From configure-plugin
Checks and configures security scanning for dependency audits, SAST, and secrets. Supports package.json, pyproject.toml, Cargo.toml, go.mod; sets up Dependabot, CodeQL, Gitleaks.
How this skill is triggered: by the user, by Claude, or both.
Slash command: /configure-plugin:configure-security
This skill is limited to the following tools:
The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
Check and configure security scanning tools for dependency audits, SAST, and secret detection.
| Use this skill when... | Use another approach when... |
|---|---|
| Setting up dependency auditing, SAST, or secret detection for a project | Running a one-off security scan (use gitleaks detect or npm audit directly) |
| Checking project compliance with security scanning standards | Reviewing code for application-level vulnerabilities (use security-audit agent) |
| Configuring Dependabot, CodeQL, or TruffleHog in CI/CD | Managing GitHub repository security settings via the web UI |
| Creating or updating a SECURITY.md policy | Writing security documentation beyond the policy template |
| Auditing which security tools are missing from a project | Investigating a specific CVE or vulnerability |
Detect project manifests and existing security configuration:

```bash
find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)
find . -maxdepth 1 -name '.gitleaks.toml'
find . -maxdepth 1 -name '.pre-commit-config.yaml'
# find -name compares only the basename, so -name '.github/workflows' or
# -name '.github/dependabot.yml' can never match; test those paths directly.
test -d .github/workflows
test -f .github/dependabot.yml
find .github/workflows -maxdepth 1 -name 'codeql*' 2>/dev/null
find . -maxdepth 1 -name 'SECURITY.md'
```
Security scanning layers:

Parse from command arguments:
- --check-only: Report status without offering fixes
- --fix: Apply all fixes automatically without prompting
- --type <type>: Focus on a specific security type (dependencies, sast, secrets, all)

Execute this security scanning configuration check:
Verify latest versions before configuring: use WebSearch or WebFetch to confirm the current release of each tool and GitHub Action before writing a version into a config file or workflow, so the generated configuration does not pin a stale or yanked release.
Identify project languages and existing security tools:
| Indicator | Language/Tool | Security Tools |
|---|---|---|
package.json | JavaScript/TypeScript | npm audit, Snyk |
pyproject.toml | Python | pip-audit, safety, bandit |
Cargo.toml | Rust | cargo-audit, cargo-deny |
.gitleaks.toml | gitleaks | Secret scanning |
.github/workflows/ | GitHub Actions | CodeQL, Dependabot |
Check existing security configuration across three areas:

Dependency Auditing:

SAST Scanning:

Secret Detection:
- .gitleaks.toml

Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.
If --check-only is set, stop here.
For the compliance report format, see REFERENCE.md.
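The check pass above, as an added stand-alone shell script (example code, not the plugin's own implementation): it looks for the same indicator files the skill checks, prints a PASS/MISSING line per component, and returns the number of missing components so it can double as a CI exit status. The report wording, the rule that a pre-commit config only counts as secret detection when it references gitleaks, and the constructed sample project are all assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the plugin's own code: a stand-alone version of the
# --check-only pass. File names are the ones this page lists; the PASS/MISSING
# labels and the sample project below are constructed for the example.
set -u

# detect_languages DIR: print one line per manifest found, in a fixed order.
detect_languages() {
  local dir=$1
  [ -f "$dir/package.json" ]   && echo javascript
  [ -f "$dir/pyproject.toml" ] && echo python
  [ -f "$dir/Cargo.toml" ]     && echo rust
  [ -f "$dir/go.mod" ]         && echo go
  return 0
}

# has_secret_detection DIR: true if a gitleaks config exists or the pre-commit
# config references gitleaks. A bare .pre-commit-config.yaml is not enough;
# it may only run formatters.
has_secret_detection() {
  local dir=$1
  [ -f "$dir/.gitleaks.toml" ] && return 0
  [ -f "$dir/.pre-commit-config.yaml" ] && grep -q gitleaks "$dir/.pre-commit-config.yaml"
}

# has_sast DIR: true if any CodeQL workflow is present. A glob is used because
# find -name only compares the basename and cannot match a path.
has_sast() {
  local dir=$1 f
  for f in "$dir"/.github/workflows/codeql*; do
    [ -f "$f" ] && return 0
  done
  return 1
}

has_dependency_audit() { [ -f "$1/.github/dependabot.yml" ]; }
has_security_policy()  { [ -f "$1/SECURITY.md" ]; }

# security_report DIR: print the report and return the number of missing
# components (0 means every component is configured).
security_report() {
  local dir=$1 missing=0 name fn
  echo "Security scanning compliance for $dir (languages: $(detect_languages "$dir" | tr '\n' ' '))"
  while read -r name fn; do
    if "$fn" "$dir"; then
      printf '  %-18s PASS\n' "$name"
    else
      printf '  %-18s MISSING\n' "$name"
      missing=$((missing + 1))
    fi
  done <<'EOF'
dependency_audit has_dependency_audit
sast has_sast
secret_detection has_secret_detection
security_policy has_security_policy
EOF
  return "$missing"
}

# make_sample_project DIR: constructed sample (not a real repository) with a
# Python manifest, a pre-commit config that only runs a formatter, and a
# SECURITY.md, but no Dependabot, CodeQL or gitleaks configuration.
make_sample_project() {
  local dir=$1
  mkdir -p "$dir/.github/workflows"
  printf '[project]\nname = "demo"\n' > "$dir/pyproject.toml"
  printf 'repos:\n  - repo: https://github.com/psf/black\n' > "$dir/.pre-commit-config.yaml"
  printf '# Security Policy\n' > "$dir/SECURITY.md"
}

# Run with --demo to see the report for the constructed sample project.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_project "$tmp"
  security_report "$tmp"; echo "missing components: $?"
  rm -rf "$tmp"
fi
```

On the sample project the script reports three missing components (dependency audit, SAST, secret detection) and one PASS (policy); once a dependabot.yml, a codeql workflow and a .gitleaks.toml are added it returns 0.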
Based on detected language:

JavaScript/TypeScript (npm/bun):
- package.json
- .github/dependabot.yml
- .github/workflows/dependency-review.yml

Python (pip-audit):
- uv add --group dev pip-audit

Rust (cargo-audit):
- cargo install cargo-audit --locked
- .cargo/audit.toml

For complete configuration templates, see REFERENCE.md.

SAST scanning:
- .github/workflows/codeql.yml with detected languages
- uv run bandit -r src/ -f json -o bandit-report.json

For CodeQL workflow and Bandit configuration templates, see REFERENCE.md.

Secret detection:
- brew install gitleaks (or go install github.com/gitleaks/gitleaks/v8@latest)
- .gitleaks.toml with project-specific allowlists; keep each allowlist entry scoped to a specific path or pattern, because a broad allowlist silently hides real leaks
- gitleaks detect --source .
- .pre-commit-config.yaml

For gitleaks, TruffleHog, and CI workflow configuration templates, see REFERENCE.md.
Create SECURITY.md with:
For the SECURITY.md template, see REFERENCE.md.
Create comprehensive security workflow .github/workflows/security.yml with jobs for:
Schedule weekly scans in addition to push/PR triggers.
For the CI security workflow template, see REFERENCE.md.
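One way to generate the combined workflow described above, as an added example that is not the plugin's template from REFERENCE.md: a shell function that writes .github/workflows/security.yml for a repository directory and a CodeQL language list. The action names and inputs (github/codeql-action init and analyze, actions/dependency-review-action, gitleaks/gitleaks-action) are the documented ones; the job layout, the Monday 06:00 UTC cron, and the fail-on-severity threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the plugin's own code: writes the CI security workflow
# with push, pull_request and weekly schedule triggers. Job layout and the
# cron expression are assumptions for this example.
set -u

# write_security_workflow DIR LANGS
#   LANGS is a comma-separated CodeQL language list, e.g. "javascript,python".
#   Prints the path of the file written.
write_security_workflow() {
  local dir=$1 langs=$2 out matrix
  out="$dir/.github/workflows/security.yml"
  mkdir -p "$(dirname "$out")"
  # "javascript,python" -> "javascript", "python" (a YAML flow sequence body)
  matrix=$(printf '%s' "$langs" | sed 's/,/", "/g; s/^/"/; s/$/"/')
  cat > "$out" <<EOF
name: security
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly scan in addition to push/PR triggers

# Default to read-only; each job requests only what it needs.
permissions:
  contents: read

jobs:
  dependency-review:
    # The action only supports pull_request events, so skip it on push/schedule.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results
    strategy:
      matrix:
        language: [${matrix}]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: \${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3

  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so secrets committed then deleted are still found
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: \${{ secrets.GITHUB_TOKEN }}
          # Organization-owned repositories also need a GITLEAKS_LICENSE secret.
EOF
  echo "$out"
}
```

Two points worth keeping when adapting this: the dependency-review job must be gated on pull_request, otherwise the scheduled run fails; and for a stronger supply-chain posture, replace the major-version tags with the actions' full commit SHAs once the versions have been verified.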
Update .project-standards.yaml:

```yaml
components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true
```
Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.
For the results report format, see REFERENCE.md.
| Context | Command |
|---|---|
| Quick compliance check | /configure:security --check-only |
| Auto-fix all security gaps | /configure:security --fix |
| Dependencies only | /configure:security --type dependencies |
| Secret detection only | /configure:security --type secrets |
| SAST scanning only | /configure:security --type sast |
| Verify secrets scan | gitleaks detect --source . --verbose |
| Flag | Description |
|---|---|
--check-only | Report status without offering fixes |
--fix | Apply all fixes automatically without prompting |
--type <type> | Focus on specific security type (dependencies, sast, secrets, all) |
Related commands:
- /configure:workflows - GitHub Actions workflow standards
- /configure:pre-commit - Pre-commit hook configuration
- /configure:all - Run all compliance checks

Install:
npx claudepluginhub laurigates/claude-plugins --plugin configure-plugin

Related skill: Integrates SAST, DAST, and SCA into CI/CD pipelines using Semgrep, Trivy, OWASP ZAP, and Gitleaks for automated security scanning.