AI/ML · jmagly

security-gate

Enforce minimum security criteria before iteration close or release

Stars: 141
Source: jmagly/aiwg
Updated: 2026-05-31
Slug: jmagly--aiwg--security-gate

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jmagly/aiwg/HEAD/agentic/code/frameworks/sdlc-complete/skills/security-gate/SKILL.md -o .claude/skills/security-gate.md

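Drops the SKILL.md into .claude/skills/security-gate.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/. The URL tracks HEAD, so the file fetched is whatever the repository's default branch holds at download time; read it before an agent loads it.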

Security Gate (SDLC)

Criteria

  • Approved threat model with mitigations or accepted risks
  • Zero open critical vulnerabilities; highs triaged with owners/dates
  • SBOM generated and reviewed (if applicable)
  • Secrets policy verified; no hardcoded secrets

Output

  • security-gate-report.md with pass/fail and remediation tasks (structured artifact for downstream agents)
  • Append a gate decision block to .aiwg/security/audit.md (the human-readable rolling audit log — see schema below)

Rolling audit log

.aiwg/security/audit.md is the single append-only rollup of security activity in this project. Humans read it first; downstream agents continue to consume the structured per-area artifacts. Both views are maintained.

After running the gate, append a block in this exact format (create .aiwg/security/audit.md if it does not exist; create the .aiwg/security/ directory if missing):

---

## [YYYY-MM-DD HH:MM] security-gate — <gate name or scope>

**Source:** security-gate
**Scope:** <artifact path or release identifier under review>
**Verdict:** <pass | fail | conditional>

### Findings rolled up

- **[severity] location** — description. Confirmation quote: `<source snippet>`. Remediation: <action>.
- ...

### References

- Structured artifact: `security-gate-report.md`
- Related: <issue or commit reference if applicable>

The same schema is used by security-auditor for its findings. Do not rewrite or truncate prior entries — append only.

After appending, log an audit entry to .aiwg/activity.log per the activity-log rule.
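One way to produce and append the gate decision block described above, as an added example that is not code from the aiwg project. The finding dictionary keys, the function names and the sample finding are assumptions made for illustration; only the block layout and the file path come from the skill text, and the criterion check covers only the vulnerability rule (zero open criticals, highs triaged with owners/dates).

```python
from datetime import datetime
from pathlib import Path

AUDIT_LOG = Path(".aiwg/security/audit.md")  # path named in the skill text
# Constructed sample finding; the dict keys are hypothetical, not an AIWG schema.
SAMPLE = [
    {"severity": "high", "status": "open", "owner": "", "due": "",
     "location": "src/config.py:12", "description": "Hardcoded API token",
     "quote": "API_TOKEN = \"<redacted>\"", "remediation": "load from secret store"},
]

def vuln_criterion_met(findings):
    """Zero open criticals, and every open high has an owner and a date."""
    for f in findings:
        if f["status"] != "open":
            continue
        if f["severity"] == "critical":
            return False
        if f["severity"] == "high" and not (f["owner"] and f["due"]):
            return False
    return True

def render_block(gate_name, scope, verdict, findings, when, related=None):
    """Build one audit entry in the format the skill specifies."""
    if verdict not in ("pass", "fail", "conditional"):
        raise ValueError(f"unknown verdict: {verdict!r}")
    out = ["---", "", f"## [{when:%Y-%m-%d %H:%M}] security-gate — {gate_name}", "",
           "**Source:** security-gate", f"**Scope:** {scope}",
           f"**Verdict:** {verdict}", "", "### Findings rolled up", ""]
    for f in findings:
        out.append(f"- **[{f['severity']}] {f['location']}** — {f['description']}. "
                   f"Confirmation quote: `{f['quote']}`. Remediation: {f['remediation']}.")
    out += ["", "### References", "", "- Structured artifact: `security-gate-report.md`"]
    if related:
        out.append(f"- Related: {related}")
    return "\n".join(out) + "\n"

def append_block(block, log=AUDIT_LOG):
    """Append only: create the directory and file if missing, never touch old bytes."""
    log.parent.mkdir(parents=True, exist_ok=True)
    separator = "\n" if log.exists() and log.stat().st_size else ""
    with log.open("a", encoding="utf-8") as fh:  # mode "a" cannot rewrite prior entries
        fh.write(separator + block)

if __name__ == "__main__":
    verdict = "pass" if vuln_criterion_met(SAMPLE) else "fail"
    append_block(render_block("release gate", "release candidate", verdict,
                              SAMPLE, datetime.now()))
```

The script only ever decides between pass and fail on the one criterion it checks; a conditional verdict, or acceptance of any finding, is left to a human reviewer as the referenced human-authorization rule requires.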

References

  • @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/vague-discretion.md — Gate criteria must be concrete and verifiable (zero open criticals, SBOM present); never "acceptable risk" without documentation
  • @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/human-authorization.md — Fail the gate and escalate to human; do not autonomously accept or close security findings
  • @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/rules/token-security.md — Token security policy this gate verifies (no hardcoded secrets)
  • @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/skills/security-audit/SKILL.md — Upstream audit skill whose findings feed into this gate's pass/fail evaluation
  • @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/skills/check-traceability/SKILL.md — Traceability verification that may be required as a security gate prerequisite
  • @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/activity-log.md — Append-only artifact discipline used by .aiwg/security/audit.md
  • @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/agents/security-auditor.md — Companion writer of the rolling audit log (same schema)