name: ci-cd
description: |
Security-hardening skill for CI/CD pipelines and pre-commit hooks. Scans codebases to detect missing security infrastructure and generates configurations. Use when:
(1) Setting up CI/CD for a new project ("add CI", "setup GitHub Actions", "create workflow")
(2) Adding pre-commit hooks ("add husky", "setup pre-commit", "add git hooks")
(3) Security hardening ("add SAST", "setup CodeQL", "add dependabot", "security scan")
(4) Auditing existing CI/CD ("check my workflows", "what security am I missing")
(5) Adding commit standards ("add commitlint", "enforce conventional commits")
Triggers: "CI/CD", "GitHub Actions", "pre-commit", "husky", "CodeQL", "Semgrep", "dependabot", "SAST", "security scanning", "lint-staged", "commitlint", "git hooks"

CI/CD Security Hardening

Overview

This skill detects your project's technology stack, identifies missing CI/CD security infrastructure, and generates production-ready configurations. Targets vibecoded/AI-generated projects that often lack proper security tooling.

Key capabilities:
- Stack detection (Node.js, Python, Go, Rust, multi-language)
- Pre-commit hook setup (Husky, lint-staged, pre-commit framework)
- GitHub Actions workflows (CI, CodeQL, Semgrep, dependency scanning)
- Commit message standards (Conventional Commits)
- Gap analysis against security best practices
- Local workflow testing with act (macOS/Linux)

Core Workflow

Phase 1: Detection

Scan the codebase to identify:

1. Language/Framework Detection
   Check for: package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml Also: tsconfig.json, setup.py, poetry.lock, Pipfile

2. Existing CI/CD Infrastructure
   ```
   Look for:

3. .github/workflows/*.yml
4. .gitlab-ci.yml
5. Jenkinsfile
6. .circleci/config.yml

7. .travis.yml
   ```

