# Security Pipeline Skill

Version: 0.1.0

## Purpose

Run the repository security scan and generate a deterministic master report outside the target repository.
## Rules

- Always run `./scripts/security_scan.sh` from the target repository root.
- If `./scripts/security_scan.sh` is missing, instruct the user to run `scripts/repo/install_into_repo.sh` from the security-toolbox repo.
- Never write report files inside the target repository.
- Always write `SECURITY_MASTER_REPORT.md` into `~/SecurityScans/<repo_name>/latest/`.
- Read scan outputs from `~/SecurityScans/<repo_name>/latest/`.
- Include the skill and script versions in the report.
- Enrich findings with guidance from `security-best-practices` if available.
## Workflow

- Run the scan from the target repository root:

  ```bash
  bash ./scripts/security_scan.sh
  ```

- Determine `repo_name`:
  - Use `git remote get-url origin` if available, taking the last path component of the URL with any `.git` suffix removed; otherwise use the current directory name.
  - `repo_name` becomes a path component under `~/SecurityScans/`, so reject values such as `..` or names containing `/` before using it.
- Read outputs from `~/SecurityScans/<repo_name>/latest/`.
- Generate the report: write `~/SecurityScans/<repo_name>/latest/SECURITY_MASTER_REPORT.md`.
## Report Requirements

Include the following sections:

- Scan timestamp
- Repo name
- Tool-by-tool status (gitleaks, npm audit, semgrep, trivy)
- Findings grouped by severity: Critical, High, Medium, Low
- Top remediation order (top 5)
- Evidence paths (full paths to output files)
- Versions used (skill version + `scripts/repo/security_scan.sh` version)
- Best-practices guidance when available
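
The workflow and report requirements above, carried through as one added bash example. This is not the skill's or the security-toolbox repo's own code. It assumes that `repo_name` is the last path component of the origin URL with any `.git` suffix stripped and sanitised for use as a path component, that each tool's output file in `~/SecurityScans/<repo_name>/latest/` carries the tool name (used to fill the tool-status section), and that the script version arrives in a `SCRIPT_VERSION` environment variable; the skill specifies none of these.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill or the security-toolbox repo: run the
# scan, derive repo_name, write SECURITY_MASTER_REPORT.md outside the repo.
set -euo pipefail

SKILL_VERSION="0.1.0"
# Assumption: the skill does not say how the script version is obtained.
SCRIPT_VERSION="${SCRIPT_VERSION:-unknown}"

# Reduce a git remote URL (scp-style ssh, https, or local path) to a bare name.
# It becomes a path component, so odd characters are replaced, "."/".." rejected.
repo_name_from_url() {
  local url="${1%/}" name
  name="${url##*/}"     # last path segment
  name="${name##*:}"    # scp-style "host:repo.git" without a slash
  name="${name%.git}"   # drop the .git suffix
  name="$(printf '%s' "$name" | tr -c 'A-Za-z0-9_.-' '_')"
  case "$name" in .|..) name="" ;; esac
  printf '%s\n' "$name"
}

# repo_name: origin remote if available, otherwise the directory name.
determine_repo_name() {
  local dir="${1:-.}" url name
  url="$(git -C "$dir" remote get-url origin 2>/dev/null || true)"
  name="$(repo_name_from_url "$url")"
  if [ -z "$name" ]; then
    name="$(basename "$(cd "$dir" && pwd -P)")"
  fi
  printf '%s\n' "$name"
}

# Output directory outside the repo, as the rules require.
scan_dir() { printf '%s/SecurityScans/%s/latest\n' "$HOME" "$1"; }

# 0 if absolute path $2 lies outside absolute directory $1, else 1.
path_is_outside() {
  case "$2" in "${1%/}"|"${1%/}"/*) return 1 ;; *) return 0 ;; esac
}

# 0 if some file in $1 has $2 in its name. Assumption: each tool's output
# file carries the tool name; the skill does not fix the file names.
has_output_for() {
  local f
  for f in "$1"/*"$2"*; do
    if [ -e "$f" ]; then return 0; fi
  done
  return 1
}

# Write the report with the required sections and print its path. Findings and
# remediation stay as headings: filling them needs the tools' output formats.
write_report() {
  local repo_name="$1" out_dir="$2" report="$2/SECURITY_MASTER_REPORT.md"
  local tool sev f
  mkdir -p "$out_dir"
  {
    printf '# Security Master Report\n\n'
    printf -- '- Scan timestamp: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf -- '- Repo name: %s\n' "$repo_name"
    printf -- '- Versions used: skill %s, security_scan.sh %s\n\n' \
      "$SKILL_VERSION" "$SCRIPT_VERSION"
    printf '## Tool status\n\n'
    for tool in gitleaks "npm audit" semgrep trivy; do
      if has_output_for "$out_dir" "${tool%% *}"; then
        printf -- '- %s: output present\n' "$tool"
      else
        printf -- '- %s: no output found\n' "$tool"
      fi
    done
    printf '\n## Findings by severity\n\n'
    for sev in Critical High Medium Low; do printf '### %s\n\n' "$sev"; done
    printf '## Top remediation order (top 5)\n\n## Evidence paths\n\n'
    for f in "$out_dir"/*; do   # glob order is sorted, so output is stable
      if [ -e "$f" ] && [ "$f" != "$report" ]; then printf -- '- %s\n' "$f"; fi
    done
  } > "$report"
  printf '%s\n' "$report"
}

run_pipeline() {
  local repo_root="${1:-.}" name out_dir
  if [ ! -f "$repo_root/scripts/security_scan.sh" ]; then
    echo "scripts/security_scan.sh missing: run scripts/repo/install_into_repo.sh from the security-toolbox repo" >&2
    return 1
  fi
  (cd "$repo_root" && bash ./scripts/security_scan.sh)
  name="$(determine_repo_name "$repo_root")"
  out_dir="$(scan_dir "$name")"
  if ! path_is_outside "$(cd "$repo_root" && pwd -P)" "$out_dir"; then
    echo "refusing to write the report inside the target repository" >&2
    return 1
  fi
  printf 'wrote %s\n' "$(write_report "$name" "$out_dir")"
}

if [ "${1:-}" = "--run" ]; then run_pipeline "${2:-.}"; fi
```

Save it under any name and invoke it with `--run /path/to/repo`; without `--run` it only defines the functions. The `path_is_outside` check is what turns the "never write inside the target repository" rule into an enforced condition rather than a convention, and the sanitisation in `repo_name_from_url` matters because a crafted origin URL such as `https://host/org/..` would otherwise steer the report path out of `~/SecurityScans/`.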