一键导入
source-command-audit-security-setup
Scaffold GitHub-native security (Dependabot + CodeQL + dependency-review) and sync alerts into the backlog (security-team).
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Scaffold GitHub-native security (Dependabot + CodeQL + dependency-review) and sync alerts into the backlog (security-team).
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Domain Engineering diagnostic — shows what the classifier decides for an objective (CMIS/DAS/profile/skills/mode). Observation-only; never mutates or blocks.
Business-driven methodology entry point — classify (intake), create/advance an Operation or Business work context, and drive the intake → operation → nested-workflow flow. Host-neutral; dry-run by default.
Workflow Navigator — shows the current phase, deliverables, and next commands for an ADR-0057 workflow. Read-only; never mutates state.
Start a focused session on one objective — locks scope, blocks opportunistic refactors.
Deterministic QA gate (ADR-0055) — run the project suite; green + complete acceptance criteria ⇒ qa-approve testing cards into conclusion; red ⇒ report (and qa-reject only attributable failures).
L6 — autonomous feature pipeline. Drives the full squad: design → implement → review → test → log. Checkpoints can be manual or automatic.
| name | source-command-audit-security-setup |
| description | Scaffold GitHub-native security (Dependabot + CodeQL + dependency-review) and sync alerts into the backlog (security-team). |
Use this skill when the user asks to run the migrated source command security-setup.
Make GitHub's security features first-class: keep deps patched, scan code, and turn GitHub's own alerts into owned backlog tasks. Idempotent — safe to re-run.
Confirm the scaffolding (the installer drops these write-if-missing; create if absent):
.github/dependabot.yml — version updates per ecosystem..github/workflows/security.yml — dependency-review (PRs) + /deps-audit + CodeQL,
all advisory by default.Tune to THIS stack — detect the ecosystems in the repo (npm / pip / gomod / cargo /
maven / ...) and enable the matching dependabot.yml blocks; set the CodeQL language
matrix to the repo's real languages, and drop jobs that don't apply. Keep it advisory —
don't make it a required check until the team opts in (that's the enforcement switch).
Close the loop (alerts → backlog) — pull GitHub's own alerts in and prioritize them:
node contextkit/tools/scripts/gh-alerts.mjs --write
node contextkit/tools/scripts/pipeline.mjs ingest contextkit/memory/gh-alerts-findings.json --type chore
Needs an authenticated gh CLI (gh auth login). Degrades silently if absent — never blocks.
Triage with judgment (delegate to the code-security agent): which alerts are actually
reachable/exploitable in THIS app vs transitive noise? Recommend the fix — upgrade · pin ·
replace · accept-with-reason. On a Critical/High, the security-team can block the release.
Report: what was scaffolded, which ecosystems/languages you enabled, and how many alerts were ingested.
Pairs with /deps-audit (deterministic local check: lockfile, pinning, license policy, SBOM,
CVEs). This command adds the GitHub-native layer on top.