giuseppe-trisciuoglio/developer-kit
Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.
89
89%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Risky
Do not use without reviewing
devkit.generate-security-assessment.mdplugins/developer-kit-core/commands/documentation/
- allowed-tools:
- Read, Write, Edit, Grep, Glob
- argument-hint:
- [language] [output-format]
- description:
- Generates comprehensive security assessment document after security audit completion. Use when you need to create a structured security report.
Overview
Generates comprehensive security assessment document after security audit completion. Use when you need to create a structured security report.
Usage
/devkit.generate-security-assessment $ARGUMENTSArguments
| Argument | Description |
|---|---|
$ARGUMENTS | Combined arguments passed to the command |
Execution Instructions
Agent Selection: To execute this generation task, use the following approach:
- Primary: Use
general-purposeagent with specialized knowledge of the task domain - Or use appropriate specialized agent if available for the specific generation task
Security Assessment Document Generation
Target Project: $ARGUMENTS
Document Analysis Setup
First, I'll analyze the project structure and security audit findings:
- Project Analysis: Examine codebase structure and technologies
- Security Review: Check recent security audit results
- Risk Assessment: Identify critical security areas
- Compliance Check: Verify regulatory requirements
Document Structure Generation
Based on security audit analysis, generating comprehensive assessment document with the following structure:
Security Assessment Document
Language: Language detection from arguments... Format: Output format configuration... Generation Date: Current timestamp...
1. Project Overview and Security Scope
Project Description
[Auto-generated based on codebase analysis]
Identified Technologies: [Framework detection from package.json/pom.xml] Application Size: [Lines of code, number of files] Application Type: [Web, API, Desktop, Mobile]
Security Scope
Assessment Perimeter:
- Authentication and Authorization
- Data Protection
- Security Architecture
- Incident Management
Exclusions: [Components not in scope]
2. Identity and Access Management
Authentication
[Analysis of authentication mechanisms]
- Identified Methods: JWT, OAuth2, Session-based
- Security Configurations: Spring Security, Passport.js, NextAuth
- Two-Factor Authentication: Implementation status
- Password Policies: Current password strength requirements
Authorization
[Access control analysis]
- Role-Based Access Control (RBAC): Implementation status
- Method-Level Security: @PreAuthorize, @Secured annotations
- API Protection: Endpoint security configuration
- Resource Access Control: File and data access policies
Session Management
[Session security evaluation]
- Session Timeout: Current timeout configurations
- Session Fixation Protection: Security measures implemented
- Concurrent Session Control: Multiple session policies
- Secure Cookie Configuration: HttpOnly, Secure, SameSite settings
3. Data Protection
Encryption
[Cryptography implementation analysis]
- Data in Transit: TLS/SSL configurations
- Data at Rest: Database encryption, file system encryption
- Algorithms Used: AES, RSA, bcrypt for passwords
- Key Management: Secret storage and rotation policies
Data Masking
[Sensitive data handling]
- PII Protection: Personal identifiable information masking
- Credit Card Data: PCI-DSS compliance measures
- Log Sanitization: Sensitive data removal from logs
- Database Field Encryption: Column-level encryption
Backup and Recovery
[Data backup strategies]
- Backup Schedule: Automated backup frequency
- Backup Encryption: Encrypted backup storage
- Recovery Testing: Regular restore procedure validation
- Disaster Recovery: Business continuity planning
4. Threat Protection
Firewall and WAF
[Network security configuration]
- Web Application Firewall: Implementation status
- Ingress/Egress Filtering: Network traffic controls
- DDoS Protection: Rate limiting and traffic monitoring
- API Gateway Security: Request validation and filtering
Common Attack Protection
[Attack prevention measures]
- SQL Injection: Parameterized queries, ORMs usage
- XSS Protection: Input sanitization, CSP headers
- CSRF Protection: Anti-CSRF tokens
- File Upload Security: File type validation, virus scanning
Vulnerability Monitoring
[Security monitoring setup]
- Dependency Scanning: npm audit, OWASP Dependency Check
- Static Analysis: Code quality security tools
- Dynamic Testing: Security testing automation
- Security Headers: HSTS, X-Frame-Options, CSP
5. Code Security
Secure Development Guidelines
[Coding standards analysis]
- Input Validation: Validation frameworks usage
- Error Handling: Secure error response patterns
- Security Libraries: Cryptography, authentication libraries
- Code Quality: Static analysis tools integration
Code Review Process
[Security review practices]
- Security Code Review: Peer review for security
- Automated Security Testing: CI/CD security gates
- Security Standards: OWASP ASVS compliance
- Documentation: Security requirements documentation
Security Testing
[Security testing strategy]
- Unit Tests Security: Security-focused unit tests
- Integration Tests: End-to-end security validation
- Penetration Testing: Regular security assessments
- Security Monitoring: Runtime security monitoring
6. Incident Management
Incident Response Plan
[Incident response procedures]
- Detection: Security incident identification
- Response: Immediate response actions
- Containment: Incident containment strategies
- Recovery: Service restoration procedures
Reporting
[Incident reporting structure]
- Logging Strategy: Comprehensive logging setup
- Audit Trails: User action tracking
- Security Metrics: Key security indicators
- Compliance Reporting: Regulatory reporting requirements
Communication
[Stakeholder communication]
- Internal Notification: Team alerting mechanisms
- External Communication: Customer notification procedures
- Regulatory Reporting: Legal requirement compliance
- Public Relations: Crisis communication plan
7. Training and Awareness
Staff Training
[Security education programs]
- Developer Security: Secure coding practices training
- Security Awareness: Phishing awareness programs
- Compliance Training: Regulatory requirement education
- Regular Updates: Ongoing security education
Attack Simulations
[Security validation exercises]
- Phishing Simulations: Employee security awareness testing
- Penetration Testing: Regular security assessments
- Red Team Exercises: Adversarial simulation testing
- Security Drills: Incident response practice
8. Compliance and Regulations
Regulatory Compliance
[Compliance framework analysis]
- GDPR: General Data Protection Regulation compliance
- SOX: Sarbanes-Oxley Act requirements
- PCI-DSS: Payment Card Industry Data Security Standard
- ISO 27001: Information Security Management
Security Audits
[Audit procedures and results]
- Internal Audits: Regular security assessments
- External Audits: Third-party security evaluations
- Compliance Checks: Automated compliance validation
- Audit Findings: Security improvement recommendations
9. Maintenance and Updates
Patch Management
[Update and patch procedures]
- Vulnerability Scanning: Regular security scans
- Patch Schedule: Automated update procedures
- Testing Protocol: Pre-deployment testing
- Rollback Procedures: Update failure recovery
Continuous Monitoring
[Ongoing security monitoring]
- SIEM Integration: Security information and event management
- Real-time Alerting: Immediate threat notification
- Performance Monitoring: Security impact on performance
- Anomaly Detection: Behavioral analysis systems
10. Appendices
Glossary
- RBAC: Role-Based Access Control
- OWASP: Open Web Application Security Project
- TLS: Transport Layer Security
- PII: Personal Identifiable Information
Useful Resources
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- Security Guidelines: Internal security documentation
- Tools: Security assessment tools used
- Contacts: Security team contact information
Document Generation Process
- Analyze Codebase Structure: Detect technologies, frameworks, and security implementations
- Review Security Audit Results: Parse findings from recent security assessments
- Generate Risk Assessment: Create project-specific security risk evaluation
- Format Document: Apply requested language and output format
- Include Recommendations: Provide actionable security improvement suggestions
- Add Compliance Mapping: Map to relevant security standards and regulations
Output: Complete security assessment document ready for stakeholder review and security planning.
Language: $ARGUMENTS Format: Based on user preference (Markdown default)
Examples
- `/developer-kit:devkit.generate-security-assessment en-US markdown` - Generate English assessment in Markdown
- `/developer-kit:devkit.generate-security-assessment it-IT pdf` - Generate Italian assessment in PDF
- `/developer-kit:devkit.generate-security-assessment docx` - Generate English assessment in DOCXdocs
plugins
developer-kit-ai
developer-kit-aws
agents
docs
skills
aws
aws-cli-beast
aws-cost-optimization
aws-drawio-architecture-diagrams
aws-sam-bootstrap
aws-cloudformation
aws-cloudformation-auto-scaling
aws-cloudformation-bedrock
aws-cloudformation-cloudfront
aws-cloudformation-cloudwatch
aws-cloudformation-dynamodb
aws-cloudformation-ec2
aws-cloudformation-ecs
aws-cloudformation-elasticache
references
aws-cloudformation-iam
references
aws-cloudformation-lambda
aws-cloudformation-rds
aws-cloudformation-s3
aws-cloudformation-security
aws-cloudformation-task-ecs-deploy-gh
aws-cloudformation-vpc
references
developer-kit-core
agents
commands
skills
developer-kit-devops
developer-kit-java
agents
commands
docs
skills
aws-lambda-java-integration
aws-rds-spring-boot-integration
aws-sdk-java-v2-bedrock
aws-sdk-java-v2-core
aws-sdk-java-v2-dynamodb
aws-sdk-java-v2-kms
aws-sdk-java-v2-lambda
aws-sdk-java-v2-messaging
aws-sdk-java-v2-rds
aws-sdk-java-v2-s3
aws-sdk-java-v2-secrets-manager
clean-architecture
graalvm-native-image
langchain4j-ai-services-patterns
references
langchain4j-mcp-server-patterns
references
langchain4j-rag-implementation-patterns
references
langchain4j-spring-boot-integration
langchain4j-testing-strategies
langchain4j-tool-function-calling-patterns
langchain4j-vector-stores-configuration
references
qdrant
references
spring-ai-mcp-server-patterns
spring-boot-actuator
spring-boot-cache
spring-boot-crud-patterns
spring-boot-dependency-injection
spring-boot-event-driven-patterns
spring-boot-openapi-documentation
spring-boot-project-creator
spring-boot-resilience4j
spring-boot-rest-api-standards
spring-boot-saga-pattern
spring-boot-security-jwt
assets
references
scripts
spring-boot-test-patterns
spring-data-jpa
references
spring-data-neo4j
references
unit-test-application-events
unit-test-bean-validation
unit-test-boundary-conditions
unit-test-caching
unit-test-config-properties
references
unit-test-controller-layer
unit-test-exception-handler
references
unit-test-json-serialization
unit-test-mapper-converter
references
unit-test-parameterized
unit-test-scheduled-async
references
unit-test-service-layer
references
unit-test-utility-methods
unit-test-wiremock-rest-api
references
developer-kit-php
developer-kit-project-management
developer-kit-python
developer-kit-specs
commands
docs
hooks
test-templates
tests
skills
developer-kit-tools
developer-kit-typescript
agents
docs
hooks
rules
skills
aws-cdk
aws-lambda-typescript-integration
better-auth
clean-architecture
drizzle-orm-patterns
dynamodb-toolbox-patterns
references
nestjs
nestjs-best-practices
nestjs-code-review
nestjs-drizzle-crud-generator
nextjs-app-router
nextjs-authentication
nextjs-code-review
nextjs-data-fetching
nextjs-deployment
nextjs-performance
nx-monorepo
react-code-review
react-patterns
shadcn-ui
tailwind-css-patterns
tailwind-design-system
references
turborepo-monorepo
typescript-docs
typescript-security-review
zod-validation-utilities
references
github-spec-kit