Stats
Actions
Tags
From security-engineer
Bootstrap the security documentation structure for a project. Creates docs/security/, generates initial templates and root SECURITY.md, and writes domain CLAUDE.md. Idempotent — merges missing sections into existing files without overwriting.
How this skill is triggered — by the user, by Claude, or both
Slash command
/security-engineer:bootstrapThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Bootstrap the security documentation structure for **$ARGUMENTS**.
Bootstrap the security documentation structure for $ARGUMENTS.
mkdir -p docs/security
For each file below, apply the safe merge pattern:
<!-- Merged from security-engineer bootstrap v0.1.0 -->SECURITY.md (project root)Create with this content:
# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly.
**Do NOT open a public GitHub issue for security vulnerabilities.**
### How to report
1. Email: [security contact email]
2. Include: description, reproduction steps, impact assessment
3. Expected response: acknowledgement within 48 hours
### What to expect
- Acknowledgement within 48 hours
- Assessment and severity rating within 5 business days
- Fix timeline communicated based on severity
- Credit given in release notes (unless you prefer anonymity)
## Supported Versions
| Version | Supported |
|---------|-----------|
| Latest | Yes |
| Previous major | Security fixes only |
## Security Practices
See `docs/security/CLAUDE.md` for detailed security conventions and processes.
docs/security/CLAUDE.mdCreate with this content (~110 lines):
# Security Domain
This directory contains security documentation: threat models, security review records, and security conventions.
## What This Domain Covers
- **Threat modelling** — STRIDE-based analysis of system threats
- **Security reviews** — structured code and architecture security assessments
- **Dependency audits** — third-party library vulnerability tracking
- **Supply chain security** — build pipeline and artifact integrity
- **Vulnerability management** — triage, remediation, and disclosure
## STRIDE Threat Modelling
Use STRIDE to categorise threats:
| Category | Threat | Example |
|----------|--------|---------|
| **S**poofing | Identity impersonation | Stolen API keys, session hijacking |
| **T**ampering | Data modification | SQL injection, MITM attacks |
| **R**epudiation | Denying actions | Missing audit logs |
| **I**nformation Disclosure | Data leaks | Exposed secrets, verbose errors |
| **D**enial of Service | Availability attacks | Resource exhaustion, DDoS |
| **E**levation of Privilege | Unauthorised access | Broken access control, privilege escalation |
### When to threat model
- New services or major features
- Changes to authentication/authorisation
- New external integrations
- Changes to data flow or storage of sensitive data
## OWASP ASVS Levels
Apply the appropriate OWASP Application Security Verification Standard level:
| Level | When | Scope |
|-------|------|-------|
| L1 | All applications | Basic security — low-hanging fruit |
| L2 | Apps handling sensitive data | Standard security — most applications |
| L3 | Critical/high-value apps | Advanced security — financial, healthcare |
Target **Level 2** as the default for most projects.
## CVSS Scoring
Use [CVSS v3.1](https://www.first.org/cvss/calculator/3.1) for vulnerability severity:
| Score | Rating | Response |
|-------|--------|----------|
| 9.0–10.0 | Critical | Fix immediately, notify stakeholders |
| 7.0–8.9 | High | Fix within current sprint |
| 4.0–6.9 | Medium | Fix within next sprint |
| 0.1–3.9 | Low | Backlog, fix when convenient |
## Security Review Process
1. **Trigger** — PR touches auth, crypto, data access, or external APIs
2. **Review** — Security engineer reviews using the security review template
3. **Findings** — Documented in `docs/security/reviews/`
4. **Remediation** — Issues tracked in GitHub Issues with `security` label
5. **Verification** — Re-review after fix
## Secure Coding Practices
- Never commit secrets — use environment variables and secret managers
- Validate all input at trust boundaries
- Use parameterised queries — never string concatenation for SQL
- Apply principle of least privilege for all access controls
- Log security events (auth attempts, access denied, privilege changes)
- Use HTTPS everywhere — no exceptions
- Pin dependency versions and verify checksums
## Tooling
| Tool | Purpose |
|------|---------|
| SonarCloud | SAST — static application security testing |
| GitHub Actions | Security scan CI gate |
| `npm audit` / `pip audit` | Dependency vulnerability scanning |
| GitHub Dependabot | Automated dependency updates |
## Available Skills
| Skill | Purpose |
|-------|---------|
| `/security-engineer:threat-model` | Create a STRIDE threat model |
| `/security-engineer:security-review` | Conduct a security review |
| `/security-engineer:dependency-audit` | Audit third-party dependencies |
| `/security-engineer:supply-chain-audit` | Audit build and supply chain security |
## Conventions
- Every service must have a threat model before production deployment
- Security findings are tracked in GitHub Issues with the `security` label
- Secrets scanning runs on every commit (CI gate)
- Dependency audit runs weekly (GitHub Actions scheduled workflow)
- Security reviews are required for auth/crypto/data-access changes
- Root `SECURITY.md` provides the public vulnerability reporting process
docs/security/threat-model-template.mdCreate with this content:
# Threat Model — [Feature/Service Name]
## Date
<!-- YYYY-MM-DD -->
## Participants
<!-- Who was involved in the threat modelling session -->
## System Overview
### Description
<!-- Brief description of the feature or service being modelled -->
### Data Flow Diagram
```mermaid
flowchart LR
User -->|HTTPS| API
API -->|Query| DB[(Database)]
API -->|Publish| Queue[Message Queue]
| Asset | Sensitivity | Storage |
|---|---|---|
| Threat | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Threat | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Threat | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Threat | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Threat | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Threat | Likelihood | Impact | Mitigation |
|---|---|---|---|
| # | Threat | CVSS | Priority | Status |
|---|---|---|---|---|
| 1 |
#### File 4: `docs/security/security-review-template.md`
Create with this content:
```markdown
# Security Review — [PR/Feature Name]
## Metadata
| Field | Value |
|-------|-------|
| Reviewer | |
| Date | |
| PR/Feature | |
| Risk Level | Low / Medium / High / Critical |
## Checklist
### Authentication & Authorisation
- [ ] Authentication is enforced on all protected endpoints
- [ ] Authorisation checks use principle of least privilege
- [ ] Session management is secure (expiry, invalidation)
- [ ] API keys/tokens are not exposed in logs or responses
### Input Validation
- [ ] All user input is validated at trust boundaries
- [ ] SQL queries use parameterised statements
- [ ] File uploads are validated (type, size, content)
- [ ] No unsafe deserialisation of user input
### Data Protection
- [ ] Sensitive data is encrypted at rest and in transit
- [ ] PII is handled according to data classification policy
- [ ] Secrets are not hardcoded — environment variables or secret manager used
- [ ] Logs do not contain sensitive data
### Error Handling
- [ ] Errors do not leak internal details to users
- [ ] Security events are logged (auth failures, access denied)
- [ ] Error responses use consistent format
### Dependencies
- [ ] No known vulnerabilities in new/updated dependencies
- [ ] Dependencies are pinned to specific versions
- [ ] Licence compatibility verified
## Findings
| # | Severity | Description | Recommendation | Status |
|---|----------|-------------|----------------|--------|
| 1 | | | | |
## Decision
- [ ] **Approved** — no blocking findings
- [ ] **Approved with conditions** — must address findings before merge
- [ ] **Rejected** — blocking security issues found
After creating/merging all files, output a summary:
## Security Bootstrap Complete
### Files created
- `SECURITY.md` — public vulnerability reporting policy (project root)
- `docs/security/CLAUDE.md` — domain conventions and skill reference
- `docs/security/threat-model-template.md` — STRIDE threat model template
- `docs/security/security-review-template.md` — security review checklist
### Files merged
- (list any existing files where sections were appended)
### Next steps
- Update `SECURITY.md` with actual security contact email
- Use `/security-engineer:threat-model` for new services
- Configure SonarCloud security rules and Dependabot
Provides CDSS development patterns for drug interaction checking, dose validation, clinical scoring (NEWS2, qSOFA), and alert classification integrated into EMR workflows.
npx claudepluginhub hpsgd/turtlestack --plugin security-engineer