epicpast

security-baseline

by epicpast

Organization-wide GitHub configuration for Epic Pastures: reusable CI/CD workflows, composite actions, AI agents and Copilot skills for regenerative agriculture and smart farm automation projects.

0 stars · 0 forks · Jan 19, 2026

SKILL.md


---
name: security-baseline
description: Audit and implement security best practices for GitHub repositories. USE THIS SKILL when user says "security audit", "check security", "add gitleaks", "secret scanning", "dependency audit", or needs security hardening.
allowed-tools:
  - Bash
  - Read
  - Write
  - Edit
  - Glob
  - Grep
---

Security Baseline Skill

Implement and audit security controls for GitHub repositories.

Trigger Phrases

  • "audit repository security"
  • "add secret scanning"
  • "check for vulnerabilities"
  • "security hardening"
  • "add pre-commit hooks"
  • "configure dependabot"

Security Audit Checklist

GitHub Actions Security

  • All actions SHA-pinned (full 40-character commit SHA, version kept in a trailing comment)
  • Minimal permissions declared at the workflow or job level
  • No secrets in logs (never echo secret values; log masking only catches exact matches)
  • OIDC instead of static credentials
  • Untrusted input (issue titles, PR bodies, branch names) passed through env:, never interpolated into run:

Repository Security

  • Branch protection enabled
  • Required reviews
  • Status checks required
  • Force pushes blocked
  • CODEOWNERS defined

Secret Management

  • No hardcoded secrets
  • .env files ignored
  • Gitleaks configured
  • GitHub secret scanning enabled
  • Pre-commit hooks installed

Dependency Security

  • Dependabot enabled
  • Lock files committed
  • No critical CVEs
  • Regular audits scheduled

SHA Pinning Validation

# Report every `uses:` reference whose ref is not a 40-hex commit SHA
# (catches @v4, @main, @master and release tags alike; local ./ actions are skipped)
grep -rnE "uses:[[:space:]]*[^./][^[:space:]]*@" .github/workflows/ | grep -vE "@[0-9a-f]{40}([[:space:]]|$)"

# A correctly pinned line keeps the version readable in a comment:
#   uses: actions/checkout@<40-hex sha>  # v4.1.1

Safe Permission Patterns

# Minimal (default for every workflow). Listing any scope resets all unlisted scopes to none.
permissions:
  contents: read

# For PR comments (for example, posting scan results)
permissions:
  contents: read
  pull-requests: write

# For releases (creating releases, pushing packages). Grant this to the release job only.
permissions:
  contents: write
  packages: write

OIDC Authentication

# AWS: exchange the job's OIDC token for short-lived role credentials
permissions:
  id-token: write   # required to request the OIDC token
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@...
    with:
      # 12-digit account ID is a placeholder. The role's trust policy must
      # restrict the token's sub claim to this repository; otherwise any
      # GitHub repository can assume the role.
      role-to-assume: arn:aws:iam::123456789012:role/github-actions
      aws-region: us-east-1
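The workflow side above is only half of the configuration: AWS decides which OIDC tokens may assume the role, and that decision lives in the role's trust policy. The following is an added example, not code from this skill or from aws-actions. It assumes the standard provider URL token.actions.githubusercontent.com, the audience sts.amazonaws.com that configure-aws-credentials requests by default, and placeholder account, org, repo and ref values supplied by the caller.

```shell
#!/usr/bin/env sh
# Added example (not part of the security-baseline skill): build the IAM trust
# policy for a GitHub Actions OIDC role and check that an existing policy is
# scoped to a single repository. Provider URL and claim names are the standard
# GitHub ones; account/org/repo/ref are placeholders passed in by the caller.

# Emit a trust policy that only the given repo (and optionally one ref) can use.
#   github_oidc_trust_policy 123456789012 epicpast security-baseline refs/heads/main
github_oidc_trust_policy() {
  account=$1 org=$2 repo=$3 ref=${4:-}
  if [ -n "$ref" ]; then
    sub="repo:${org}/${repo}:ref:${ref}"   # exactly one branch or tag
  else
    sub="repo:${org}/${repo}:*"            # any branch, tag, PR or environment of this repo
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::${account}:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
      },
      "StringLike": {
        "token.actions.githubusercontent.com:sub": "${sub}"
      }
    }
  }]
}
EOF
}

# Return 0 when a policy read from stdin pins the aud claim and restricts sub
# to one org/repo. A policy without a sub condition, or with "repo:*", lets any
# GitHub repository anywhere assume the role.
trust_policy_is_scoped() {
  policy=$(cat)
  printf '%s' "$policy" | grep -q '"token.actions.githubusercontent.com:aud": *"sts.amazonaws.com"' || return 1
  printf '%s' "$policy" | grep -Eq '"token.actions.githubusercontent.com:sub": *"repo:[^*"/]+/[^*"/]+:' || return 1
  return 0
}
```

For production deploy roles, pass a ref (or use an `environment:` sub such as `repo:ORG/REPO:environment:prod`) rather than the repo-wide wildcard, since `repo:ORG/REPO:*` also matches tokens minted for pull requests from branches of the repository. Pipe a policy fetched with `aws iam get-role` into `trust_policy_is_scoped` to audit roles that already exist.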

Secret Scanning Setup

Gitleaks Configuration

# gitleaks.toml
[allowlist]
paths = [
  '''\.example$''',
  '''test/fixtures''',
]

Pre-commit Hook

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

Dependency Audit Commands

# Python (pip-audit run through uv; uv itself has no audit subcommand)
uvx pip-audit

# Node.js
pnpm audit

# Go (govulncheck reports only vulnerabilities in code the module actually reaches)
govulncheck ./...
go list -json -m all | nancy sleuth

# Rust
cargo deny check advisories

Required Security Files

File                       Purpose
SECURITY.md                Vulnerability reporting
dependabot.yml             Automated updates
.pre-commit-config.yaml    Pre-commit hooks
gitleaks.toml              Secret patterns
CODEOWNERS                 Review requirements

Vulnerability Response

Severity    Response Time
Critical    Immediate
High        24 hours
Medium      1 week
Low         Next release

Quick Security Commands

# Run gitleaks (detect scans the repository's git history by default)
gitleaks detect --source . --verbose

# Check the history of every branch, not just the current one
gitleaks detect --source . --log-opts="--all"

# Find workflows without a top-level permissions block (.yml and .yaml)
for f in .github/workflows/*.yml .github/workflows/*.yaml; do
  [ -e "$f" ] || continue
  grep -q "^permissions:" "$f" || echo "Missing: $f"
done
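The GitHub Actions items on the audit checklist, the SHA pinning greps and the missing-permissions loop above can be folded into one script that reports findings by category. The following is an added example, not code from the security-baseline skill. It assumes POSIX sh with find, grep -E and sed, takes the workflow directory as its argument, and goes beyond the page's greps by also flagging expressions that expand attacker-controlled event fields and pull_request_target workflows that check out the PR head.

```shell
#!/usr/bin/env sh
# Added example for the Security Baseline checklist; not part of the skill.
# Static audit of GitHub Actions workflows: unpinned actions, missing
# permissions, untrusted-input expressions, pull_request_target + PR checkout.
# Assumes POSIX sh, find, grep -E, sed; the workflow directory is $1.

# Count lines of stdin, trimmed (BSD wc pads with spaces).
n_lines() { wc -l | tr -d ' '; }

# List workflow files under a directory, one per line.
workflow_files() {
  find "$1" \( -name '*.yml' -o -name '*.yaml' \) -type f
}

# 1. `uses:` references not pinned to a 40-hex commit SHA. Local actions
#    (./path) are skipped; docker:// refs count as pinned only with @sha256:.
unpinned_uses() {
  workflow_files "$1" | while IFS= read -r f; do
    grep -nE 'uses:[[:space:]]*[^[:space:]]+' "$f" \
      | grep -vE 'uses:[[:space:]]*\./' \
      | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' \
      | grep -vE 'docker://[^[:space:]]*@sha256:[0-9a-f]{64}' \
      | sed "s|^|unpinned: $f:|"
  done
}

# 2. Files with no top-level `permissions:` block get the repository default
#    token scope for every job. Job-level-only declarations are reported
#    separately so each job can be checked by hand.
missing_permissions() {
  workflow_files "$1" | while IFS= read -r f; do
    if ! grep -qE '^permissions:' "$f"; then
      if grep -qE '^[[:space:]]+permissions:' "$f"; then
        echo "job-level-permissions-only: $f"
      else
        echo "no-permissions: $f"
      fi
    fi
  done
}

# 3. Expressions expanding attacker-controlled event fields. Harmless as an
#    input to a trusted action, a shell-injection primitive inside run:.
#    Every hit is reported for review because run: blocks span many lines.
untrusted_expressions() {
  pat='\$\{\{[^}]*github\.(head_ref|event\.(issue\.(title|body)|pull_request\.(title|body)|pull_request\.head\.(ref|label)|comment\.body|review\.body|head_commit\.message|commits\[[0-9]*]\.message))'
  workflow_files "$1" | while IFS= read -r f; do
    grep -nE "$pat" "$f" | sed "s|^|untrusted-input: $f:|"
  done
}

# 4. pull_request_target runs with the base repository's secrets; checking out
#    the PR head there and running its code hands those secrets to the fork.
pr_target_checkout() {
  workflow_files "$1" | while IFS= read -r f; do
    grep -q 'pull_request_target' "$f" || continue
    grep -nE 'ref:.*github\.event\.pull_request\.head' "$f" | sed "s|^|pr-target-checkout: $f:|"
  done
}

# Run every check, print the findings, exit 1 if there were any.
audit_workflows() {
  findings=$( { unpinned_uses "$1"; missing_permissions "$1"; untrusted_expressions "$1"; pr_target_checkout "$1"; } ) || true
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

if [ $# -gt 0 ]; then
  audit_workflows "$@"
fi
```

Run it as `sh audit_workflows.sh .github/workflows` in CI; the non-zero exit fails the job when anything is reported. Findings under `untrusted-input` need a human to confirm whether the expression lands in a `run:` block, and the fix there is to move the value into `env:` and reference it as `"$VAR"` in the script.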
