Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

security

Étoiles7

Forks0

Mis à jour7 février 2026 à 20:47

This skill should be used when the user asks about "security", "vulnerability scanning", "dependency audit", "supply chain security", "license compliance", "security audit", "CVE", "OWASP", "secrets scanning", "cargo-deny", "npm audit", or needs guidance on security requirements and vulnerability management.

Installation

Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.

Exécuter dans Manus

Source

zircote

zircote/sdlc-quality

Ouvrir le dépôt GitHub Voir les dépôts du créateur

Téléchargement

Exécuter dans Manus

Métiers associésSOC

Basé sur la classification professionnelle SOC

Analystes en sécurité de l'informationProfessions informatiques et mathématiques·SOC 15-1212

SKILL.md

readonly

name	security
description	This skill should be used when the user asks about "security", "vulnerability scanning", "dependency audit", "supply chain security", "license compliance", "security audit", "CVE", "OWASP", "secrets scanning", "cargo-deny", "npm audit", or needs guidance on security requirements and vulnerability management.
version	1.0.0

Security Standards

Guidance for implementing security requirements including dependency scanning, supply chain security, and vulnerability management.

Tooling

Available Tools: If using Claude Code, the pr-review-toolkit:silent-failure-hunter agent identifies security issues in error handling. Use security scanning tools native to your language ecosystem.

Dependency Security

Vulnerability Scanning (MUST)

Projects MUST use automated dependency vulnerability scanning.

Language	Tool	Command
Rust	cargo-audit	`cargo audit`
Node.js	npm audit	`npm audit`
Python	pip-audit, safety	`pip-audit`
Java	OWASP Dependency-Check	`dependency-check`
Go	govulncheck	`govulncheck ./...`

Scanning Schedule (MUST)

Scanning MUST occur:

On every pull request
On every push to protected branches
On a scheduled basis (daily minimum)

Vulnerability Response (MUST)

Critical and high severity vulnerabilities MUST block PR merges.

Vulnerability Exceptions

Known vulnerabilities that cannot be fixed MUST be:

Documented with justification
Listed in an ignore/allowlist with expiration dates
Reviewed quarterly

# Example: cargo-deny ignore
[advisories]
ignore = [
    # RUSTSEC-2024-0001: No fix available, mitigated by input validation
    # Expires: 2024-06-01, Review: Issue #123
    "RUSTSEC-2024-0001",
]

Supply Chain Security

Required Checks (MUST)

Check	Purpose
License compliance	Verify all dependencies use allowed licenses
Source verification	Ensure dependencies from trusted sources
Advisory database	Check against known vulnerability databases
Package bans	Block known problematic packages
Duplicate detection	Identify multiple versions of same package

Allowed Licenses (MUST)

Allowed licenses MUST be explicitly defined. Recommended allowed licenses:

License	Status
MIT	SHOULD allow
Apache-2.0	SHOULD allow
BSD-2-Clause	SHOULD allow
BSD-3-Clause	SHOULD allow
ISC	SHOULD allow
MPL-2.0	SHOULD allow
CC0-1.0	SHOULD allow
Unlicense	SHOULD allow
Zlib	SHOULD allow

Copyleft Licenses (MUST)

Copyleft licenses (GPL-3.0, AGPL-3.0) MUST be explicitly reviewed and approved before use.

Supply Chain Configuration

# Example: cargo-deny.toml
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "MPL-2.0",
    "CC0-1.0",
    "Unlicense",
    "Zlib",
]

[bans]
multiple-versions = "warn"
deny = [
    # Banned packages
]

[sources]
unknown-registry = "deny"
unknown-git = "deny"

Code Security

Security Scanning (MUST)

All code MUST be scanned for:

Hardcoded secrets
Security misconfigurations
Common vulnerability patterns (OWASP Top 10)

Secret Detection

Use secret scanning tools:

Tool	Usage
gitleaks	`gitleaks detect`
truffleHog	`trufflehog git file://./`
GitHub Secret Scanning	Enabled in repo settings

Security Dashboard (MUST)

Security scan results MUST be uploaded to a centralized security dashboard (e.g., GitHub Security tab).

