{"id":50674025,"url":"https://github.com/kaademos/secure-sdlc-agents","last_synced_at":"2026-06-08T14:04:11.189Z","repository":{"id":348724253,"uuid":"1183277543","full_name":"Kaademos/secure-sdlc-agents","owner":"Kaademos","description":"A team of Claude Code sub-agents that enforce security across the full SDLC, from ASVS requirements and threat modelling to SAST triage, IaC review, compliance attestation and release sign-off. Drop into any project. No security team required.","archived":false,"fork":false,"pushed_at":"2026-04-07T21:46:55.000Z","size":220,"stargazers_count":7,"open_issues_count":6,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-13T15:13:39.868Z","etag":null,"topics":["ai-agents","appsec","asvs","claude-code","compliance","devsecops","grc","infosec","llm","owasp","sast","secure-sdlc","security-engineering","threat-modeling"],"latest_commit_sha":null,"homepage":"https://owasp.org/www-project-application-security-verification-standard/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kaademos.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-16T12:58:36.000Z","updated_at":"2026-04-11T14:57:41.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Kaademos/secure-sdlc-agents","commit_stats":null,"previous_names":["kaademos/secure-sdlc-agents"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Kaademos/secure-sdlc-agents","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kaademos%2Fsecure-sdlc-agents","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kaademos%2Fsecure-sdlc-agents/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kaademos%2Fsecure-sdlc-agents/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kaademos%2Fsecure-sdlc-agents/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kaademos","download_url":"https://codeload.github.com/Kaademos/secure-sdlc-agents/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kaademos%2Fsecure-sdlc-agents/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34065360,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","appsec","asvs","claude-code","compliance","devsecops","grc","infosec","llm","owasp","sast","secure-sdlc","security-engineering","threat-modeling"],"created_at":"2026-06-08T14:04:10.123Z","updated_at":"2026-06-08T14:04:11.173Z","avatar_url":"https://github.com/Kaademos.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)\n![Claude Code](https://img.shields.io/badge/Claude_Code-Sub--Agents-blueviolet)\n![Cursor MCP](https://img.shields.io/badge/Cursor-MCP%20Ready-blue)\n![OWASP ASVS](https://img.shields.io/badge/OWASP-ASVS%20L2-orange)\n![Works With](https://img.shields.io/badge/Works%20With-Claude%20%7C%20Cursor%20%7C%20Windsurf%20%7C%20Warp-brightgreen)\n\n# Secure SDLC Agents\n\n**8 AI security specialists. Invoked at the exact phase where each vulnerability would have been caught.**\n\nRequirements → threat modelling → code review → IaC → compliance → release gate.  \n\nWorks in Claude Code, Cursor, Windsurf, Warp, and any MCP-compatible tool.\n\n---\n\n## The 4-Minute Problem\n\nYou asked Claude Code to build a file upload feature. It wrote working code in 4 minutes.\n\nIt missed:\n\n| Vulnerability | Severity | Which agent catches it |\n|---|---|---|\n| SVG file with embedded `\u003cscript\u003e` stored and served without sanitisation | **CRITICAL** | `appsec-engineer` — MIME type validation, output encoding |\n| No file size limit or type allowlist | **HIGH** | `appsec-engineer` — input validation, magic byte checks |\n| S3 bucket provisioned with `public-read` ACL | **CRITICAL** | `cloud-platform-engineer` — IaC security review |\n| No rate limiting on the upload endpoint | **HIGH** | `appsec-engineer` — anti-automation controls |\n| Upload URL in API response leaks internal bucket path | **MEDIUM** | `dev-lead` — information disclosure review |\n\nEvery one of these has appeared in real breach post-mortems. AI agents optimise for *working code*, not *secure code*. This project embeds the specialists that close that gap — at the exact phase where each issue would have been caught.\n\n---\n\n## What you get\n\n| What | Why it matters |\n|---|---|\n| **8 specialist agents** | AppSec, Product Manager, GRC Analyst, Cloud/Platform, Dev Lead, Release Manager, Security Champion, AI Security Engineer |\n| **MCP server** | Works in Cursor, Windsurf, Zed, Continue, and any MCP-compatible tool |\n| **CLI tool** (`secure-sdlc`) | Zero-friction setup, kickoff wizard, status dashboard, release gate |\n| **Cursor rules** | Automatic security context in every Cursor session |\n| **GitHub Actions workflow** | Artefact gate, secret scan, SAST (CodeQL), IaC scan (Checkov), dependency audit |\n| **Git hooks** | Pre-commit secret detection, security anti-pattern checks |\n| **Warp workflows** | Pre-built Warp automation for every SDLC phase |\n| **Stack profiles** | Deep, framework-specific guidance for Next.js, FastAPI, Django, Express, Rails |\n| **Document templates** | 8 fully structured templates for every phase artefact |\n| **Worked examples** | 3 complete feature walkthroughs (auth, REST API, file upload) |\n\n---\n\n## Agents\n\n| Agent | Role | When to invoke |\n|---|---|---|\n| [`product-manager`](.claude/agents/product-manager.md) | ASVS-mapped security requirements | Start of every feature |\n| [`appsec-engineer`](.claude/agents/appsec-engineer.md) | Threat modelling, SAST/DAST, vuln triage | Design, Build, Test |\n| [`grc-analyst`](.claude/agents/grc-analyst.md) | Compliance mapping, risk register, audit evidence | Plan through Release |\n| [`cloud-platform-engineer`](.claude/agents/cloud-platform-engineer.md) | IaC security, CSPM, secrets, hardening | Design, Build, Release |\n| [`dev-lead`](.claude/agents/dev-lead.md) | Secure coding, PR review, SCA | Every PR |\n| [`release-manager`](.claude/agents/release-manager.md) | Security sign-off, go/no-go gate | Pre-release |\n| [`security-champion`](.claude/agents/security-champion.md) | First-line security Q\u0026A and lightweight review | Any time, any phase |\n| [`ai-security-engineer`](.claude/agents/ai-security-engineer.md) | Prompt injection, agentic risks, LLM supply chain | Any feature using AI/LLMs |\n\n---\n\n## Who Do You Call?\n\n```\nWhat are you working on?\n│\n├── Starting a new feature?\n│   ├── product-manager  →  \"Define security requirements for X using ASVS L2\"\n│   └── grc-analyst      →  \"Initialise risk register, map to SOC2 / GDPR / PCI-DSS\"\n│\n├── Designing the architecture?\n│   ├── appsec-engineer          →  \"Threat model this design using STRIDE\"\n│   ├── cloud-platform-engineer  →  \"Review IaC for this feature\"\n│   └── ai-security-engineer     →  \"Security review — feature calls an LLM\"  ← always include this\n│\n├── Writing or merging code?\n│   ├── dev-lead       →  \"Review PR #N for secure coding issues and dependency risks\"\n│   └── appsec-engineer  →  \"Triage SAST findings for PR #N\"\n│\n├── Quick security question (any phase)?\n│   └── security-champion  →  \"Is this pattern / library safe? Context: ...\"\n│\n└── Ready to ship?\n    └── release-manager  →  \"Run pre-release security checklist for vX.Y.Z\"\n```\n\n---\n\n## Quick start\n\n### Option 0 — Claude Code Plugin Marketplace\n\n```bash\n/plugin marketplace add Kaademos/secure-sdlc-agents\n\n/plugin install secure-sdlc-agents@secure-sdlc-agents\n```\n\nAll 8 agents are immediately available in your session. No cloning, no npm, no file copying.\n\n---\n\n### Option A — Git clone (zero dependencies)\n\n```bash\ngit clone https://github.com/Kaademos/secure-sdlc-agents.git\ncp -r secure-sdlc-agents/.claude /your/project/\ncp secure-sdlc-agents/CLAUDE.md /your/project/\ncp -r secure-sdlc-agents/docs/templates /your/project/docs/\n```\n\nThen use agents directly:\n\n```bash\ncd /your/project\nclaude --agent product-manager \"Define security requirements for [your feature]\"\n```\n\n### Option B — CLI tool (recommended for teams)\n\nPublished on npm as **`@kaademos/secure-sdlc`**. Requires **Node.js 18+**.