Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'.
Comprehensive security rules for writing secure code across 15+ languages. Covers OWASP Top 10, infrastructure security, and coding best practices with 28 rule categories.
Proactive mode — When writing or reviewing code, automatically check for relevant vulnerabilities based on the language and patterns present. You don't need to wait for the user to ask about security.
Reactive mode — When the user asks about security, use the categories below to find the relevant rule file, then read it for detailed vulnerable/secure code examples.
rules/ for detailed code examples in that languageWhen writing code in these languages, check these rules first:
| Language | Priority Rules to Check |
|---|---|
| Python | SQL injection, command injection, path traversal, code injection, SSRF, insecure crypto |
| JavaScript/TypeScript | XSS, prototype pollution, code injection, insecure transport, CSRF |
| Java | SQL injection, XXE, insecure deserialization, insecure crypto, SSRF |
| Go | SQL injection, command injection, path traversal, insecure transport |
| C/C++ | Memory safety, unsafe functions, command injection, path traversal |
| Ruby | SQL injection, command injection, code injection, insecure deserialization |
| PHP | SQL injection, XSS, command injection, code injection, path traversal |
| HCL/YAML | Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions |
rules/sql-injection.md) - Use parameterized queries, never concatenate user inputrules/command-injection.md) - Avoid shell commands with user input, use safe APIsrules/xss.md) - Escape output, use framework protectionsrules/xxe.md) - Disable external entities in XML parsersrules/path-traversal.md) - Validate and sanitize file pathsrules/insecure-deserialization.md) - Never deserialize untrusted datarules/code-injection.md) - Never eval() user inputrules/secrets.md) - Use environment variables or secret managersrules/memory-safety.md) - Prevent buffer overflows, use-after-free (C/C++)rules/insecure-crypto.md) - Use SHA-256+, AES-256, avoid MD5/SHA1/DESrules/insecure-transport.md) - Use HTTPS, verify certificatesrules/ssrf.md) - Validate URLs, use allowlistsrules/authentication-jwt.md) - Always verify signaturesrules/csrf.md) - Use CSRF tokens on state-changing requestsrules/prototype-pollution.md) - Validate object keys in JavaScriptrules/terraform-aws.md, rules/terraform-azure.md, rules/terraform-gcp.md) - Encryption, least privilege, no public accessrules/kubernetes.md) - No privileged containers, run as non-rootrules/docker.md) - Don't run as root, pin image versionsrules/github-actions.md) - Avoid script injection, pin action versionsrules/regex-dos.md) - Avoid catastrophic backtrackingrules/race-condition.md) - Use proper synchronizationrules/correctness.md) - Avoid common logic bugsrules/best-practice.md) - General secure coding patternsSee rules/_sections.md for the full index with CWE/OWASP references.
| Vulnerability | Key Prevention |
|---|---|
| SQL Injection | Parameterized queries |
| XSS | Output encoding |
| Command Injection | Avoid shell, use APIs |
| Path Traversal | Validate paths |
| SSRF | URL allowlists |
| Secrets | Environment variables |
| Crypto | SHA-256, AES-256 |