agentskills.codes
SE

security-compliance

Establish comprehensive security scanning and compliance infrastructure from scratch. Use when working with security audits, vulnerability scanning, secret detection, CodeQL, Dependabot, or security hardening. Critical priority for Qobuzarr.

Install

mkdir -p .claude/skills/security-compliance-richertunes && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16509" && unzip -o skill.zip -d .claude/skills/security-compliance-richertunes && rm skill.zip

Installs to .claude/skills/security-compliance-richertunes

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Establish comprehensive security scanning and compliance infrastructure from scratch. Use when working with security audits, vulnerability scanning, secret detection, CodeQL, Dependabot, or security hardening. Critical priority for Qobuzarr.
241 chars✓ has a “when” trigger

About this skill

<!-- docval:ignore-workflow-refs -->

Security & Compliance Guardian

Mission

Build complete security infrastructure for Qobuzarr, implementing industry-standard scanning, monitoring, and compliance practices.

Current Security Status

  • GitLeaks: Secret scanning configured in security.yml
  • NuGet Scanning: Vulnerability detection in security workflow
  • ⚠️ CodeQL: NOT IMPLEMENTED - Critical gap
  • Dependabot: NOT CONFIGURED - Critical gap
  • Security Policy: No SECURITY.md file
  • Dependency Review: No PR security gates
  • SBOM: Not generated in releases
  • Artifact Signing: Not implemented

Critical Missing Components

1. CodeQL Static Analysis (CRITICAL)

Status: Missing entirely Impact: No automated vulnerability detection in code Action: Create .github/workflows/codeql.yml

2. Dependabot (CRITICAL)

Status: No configuration file Impact: Manual dependency updates, delayed security patches Action: Create .github/dependabot.yml

3. Security Policy (HIGH)

Status: No SECURITY.md Impact: No disclosure process for researchers Action: Create SECURITY.md with contact info and policy

4. Dependency Review (HIGH)

Status: Not configured Impact: PRs can introduce vulnerable dependencies Action: Add dependency-review-action to PR workflow

5. SBOM & Signing (MEDIUM)

Status: Not generated Impact: No supply chain transparency Action: Add to release workflow

Implementation Roadmap

Phase 1: Foundation (Week 1)

# Create .github/workflows/codeql.yml
name: CodeQL Security Scan
on:
  push:
    branches: [main, develop]
  pull_request:
  schedule:
    - cron: '0 3 * * 1'
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: csharp
      - run: dotnet build -c Release
      - uses: github/codeql-action/analyze@v3

Phase 2: Automation (Week 1)

# Create .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: nuget
    directory: "/"
    schedule:
      interval: weekly
      day: monday
      time: "09:00"
    open-pull-requests-limit: 10
    labels: ["dependencies", "automated"]
    assignees: ["RicherTunes"]

  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 5

Phase 3: Documentation (Week 2)

# Create SECURITY.md
# Security Policy

## Reporting Security Issues

**DO NOT** open public GitHub issues for security vulnerabilities.

### Contact
- Email: [email protected]
- Response time: 48 hours
- PGP Key: [fingerprint]

## Supported Versions
| Version | Supported |
|---------|-----------|
| 0.0.x   | ✅ Active development |

## Security Features
- Secret scanning with GitLeaks
- Dependency vulnerability monitoring
- Static analysis with CodeQL (planned)
- Automated security updates via Dependabot (planned)

## Disclosure Process
1. Report received
2. Acknowledgment within 48 hours
3. Investigation and patch development
4. Coordinated disclosure
5. Security advisory published

Phase 4: PR Gates (Week 2)

# Add to .github/workflows/ci.yml
dependency-review:
  runs-on: ubuntu-latest
  if: github.event_name == 'pull_request'
  steps:
    - uses: actions/checkout@v4
    - uses: actions/dependency-review-action@v4
      with:
        fail-on-severity: high

Phase 5: Release Security (Week 3)

# Add to .github/workflows/release.yml
- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    format: spdx-json
    output-file: sbom.spdx.json

- name: Sign artifacts
  uses: sigstore/cosign-installer@v3
- run: cosign sign-blob --yes artifacts/Qobuzarr-${{ env.VERSION }}.zip

Quick Start Commands

# 1. Create security infrastructure
mkdir -p .github/workflows
cat > .github/workflows/codeql.yml << 'EOF'
[CodeQL workflow content]
EOF

cat > .github/dependabot.yml << 'EOF'
[Dependabot config]
EOF

cat > SECURITY.md << 'EOF'
[Security policy]
EOF

# 2. Commit and push
git add .github/workflows/codeql.yml .github/dependabot.yml SECURITY.md
git commit -m "security: add CodeQL, Dependabot, and security policy"
git push

# 3. Enable security features in GitHub repository settings
# Settings → Code security and analysis → Enable all

Related Skills

  • release-automation - Integrate security in releases
  • code-quality - Security through quality gates

Examples

Example 1: Complete Security Setup

User: "Set up complete security infrastructure for Qobuzarr" Action: Create CodeQL workflow, Dependabot config, SECURITY.md, dependency review action, enable GitHub security features

Example 2: Respond to Vulnerability

User: "Dependabot found critical vulnerability in dependency" Action: Review CVE details, assess impact, update dependency, run tests, merge PR expedited

Example 3: Security Audit Preparation

User: "Prepare for security audit" Action: Generate SBOM, document all dependencies, review CodeQL findings, update SECURITY.md, run penetration test

Search skills

Search the agent skills registry