---
name: security-gate-archived
description: >-
DEPRECATED. Converted to a vendor-neutral pipeline in
~/loom/pipelines/security-gate.json (kobramaz-lmn.53 sub-task #5,
2026-05-12). Any client invokes via `pool_pipeline_run security-gate`
through the loom-pool MCP. Original content kept below for reference.
---
> **DEPRECATED — kobramaz-lmn.53 sub-task #5 (2026-05-12).**
>
> Replaced by `~/loom/pipelines/security-gate.json`. Invoke from any MCP
> client via:
>
> ```jsonc
> // pool_pipeline_run
> { "pipeline_id": "security-gate" }
> ```
>
> Same behavior, vendor-neutral. 5 parallel security checks → 1 consolidator:
>
> - `semgrep-scan` — Semgrep CLI, auto-detect language + rulesets
> - `codeql-scan` — CodeQL CLI, security-and-quality + security-experimental
> - `supply-chain-audit` — npm/pip/cargo/go audit + maintainer-transfer + typosquat checks
> - `insecure-defaults-scan` — hardcoded secrets, fail-open ACLs, permissive CORS, TLS-off
> - `holistic-owasp-review` — `agent: security-auditor`, covers OWASP Top-10
> - `consolidate` — `agent: debugger`, `on_complete_all` of the 5; produces Critical/Important/Suggestions + final verdict
>
> Tool-unavailable handling: each scan step emits `TOOL_NOT_AVAILABLE: <tool>`
> when the CLI is missing. The consolidator surfaces the gap in its UNAVAILABLE
> TOOLS section — the gate cannot certify scope that wasn't scanned.
# Security Gate (historical content below)
Pre-merge security gate. Fans out parallel analysis across all registered security tools, then consolidates into a single severity verdict via `differential-review`.
## Trigger
Invoke when:
- A diff touches auth, secrets, payment flows, or API gateway code.
- A release tag is about to be created.
- Any change classified as high-risk in `workflows/code-writing.md`.
## Phase 1 — Parallel Fan-out
> [!CAUTION]
> **BLOCKING STEP.** Dispatch all 5 agents/skills in a SINGLE message with multiple Task tool calls. Do not dispatch sequentially — that defeats the purpose of the parallel gate.
Dispatch all 5 in a SINGLE message with multiple Task tool calls:
| Dispatch | Type | Output |
|---|---|---|
| `semgrep` skill | security scan | SARIF findings |
| `codeql` skill | deep taint analysis | SARIF findings |
| `supply-chain-risk-auditor` skill | dependency risk | markdown report |
| `insecure-defaults` skill | fail-open / hardcoded secrets | markdown findings |
| `security-auditor` agent | holistic OWASP review | markdown findings |
Wait for ALL 5 to complete before proceeding to Phase 2.
## Phase 2 — Consolidation (sequential)
Wait for Phase 1 to complete. Dispatch the `differential-review` skill with all Phase 1 outputs as input. Provide:
- All SARIF files and markdown findings from Phase 1.
- The diff or PR under review.
`differential-review` produces a consolidated severity verdict: **Critical / Important / Suggestions**.
> [!CAUTION]
> **BLOCKING STEP.** If `differential-review` returns any Critical finding, halt. Do not merge until all Critical findings are resolved and Phase 1 + Phase 2 are re-run.
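As an added illustration (not the loom project's code and not the contents of `security-gate.json`), a small Python consolidator for both the pipeline's `consolidate` step described above and Phase 2 here: it folds the five scan outputs into Critical / Important / Suggestions, records any `TOOL_NOT_AVAILABLE: <tool>` step in an UNAVAILABLE TOOLS section so a clean run never implies full coverage, and halts on any Critical finding. The SARIF level-to-bucket mapping, the `- [Bucket] message` markdown convention and the sample outputs are assumptions.

```python
import json
SENTINEL = "TOOL_NOT_AVAILABLE:"
BUCKETS = ("Critical", "Important", "Suggestions")
# Assumed SARIF level -> gate bucket mapping; the page does not fix one.
LEVEL_TO_BUCKET = {"error": "Critical", "warning": "Important", "note": "Suggestions"}

def consolidate(step_outputs: dict) -> dict:
    """Fold the five scan-step outputs into buckets plus the list of tools that never ran."""
    v = {**{b: [] for b in BUCKETS}, "unavailable": []}
    for step, raw in step_outputs.items():
        text = raw.strip()
        if text.startswith(SENTINEL):
            # Missing CLI: record the gap instead of treating "no findings" as clean.
            v["unavailable"].append(text[len(SENTINEL):].strip())
        elif text.startswith("{"):
            # SARIF: runs[].results[] carry a level; unknown levels default to Important.
            for run in json.loads(text).get("runs", []):
                for res in run.get("results", []):
                    bucket = LEVEL_TO_BUCKET.get(res.get("level"), "Important")
                    v[bucket].append(f"{step}: {res.get('ruleId', '?')}")
        else:
            # Markdown findings (assumed convention): one "- [Bucket] message" line each.
            for line in text.splitlines():
                body = line.lstrip("- ").strip()
                for bucket in BUCKETS:
                    if body.startswith(f"[{bucket}]"):
                        v[bucket].append(f"{step}: {body[len(bucket) + 2:].strip()}")
    return v

def must_halt(v: dict) -> bool:
    # Phase 2 blocking rule: any Critical finding halts the merge.
    return bool(v["Critical"])

def render(v: dict) -> str:
    # Markdown verdict; unscanned tools are listed so a PASS never implies full coverage.
    out = [f"## {b}\n" + ("\n".join(f"- {x}" for x in v[b]) or "- none") for b in BUCKETS]
    out.append("## UNAVAILABLE TOOLS\n" + ("\n".join(f"- {t}" for t in v["unavailable"]) or "- none"))
    verdict = "HALT: Critical findings present" if must_halt(v) else "PASS"
    if v["unavailable"]:
        verdict += " (scope not fully scanned)"
    return "\n\n".join(out + ["## VERDICT\n" + verdict])

# Constructed sample outputs standing in for the five Phase 1 steps (not real scan results).
SAMPLE_OUTPUTS = {
    "semgrep-scan": json.dumps({"runs": [{"results": [{"ruleId": "hardcoded-jwt-secret", "level": "error"}]}]}),
    "codeql-scan": "TOOL_NOT_AVAILABLE: codeql",
    "supply-chain-audit": "- [Important] example-pkg 1.2.3 changed maintainer last week\n- [Suggestions] pin transitive dependencies",
    "insecure-defaults-scan": "- [Critical] CORS allows origin *",
    "holistic-owasp-review": "No findings.",
}
```

`render(consolidate(SAMPLE_OUTPUTS))` yields the four sections plus a VERDICT that halts and notes the unscanned CodeQL scope.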
## Verification
- [ ] All 5 Phase 1 outputs exist (SARIF or markdown per tool).
- [ ] `differential-review` verdict written to `.claude/security/SECURITY_GATE_<timestamp>.md`.
- [ ] No Critical findings in the consolidated verdict (or findings documented with resolution).
## References
- `workflows/code-writing.md` — normal reviewer gate for non-security changes
- `workflows/plan-and-execute.md` — Phase 7 applies this skill at security-sensitive phase boundaries