---
name: orchestrate:security
description: Add security governance to a target repo - CODEOWNERS, SECURITY.md, CONTRIBUTING.md, LICENSE, .gitignore audit
---
```mermaid
flowchart TD
    START(["/orchestrate:security"]) --> READ["Read plan + scan report"]:::orch
    READ --> CODEOWNERS["Create CODEOWNERS"]:::orch
    CODEOWNERS --> SECURITY_MD["Create SECURITY.md"]:::orch
    SECURITY_MD --> CONTRIBUTING["Create CONTRIBUTING.md"]:::orch
    CONTRIBUTING --> LICENSE["Verify/add LICENSE"]:::orch
    LICENSE --> GITIGNORE["Audit .gitignore"]:::orch
    GITIGNORE --> BRANCH_PROT["Document branch protection"]:::orch
    BRANCH_PROT --> BRANCH["Create branch"]:::orch
    BRANCH --> SIZE{Under 700 lines?}
    SIZE -->|Yes| PR["Commit + open PR"]:::orch
    SIZE -->|No| SPLIT["Split into sub-PRs"]:::orch
    SPLIT --> PR
    PR --> DONE([Phase complete])
    classDef orch fill:#FF9800,stroke:#333,color:white
```
Follow this diagram as the workflow.
Add security governance files to a target repository. This is Phase 5 and
produces PR #4. Focuses on governance and policy files — CI-related security
(scanning, dependabot, scorecard) is handled by orchestrate:ci.
Use this skill when orchestrate:plan identifies security governance as a needed phase.

The target repo must already be cloned at `.repos/<target>/`.

Create CODEOWNERS at the repo root or at `.github/CODEOWNERS`:

```
# Default owners for everything
* @org/team-leads

# Platform and CI
.github/ @org/platform
Makefile @org/platform

# Documentation
docs/ @org/docs-team
*.md @org/docs-team
```

Adapt the teams and paths to the target repo using the plan and scan report. Two things to check before committing: later patterns take precedence, so `*.md` at the bottom reassigns Markdown files under `.github/` away from `@org/platform`; and the teams named must exist in the org and have write access to the repo, or GitHub silently ignores the line. CODEOWNERS is advisory until the "Require review from Code Owners" branch protection rule is enabled (see the branch protection notes below).
Create SECURITY.md with vulnerability reporting guidance:

```markdown
# Security Policy

## Reporting a Vulnerability

Please report security vulnerabilities through GitHub Security Advisories:

**[Report a vulnerability](https://github.com/org/repo/security/advisories/new)**

Do NOT open public issues for security vulnerabilities.

## Response Timeline

- **Acknowledgment:** Within 48 hours
- **Initial assessment:** Within 7 days
- **Fix timeline:** Based on severity

## Security Controls

This repository uses:

- CI security scanning (Trivy, CodeQL)
- Dependency updates via Dependabot
- OpenSSF Scorecard monitoring
- Pre-commit hooks for local checks
```

Adapt the security controls list to what orchestrate:ci actually deployed to this repo; do not list a scanner the repo does not run. The advisory link only accepts reports from outside collaborators if private vulnerability reporting is enabled in the repo's Security settings, which cannot be done from a PR, so call it out in the PR description if it is off.
Create CONTRIBUTING.md with the development workflow:

```markdown
# Contributing

## Development Setup

[Adapt to tech stack from scan report]

## Pull Request Process

1. Fork the repository
2. Create a feature branch from `main`
3. Make your changes with tests
4. Run pre-commit hooks: `pre-commit run --all-files`
5. Submit a pull request

## Commit Messages

Use conventional commit format:

- `feat:` New features
- `fix:` Bug fixes
- `docs:` Documentation changes
- `chore:` Maintenance tasks

All commits must be signed off (`git commit -s`).

## Code of Conduct

[Link to org-level CoC if exists]
```
Check whether a LICENSE file exists at the repo root. If it is missing, add the one called for in the plan.

Audit `.gitignore` for missing patterns and add them:

Secrets and credentials: `.env`, `.env.*`, `.env.local`, `*.key`, `*.pem`, `*.p12`, `*.jks`, `credentials.*`, `secrets.*`, `kubeconfig`, `*kubeconfig*`

IDE and OS files: `.idea/`, `.vscode/`, `.DS_Store`, `Thumbs.db`

Build artifacts (language-specific, per the scan report):
- Python: `__pycache__/`, `*.pyc`, `.ruff_cache/`, `dist/`, `*.egg-info/`
- Go: the compiled binary (named after the `go.mod` module path)
- Node: `node_modules/`, `dist/`, `.next/`

Do not remove existing patterns. Only add missing ones. Two caveats: `.env.*` also hides a committed `.env.example` template, so add `!.env.example` after it if the repo ships one; and adding a pattern does not untrack a file that is already committed, so check `git ls-files` against the new patterns, `git rm --cached` any hits, and treat a committed secret as compromised (rotate it) regardless of whether history is rewritten.
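As an added example (not the orchestrate skill's own code), the audit logic in Python: it takes the existing `.gitignore` text and the stacks the scan report found, appends only the missing patterns under a comment header so nothing existing is removed, and separately flags already-tracked files that the patterns would now cover. The `STACK_PATTERNS` keys, the header wording and the sample inputs are assumptions; the pattern list is the one above, with `!.env.example` added and `.env.local` dropped because `.env.*` already matches it.

```python
import fnmatch
from typing import Dict, Iterable, List, Set, Tuple

# Patterns every repo should ignore (from the audit checklist above).
# "!.env.example" is added so a committed template is not swallowed by ".env.*".
REQUIRED_PATTERNS: Dict[str, List[str]] = {
    "Secrets and credentials": [
        ".env", ".env.*", "!.env.example",
        "*.key", "*.pem", "*.p12", "*.jks",
        "credentials.*", "secrets.*", "kubeconfig", "*kubeconfig*",
    ],
    "IDE and OS files": [".idea/", ".vscode/", ".DS_Store", "Thumbs.db"],
}

# Language-specific build artifacts, keyed by the stack the scan report found
# (keys are an assumption of this example).
STACK_PATTERNS: Dict[str, List[str]] = {
    "python": ["__pycache__/", "*.pyc", ".ruff_cache/", "dist/", "*.egg-info/"],
    "node": ["node_modules/", "dist/", ".next/"],
}


def existing_patterns(gitignore_text: str) -> Set[str]:
    """Non-comment, non-blank lines of a .gitignore, whitespace-stripped."""
    return {
        line.strip()
        for line in gitignore_text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    }


def audit_gitignore(gitignore_text: str, stacks: Iterable[str] = ()) -> Tuple[str, List[str]]:
    """Return (new_text, added_patterns). Existing lines are kept verbatim;
    only missing patterns are appended, grouped under a comment header."""
    present = existing_patterns(gitignore_text)
    groups = dict(REQUIRED_PATTERNS)
    for stack in stacks:
        groups[f"Build artifacts ({stack})"] = STACK_PATTERNS[stack]

    added: List[str] = []
    out = gitignore_text
    if out and not out.endswith("\n"):
        out += "\n"
    for header, patterns in groups.items():
        missing = [p for p in patterns if p not in present]
        if not missing:
            continue
        present.update(missing)  # so "dist/" is not appended twice for python+node
        added.extend(missing)
        out += f"\n# {header} (added by security governance audit)\n"
        out += "\n".join(missing) + "\n"
    return out, added


def _matches(path: str, pattern: str) -> bool:
    """Minimal .gitignore matcher: 'dir/' matches any directory component,
    a pattern without '/' matches the basename, anything else matches the full path."""
    if pattern.endswith("/"):
        return pattern[:-1] in path.split("/")[:-1]
    if "/" not in pattern:
        return fnmatch.fnmatch(path.rsplit("/", 1)[-1], pattern)
    return fnmatch.fnmatch(path, pattern)


def is_ignored(path: str, patterns: Iterable[str]) -> bool:
    """Apply patterns in order; the last matching one wins, and a '!' pattern re-includes."""
    ignored = False
    for pattern in patterns:
        negated = pattern.startswith("!")
        if _matches(path, pattern[1:] if negated else pattern):
            ignored = not negated
    return ignored


def tracked_violations(tracked_files: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Files already committed (e.g. the output of `git ls-files`) that the
    patterns would now ignore. Adding a pattern never untracks them."""
    pats = list(patterns)
    return sorted(f for f in tracked_files if is_ignored(f, pats))


if __name__ == "__main__":
    # Constructed sample: a minimal existing .gitignore and a fake `git ls-files` listing.
    current = "# existing\n*.pyc\ndist/\n"
    new_text, added = audit_gitignore(current, stacks=["python", "node"])
    print(new_text)
    tracked = ["README.md", "config/.env", ".env.example", "certs/server.pem",
               ".idea/workspace.xml", "src/app.py", "deploy/kubeconfig.prod"]
    print("already tracked, needs git rm --cached:", tracked_violations(tracked, added))
```

Feed `tracked_violations` the real `git ls-files` output before opening the PR; every hit goes in the PR description, and any hit that is a credential is a rotation task, not just a `.gitignore` line.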
Branch protection is a repository setting, not a file, so it cannot be applied by this PR. Document the recommended rules for `main` in the PR description so a maintainer can enable them:

- Require pull request reviews, including review from Code Owners (without this the CODEOWNERS file above has no enforcement effect)
- Require the CI status checks added by orchestrate:ci to pass before merging

Then create the branch, stage everything, and check the size of the staged diff. The new governance files are untracked until `git add`, so a plain `git diff --stat` would not count them; use `--cached` after staging:

```bash
git -C .repos/<target> checkout -b orchestrate/security
git -C .repos/<target> add -A
# total insertions/deletions of the staged change; split into sub-PRs if over 700 lines
git -C .repos/<target> diff --cached --stat | tail -1
git -C .repos/<target> commit -s -m "feat: add security governance (CODEOWNERS, SECURITY.md, CONTRIBUTING.md, .gitignore)"
git -C .repos/<target> push -u origin orchestrate/security
# --head is needed because gh is run outside the clone
gh pr create --repo org/repo --head orchestrate/security --title "Add security governance files" --body "Phase 5 of repo orchestration. Adds CODEOWNERS, SECURITY.md, CONTRIBUTING.md, LICENSE verification, and .gitignore hardening."
```
Set security to complete in phase-status.md.
Related skills:

- orchestrate: parent router
- orchestrate:ci: previous phase (CI-related security is there)
- orchestrate:plan: defines the security phase tasks
- orchestrate:replicate: next phase, bootstrap skills