CtrlK
BlogDocsLog inGet started
Tessl Logo

common-security-standards

Enforce universal security protocols for safe, resilient software. Use when implementing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature across any language or framework. (triggers: **/*.ts, **/*.tsx, **/*.go, **/*.dart, **/*.java, **/*.kt, **/*.swift, **/*.py, security, encrypt, authenticate, authorize)

76

Quality

69%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./.agent/skills/common/common-security-standards/SKILL.md
SKILL.md
Quality
Evals
Security

Security Standards

Priority: P0 (CRITICAL)

Always-Apply Rules

Apply these on every code write, regardless of context:

  • No hardcoded secrets: Use environment variables or secret managers. Never commit keys, passwords, or tokens to source control.
  • No raw SQL strings: Use parameterized queries or ORMs — WHERE id = ${userId} is always wrong.
  • No stacktraces in prod: Return generic error codes; log full detail server-side only.

Workflow

Activate when: implementing auth, encryption, authorization, input handling, or any security-sensitive feature.

  1. Identify trust boundaries — map every data entry point (API, UI, CSV, webhook).
  2. Validate and sanitize all external input at each boundary.
  3. Apply least privilege to users, services, and containers.
  4. Verify with SAST/DAST scanners in CI before merge.

Context-Specific Rules

Data Safeguarding

  • Zero Trust: Never trust external input. Sanitize and validate every data boundary.
  • Least Privilege: Grant minimum necessary permissions to users, services, and containers.
  • Encryption: AES-256 for data-at-rest; TLS 1.3 for data-in-transit.
  • PII Logging: Never log PII (email, phone, names). Mask sensitive fields before logging.

See implementation examples for parameterized queries and secret management.

Secure Coding

  • Injection Prevention: Use parameterized queries or ORMs to stop SQL, Command, and XSS injections.
  • Dependency Management: Regularly scan (npm audit, pip audit) and update third-party libraries to patch CVEs.
  • Secure Auth: Implement Multi-Factor Authentication (MFA) and secure session management.
  • Error Privacy: Never leak stack traces or internal implementation details to the end-user.

Continuous Security

  • Shift Left: Integrate security scanners (SAST/DAST) early in the CI/CD pipeline.
  • Data Minimization: Collect and store only the minimum data required for business logic.
  • Audit Logging: Maintain logs for sensitive operations (Auth, Deletion, Admin changes).

Anti-Patterns

  • No default passwords: Force rotation on first use with strong entropy requirements.

References

Repository
HoangNguyen0403/agent-skills-standard
Commit

19a1140

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill