Security

What it does

This skill provides repeatable security checks across code, scripts, hooks, and release gates using static analysis and threat modeling techniques. It enables AI agents to perform quick or full security validations before merging or releasing code, as well as recurring scheduled checks for detecting regressions. The skill uses predefined scripts (scripts/security-gate.sh) with different modes (quick, full) to execute various scanners.

When to use it

• Pre-Pull Request (PR): To quickly validate code before opening a PR and ensure basic security standards are met.
• Pre-Release: To perform a comprehensive security scan before a release to identify any potential vulnerabilities that could impact production.
• Nightly Checks: To detect security regressions or drift outside of active PR windows, ensuring ongoing code quality.

Key capabilities

• Runs security checks using scripts (scripts/security-gate.sh) with configurable modes (quick, full, release).
• Utilizes available scanners like semgrep, gosec, and gitleaks.
• Fails builds on high or critical security findings.
• Generates artifacts under $TMPDIR/agentops-security/<run-id>/ for review and auditing.
• Provides a reporting template to document scan results, including severity, file location, and remediation actions.

Example prompts

• /security - Runs a quick security gate.
• /security --full - Executes a full security gate with comprehensive toolchain checks.
• /security --release - Performs a full security gate specifically for release readiness.

Tips & gotchas

• The skill is intended to be used as the canonical security runbook, replacing ad-hoc scanner commands.
• Ensure workflow configurations (.github/workflows/*.yml) are aligned with the skill's execution contract.
• For binary or offline assurance and red teaming exercises, refer to skills/security-suite/SKILL.md. For dependency vulnerability scanning, use the "deps" skill instead.