <value>: Scheduled date for the job, format: yyyy-MM-dd'T'HH:mm:ss.SSSZ
--reportFormat <value>: Report output format: console, json, or html

Configuration Context

Security policies are defined in table configuration files:

Row Level Security (RLS)

Filter rows based on user/group membership:

# In table.sl.yml
table:
  rls:
    - name: "USA only"
      predicate: "country = 'USA'"
      grants:
        - "group:usa_team"
    - name: "Recent data"
      predicate: "order_date > CURRENT_DATE - INTERVAL 90 DAY"
      grants:
        - "user:[email protected]"

Column Level Security (CLS) / Access Policies

Restrict access to sensitive columns:

# In table.sl.yml
table:
  attributes:
    - name: "email"
      type: "string"
      accessPolicy: "PII"
    - name: "credit_card"
      type: "string"
      accessPolicy: "SENSITIVE"

Access Control List (ACL)

Grant table-level permissions:

# In table.sl.yml
table:
  acl:
    - role: "roles/bigquery.dataViewer"
      grants:
        - "user:[email protected]"
        - "group:[email protected]"
        - "serviceAccount:[email protected]"

Privacy Transformations

Privacy transformations are applied during data loading to protect sensitive fields. Configure per attribute:

attributes:
  - name: "ssn"
    type: "string"
    privacy: "HIDE" # Never stored — column is dropped

  - name: "email"
    type: "string"
    privacy: "SHA256" # One-way hash

  - name: "ip_address"
    type: "string"
    privacy: "MD5" # Anonymize

  - name: "phone"
    type: "string"
    privacy: "AES" # Reversible encryption

Available Privacy Types

BigQuery Access Policies Configuration

Configure Column-Level Security policies at the application level for BigQuery:

# metadata/application.sl.yml
application:
  accessPolicies:
    apply: true
    location: EU
    taxonomy: RGPD

This enables BigQuery Data Catalog policy tags. Attributes with accessPolicy will be tagged accordingly, restricting column access to authorized users.

Examples

Apply Security to All Tables

starlake secure

Apply Security to Specific Domain

starlake secure --domains starbake

Apply Security to Specific Tables

starlake secure --domains starbake --tables customers,orders

Related Skills

iam-policies - Apply IAM policies
load - Load data (security and privacy applied during load)
config - Configuration reference (application-level settings)

Related Skills

starlake-ai/starflow-transform-design

development

VerifiedTrustedCommunity

Design SQL transformations for data pipelines with quality checks and dependency management. Use when the user says "design transforms" or "create SQL transformations".

1SKILL.mdUpdated Apr 16, 2026

starlake-ai/starflow-transform-design

starlake-ai/starflow-sprint-planning

devops

VerifiedTrustedCommunity

Plan and track sprint progress for data pipeline implementation. Use when the user says "sprint planning" or "plan data sprint".

1SKILL.mdUpdated Apr 16, 2026

starlake-ai/starflow-sprint-planning

starlake-ai/starflow-source-analysis

testing

VerifiedTrustedCommunity

Analyze data sources in depth: schema, quality, volume, and extraction strategy. Use when the user says "analyze data source" or "profile this data source".

1SKILL.mdUpdated Apr 16, 2026

starlake-ai/starflow-source-analysis

starlake-ai/starflow-schema-design

data-ai

VerifiedTrustedCommunity

Design Starlake-compatible table schemas with types, constraints, privacy, and expectations. Use when the user says "design schema" or "create table definition".

1SKILL.mdUpdated Apr 16, 2026

starlake-ai/starflow-schema-design

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/starlake-ai/starlake-skills.git

# Copy into Claude Code skills folder (global)
cp -r starlake-skills/.agents/skills/secure ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

starlake-ai/starlake-skills

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT