Back to Details

security

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Skill

Security Skill

Purpose: Run repeatable security checks across code, scripts, hooks, and release gates.
Use this skill when you need deterministic security validation before merge/release, or recurring scheduled checks.
用途: 针对代码、脚本、钩子和发布门禁执行可重复的安全检查。
当你需要在合并/发布前进行确定性安全验证,或者需要定期重复检查时,可使用此技能。

Quick Start

快速开始

bash
/security                      # quick security gate
/security --full               # full gate with test-inclusive toolchain checks
/security --release            # full gate for release readiness
/security --json               # machine-readable report output
bash
/security                      # quick security gate
/security --full               # full gate with test-inclusive toolchain checks
/security --release            # full gate for release readiness
/security --json               # machine-readable report output

Execution Contract

执行约定

1) Pre-PR (fast)

1) Pre-PR (fast)

Run quick gate:
bash
scripts/security-gate.sh --mode quick
Expected behavior:
  • Fails on high/critical findings from available scanners.
  • Writes artifacts under 
    .agents/security/<run-id>/
    .
运行快速门禁检查:
bash
scripts/security-gate.sh --mode quick
预期行为:
  • 如果可用扫描器发现高/严重级别问题,则检查不通过。
  • 将产物写入 
    .agents/security/<run-id>/
    目录下。

2) Pre-Release (strict)

2) Pre-Release (strict)

Run full gate:
bash
scripts/security-gate.sh --mode full
Expected behavior:
  • Full scanner pass before release workflow can continue.
  • Artifacts retained for audit and incident response.
运行完整门禁检查:
bash
scripts/security-gate.sh --mode full
预期行为:
  • 只有通过完整扫描,发布流程才能继续。
  • 保留产物用于审计和事件响应。

3) Nightly (continuous)

3) Nightly (continuous)

Nightly workflow should run:
bash
scripts/security-gate.sh --mode full
Expected behavior:
  • Detects drift/regressions outside active PR windows.
  • Failing run creates actionable signal in workflow summary/issues.
夜间工作流应执行:
bash
scripts/security-gate.sh --mode full
预期行为:
  • 在PR活跃窗口之外检测代码漂移/回归问题。
  • 扫描失败时,会在工作流摘要/问题中生成可处理的提示。

Triage Guidance

问题排查指南

When gate fails:
  1. Open latest artifact in 
    .agents/security/
    and identify scanner + file.
  2. Classify severity (critical/high/medium).
  3. Fix immediately for critical/high or create tracked follow-up issue with owner.
  4. Re-run 
    scripts/security-gate.sh
    until gate passes.
当门禁检查不通过时:
  1. 打开 
    .agents/security/
    目录下的最新产物,确定扫描器和对应文件。
  2. 划分问题严重级别(严重/高/中)。
  3. 严重/高级别问题立即修复,或创建带有负责人的跟踪后续问题。
  4. 重新运行 
    scripts/security-gate.sh
    直到门禁检查通过。

Reporting Template

报告模板

markdown
Security gate run: <run-id>
Mode: <quick|full>
Result: <pass|blocked>
Top findings:
- <scanner> <severity> <file> <summary>
Actions:
- <fix or issue id>
markdown
Security gate run: <run-id>
Mode: <quick|full>
Result: <pass|blocked>
Top findings:
- <scanner> <severity> <file> <summary>
Actions:
- <fix or issue id>

Notes

注意事项

  • Use this as the canonical security runbook instead of ad-hoc scanner commands.
  • Keep workflow wiring aligned with this contract in: 
    • .github/workflows/validate.yml
    • .github/workflows/nightly.yml
    • .github/workflows/release.yml
  • 将此作为标准安全运行手册,替代临时的扫描器命令。
  • 确保以下文件中的工作流配置与此规范保持一致: 
    • .github/workflows/validate.yml
    • .github/workflows/nightly.yml
    • .github/workflows/release.yml