name	secure-flow
description	A comprehensive security skill that integrates with Secure Flow to help AI coding agents write secure code, perform security reviews, and implement security best practices. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.
version	1.0.0
framework	Secure Flow
purpose	Embed secure-by-default practices into AI coding workflows

Secure Flow Skill

This skill provides comprehensive security guidance to help AI coding agents generate secure code, perform security reviews, and implement security best practices. It is based on Secure Flow, a security framework that embeds secure-by-default practices into AI coding workflows.

When to Use This Skill

This skill should be activated when:

Writing new code in any language
Reviewing or modifying existing code
Implementing security-sensitive features (authentication, cryptography, data handling, etc.)
Working with user input, databases, APIs, or external services
Configuring cloud infrastructure, CI/CD pipelines, or containers
Handling sensitive data, credentials, or cryptographic operations
Performing security assessments, threat modeling, or compliance validation
Creating security tests or remediating vulnerabilities

How to Use This Skill

When writing or reviewing code:

Always-Apply Rules: Some rules MUST be checked on every code operation:
- Security best practices for authentication and authorization
- Input validation and sanitization
- Secure credential management
- Cryptographic best practices
Context-Specific Rules: Apply rules from /rules directory based on the task:
- Code Generation: Use secure-flow-create-secure-template.md when creating new code templates
- Security Testing: Use secure-flow-create-security-tests.md when generating security tests
- Threat Modeling: Use secure-flow-create-threat-model.md when analyzing security threats
- Vulnerability Remediation: Use secure-flow-security-remediation.md when fixing vulnerabilities
- API Security: Use secure-flow-review-api-auth.md when reviewing API endpoints
- Compliance: Use secure-flow-validate-compliance.md when validating compliance requirements
- Docker Security: Use secure-flow-harden-dockerfile-fips.md when hardening containers
- CI/CD Security: Use secure-flow-gate-critical-vulns.md when setting up security gates
- CISA KEV: Use secure-flow-fix-exploitable-vulns.md when fixing exploited vulnerabilities
- AI Security: Use secure-flow-explain-ai-threats.md when working with AI applications
Proactive Security: Don't just avoid vulnerabilities—actively implement secure patterns:
- Use parameterized queries for database access
- Validate and sanitize all user input
- Apply least-privilege principles
- Use modern cryptographic algorithms and libraries
- Implement defense-in-depth strategies
- Follow secure coding standards and best practices

Secure Flow Security Rules

The security rules are available in the rules/ directory.

Usage Workflow

When generating or reviewing code, follow this workflow:

1. Initial Security Check

Before writing any code:

Check: Will this handle credentials? → Apply secure credential management practices
Check: What language/framework am I using? → Identify applicable security rules
Check: What security domains are involved? → Load relevant rule files

2. Code Generation

While writing code:

Apply secure-by-default patterns from relevant Secure Flow rules
Add security-relevant comments explaining choices
Follow framework-specific security best practices

3. Security Review

After writing code:

Review against implementation checklists in each rule
Verify no hardcoded credentials or secrets
Validate that all applicable security rules have been followed
Explain which security rules were applied
Highlight security features implemented

Available Workflows

Code Generation & Templates

secure-flow-create-secure-template - Generate secure code templates with security best practices built-in

Security Testing

secure-flow-create-security-tests - Create comprehensive security test cases and validation scripts

Threat Analysis

secure-flow-create-threat-model - Generate threat models for applications and systems using STRIDE methodology
secure-flow-explain-ai-threats - Explain AI-specific security threats and mitigations

Vulnerability Management

secure-flow-security-remediation - Scan and fix high-impact vulnerabilities in the codebase
secure-flow-fix-exploitable-vulns - Fix CISA Known Exploited Vulnerabilities (KEV) found in your codebase
secure-flow-gate-critical-vulns - Set up CI/CD checks to block critical vulnerabilities

API & Service Security

secure-flow-review-api-auth - Review and add authentication to API endpoints

Compliance & Validation

secure-flow-validate-compliance - Validate compliance with security frameworks and standards (SOC 2, ISO 27001, HIPAA, PCI DSS)

Infrastructure Security

secure-flow-harden-dockerfile-fips - Make Dockerfiles FIPS compliant with security hardening

Implementation Checklist

Identified applicable security rules for the task
Applied secure-by-default patterns
Validated input and output handling
Verified authentication and authorization
Checked for hardcoded credentials
Applied framework-specific security best practices
Reviewed against security checklists
Documented security decisions

name	secure-flow
description	A comprehensive security skill that integrates with Secure Flow to help AI coding agents write secure code, perform security reviews, and implement security best practices. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.
version	1.0.0
framework	Secure Flow
purpose	Embed secure-by-default practices into AI coding workflows

