Secure Flow Skill

This skill provides comprehensive security guidance to help AI coding agents generate secure code, perform security reviews, and implement security best practices. It is based on Secure Flow, a security framework that embeds secure-by-default practices into AI coding workflows.

When to Use This Skill

This skill should be activated when:

• Writing new code in any language
• Reviewing or modifying existing code
• Implementing security-sensitive features (authentication, cryptography, data handling, etc.)
• Working with user input, databases, APIs, or external services
• Configuring cloud infrastructure, CI/CD pipelines, or containers
• Handling sensitive data, credentials, or cryptographic operations
• Performing security assessments, threat modeling, or compliance validation
• Creating security tests or remediating vulnerabilities

How to Use This Skill

When writing or reviewing code:

1. Always-Apply Rules: Some rules MUST be checked on every code operation:

   • Security best practices for authentication and authorization
   • Input validation and sanitization
   • Secure credential management
   • Cryptographic best practices

2. Context-Specific Rules: Apply rules from /rules directory based on the task:

   • Code Generation: Use secure-flow-create-secure-template.md when creating new code templates
   • Security Testing: Use secure-flow-create-security-tests.md when generating security tests
   • Threat Modeling: Use secure-flow-create-threat-model.md when analyzing security threats
   • Vulnerability Remediation: Use secure-flow-security-remediation.md when fixing vulnerabilities
   • API Security: Use secure-flow-review-api-auth.md when reviewing API endpoints
   • Compliance: Use secure-flow-validate-compliance.md when validating compliance requirements
   • Docker Security: Use secure-flow-harden-dockerfile-fips.md when hardening containers
   • CI/CD Security: Use secure-flow-gate-critical-vulns.md when setting up security gates
   • CISA KEV: Use secure-flow-fix-exploitable-vulns.md when fixing exploited vulnerabilities
   • AI Security: Use secure-flow-explain-ai-threats.md when working with AI applications

3. Proactive Security: Don't just avoid vulnerabilities—actively implement secure patterns:

   • Use parameterized queries for database access
   • Validate and sanitize all user input
   • Apply least-privilege principles
   • Use modern cryptographic algorithms and libraries
   • Implement defense-in-depth strategies
   • Follow secure coding standards and best practices

Secure Flow Security Rules

The security rules are available in the rules/ directory.

Usage Workflow

When generating or reviewing code, follow this workflow:

1. Initial Security Check

Before writing any code:

• Check: Will this handle credentials? → Apply secure credential management practices
• Check: What language/framework am I using? → Identify applicable security rules
• Check: What security domains are involved? → Load relevant rule files

2. Code Generation

While writing code:

• Apply secure-by-default patterns from relevant Secure Flow rules
• Add security-relevant comments explaining choices
• Follow framework-specific security best practices

3. Security Review

After writing code:

• Review against implementation checklists in each rule
• Verify no hardcoded credentials or secrets
• Validate that all applicable security rules have been followed
• Explain which security rules were applied
• Highlight security features implemented

Available Workflows

Code Generation & Templates

• secure-flow-create-secure-template - Generate secure code templates with security best practices built-in

Security Testing

• secure-flow-create-security-tests - Create comprehensive security test cases and validation scripts

Threat Analysis

• secure-flow-create-threat-model - Generate threat models for applications and systems using STRIDE methodology
• secure-flow-explain-ai-threats - Explain AI-specific security threats and mitigations

Vulnerability Management

• secure-flow-security-remediation - Scan and fix high-impact vulnerabilities in the codebase
• secure-flow-fix-exploitable-vulns - Fix CISA Known Exploited Vulnerabilities (KEV) found in your codebase
• secure-flow-gate-critical-vulns - Set up CI/CD checks to block critical vulnerabilities

API & Service Security

• secure-flow-review-api-auth - Review and add authentication to API endpoints

Compliance & Validation

• secure-flow-validate-compliance - Validate compliance with security frameworks and standards (SOC 2, ISO 27001, HIPAA, PCI DSS)

Infrastructure Security

• secure-flow-harden-dockerfile-fips - Make Dockerfiles FIPS compliant with security hardening

Implementation Checklist

• Identified applicable security rules for the task
• Applied secure-by-default patterns
• Validated input and output handling
• Verified authentication and authorization
• Checked for hardcoded credentials
• Applied framework-specific security best practices
• Reviewed against security checklists
• Documented security decisions