8. Existing Pre-commit Setup
   ```
   Look for:

9. .husky/ directory (Node.js)
10. .pre-commit-config.yaml (Python/universal)
11. .git/hooks/ (manual hooks)

12. lint-staged config in package.json
    ```

13. Existing Security Tools
    ```
    Check for:

14. .github/dependabot.yml
15. .github/workflows/codeql*.yml
16. semgrep.yml or .semgrep/
17. .gitleaks.toml
18. eslint-plugin-security (Node.js)
19. bandit.yml (Python)
    ```

Phase 2: Gap Analysis

Compare detected infrastructure against security checklist:

Pre-commit Checklist

• [ ] Pre-commit hooks installed and configured
• [ ] Linting runs on staged files
• [ ] Formatting runs on staged files
• [ ] Type checking (if applicable)
• [ ] Secret detection (detect-secrets, gitleaks)
• [ ] Commit message validation (commitlint/commitizen)

CI/CD Checklist

• [ ] Build workflow exists
• [ ] Tests run in CI
• [ ] Linting runs in CI
• [ ] SAST scanning (CodeQL or Semgrep)
• [ ] Dependency scanning (Dependabot or Snyk)
• [ ] Secret scanning enabled
• [ ] Branch protection configured
• [ ] Concurrency controls (prevent duplicate runs)

Security Checklist

• [ ] Security-focused linting enabled
• [ ] OWASP dependency check or equivalent
• [ ] License compliance scanning
• [ ] Container scanning (if Dockerized)

See references/checklists.md for detailed checklists.

Phase 3: Configuration Generation

Based on detected stack, generate appropriate configurations:

Important principles:
- Prefer tools already in the ecosystem (ESLint for Node, Ruff for Python)
- Keep configurations minimal but secure
- Use caching in CI for performance
- Add concurrency controls to prevent duplicate workflow runs

Phase 4: Verification

After generating configurations:

1. Validate YAML syntax - Run yamllint or equivalent
2. Test pre-commit hooks - Run pre-commit run --all-files or equivalent
3. Verify CI workflow - Check for common issues:
4. Missing checkout step
5. Wrong Node/Python version
6. Missing environment variables
7. Incorrect file paths
8. Run linters - Ensure no immediate failures on existing code
9. Test workflows locally with act (if available) - See Local Testing

Phase 5: Local Testing with Act (Optional)

Act runs GitHub Actions locally using Docker, eliminating the commit-push-wait cycle.

Check if act is available:

# Check for act
command -v act > /dev/null 2>&1 && echo "act is installed" || echo "act is NOT installed"

# Check Docker is running (required)
docker info > /dev/null 2>&1 && echo "Docker is running" || echo "Docker is NOT running"

If act is not installed, ask the user:

"act is not installed. Would you like to install it to test workflows locally?
- macOS: brew install act
- Linux: curl -s https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
- Other options: See local-testing.md"

Quick validation with act:

# List workflows (validates YAML)
act -l

# Dry run (see execution plan without running)
act -n

# Test specific job
act -j lint
act -j test

# Full workflow test
act -W .github/workflows/ci.yml

# With secrets
act -s GITHUB_TOKEN="$(gh auth token)" --secret-file .secrets

See references/local-testing.md for comprehensive act usage.

Language-Specific Setup

Node.js / TypeScript

See references/node.md for complete configuration.

Quick setup:

# Install dependencies
npm install -D husky lint-staged @commitlint/cli @commitlint/config-conventional

# Initialize Husky (v9+)
npx husky init

# Configure lint-staged in package.json

Generated files:
- .husky/pre-commit - Runs lint-staged
- .husky/commit-msg - Runs commitlint
- commitlint.config.js - Conventional commits
- package.json - lint-staged configuration

Python

See references/python.md for complete configuration.

Quick setup:

# Install pre-commit
pip install pre-commit

# Create config
# (skill generates .pre-commit-config.yaml)

# Install hooks
pre-commit install
pre-commit install --hook-type commit-msg

Generated files:
- .pre-commit-config.yaml - All hooks configuration
- pyproject.toml - Tool configurations (Ruff, mypy)

Go

See references/go.md for complete configuration.

Quick setup:

# Install golangci-lint
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest

# Install pre-commit
pip install pre-commit
pre-commit install

Generated files:
- .golangci.yml - Linter configuration with gosec
- .pre-commit-config.yaml - Go-specific hooks

Rust

See references/rust.md for complete configuration.

Quick setup:

# Install cargo-audit
cargo install cargo-audit

# Configure in CI
# (skill generates workflow)

GitHub Actions Workflows

See references/workflows.md for complete templates.

Core Workflows to Generate

1. ci.yml - Build, lint, test
2. Runs on push and PR
3. Caching for dependencies
4. Concurrency controls

5. Matrix builds if needed

6. codeql.yml - Security scanning

7. Scheduled + on push to main
8. Extended security queries

9. Language-specific configuration

10. dependabot.yml - Dependency updates

11. Weekly schedule
12. Package ecosystem detection
13. GitHub Actions updates

Security Tools Comparison

See references/security-tools.md for detailed comparison.

Common Tasks

"Set up CI/CD for this project"

1. Run detection phase
2. Show gap analysis results
3. Ask about preferences (CodeQL vs Semgrep, etc.)
4. Generate all configurations
5. Provide setup commands
6. Offer to test locally with act (if Docker available)

"Add pre-commit hooks"

1. Detect language/framework
2. Generate appropriate hook configuration
3. Provide installation commands
4. Test hooks work

"What security am I missing?"

1. Run full detection phase
2. Compare against checklists
3. Prioritize gaps by severity
4. Recommend specific tools for each gap

"Add Dependabot"

1. Detect package ecosystems
2. Generate .github/dependabot.yml
3. Include github-actions ecosystem
4. Set appropriate schedule

"Enforce conventional commits"

1. Detect language for tooling choice
2. Generate commitlint config (Node) or commitizen config (Python)
3. Add commit-msg hook
4. Provide examples of valid commits

"Test my workflows locally"

1. Check if act is installed (command -v act)
2. If not installed, offer installation options for user's platform
3. Check if Docker is running
4. Run act -l to list and validate workflows
5. Run act -n for dry run
6. Test specific jobs: act -j lint, act -j test
7. Help debug any failures

When to Ask the User

Ask before proceeding when:

• Tool preference: "CodeQL or Semgrep for SAST? CodeQL is deeper, Semgrep is faster."
• Strictness level: "Strict or lenient linting rules? Strict may require fixing existing code."
• Existing code issues: "Pre-commit hooks will fail on current code. Fix first or bypass initially?"
• Multiple ecosystems: "Detected Node.js and Python. Set up hooks for both?"
• Breaking changes: "Adding type checking will require changes. Proceed?"
• Local testing setup: "act is not installed. Would you like to install it to test workflows locally?"
• Docker not running: "Docker is required for act. Would you like me to help start it?"

Quality Checklist

Before marking setup complete:

• [ ] Pre-commit hooks run successfully
• [ ] CI workflow passes on current code
• [ ] SAST scanning configured and running
• [ ] Dependency scanning enabled
• [ ] Commit message validation works
• [ ] No secrets in repository
• [ ] Branch protection recommended (if not set)
• [ ] All generated YAML is valid
• [ ] Workflows tested locally with act (if available)