Semantic Code Analysis (SHOULD)

Projects SHOULD implement semantic code analysis:

CodeQL (GitHub)
Semgrep
SonarQube

Audit Schedule

Quarterly Audits (MUST)

Full dependency audits MUST be conducted quarterly.

Pre-release Monitoring (MUST)

Pre-release dependencies MUST be monitored and documented.

Remediation SLAs (MUST)

Audit findings MUST be tracked and remediated within defined SLAs:

Severity	Remediation Window
Critical	7 days
High	30 days
Medium	90 days
Low	Next major release

Implementation Checklist

Set up vulnerability scanning tool
Configure daily scheduled scans
Define allowed licenses
Configure supply chain checks
Set up secret scanning
Enable GitHub Security features
Document exception process
Establish quarterly audit schedule
Define remediation SLAs

Compliance Verification

# Run vulnerability scan
cargo audit          # Rust
npm audit            # Node.js
pip-audit            # Python

# Check license compliance
cargo deny check licenses

# Scan for secrets
gitleaks detect --source .

# Check for multiple versions
cargo deny check bans

Additional Resources

Reference Files

references/security-tools.md - Security tool configuration
references/license-guide.md - License compliance guide

Examples

examples/cargo-deny.toml - Rust supply chain config
examples/npm-audit-config.json - Node.js audit config
examples/gitleaks.toml - Secret scanning config

Plus depuis ce dépôt

même dépôt

zircote/sdlc-quality

This skill should be used when the user asks about "AI development", "AI coding", "AI assistant", "CLAUDE.md", "AI context", "AI guidelines", "code generation", "AI workflow", "AI review", "AI configuration", or needs guidance on configuring AI assistants and AI-assisted development workflows.

2026-02-077

zircote/sdlc-quality

This skill should be used when the user asks about "CI pipeline", "continuous integration", "GitHub Actions", "CI configuration", "CI jobs", "workflow", "CI caching", "CI environment", "pipeline structure", or needs guidance on setting up or configuring CI/CD pipelines.

2026-02-077

docs

zircote/sdlc-quality

This skill should be used when the user asks about "documentation", "README", "CHANGELOG", "CONTRIBUTING", "ADR", "architecture decision record", "changelog format", "keep a changelog", "doc comments", "API documentation", or needs guidance on project documentation requirements.

2026-02-077

observability

zircote/sdlc-quality

This skill should be used when the user asks about "observability", "logging", "metrics", "tracing", "monitoring", "structured logging", "log format", "log levels", "distributed tracing", "OpenTelemetry", "health checks", or needs guidance on implementing observability and monitoring requirements.

2026-02-077

quality

zircote/sdlc-quality

This skill should be used when the user asks about "code quality", "formatting", "linting", "lint rules", "code style", "error handling", "unsafe code", "documentation comments", "doc comments", "rustfmt", "prettier", "eslint", "clippy", or needs guidance on code quality enforcement and configuration.

2026-02-077

release

zircote/sdlc-quality

This skill should be used when the user asks about "release process", "versioning", "semantic versioning", "semver", "release automation", "publishing", "package publishing", "release checklist", "version bump", "release notes", or needs guidance on release workflows and version management.

2026-02-077

name	security
description	This skill should be used when the user asks about "security", "vulnerability scanning", "dependency audit", "supply chain security", "license compliance", "security audit", "CVE", "OWASP", "secrets scanning", "cargo-deny", "npm audit", or needs guidance on security requirements and vulnerability management.
version	1.0.0

Security Standards

Guidance for implementing security requirements including dependency scanning, supply chain security, and vulnerability management.

Tooling

Available Tools: If using Claude Code, the pr-review-toolkit:silent-failure-hunter agent identifies security issues in error handling. Use security scanning tools native to your language ecosystem.

