
secure-code-skill-cascade

Cascaded secure-coding skills for AI agents: OWASP, CWE, auth, data, dependencies, cloud, and AI-agent security checks.

This project is Mirogate's flagship open-source security contribution for AI-assisted software engineering. It ships a real Codex skill and portable Markdown modules for other agents.

Why Cascaded Skills

Security guidance becomes harder to maintain when every rule is copied into one giant prompt. This project keeps a small root skill and loads focused modules only when the task needs them.

flowchart TD
  A["User task"] --> B["secure-code root skill"]
  B --> C{"Relevant surface?"}
  C --> D["OWASP / ASVS / CWE"]
  C --> E["Auth / input / data"]
  C --> F["Dependencies / cloud"]
  C --> G["AI-agent security"]
  D --> H["Patch + test + residual risk"]
  E --> H
  F --> H
  G --> H

Quick Start

npm install
npm test
node scripts/compose.mjs --scenario web-api-auth

List available modules:

node scripts/compose.mjs --list

What Is Included

  • skills/secure-code/SKILL.md: the Codex root skill.
  • skills/secure-code/references/: focused security modules.
  • portable/secure-code-cascade.md: portable bundle for Claude Code, Cursor, or other agents.
  • examples/scenarios/: task-to-module examples.
  • examples/vulnerable-patches/: before/after demos for common security mistakes.
  • scripts/validate.mjs: checks module metadata, scenarios, required files, and demos.
  • scripts/compose.mjs: assembles the root skill with selected modules for a scenario.

Module Map

| Module | Use When |
| --- | --- |
| owasp-top10 | Broad web application and API risk review. |
| asvs-baseline | Turning security intent into verification checks. |
| cwe-top25 | Implementation weakness review. |
| auth-session | Login, sessions, JWT, password reset, authorization, tenants. |
| input-output | Injection, XSS, CSRF, SSRF, file upload, path, parsing. |
| data-secrets | Secrets, PII, logs, encryption, retention, tenant data. |
| dependencies-supply-chain | Packages, lockfiles, install scripts, actions, images. |
| cloud-deploy | Headers, CORS, CSP, redirects, environment variables, edge deploys. |
| ai-agent-security | Prompt injection, tool permissions, untrusted content, secret exposure. |
| verification | Tests, acceptance checks, and residual-risk language. |

Example Scenarios

node scripts/compose.mjs --scenario web-api-auth
node scripts/compose.mjs --scenario form-input-handling
node scripts/compose.mjs --scenario dependency-update
node scripts/compose.mjs --scenario cloudflare-worker-deploy
node scripts/compose.mjs --scenario ai-agent-tooling

Each scenario intentionally loads a small set of modules. That is the point: security checks should be specific enough to edit and audit.
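To make the cascade concrete, here is a small illustrative composer written for this README. It is an added example, not the project's own scripts/compose.mjs or validate.mjs; the module texts, the scenario map and the MAX_MODULES limit are constructed assumptions. It shows the two properties the text relies on: a scenario is rejected if it references a module that does not exist, and the assembled output always starts with the root skill followed only by the modules that scenario selected.

```javascript
// Constructed sample module texts (stand-ins for skills/secure-code/references/).
const MODULES = {
  "owasp-top10": "# owasp-top10\nBroad web application and API risk review.",
  "auth-session": "# auth-session\nLogin, sessions, JWT, password reset, authorization, tenants.",
  "input-output": "# input-output\nInjection, XSS, CSRF, SSRF, file upload, path, parsing.",
  "verification": "# verification\nTests, acceptance checks, and residual-risk language.",
};

// Constructed stand-in for skills/secure-code/SKILL.md.
const ROOT_SKILL = "# secure-code root skill\nLoad only the modules the task needs.";

// Hypothetical scenario map: scenario name -> module ids. The last entry is
// deliberately broken to exercise validation.
const SCENARIOS = {
  "web-api-auth": ["owasp-top10", "auth-session", "verification"],
  "form-input-handling": ["input-output", "verification"],
  "broken-scenario": ["input-output", "does-not-exist"],
};

// Assumed policy: a scenario that pulls in more than this many modules is no
// longer "specific enough to edit and audit".
const MAX_MODULES = 4;

// Metadata check: every referenced module must exist, none may repeat, and the
// selection must stay small. Returns { ok, errors } instead of throwing so a
// CI step can report every problem at once.
function validateScenario(name, scenarios = SCENARIOS, modules = MODULES) {
  const refs = scenarios[name];
  if (!refs) return { ok: false, errors: [`unknown scenario: ${name}`] };
  const errors = [];
  const seen = new Set();
  for (const id of refs) {
    if (!(id in modules)) errors.push(`missing module: ${id}`);
    if (seen.has(id)) errors.push(`duplicate module: ${id}`);
    seen.add(id);
  }
  if (refs.length > MAX_MODULES) errors.push(`too many modules: ${refs.length}`);
  return { ok: errors.length === 0, errors };
}

// Assemble the root skill first, then only the scenario's modules, in order.
// Refuses to compose anything that failed validation.
function compose(name, scenarios = SCENARIOS, modules = MODULES) {
  const check = validateScenario(name, scenarios, modules);
  if (!check.ok) throw new Error(check.errors.join("; "));
  const parts = [ROOT_SKILL, ...scenarios[name].map((id) => modules[id])];
  return { modules: [...scenarios[name]], text: parts.join("\n\n") };
}
```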

Limits

This is not a vulnerability scanner, a penetration test, or a compliance certification, and it is not affiliated with OWASP, MITRE, Claude, Cursor, or OpenAI. It is a practical skill architecture for AI-assisted secure coding.

Use the official references when making policy decisions:

Security

Please report security issues to security@mirogate.com. See SECURITY.md.