Secure Flow Skill

When to Use This Skill

This skill should be activated when:

Writing new code in any language
Reviewing or modifying existing code
Implementing security-sensitive features (authentication, cryptography, data handling, etc.)
Working with user input, databases, APIs, or external services
Configuring cloud infrastructure, CI/CD pipelines, or containers
Handling sensitive data, credentials, or cryptographic operations
Performing security assessments, threat modeling, or compliance validation
Creating security tests or remediating vulnerabilities

How to Use This Skill

When writing or reviewing code:

Always-Apply Rules: Some rules MUST be checked on every code operation:
- Security best practices for authentication and authorization
- Input validation and sanitization
- Secure credential management
- Cryptographic best practices
Context-Specific Rules: Apply rules from /rules directory based on the task:
- Code Generation: Use secure-flow-create-secure-template.md when creating new code templates
- Security Testing: Use secure-flow-create-security-tests.md when generating security tests
- Threat Modeling: Use secure-flow-create-threat-model.md when analyzing security threats
- Vulnerability Remediation: Use secure-flow-security-remediation.md when fixing vulnerabilities
- API Security: Use secure-flow-review-api-auth.md when reviewing API endpoints
- Compliance: Use secure-flow-validate-compliance.md when validating compliance requirements
- Docker Security: Use secure-flow-harden-dockerfile-fips.md when hardening containers
- CI/CD Security: Use secure-flow-gate-critical-vulns.md when setting up security gates
- CISA KEV: Use secure-flow-fix-exploitable-vulns.md when fixing exploited vulnerabilities
- AI Security: Use secure-flow-explain-ai-threats.md when working with AI applications
Proactive Security: Don't just avoid vulnerabilities—actively implement secure patterns:
- Use parameterized queries for database access
- Validate and sanitize all user input
- Apply least-privilege principles
- Use modern cryptographic algorithms and libraries
- Implement defense-in-depth strategies
- Follow secure coding standards and best practices

Secure Flow Security Rules

The security rules are available in the rules/ directory.

Usage Workflow

When generating or reviewing code, follow this workflow:

1. Initial Security Check

Before writing any code:

Check: Will this handle credentials? → Apply secure credential management practices
Check: What language/framework am I using? → Identify applicable security rules
Check: What security domains are involved? → Load relevant rule files

2. Code Generation

While writing code:

Apply secure-by-default patterns from relevant Secure Flow rules
Add security-relevant comments explaining choices
Follow framework-specific security best practices

3. Security Review

After writing code:

Review against implementation checklists in each rule
Verify no hardcoded credentials or secrets
Validate that all applicable security rules have been followed
Explain which security rules were applied
Highlight security features implemented

Available Workflows

Code Generation & Templates

secure-flow-create-secure-template - Generate secure code templates with security best practices built-in

Security Testing

secure-flow-create-security-tests - Create comprehensive security test cases and validation scripts

Threat Analysis

secure-flow-create-threat-model - Generate threat models for applications and systems using STRIDE methodology
secure-flow-explain-ai-threats - Explain AI-specific security threats and mitigations

Vulnerability Management

secure-flow-security-remediation - Scan and fix high-impact vulnerabilities in the codebase
secure-flow-fix-exploitable-vulns - Fix CISA Known Exploited Vulnerabilities (KEV) found in your codebase
secure-flow-gate-critical-vulns - Set up CI/CD checks to block critical vulnerabilities

API & Service Security

secure-flow-review-api-auth - Review and add authentication to API endpoints

Compliance & Validation

secure-flow-validate-compliance - Validate compliance with security frameworks and standards (SOC 2, ISO 27001, HIPAA, PCI DSS)

Infrastructure Security

secure-flow-harden-dockerfile-fips - Make Dockerfiles FIPS compliant with security hardening

Implementation Checklist

Identified applicable security rules for the task
Applied secure-by-default patterns
Validated input and output handling
Verified authentication and authorization
Checked for hardcoded credentials
Applied framework-specific security best practices
Reviewed against security checklists
Documented security decisions

secure-flow

Secure Flow Skill

When to Use This Skill

How to Use This Skill

Secure Flow Security Rules

Usage Workflow

1. Initial Security Check

2. Code Generation

3. Security Review

Available Workflows

Code Generation & Templates

Security Testing

Threat Analysis

Vulnerability Management

API & Service Security

Compliance & Validation

Infrastructure Security

Implementation Checklist

Secure Flow Skill

When to Use This Skill

How to Use This Skill

Secure Flow Security Rules

Usage Workflow

1. Initial Security Check

2. Code Generation

3. Security Review

Available Workflows

Code Generation & Templates

Security Testing

Threat Analysis

Vulnerability Management

API & Service Security

Compliance & Validation

Infrastructure Security

Implementation Checklist