Dependency Security

Vulnerability Scanning (MUST)

Projects MUST use automated dependency vulnerability scanning.

Language	Tool	Command
Rust	cargo-audit	`cargo audit`
Node.js	npm audit	`npm audit`
Python	pip-audit, safety	`pip-audit`
Java	OWASP Dependency-Check	`dependency-check`
Go	govulncheck	`govulncheck ./...`

Scanning Schedule (MUST)

Scanning MUST occur:

On every pull request
On every push to protected branches
On a scheduled basis (daily minimum)

Vulnerability Response (MUST)

Critical and high severity vulnerabilities MUST block PR merges.

Vulnerability Exceptions

Known vulnerabilities that cannot be fixed MUST be:

Documented with justification
Listed in an ignore/allowlist with expiration dates
Reviewed quarterly

# Example: cargo-deny ignore
[advisories]
ignore = [
    # RUSTSEC-2024-0001: No fix available, mitigated by input validation
    # Expires: 2024-06-01, Review: Issue #123
    "RUSTSEC-2024-0001",
]

Supply Chain Security

Required Checks (MUST)

Check	Purpose
License compliance	Verify all dependencies use allowed licenses
Source verification	Ensure dependencies from trusted sources
Advisory database	Check against known vulnerability databases
Package bans	Block known problematic packages
Duplicate detection	Identify multiple versions of same package

Allowed Licenses (MUST)

Allowed licenses MUST be explicitly defined. Recommended allowed licenses:

License	Status
MIT	SHOULD allow
Apache-2.0	SHOULD allow
BSD-2-Clause	SHOULD allow
BSD-3-Clause	SHOULD allow
ISC	SHOULD allow
MPL-2.0	SHOULD allow
CC0-1.0	SHOULD allow
Unlicense	SHOULD allow
Zlib	SHOULD allow

Copyleft Licenses (MUST)

Copyleft licenses (GPL-3.0, AGPL-3.0) MUST be explicitly reviewed and approved before use.

Supply Chain Configuration

# Example: cargo-deny.toml
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "MPL-2.0",
    "CC0-1.0",
    "Unlicense",
    "Zlib",
]

[bans]
multiple-versions = "warn"
deny = [
    # Banned packages
]

[sources]
unknown-registry = "deny"
unknown-git = "deny"

Code Security

Security Scanning (MUST)

All code MUST be scanned for:

Hardcoded secrets
Security misconfigurations
Common vulnerability patterns (OWASP Top 10)

Secret Detection

Use secret scanning tools:

Tool	Usage
gitleaks	`gitleaks detect`
truffleHog	`trufflehog git file://./`
GitHub Secret Scanning	Enabled in repo settings

Security Dashboard (MUST)

Security scan results MUST be uploaded to a centralized security dashboard (e.g., GitHub Security tab).

Semantic Code Analysis (SHOULD)

Projects SHOULD implement semantic code analysis:

CodeQL (GitHub)
Semgrep
SonarQube

Audit Schedule

Quarterly Audits (MUST)

Full dependency audits MUST be conducted quarterly.

Pre-release Monitoring (MUST)

Pre-release dependencies MUST be monitored and documented.

Remediation SLAs (MUST)

Audit findings MUST be tracked and remediated within defined SLAs:

Severity	Remediation Window
Critical	7 days
High	30 days
Medium	90 days
Low	Next major release

Implementation Checklist

Set up vulnerability scanning tool
Configure daily scheduled scans
Define allowed licenses
Configure supply chain checks
Set up secret scanning
Enable GitHub Security features
Document exception process
Establish quarterly audit schedule
Define remediation SLAs

Compliance Verification

# Run vulnerability scan
cargo audit          # Rust
npm audit            # Node.js
pip-audit            # Python

# Check license compliance
cargo deny check licenses

# Scan for secrets
gitleaks detect --source .

# Check for multiple versions
cargo deny check bans