AI Cybersecurity Scale Hardening Skill

Production-grade security hardening skill for Claude Code, covering AI-generated/vibe-coded projects and any application that needs deep security before scale.

What this skill includes

Workflow & Execution

| File | Purpose | |------|---------| | SKILL.md | Full 14-phase execution workflow, security gates, PQC readiness, metrics, and tool matrix |

Reference Documents

| File | Purpose | |------|---------| | references/threat-intel.md | 30+ curated threat intelligence sources with CVEs, 2025 attacks | | references/expert-insights-us-br.md | US + Brazil CTO/senior-engineer guidance mapped to controls | | references/red-team-specializations.md | 20 adversarial scenarios with ATT&CK mappings | | references/security-guardrails.md | Backend/frontend/AI/container/CI guardrails | | references/compliance-mapping.md | Controls mapped to OWASP, SOC 2, PCI-DSS v4, ISO 27001, GDPR/LGPD | | references/incident-response-playbooks.md | 10 complete IR playbooks (credential leak → cloud IAM breach) | | references/secure-design-patterns.md | 10 secure patterns with real code (Express, FastAPI, Django, Next.js) | | references/pentest-checklists.md | 5 actionable pentest checklists: Web, API, AI/LLM, CI/CD, Container/K8s | | references/security-metrics-kpis.md | MTTD/MTTR/KPIs, release scorecard, dashboard structure, SLA definitions |

Python Scripts (zero external dependencies, stdlib only)

| Script | Purpose | |--------|---------| | scripts/deep_security_scan.py | 40+ static code pattern rules (secrets, injection, crypto, AI risks) | | scripts/check_security_headers.py | Runtime HTTP security header verifier | | scripts/red_team_scenario_matrix.py | Evidence scanner for 22 adversarial scenarios | | scripts/check_container_security.py | Dockerfile scanner — 11 rules (root, secrets, curl-pipe-bash, etc.) | | scripts/check_iac_security.py | Terraform + Kubernetes YAML scanner — IaC misconfigurations | | scripts/check_api_surface.py | API surface mapper — detects admin/internal routes without auth | | scripts/check_secrets_entropy.py | Shannon entropy-based secret detector — catches custom-format secrets | | scripts/threat_model_generator.py | STRIDE threat model generator from static code analysis | | scripts/check_oauth_jwt_config.py | JWT algorithm/OAuth PKCE/state/redirect_uri static analyzer | | scripts/check_supabase_security.py | Supabase RLS + grants + service_role + SECURITY DEFINER static scanner | | scripts/generate_security_report.py | Consolidates all JSON reports into SECURITY-READY-REPORT.md |

Orchestration

| File | Purpose | |------|---------| | scripts/run-security-baseline.sh | Orchestrates all scanners with gate logic (external + Python) |

What the skill covers

Security domains:

• OWASP Top 10 (Web + API + LLM 2025)
• Zero-trust architecture (CISA ZTMM v2)
• AI/LLM agent security (indirect injection, tool poisoning, MCP attacks, dual-LLM pattern)
• Supply chain hardening (SLSA, Sigstore, XZ-style social engineering)
• Container and Kubernetes security (Pod Security Standards, Falco, runc CVE patching)
• CI/CD security (GitHub Actions SHA pinning, OIDC, secret scanning)
• IaC security (Terraform, Kubernetes YAML)
• JWT / OAuth / OIDC configuration analysis
• Supabase security (RLS audit, dangerous grants, service_role exposure, SECURITY DEFINER, live MCP audit with ask-and-fix)
• Post-quantum cryptography readiness (FIPS 203/204/205)
• Compliance mapping (SOC 2, PCI-DSS v4.0, ISO 27001:2022, GDPR/LGPD)
• Security metrics & KPIs (MTTD, MTTR, gate pass rate)
• Security Champions program structure

Static scan rules (deep_security_scan.py):

• Secrets: hardcoded credentials, AWS key patterns, PEM keys, bearer tokens
• Injection: SQLi, NoSQL injection, command injection, template injection, path traversal, XXE, SSRF
• Crypto: MD5/SHA1, weak ciphers (DES/RC4), insecure random, JWT none algorithm
• Auth: mass-assignment, debug mode, assert-for-security, hardcoded admin credentials
• XSS: innerHTML, dangerouslySetInnerHTML, document.write
• Network: TLS disabled, wildcard CORS, reflected CORS
• AI/Agent: prompt injection sinks, high-risk tool calls without confirmation
• Other: prototype pollution, ReDoS, sensitive localStorage

