Security guidance skills for AI coding assistants. Covers cryptography, web security, supply chain, MCP servers, Kubernetes, API gateways, fuzzing, static analysis, audit workflows, and more.
Install via claudepluginhub:

```sh
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills
```

Skills include:

- AddressSanitizer detects memory errors during fuzzing. Use when fuzzing C/C++ code to find buffer overflows and use-after-free bugs.
- Secure the administrative interface of model registries. Use when building, deploying, or reviewing model registry access controls and admin interfaces.
- AFL++ is a fork of AFL with better fuzzing performance and advanced features. Use for multi-core fuzzing of C/C++ projects.
- Enforce that AI agents have their own identity separate from human users. Use when designing, building, or reviewing agent identity management, agent authentication, or agent permission models.
- Enforce SPIFFE/SPIRE plus mTLS for agent-to-agent communication. Use when designing, building, or reviewing authentication between AI agents or multi-agent systems.
Security skills for AI coding assistants and agentic systems. Skills encode security recommendations, guidelines, and best practices as structured markdown files that AI assistants (Claude Code, Cursor, Copilot, and others) consume directly while writing, testing, and auditing code.
The goal is to shift security left: apply security guidance during development, not after review.
```sh
make bootstrap
```

Installs ruff, ty, skillsaw, pre-commit, and wires up git hooks so linting and ADR validation run automatically before each commit. Requires uv on your PATH.
Reference any skill by path in your assistant prompt:
Using `module/skills/input-output-sanitization/SKILL.md`: review this MCP server for injection risks.
Using `module/skills/cargo-fuzz/SKILL.md`: write a fuzzing harness for this parser.
Using `module/skills/differential-review/SKILL.md`: review the security impact of this diff.
Skills are tool-agnostic — the same files work in any assistant that can read them.
Install all skills to your AI assistant in one command using Lola:

```sh
lola mod add https://github.com/RedHatProductSecurity/prodsec-skills.git
lola install prodsec-skills --assistant claude-code
```
For platforms that bake knowledge into runner images and expose it via add_dirs (e.g. Ambient Code Platform):
1. Clone the module into your image at build time, pinned to a specific SHA:

```dockerfile
ARG PRODSEC_SKILLS_REF=<pinned-sha>
RUN git clone https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills \
    && git -C /app/prodsec-skills checkout --detach "${PRODSEC_SKILLS_REF}" \
    && rm -rf /app/prodsec-skills/.git
```
2. Add /app/prodsec-skills/module to add_dirs — not the repo root. This ensures the agent's context entry point is module/AGENTS.md (the AI Main Spec), not the contributor-facing root AGENTS.md:

```python
# bridge.py — during session setup
PRODSEC_MODULE_PATH = "/app/prodsec-skills/module"
if Path(f"{PRODSEC_MODULE_PATH}/skills").exists() and PRODSEC_MODULE_PATH not in add_dirs:
    add_dirs.append(PRODSEC_MODULE_PATH)
```
3. Optionally inject a system prompt directing agents to the skill index and the correct path pattern (module/skills/<skill-id>/SKILL.md):

```python
PRODSEC_SKILLS_PROMPT = (
    "## Security Skills\n"
    "Product Security skills are available at `/app/prodsec-skills/module/skills/`.\n"
    "Choose a skill by reading its `description` field in `SKILL.md` — it is written "
    "as an invocation condition. When performing security-sensitive tasks, read the "
    "relevant skill before proceeding.\n"
    "See `/app/prodsec-skills/module/AGENTS.md` for the full index and usage guide.\n\n"
)
```
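The three steps above put together as one session-setup helper. This is an added example, not the project's own bridge.py: it refuses a checkout that lacks skills/ or AGENTS.md, appends the module path to add_dirs only once, and builds the prompt from the skills actually present by reading the `description` field of each SKILL.md, which it assumes is held in YAML frontmatter. The demo module tree is constructed sample data.

```python
# Added example, not the project's bridge.py: wire a pinned prodsec-skills
# checkout into add_dirs and build the system prompt from the skills present.
# Assumes each SKILL.md starts with YAML frontmatter holding `description:`.
import re
import tempfile
from pathlib import Path

def read_description(skill_md: Path) -> str:
    """Return the `description:` value from SKILL.md frontmatter, or ''."""
    fm = re.match(r"^---\n(.*?)\n---", skill_md.read_text(encoding="utf-8"), re.S)
    d = re.search(r"^description:\s*(.+)$", fm.group(1), re.M) if fm else None
    return d.group(1).strip().strip('"') if d else ""

def configure_prodsec_skills(module_path: str, add_dirs: list[str]) -> str:
    """Append module_path to add_dirs once and return the prompt; '' if invalid."""
    module = Path(module_path)
    skills_dir = module / "skills"
    # A bad image build (wrong path, no AGENTS.md) should fail at session setup
    # rather than silently exposing an empty or wrong directory to the agent.
    if not skills_dir.is_dir() or not (module / "AGENTS.md").is_file():
        return ""
    if module_path not in add_dirs:
        add_dirs.append(module_path)
    index = "\n".join(  # one line per skill: id and its invocation condition
        f"- `{p.parent.name}`: {read_description(p)}"
        for p in sorted(skills_dir.glob("*/SKILL.md"))
    )
    return (
        "## Security Skills\n"
        f"Product Security skills are available at `{skills_dir}/`.\n"
        "Choose a skill by reading its `description` field in `SKILL.md`; it is "
        "written as an invocation condition. Read the relevant skill before "
        "performing security-sensitive tasks.\n"
        f"See `{module / 'AGENTS.md'}` for the full index and usage guide.\n\n"
        f"{index}\n"
    )

def build_demo_module() -> str:
    """Constructed throwaway module tree with two skills (sample data only)."""
    root = Path(tempfile.mkdtemp()) / "module"
    (root / "skills").mkdir(parents=True)
    (root / "AGENTS.md").write_text("# AI Main Spec\n", encoding="utf-8")
    skills = {"cargo-fuzz": "Write a fuzzing harness for a Rust crate.",
              "differential-review": "Review the security impact of a diff."}
    for skill, desc in skills.items():
        d = root / "skills" / skill
        d.mkdir()
        (d / "SKILL.md").write_text(
            f"---\nname: {skill}\ndescription: {desc}\n---\n# {skill}\n",
            encoding="utf-8")
    return str(root)
```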
The module/AGENTS.md file (the AI Main Spec) is the single entry point — it
lists all 135 skills with their trigger conditions and category groupings.
The included .coderabbit.yaml translates prodsec-skills into automated PR review rules for CodeRabbit. It condenses ~60 skills into path-based review instructions, enables 8 security scanners, and defines pre-merge checks for the highest-severity concerns.
This condensed version will be updated as new applicable skills are added to prodsec-skills.
To adopt in your repository:
Copy .coderabbit.yaml to the root of your repo (must be on the default branch):

```sh
curl -fsSL https://raw.githubusercontent.com/RedHatProductSecurity/prodsec-skills/main/.coderabbit.yaml \
  -o .coderabbit.yaml
```

Note: This fetches the latest version from main. For reproducible installs, pin to a specific commit SHA: https://raw.githubusercontent.com/RedHatProductSecurity/prodsec-skills/<SHA>/.coderabbit.yaml
Customize the globs in path_instructions for your project structure. The defaults use common conventions (**/{auth,oauth}/**/*, **/*.go, etc.) but may need tuning.
Adjust pre-merge check modes. Start with warning, promote to error after 2-4 weeks:

```yaml
pre_merge_checks:
  custom_checks:
    - name: "no-hardcoded-secrets"
      mode: "warning" # change to "error" once tuned
```
Validate by commenting @coderabbitai configuration on any PR.
What you get: