dpnmw/agents
1
0
Fork 0
mirror of https://github.com/wshobson/agents.git synced 2026-03-18 09:37:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

style: format all files with prettier

Browse Source
This commit is contained in:
Seth Hobson
2026-01-19 17:07:03 -05:00
parent 8d37048deb
commit 56848874a2
355 changed files with 15215 additions and 10241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
plugins/security-scanning/commands/security-dependencies.md
View File

@@ -3,9 +3,11 @@
You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.
## Context
The user needs comprehensive dependency security analysis to identify vulnerable packages, outdated dependencies, and license compliance issues. Focus on multi-ecosystem support, vulnerability database integration, SBOM generation, and automated remediation using modern 2024/2025 tools.
## Requirements
$ARGUMENTS
## Instructions
@@ -308,7 +310,7 @@ on:
push:
branches: [main]
schedule:
- cron: '0 2 * * *'
- cron: "0 2 * * *"
jobs:
scan-dependencies:
@@ -345,7 +347,7 @@ jobs:
uses: actions/upload-artifact@v4
with:
name: scan-${{ matrix.ecosystem }}
path: '*.json'
path: "*.json"
- name: Check Thresholds
run: |

18
plugins/security-scanning/commands/security-hardening.md
View File

@@ -5,18 +5,21 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 1: Comprehensive Security Assessment
### 1. Initial Vulnerability Scanning
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Perform comprehensive security assessment on: $ARGUMENTS. Execute SAST analysis with Semgrep/SonarQube, DAST scanning with OWASP ZAP, dependency audit with Snyk/Trivy, secrets detection with GitLeaks/TruffleHog. Generate SBOM for supply chain analysis. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures."
- Output: Detailed vulnerability report with CVSS scores, exploitability analysis, attack surface mapping, secrets exposure report, SBOM inventory
- Context: Initial baseline for all remediation efforts
### 2. Threat Modeling and Risk Analysis
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Conduct threat modeling using STRIDE methodology for: $ARGUMENTS. Analyze attack vectors, create attack trees, assess business impact of identified vulnerabilities. Map threats to MITRE ATT&CK framework. Prioritize risks based on likelihood and impact."
- Output: Threat model diagrams, risk matrix with prioritized vulnerabilities, attack scenario documentation, business impact analysis
- Context: Uses vulnerability scan results to inform threat priorities
### 3. Architecture Security Review
- Use Task tool with subagent_type="backend-api-security::backend-architect"
- Prompt: "Review architecture for security weaknesses in: $ARGUMENTS. Evaluate service boundaries, data flow security, authentication/authorization architecture, encryption implementation, network segmentation. Design zero-trust architecture patterns. Reference threat model and vulnerability findings."
- Output: Security architecture assessment, zero-trust design recommendations, service mesh security requirements, data classification matrix
@@ -25,24 +28,28 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 2: Vulnerability Remediation
### 4. Critical Vulnerability Fixes
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $ARGUMENTS. Fix SQL injections with parameterized queries, XSS with output encoding, authentication bypasses with secure session management, insecure deserialization with input validation. Apply security patches for CVEs."
- Output: Patched code with vulnerability fixes, security patch documentation, regression test requirements
- Context: Addresses high-priority items from vulnerability assessment
### 5. Backend Security Hardening
- Use Task tool with subagent_type="backend-api-security::backend-security-coder"
- Prompt: "Implement comprehensive backend security controls for: $ARGUMENTS. Add input validation with OWASP ESAPI, implement rate limiting and DDoS protection, secure API endpoints with OAuth2/JWT validation, add encryption for data at rest/transit using AES-256/TLS 1.3. Implement secure logging without PII exposure."
- Output: Hardened API endpoints, validation middleware, encryption implementation, secure configuration templates
- Context: Builds upon vulnerability fixes with preventive controls
### 6. Frontend Security Implementation
- Use Task tool with subagent_type="frontend-mobile-security::frontend-security-coder"
- Prompt: "Implement frontend security measures for: $ARGUMENTS. Configure CSP headers with nonce-based policies, implement XSS prevention with DOMPurify, secure authentication flows with PKCE OAuth2, add SRI for external resources, implement secure cookie handling with SameSite/HttpOnly/Secure flags."
- Output: Secure frontend components, CSP policy configuration, authentication flow implementation, security headers configuration
- Context: Complements backend security with client-side protections
### 7. Mobile Security Hardening
- Use Task tool with subagent_type="frontend-mobile-security::mobile-security-coder"
