configure-security
/configure:security
Check and configure security scanning tools for dependency audits, SAST, and secret detection.
When to Use This Skill
| Use this skill when... | Use another approach when... |
|---|---|
| Setting up dependency auditing, SAST, or secret detection for a project | Running a one-off security scan (use gitleaks detect or npm audit directly) |
| Checking project compliance with security scanning standards | Reviewing code for application-level vulnerabilities (use security-audit agent) |
| Configuring Dependabot, CodeQL, or TruffleHog in CI/CD | Managing GitHub repository security settings via the web UI |
| Creating or updating a SECURITY.md policy | Writing security documentation beyond the policy template |
| Auditing which security tools are missing from a project | Investigating a specific CVE or vulnerability |
Context
- Package files: !`find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)`
- Gitleaks config: !`find . -maxdepth 1 -name '.gitleaks.toml'`
- Pre-commit config: !`find . -maxdepth 1 -name '.pre-commit-config.yaml'`
- Workflows dir: !`find .github -maxdepth 1 -type d -name 'workflows' 2>/dev/null`
- Dependabot config: !`find .github -maxdepth 1 -name 'dependabot.yml' 2>/dev/null`
- CodeQL workflow: !`find .github/workflows -maxdepth 1 -name 'codeql*' 2>/dev/null`
- Security policy: !`find . -maxdepth 1 -name 'SECURITY.md'`

Note that find -name matches the basename only, so the workflows and Dependabot checks search inside .github rather than passing a slash-containing pattern, which would never match.

Security scanning layers:
- Dependency auditing - Check for known vulnerabilities in dependencies
- SAST (Static Application Security Testing) - Analyze code for security issues
- Secret detection - Prevent committing secrets to version control
Parameters
Parse from command arguments:
- --check-only: Report status without offering fixes
- --fix: Apply all fixes automatically without prompting
- --type <type>: Focus on a specific security type (dependencies, sast, secrets, all)
Execution
Execute this security scanning configuration check:
Step 1: Fetch latest tool versions
Verify latest versions before configuring:
- Trivy: Check GitHub releases
- Grype: Check GitHub releases
- gitleaks: Check GitHub releases
- pip-audit: Check PyPI
- cargo-audit: Check crates.io
- CodeQL: Check GitHub releases
Use WebSearch or WebFetch to verify current versions.
Step 2: Detect project languages and tools
Identify project languages and existing security tools:
| Indicator | Language/Tool | Security Tools |
|---|---|---|
| package.json | JavaScript/TypeScript | npm audit, Snyk |
| pyproject.toml | Python | pip-audit, safety, bandit |
| Cargo.toml | Rust | cargo-audit, cargo-deny |
| go.mod | Go | govulncheck |
| .gitleaks.toml | gitleaks | Secret scanning |
| .github/workflows/ | GitHub Actions | CodeQL, Dependabot |
Step 3: Analyze current security state
Check existing security configuration across three areas:
Dependency Auditing:
- Package manager audit configured
- Audit scripts in package.json/Makefile
- Dependabot enabled
- Dependency review action in CI
- Auto-merge for minor updates configured (only behind required CI checks; unguarded auto-merge widens supply-chain exposure)
SAST Scanning:
- CodeQL workflow exists
- Semgrep configured
- Bandit configured (Python)
- SAST in CI pipeline
Secret Detection:
- Gitleaks configured with .gitleaks.toml
- Pre-commit hook configured
- Git history scanned
- TruffleHog configured (optional complement)
Step 4: Generate compliance report
Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.
If --check-only is set, stop here.
For the compliance report format, see REFERENCE.md.
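A minimal, file-based version of the Step 2 to Step 4 check, added here as an example and not the skill's own implementation. It detects ecosystems from manifest files, prints one PASS or MISSING line per component, and returns the number of missing components as its exit status so a --check-only caller can branch on it. It inspects only the working tree: whether Dependabot is enabled in repository settings, or whether git history has actually been scanned, cannot be read from files, and the specific paths it looks for (codeql.yml or codeql-analysis.yml, .cargo/audit.toml, an "audit" script in package.json, a [tool.bandit] table) are assumptions about project layout.

```shell
#!/usr/bin/env sh
# Added example: a file-based compliance check for Steps 2-4.
# Usage: security_compliance_check [project-dir]; exit status = missing count.

# 0 if any of the listed paths exists under the project dir, else 1.
_has_any() {
  local dir="$1" p; shift
  for p in "$@"; do
    [ -e "$dir/$p" ] && return 0
  done
  return 1
}

# Step 2: ecosystems from manifest files, space-separated (empty if none).
detect_ecosystems() {
  local dir="${1:-.}" found=""
  [ -f "$dir/package.json" ]   && found="$found npm"
  [ -f "$dir/pyproject.toml" ] && found="$found pip"
  [ -f "$dir/Cargo.toml" ]     && found="$found cargo"
  [ -f "$dir/go.mod" ]         && found="$found gomod"
  echo "${found# }"
}

# Print one report line; MISSING is the running total for the report.
_report() {
  local label="$1" ok="$2"
  if [ "$ok" -eq 0 ]; then
    printf '  [PASS]    %s\n' "$label"
  else
    printf '  [MISSING] %s\n' "$label"
    MISSING=$((MISSING + 1))
  fi
}
# Component passes if any of the given paths exists.
_check_file() {
  local label="$1" dir="$2" ok=1; shift 2
  _has_any "$dir" "$@" && ok=0
  _report "$label" "$ok"
}
# Component passes if the file exists and contains the pattern (-s: quiet on missing file).
_check_grep() {
  local label="$1" file="$2" pat="$3" ok=1
  grep -qs -- "$pat" "$file" && ok=0
  _report "$label" "$ok"
}

# Steps 3-4: check each layer and print the report.
security_compliance_check() {
  local dir="${1:-.}" eco
  MISSING=0
  eco="$(detect_ecosystems "$dir")"
  echo "Security compliance report: $dir"
  echo "Detected ecosystems: ${eco:-none}"
  echo "Dependency auditing:"
  _check_file "Dependabot config (.github/dependabot.yml)" "$dir" .github/dependabot.yml
  _check_file "Dependency review workflow" "$dir" .github/workflows/dependency-review.yml
  case " $eco " in *" npm "*)   _check_grep "npm audit script in package.json" "$dir/package.json" '"audit"' ;; esac
  case " $eco " in *" pip "*)   _check_grep "pip-audit declared in pyproject.toml" "$dir/pyproject.toml" 'pip-audit' ;; esac
  case " $eco " in *" cargo "*) _check_file "cargo-audit config (.cargo/audit.toml)" "$dir" .cargo/audit.toml ;; esac
  echo "SAST scanning:"
  _check_file "CodeQL workflow" "$dir" .github/workflows/codeql.yml .github/workflows/codeql-analysis.yml
  case " $eco " in *" pip "*)   _check_grep "Bandit configured ([tool.bandit])" "$dir/pyproject.toml" '\[tool.bandit\]' ;; esac
  echo "Secret detection:"
  _check_file "gitleaks config (.gitleaks.toml)" "$dir" .gitleaks.toml
  _check_grep "gitleaks pre-commit hook" "$dir/.pre-commit-config.yaml" 'gitleaks'
  echo "Security policy:"
  _check_file "SECURITY.md" "$dir" SECURITY.md .github/SECURITY.md
  echo "Missing components: $MISSING"
  return "$MISSING"
}
```

Run it as security_compliance_check . from the project root; a non-zero exit status means at least one component is missing, which is what a --check-only invocation should surface to its caller.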
Step 5: Configure dependency auditing (if --fix or user confirms)
Based on detected language:
JavaScript/TypeScript (npm/bun):
- Add audit scripts to package.json
- Create Dependabot config .github/dependabot.yml
- Create dependency review workflow .github/workflows/dependency-review.yml
Python (pip-audit):
- Install pip-audit: uv add --group dev pip-audit
- Create audit script
Rust (cargo-audit):
- Install cargo-audit: cargo install cargo-audit --locked
- Configure in .cargo/audit.toml
For complete configuration templates, see REFERENCE.md.
Step 6: Configure SAST scanning (if --fix or user confirms)
- Create CodeQL workflow .github/workflows/codeql.yml with detected languages
- For Python projects, install and configure Bandit
- Run Bandit:
uv run bandit -r src/ -f json -o bandit-report.json
For CodeQL workflow and Bandit configuration templates, see REFERENCE.md.
Step 7: Configure secret detection (if --fix or user confirms)
- Install gitleaks: brew install gitleaks (or go install github.com/gitleaks/gitleaks/v8@latest)
- Create .gitleaks.toml with project-specific allowlists
- Run initial scan: gitleaks detect --source . (scans the full git history by default; add --no-git to scan only the working tree)
- Add pre-commit hook to .pre-commit-config.yaml
- Optionally configure TruffleHog workflow for CI
For gitleaks, TruffleHog, and CI workflow configuration templates, see REFERENCE.md.
Step 8: Create security policy
Create SECURITY.md with:
- Supported versions table
- Vulnerability reporting process (email, expected response time, disclosure policy)
- Information to include in reports
- Security best practices for users and contributors
- Automated security tools list
For the SECURITY.md template, see REFERENCE.md.
Step 9: Configure CI/CD integration
Create comprehensive security workflow .github/workflows/security.yml with jobs for:
- Dependency audit
- Secret scanning (TruffleHog)
- SAST scan (CodeQL)
Schedule weekly scans in addition to push/PR triggers.
For the CI security workflow template, see REFERENCE.md.
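The file-creation part of Steps 5 to 9 for Dependabot, CodeQL and the gitleaks pre-commit hook, added here as an example and not the templates REFERENCE.md provides. Its point is that the --fix path must be safe to re-run: an existing file is reported and left untouched, a pre-commit config that already exists without gitleaks is flagged for a manual edit instead of being rewritten, and a project with no CodeQL-supported language gets no CodeQL workflow (the Error Handling rule). The gitleaks release tag, the main branch name, the weekly cron, and the mapping from manifests to ecosystem and language names are placeholders and assumptions; replace the versions with what Step 1 verified.

```shell
#!/usr/bin/env sh
# Added example, not the skill's own templates: idempotent writers for the
# Dependabot config, the CodeQL workflow and the gitleaks pre-commit hook.
# GITLEAKS_REV is a placeholder; resolve the real release as Step 1 requires.
GITLEAKS_REV="${GITLEAKS_REV:-v8.21.2}"
CREATED=0
# Write stdin to $1 unless the file already exists; count what was created.
write_if_missing() {
  local path="$1"
  if [ -e "$path" ]; then
    printf 'skip   %s (exists, left untouched)\n' "$path"
    return 0
  fi
  mkdir -p "$(dirname "$path")"
  cat >"$path"
  CREATED=$((CREATED + 1))
  printf 'create %s\n' "$path"
}
# Step 5: one Dependabot entry per manifest found; github-actions is always
# included so the pinned action versions in workflows get updates too.
write_dependabot() {
  local dir="$1" eco ecos="" updates=""
  [ -f "$dir/package.json" ]   && ecos="$ecos npm"
  [ -f "$dir/pyproject.toml" ] && ecos="$ecos pip"
  [ -f "$dir/Cargo.toml" ]     && ecos="$ecos cargo"
  [ -f "$dir/go.mod" ]         && ecos="$ecos gomod"
  for eco in $ecos github-actions; do
    updates="$updates  - package-ecosystem: \"$eco\"
    directory: \"/\"
    schedule:
      interval: \"weekly\"
"
  done
  write_if_missing "$dir/.github/dependabot.yml" <<EOF
version: 2
updates:
$updates
EOF
}
# Step 6: CodeQL with the detected languages. Cargo.toml is deliberately not
# mapped: per Error Handling, skip languages your CodeQL version lacks.
write_codeql() {
  local dir="$1" langs=""
  [ -f "$dir/package.json" ]   && langs="$langs javascript-typescript"
  [ -f "$dir/pyproject.toml" ] && langs="$langs python"
  [ -f "$dir/go.mod" ]         && langs="$langs go"
  langs="$(echo "${langs# }" | sed 's/ /, /g')"
  if [ -z "$langs" ]; then
    echo 'skip   codeql.yml (no CodeQL-supported language detected)'
    return 0
  fi
  write_if_missing "$dir/.github/workflows/codeql.yml" <<EOF
name: CodeQL
on:
  push: { branches: [main] }
  pull_request: { branches: [main] }
  schedule: [{ cron: '0 6 * * 1' }]   # weekly run in addition to push/PR
permissions:
  contents: read            # least privilege: only the SARIF upload needs write
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [$langs]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: \${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
EOF
}
# Step 7: gitleaks pre-commit hook. A pre-commit config that already exists
# without gitleaks is flagged for a manual edit rather than rewritten.
write_gitleaks_hook() {
  local dir="$1" cfg="$1/.pre-commit-config.yaml"
  if [ -f "$cfg" ] && ! grep -q gitleaks "$cfg"; then
    echo "todo   $cfg exists without gitleaks; add the hook by hand"
    return 0
  fi
  write_if_missing "$cfg" <<EOF
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: $GITLEAKS_REV
    hooks:
      - id: gitleaks
EOF
}
apply_security_fixes() {
  local dir="${1:-.}"
  CREATED=0
  write_dependabot "$dir"
  write_codeql "$dir"
  write_gitleaks_hook "$dir"
  echo "created $CREATED file(s) under $dir"
}
```

Run apply_security_fixes /path/to/project once to create the files and again to confirm it reports every one of them as skipped; the dependency-review workflow, SECURITY.md and security.yml from the later steps follow the same write_if_missing pattern.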
Step 10: Update standards tracking
Update .project-standards.yaml:
components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true
Step 11: Report configuration results
Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.
For the results report format, see REFERENCE.md.
Agentic Optimizations
| Context | Command |
|---|---|
| Quick compliance check | /configure:security --check-only |
| Auto-fix all security gaps | /configure:security --fix |
| Dependencies only | /configure:security --type dependencies |
| Secret detection only | /configure:security --type secrets |
| SAST scanning only | /configure:security --type sast |
| Verify secrets scan | gitleaks detect --source . --verbose |
Flags
| Flag | Description |
|---|---|
| --check-only | Report status without offering fixes |
| --fix | Apply all fixes automatically without prompting |
| --type <type> | Focus on a specific security type (dependencies, sast, secrets, all) |
Error Handling
- No package manager detected: Skip dependency auditing
- GitHub Actions not available: Warn about CI limitations
- Secrets found in history: Provide remediation guide (rotate the credential first; rewriting history does not revoke a secret that has already been pushed)
- CodeQL unsupported language: Skip SAST for that language
See Also
- /configure:workflows - GitHub Actions workflow standards
- /configure:pre-commit - Pre-commit hook configuration
- /configure:all - Run all compliance checks
- GitHub Security Features: https://docs.github.com/en/code-security
- gitleaks: https://github.com/gitleaks/gitleaks
- CodeQL: https://codeql.github.com