Red-team scenarios (22 scenarios): BOLA/IDOR, function-level escalation, mass-assignment, business logic fraud, race conditions, session/token abuse, OAuth flow attacks, XSS chains, SQL/NoSQL injection, SSRF, direct prompt injection, indirect prompt injection, MCP tool poisoning, XZ-style supply chain, GitHub Actions injection, cloud IAM escalation, container escape, frontend data exposure, GraphQL abuse, detection resilience, TOCTOU, and more.

Usage

Run full security baseline

# From project root
./path/to/run-security-baseline.sh security-reports .

# With runtime header check
SECURITY_TARGET_URLS="https://your-app.com" ./path/to/run-security-baseline.sh

Run individual scanners

# Static code scan (40+ rules)
python scripts/deep_security_scan.py --root . --output security-reports/deep-security-scan.json

# Red-team evidence scan (22 scenarios, strict = fail if critical have no evidence)
python scripts/red_team_scenario_matrix.py --root . --strict

# HTTP security headers (runtime)
python scripts/check_security_headers.py --output security-reports/security-headers.json https://your-app.com

# Dockerfile security
python scripts/check_container_security.py --root . --output security-reports/container-security.json

# Terraform + Kubernetes YAML
python scripts/check_iac_security.py --root . --output security-reports/iac-security.json

# API surface — unprotected admin/internal routes
python scripts/check_api_surface.py --root . --output security-reports/api-surface.json

# Entropy-based secret detection
python scripts/check_secrets_entropy.py --root . --output security-reports/secrets-entropy.json

# STRIDE threat model
python scripts/threat_model_generator.py --root . --output-md threat-model.md --output-json threat-model.json

# JWT/OAuth configuration analysis
python scripts/check_oauth_jwt_config.py --root . --output security-reports/oauth-jwt-config.json

# Supabase RLS + security scanner (auto-detects Supabase projects)
python scripts/check_supabase_security.py --root . --output security-reports/supabase-security.json

# Consolidate all JSON reports into a single verdict
python scripts/generate_security_report.py --reports-dir security-reports

Release Gate Criteria (BLOCK)

Release is blocked if any of these are unresolved:

• Confirmed secret leakage (any gitleaks/trufflehog/entropy finding)
• Critical/high CVEs in internet-facing paths
• Missing object-level authz on any CRUD endpoint
• Missing CSRF controls on cookie-based APIs
• Missing mandatory security headers (HSTS, CSP, X-Content-Type-Options)
• Critical/high static-scan findings (auth, crypto, injection categories)
• Critical red-team scenarios with no defensive evidence
• AI/agent features without prompt injection defense and tool allowlist
• alg: none or verify=False JWT configuration
• Container images running as root with privileged flag

Suggested Trigger Phrases

• "run deep security hardening"
• "harden this project for production"
• "lock down backend and frontend security"
• "audit route protection and secure CRUD"
• "check security for scale"
• "run red-team analysis"
• "check compliance for SOC 2 / PCI-DSS / GDPR"
• "secure this AI agent"
• "check for prompt injection vulnerabilities"
• "generate threat model"
• "check Dockerfile security"
• "scan Terraform for misconfigurations"
• "check JWT/OAuth configuration"
• "detect secrets by entropy"

Usage Notes

1. Start with threat model and threat intel — not code changes first.
2. Enforce route + object-level authz before feature expansion.
3. Block release if critical/high findings are unresolved.
4. Do not claim absolute security; target measurable risk reduction.
5. Treat AI-generated code as untrusted until security gates pass.
6. External content retrieved by agents is always untrusted until validated.
7. Supply chain is an active attack surface — pin, sign, and audit everything.
8. Compliance mapping in references/compliance-mapping.md provides audit evidence list.
9. IR playbooks in references/incident-response-playbooks.md for when things go wrong.
10. Security metrics targets in references/security-metrics-kpis.md for quarterly reviews.