- Prompt: "Implement mobile app security for: $ARGUMENTS. Add certificate pinning, implement biometric authentication, secure local storage with encryption, obfuscate code with ProGuard/R8, implement anti-tampering and root/jailbreak detection, secure IPC communications."
- Output: Hardened mobile application, security configuration files, obfuscation rules, certificate pinning implementation
@@ -51,18 +58,21 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 3: Security Controls Implementation
### 8. Authentication and Authorization Enhancement
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Implement modern authentication system for: $ARGUMENTS. Deploy OAuth2/OIDC with PKCE, implement MFA with TOTP/WebAuthn/FIDO2, add risk-based authentication, implement RBAC/ABAC with principle of least privilege, add session management with secure token rotation."
- Output: Authentication service configuration, MFA implementation, authorization policies, session management system
- Context: Strengthens access controls based on architecture review
### 9. Infrastructure Security Controls
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
- Prompt: "Deploy infrastructure security controls for: $ARGUMENTS. Configure WAF rules for OWASP protection, implement network segmentation with micro-segmentation, deploy IDS/IPS systems, configure cloud security groups and NACLs, implement DDoS protection with rate limiting and geo-blocking."
- Output: WAF configuration, network security policies, IDS/IPS rules, cloud security configurations
- Context: Implements network-level defenses
### 10. Secrets Management Implementation
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
- Prompt: "Implement enterprise secrets management for: $ARGUMENTS. Deploy HashiCorp Vault or AWS Secrets Manager, implement secret rotation policies, remove hardcoded secrets, configure least-privilege IAM roles, implement encryption key management with HSM support."
- Output: Secrets management configuration, rotation policies, IAM role definitions, key management procedures
@@ -71,24 +81,28 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 4: Validation and Compliance
### 11. Penetration Testing and Validation
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Execute comprehensive penetration testing for: $ARGUMENTS. Perform authenticated and unauthenticated testing, API security testing, business logic testing, privilege escalation attempts. Use Burp Suite, Metasploit, and custom exploits. Validate all security controls effectiveness."
- Output: Penetration test report, proof-of-concept exploits, remediation validation, security control effectiveness metrics
- Context: Validates all implemented security measures
### 12. Compliance and Standards Verification
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Verify compliance with security frameworks for: $ARGUMENTS. Validate against OWASP ASVS Level 2, CIS Benchmarks, SOC2 Type II requirements, GDPR/CCPA privacy controls, HIPAA/PCI-DSS if applicable. Generate compliance attestation reports."
- Output: Compliance assessment report, gap analysis, remediation requirements, audit evidence collection
- Context: Ensures regulatory and industry standard compliance
### 13. Security Monitoring and SIEM Integration
- Use Task tool with subagent_type="incident-response::devops-troubleshooter"
- Prompt: "Implement security monitoring and SIEM for: $ARGUMENTS. Deploy Splunk/ELK/Sentinel integration, configure security event correlation, implement behavioral analytics for anomaly detection, set up automated incident response playbooks, create security dashboards and alerting."
- Output: SIEM configuration, correlation rules, incident response playbooks, security dashboards, alert definitions
- Context: Establishes continuous security monitoring
## Configuration Options
- scanning_depth: "quick" | "standard" | "comprehensive" (default: comprehensive)
- compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
- remediation_priority: "cvss_score" | "exploitability" | "business_impact"
@@ -96,6 +110,7 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
- authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]
## Success Criteria
- All critical vulnerabilities (CVSS 7+) remediated
- OWASP Top 10 vulnerabilities addressed
- Zero high-risk findings in penetration testing
@@ -108,6 +123,7 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
- Security tests integrated into CI/CD pipeline
## Coordination Notes
- Each phase provides detailed findings that inform subsequent phases
- Security-auditor agent coordinates with domain-specific agents for fixes
- All code changes undergo security review before implementation
@@ -115,4 +131,4 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
- Security findings tracked in centralized vulnerability management system
- Regular security reviews scheduled post-implementation
Security hardening target: $ARGUMENTS
Security hardening target: $ARGUMENTS

75
plugins/security-scanning/commands/security-sast.md
View File

@@ -1,7 +1,31 @@
---
description: Static Application Security Testing (SAST) for code vulnerability analysis across multiple languages and frameworks
globs: ['**/*.py', '**/*.js', '**/*.ts', '**/*.java', '**/*.rb', '**/*.go', '**/*.rs', '**/*.php']
keywords: [sast, static analysis, code security, vulnerability scanning, bandit, semgrep, eslint, sonarqube, codeql, security patterns, code review, ast analysis]
globs:
[
"**/*.py",
"**/*.js",
"**/*.ts",
"**/*.java",
"**/*.rb",
"**/*.go",
"**/*.rs",
"**/*.php",
]
keywords:
[
sast,
static analysis,
code security,
vulnerability scanning,
bandit,
semgrep,
eslint,
sonarqube,
codeql,
security patterns,
code review,
ast analysis,
]
---
# SAST Security Plugin
@@ -34,9 +58,28 @@ bandit -r . -ll -ii -f json # High/Critical only
```
**Configuration**: `.bandit`
```yaml
exclude_dirs: ['/tests/', '/venv/', '/.tox/', '/build/']
tests: [B201, B301, B302, B303, B304, B305, B307, B308, B312, B323, B324, B501, B502, B506, B602, B608]
exclude_dirs: ["/tests/", "/venv/", "/.tox/", "/build/"]
tests:
[
B201,
B301,
B302,
B303,
B304,
B305,
B307,
B308,
B312,
B323,
B324,
B501,
B502,
B506,
B602,
B608,
]
skips: [B101]
```
@@ -48,6 +91,7 @@ eslint . --ext .js,.jsx,.ts,.tsx --format json > eslint-security.json
```
**Configuration**: `.eslintrc-security.json`
```json
{
"plugins": ["@eslint/plugin-security", "eslint-plugin-no-secrets"],
@@ -73,6 +117,7 @@ semgrep ci --config=auto # CI mode
```
**Custom Rules**: `.semgrep.yml`
```yaml
rules:
- id: sql-injection-format-string
@@ -144,6 +189,7 @@ rules:
**VULNERABLE**: String formatting/concatenation with user input in SQL queries
**SECURE**:
```python
# Parameterized queries
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
@@ -155,15 +201,16 @@ User.objects.filter(id=user_id) # ORM
**VULNERABLE**: Direct HTML manipulation with unsanitized user input (innerHTML, outerHTML, document.write)
**SECURE**:
```javascript
// Use textContent for plain text
element.textContent = userInput;
// React auto-escapes
<div>{userInput}</div>
<div>{userInput}</div>;
// Sanitize when HTML required
import DOMPurify from 'dompurify';
import DOMPurify from "dompurify";
element.innerHTML = DOMPurify.sanitize(userInput);
```
@@ -172,6 +219,7 @@ element.innerHTML = DOMPurify.sanitize(userInput);
**VULNERABLE**: Hardcoded API keys, passwords, tokens in source code
**SECURE**:
```python
import os
API_KEY = os.environ.get('API_KEY')
@@ -183,6 +231,7 @@ PASSWORD = os.getenv('DB_PASSWORD')
**VULNERABLE**: Opening files using unsanitized user input
**SECURE**:
```python
import os
ALLOWED_DIR = '/var/www/uploads'
@@ -200,6 +249,7 @@ with open(file_path, 'r') as f:
**VULNERABLE**: pickle.loads(), yaml.load() with untrusted data
**SECURE**:
```python
import json
data = json.loads(user_input) # SECURE
@@ -212,6 +262,7 @@ config = yaml.safe_load(user_input) # SECURE
**VULNERABLE**: os.system() or subprocess with shell=True and user input
**SECURE**:
```python
subprocess.run(['ping', '-c', '4', user_input]) # Array args
import shlex
@@ -223,6 +274,7 @@ safe_input = shlex.quote(user_input) # Input validation
**VULNERABLE**: random module for security-critical operations
**SECURE**:
```python
import secrets
token = secrets.token_hex(16)
@@ -236,6 +288,7 @@ session_id = secrets.token_urlsafe(32)
**VULNERABLE**: @csrf_exempt, DEBUG=True, weak SECRET_KEY, missing security middleware
**SECURE**:
```python
# settings.py
DEBUG = False
@@ -258,6 +311,7 @@ X_FRAME_OPTIONS = 'DENY'
**VULNERABLE**: debug=True, weak secret_key, CORS wildcard
**SECURE**:
```python
import os
from flask_talisman import Talisman
@@ -272,12 +326,13 @@ CORS(app, origins=['https://example.com'])
**VULNERABLE**: Missing helmet, CORS wildcard, no rate limiting
**SECURE**:
```javascript
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const helmet = require("helmet");
const rateLimit = require("express-rate-limit");
app.use(helmet());
app.use(cors({ origin: 'https://example.com' }));
app.use(cors({ origin: "https://example.com" }));
app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));
```
@@ -416,7 +471,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: '3.11'
python-version: "3.11"
- name: Install tools
run: |