## Execution

Execute this security scanning configuration check:
### Step 1: Fetch latest tool versions

Verify latest versions before configuring:

| Tool | Version source |
|------|----------------|
| Trivy | Check GitHub releases |
| Grype | Check GitHub releases |
| gitleaks | Check GitHub releases |
| pip-audit | Check PyPI |
| cargo-audit | Check crates.io |
| CodeQL | Check GitHub releases |

Use WebSearch or WebFetch to verify current versions.
### Step 2: Detect project languages and tools

Identify project languages and existing security tools:

| Indicator | Language/Tool | Security Tools |
|-----------|---------------|----------------|
| `package.json` | JavaScript/TypeScript | npm audit, Snyk |
| `pyproject.toml` | Python | pip-audit, safety, bandit |
| `Cargo.toml` | Rust | cargo-audit, cargo-deny |
| `.gitleaks.toml` | gitleaks | Secret scanning |
| `.github/workflows/` | GitHub Actions | CodeQL, Dependabot |
### Step 3: Analyze current security state

Check existing security configuration across three areas:

**Dependency Auditing:**
- Package manager audit configured
- Audit scripts in `package.json`/Makefile
- Dependabot enabled
- Dependency review action in CI
- Auto-merge for minor updates configured

**SAST Scanning:**
- CodeQL workflow exists
- Semgrep configured
- Bandit configured (Python)
- SAST in CI pipeline

**Secret Detection:**
- Gitleaks configured with `.gitleaks.toml`
- Pre-commit hook configured
- Git history scanned
- TruffleHog configured (optional complement)
### Step 4: Generate compliance report

Print a formatted compliance report showing status for each security component across dependency auditing, SAST scanning, secret detection, and security policies.

If `--check-only` is set, stop here.

For the compliance report format, see `REFERENCE.md`.
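A stand-alone version of Steps 2 to 4, added here as an example and not taken from the command page or its `REFERENCE.md`: it detects languages from the Step 2 indicator files, runs file-based checks for each area in Step 3, and prints a report ending in a `Gaps: N` line. The report layout, the `[PASS]`/`[MISSING]` labels, and the specific file tests (an `"audit"` key in `package.json`, `pip-audit` in `pyproject.toml`, a `[tool.bandit]` table, `gitleaks` in `.pre-commit-config.yaml`) are this example's assumptions, not the format `REFERENCE.md` defines.

```shell
#!/bin/sh
# Added example (not from the original command page or its REFERENCE.md):
# compliance check for Steps 2-4. Detects languages from indicator files,
# tests each security area, prints a report and a final "Gaps: N" line.
# Usage: security_compliance_report /path/to/repo

gaps=0

# check LABEL COMMAND...: run COMMAND quietly, print PASS or MISSING and
# count the misses. Testing inside "if" keeps a failing command from
# tripping "set -e" in callers.
check() {
    label="$1"; shift
    if "$@" >/dev/null 2>&1; then
        printf '  [PASS]    %s\n' "$label"
    else
        printf '  [MISSING] %s\n' "$label"
        gaps=$((gaps + 1))
    fi
}

security_compliance_report() {
    repo="${1:-.}"
    gaps=0

    # Step 2: language detection from the indicator files
    langs=""
    [ -f "$repo/package.json" ]   && langs="$langs JavaScript/TypeScript"
    [ -f "$repo/pyproject.toml" ] && langs="$langs Python"
    [ -f "$repo/Cargo.toml" ]     && langs="$langs Rust"
    echo "Security compliance report: $repo"
    echo "Detected languages:${langs:- none}"

    # Step 3: dependency auditing (language-specific checks only when relevant)
    echo "Dependency auditing:"
    if [ -f "$repo/package.json" ]; then
        check "audit script in package.json" grep -q '"audit"' "$repo/package.json"
    fi
    if [ -f "$repo/pyproject.toml" ]; then
        check "pip-audit listed in pyproject.toml" grep -q 'pip-audit' "$repo/pyproject.toml"
    fi
    if [ -f "$repo/Cargo.toml" ]; then
        check "cargo-audit config .cargo/audit.toml" test -f "$repo/.cargo/audit.toml"
    fi
    check "Dependabot config .github/dependabot.yml" test -f "$repo/.github/dependabot.yml"
    check "dependency review workflow" test -f "$repo/.github/workflows/dependency-review.yml"

    # Step 3: SAST scanning
    echo "SAST scanning:"
    check "CodeQL workflow .github/workflows/codeql.yml" test -f "$repo/.github/workflows/codeql.yml"
    if [ -f "$repo/pyproject.toml" ]; then
        check "Bandit configured ([tool.bandit] in pyproject.toml)" grep -q '\[tool.bandit\]' "$repo/pyproject.toml"
    fi

    # Step 3: secret detection
    echo "Secret detection:"
    check "gitleaks config .gitleaks.toml" test -f "$repo/.gitleaks.toml"
    check "gitleaks pre-commit hook" grep -q 'gitleaks' "$repo/.pre-commit-config.yaml"

    # Security policy (Step 8 artefact)
    echo "Security policy:"
    check "SECURITY.md present" test -f "$repo/SECURITY.md"

    # Step 4: one machine-readable summary line for the caller
    echo "Gaps: $gaps"
}
```

The function always exits 0 so that `out=$(security_compliance_report .)` works under `set -e`; a caller that wants a pass/fail verdict parses the final `Gaps:` line. Git history scanning is deliberately not checked here, because that needs gitleaks itself rather than a file test.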
### Step 5: Configure dependency auditing (if `--fix` or user confirms)

Based on detected language:

**JavaScript/TypeScript (npm/bun):**
- Add audit scripts to `package.json`
- Create Dependabot config `.github/dependabot.yml`
- Create dependency review workflow `.github/workflows/dependency-review.yml`

**Python (pip-audit):**
- Install pip-audit: `uv add --group dev pip-audit`
- Create audit script

**Rust (cargo-audit):**
- Install cargo-audit: `cargo install cargo-audit --locked`
- Configure in `.cargo/audit.toml`

For complete configuration templates, see `REFERENCE.md`.
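An added example of the Dependabot and dependency review part of Step 5, not from the command page or `REFERENCE.md`: it writes `.github/dependabot.yml` with one `updates` entry per ecosystem found via the Step 2 indicators (plus `github-actions` when a workflows directory exists) and a `dependency-review.yml` workflow. The weekly interval, the PR limit, the `high` severity threshold and the `@v4` action tags are this example's assumptions; confirm the tags against the versions found in Step 1.

```shell
#!/bin/sh
# Added example (not from the original command page or REFERENCE.md):
# generate .github/dependabot.yml from detected ecosystems and a
# dependency review workflow for pull requests (Step 5).
# Usage: write_dependabot_config /path/to/repo; write_dependency_review /path/to/repo

# Emit one Dependabot "updates" entry. $1 = package-ecosystem, $2 = directory.
# Weekly schedule and the 10-PR cap are assumptions of this example.
dependabot_entry() {
    cat <<EOF
  - package-ecosystem: "$1"
    directory: "$2"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
EOF
}

# Write .github/dependabot.yml for every ecosystem whose indicator file
# exists; prints the path of the written file.
write_dependabot_config() {
    repo="${1:-.}"
    out="$repo/.github/dependabot.yml"
    mkdir -p "$repo/.github"
    {
        echo 'version: 2'
        echo 'updates:'
        [ -f "$repo/package.json" ]   && dependabot_entry npm /
        [ -f "$repo/pyproject.toml" ] && dependabot_entry pip /
        [ -f "$repo/Cargo.toml" ]     && dependabot_entry cargo /
        # Keep the action pins in the workflows themselves current too
        [ -d "$repo/.github/workflows" ] && dependabot_entry github-actions /
        true
    } > "$out"
    printf '%s\n' "$out"
}

# Write a pull_request workflow that fails the check when a newly added
# dependency carries a known vulnerability at or above the threshold.
write_dependency_review() {
    repo="${1:-.}"
    out="$repo/.github/workflows/dependency-review.yml"
    mkdir -p "$repo/.github/workflows"
    cat > "$out" <<'EOF'
name: Dependency Review

on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # confirm tag per Step 1
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high             # threshold is an assumption
EOF
    printf '%s\n' "$out"
}
```

Run both functions against the repository root; Dependabot reads the generated file from the default branch, and the review action needs the `pull_request` trigger because it diffs the PR's dependency manifest against the base branch.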
### Step 6: Configure SAST scanning (if `--fix` or user confirms)

- Create CodeQL workflow `.github/workflows/codeql.yml` with detected languages
- For Python projects, install and configure Bandit
- Run Bandit: `uv run bandit -r src/ -f json -o bandit-report.json`

For CodeQL workflow and Bandit configuration templates, see `REFERENCE.md`.
### Step 7: Configure secret detection (if `--fix` or user confirms)

- Install gitleaks: `brew install gitleaks` (or `go install github.com/gitleaks/gitleaks/v8@latest`)
- Create `.gitleaks.toml` with project-specific allowlists
- Run initial scan: `gitleaks detect --source .`
- Add pre-commit hook to `.pre-commit-config.yaml`
- Optionally configure TruffleHog workflow for CI

For gitleaks, TruffleHog, and CI workflow configuration templates, see `REFERENCE.md`.
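An added example for the configuration part of Step 7, not from the command page or `REFERENCE.md`: it writes a `.gitleaks.toml` that keeps the built-in ruleset and layers a project allowlist on top, then registers the gitleaks hook in `.pre-commit-config.yaml` without duplicating it on a second run. The allowlisted paths and regex are illustrative assumptions, the global `[allowlist]` table is one of the forms gitleaks v8 accepts, and `vGITLEAKS_VERSION` is a placeholder for the release found in Step 1.

```shell
#!/bin/sh
# Added example (not from the original command page or REFERENCE.md):
# create .gitleaks.toml with project allowlists and add the gitleaks
# pre-commit hook (Step 7). Allowlist entries are illustrative assumptions.
# Usage: configure_gitleaks /path/to/repo

write_gitleaks_config() {
    cat > "$1/.gitleaks.toml" <<'EOF'
title = "project gitleaks config"

# Keep the default rules; this file only adds allowlists on top of them
[extend]
useDefault = true

[allowlist]
description = "Project-specific false positives"
# Lock files and test fixtures are noisy and hold no live credentials
paths = [
  '''package-lock\.json$''',
  '''^tests/fixtures/''',
]
# Documentation placeholders shaped like keys (assumed naming convention)
regexes = [
  '''EXAMPLE_API_KEY_[A-Z0-9]+''',
]
EOF
}

write_precommit_hook() {
    cfg="$1/.pre-commit-config.yaml"
    # Idempotent: add the repo entry only once; create the file if missing
    if [ -f "$cfg" ] && grep -q 'gitleaks/gitleaks' "$cfg"; then
        return 0
    fi
    [ -f "$cfg" ] || echo 'repos:' > "$cfg"
    cat >> "$cfg" <<'EOF'
  - repo: https://github.com/gitleaks/gitleaks
    rev: vGITLEAKS_VERSION   # placeholder: use the release checked in Step 1
    hooks:
      - id: gitleaks
EOF
}

configure_gitleaks() {
    repo="${1:-.}"
    write_gitleaks_config "$repo"
    write_precommit_hook "$repo"
    echo "wrote $repo/.gitleaks.toml and updated $repo/.pre-commit-config.yaml"
}
```

After running it, do the initial scan from Step 7 (`gitleaks detect --source .`) with the new config in place; any finding that is a true positive should be rotated rather than allowlisted, and only the path and pattern allowlists above should absorb known placeholders.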
### Step 8: Create security policy

Create `SECURITY.md` with:
- Supported versions table
- Vulnerability reporting process (email, expected response time, disclosure policy)
- Information to include in reports
- Security best practices for users and contributors
- Automated security tools list

For the SECURITY.md template, see `REFERENCE.md`.
### Step 9: Configure CI/CD integration

Create comprehensive security workflow `.github/workflows/security.yml` with jobs for:
- Dependency audit
- Secret scanning (TruffleHog)
- SAST scan (CodeQL)

Schedule weekly scans in addition to push/PR triggers.

For the CI security workflow template, see `REFERENCE.md`.
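An added example covering the CodeQL part of Step 6 and the trigger layout of Step 9, not from the command page or `REFERENCE.md`: it derives the CodeQL language list from the Step 2 indicators and writes a `security.yml` with push, pull request and weekly schedule triggers. Only the CodeQL job is generated; the dependency audit and TruffleHog jobs from Step 9 follow the `REFERENCE.md` template. The indicator-to-CodeQL-id map, the cron time and the `@v3`/`@v4` action tags are this example's assumptions; an indicator with no mapped id is skipped with a warning, as the Error Handling rule for unsupported languages requires.

```shell
#!/bin/sh
# Added example (not from the original command page or REFERENCE.md):
# build the CodeQL language list and write .github/workflows/security.yml
# with a CodeQL job on push, pull_request and a weekly schedule (Steps 6, 9).
# Usage: write_security_workflow /path/to/repo

# Print a comma-separated CodeQL language list for the repo in $1.
# The indicator -> CodeQL id map is an assumption of this example;
# indicators without a mapped id are reported and skipped.
codeql_languages() {
    repo="${1:-.}"
    list=""
    [ -f "$repo/package.json" ]   && list="${list}${list:+,}javascript-typescript"
    [ -f "$repo/pyproject.toml" ] && list="${list}${list:+,}python"
    if [ -f "$repo/Cargo.toml" ]; then
        echo "warning: no CodeQL language mapped for Cargo.toml here; skipping SAST for Rust" >&2
    fi
    printf '%s\n' "$list"
}

# Write the workflow; returns 1 (and writes nothing) when no mapped
# language was found, so the caller can skip SAST cleanly.
write_security_workflow() {
    repo="${1:-.}"
    langs=$(codeql_languages "$repo")
    if [ -z "$langs" ]; then
        echo "no CodeQL-mapped language detected; not writing workflow" >&2
        return 1
    fi
    mkdir -p "$repo/.github/workflows"
    out="$repo/.github/workflows/security.yml"
    cat > "$out" <<EOF
name: Security

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC (assumed slot)

permissions:
  contents: read
  security-events: write   # needed to upload CodeQL results

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4              # confirm tags per Step 1
      - uses: github/codeql-action/init@v3
        with:
          languages: $langs
      - uses: github/codeql-action/analyze@v3
EOF
    printf '%s\n' "$out"
}
```

The `security-events: write` permission is the one CodeQL needs to publish alerts to the repository's code scanning tab; the rest of the workflow stays read-only. The weekly schedule catches newly published queries against code that has not changed since the last push.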
### Step 10: Update standards tracking

Update `.project-standards.yaml`:

```yaml
components:
  security: "2025.1"
  security_dependency_audit: true
  security_sast: true
  security_secret_detection: true
  security_policy: true
  security_dependabot: true
```
### Step 11: Report configuration results

Print a summary of all changes made across dependency auditing, SAST scanning, secret detection, security policy, and CI/CD integration. Include next steps for reviewing Dependabot PRs, CodeQL findings, and enabling private vulnerability reporting.

For the results report format, see `REFERENCE.md`.
## Agentic Optimizations

| Context | Command |
|---------|---------|
| Quick compliance check | `/configure:security --check-only` |
| Auto-fix all security gaps | `/configure:security --fix` |
| Dependencies only | `/configure:security --type dependencies` |
| Secret detection only | `/configure:security --type secrets` |
| SAST scanning only | `/configure:security --type sast` |
| Verify secrets scan | `gitleaks detect --source . --verbose` |
## Flags

| Flag | Description |
|------|-------------|
| `--check-only` | Report status without offering fixes |
| `--fix` | Apply all fixes automatically without prompting |
| `--type` | Focus on specific security type (dependencies, sast, secrets, all) |
## Error Handling

- **No package manager detected**: Skip dependency auditing
- **GitHub Actions not available**: Warn about CI limitations
- **Secrets found in history**: Provide remediation guide
- **CodeQL unsupported language**: Skip SAST for that language
## See Also

- `/configure:workflows` - GitHub Actions workflow standards
- `/configure:pre-commit` - Pre-commit hook configuration
- `/configure:all` - Run all compliance checks
- GitHub Security Features: https://docs.github.com/en/code-security
- gitleaks: https://github.com/gitleaks/gitleaks
- CodeQL: https://codeql.github.com