\n\n**Global install** (command is still `secure-sdlc`):\n\n```bash\nnpm install -g @kaademos/secure-sdlc\nsecure-sdlc --version\nsecure-sdlc init\n```\n\n**No global install** (uses npx; pin a version in CI with `@1.0.0`):\n\n```bash\nnpx @kaademos/secure-sdlc@latest init\n```\n\n**After install — useful commands:**\n\n```bash\nsecure-sdlc paths              # print PACKAGE_ROOT and MCP server path (for Cursor MCP JSON)\nsecure-sdlc init --cursor      # scaffold project + .cursor/mcp.json pointing at bundled MCP\nsecure-sdlc install-mcp        # merge MCP server into ~/.cursor/mcp.json (and other tools)\nsecure-sdlc kickoff            # interactive feature wizard\nsecure-sdlc status\n```\n\n**Develop / run from a git clone** (no npm publish needed):\n\n```bash\ncd /path/to/secure-sdlc-agents\nnpm install\nnode cli/bin/secure-sdlc.js init\n# or: npm run sdlc -- init\n```\n\n### Option C — Cursor / Windsurf / Other MCP tools\n\n1. Get the absolute path to `mcp/src/server.js`:\n\n- **If you installed the CLI from npm:** run `secure-sdlc paths` and copy `MCP_SERVER`.\n- **If you use a git clone:** run `npm install` at the repo root (installs MCP SDK for the bundled server), then use  \n  `/absolute/path/to/secure-sdlc-agents/mcp/src/server.js`.\n\n2. Add to your MCP config:\n\n**Cursor** (`~/.cursor/mcp.json` or `.cursor/mcp.json` in project):\n```json\n{\n  \"mcpServers\": {\n    \"secure-sdlc\": {\n      \"command\": \"node\",\n      \"args\": [\"/absolute/path/from-secure-sdlc-paths/mcp/src/server.js\"]\n    }\n  }\n}\n```\n\n**Claude Code:**\n```bash\nclaude mcp add secure-sdlc -- node /absolute/path/to/secure-sdlc-agents/mcp/src/server.js\n```\n\n**Or install for all tools at once:**\n```bash\nnode cli/bin/secure-sdlc.js install-mcp --tool all\n```\n\n3. Copy the Cursor rules for automatic security context:\n```bash\ncp -r .cursor /your/project/\n```\n\n4. Use the `sdlc_*` tools in any chat:\n```\nUse sdlc_plan_feature to define security requirements for a new payment checkout feature.\nStack is Next.js + Stripe + PostgreSQL. ASVS L2. Compliance: PCI-DSS, SOC2.\n```\n\n---\n\n## The lifecycle — phase by phase\n\n```\nPLAN        product-manager (ASVS requirements)\n            + grc-analyst (risk register, compliance mapping)\n                    ↓\nDESIGN      appsec-engineer (STRIDE threat model)\n            + cloud-platform-engineer (IaC review)\n            + ai-security-engineer (if AI/LLM features)\n            + grc-analyst (compliance gate)\n                    ↓\nBUILD       dev-lead (PR review, SCA) — on every PR\n            + appsec-engineer (SAST triage)\n            + cloud-platform-engineer (secrets, pipeline)\n            + security-champion (quick questions any time)\n                    ↓\nTEST        appsec-engineer (DAST, pentest)\n            + dev-lead (regression)\n            + grc-analyst (audit evidence collection)\n                    ↓\nRELEASE     release-manager (go/no-go)\n            + grc-analyst (compliance attestation)\n            + cloud-platform-engineer (production hardening)\n```\n\n**Severity gates:**\n- **CRITICAL** — blocks all gates, no exceptions\n- **HIGH** — blocks Build→Test and Test→Release without documented accepted risk\n- **MEDIUM** — requires remediation plan or accepted risk before release\n- **LOW** — tracked in risk register, does not block\n\n---\n## Frequently Asked Questions\n\n**Q: Where do I put my OpenAI or Anthropic API key?**\nYou don't need to provide an API key to `secure-sdlc`. This project does not make LLM API calls directly. Instead, it acts as an MCP server and prompt-generation engine that feeds specialized security context to your \"host\" AI tool (Cursor, Windsurf, Claude Code). Your API keys and billing are handled entirely by your host application.\n\n**Q: Do I have to manually fill out the Markdown templates?**\nNo. While the project provides structured templates in `docs/templates/`, you do not fill them out by hand. When you invoke a tool like `sdlc_plan_feature`, the MCP server passes the blank template to your AI assistant, and the AI automatically writes the completed, project-specific markdown file directly to your `docs/` folder.\n\n**Q: Do the AI agents run automatically in my CI/CD pipeline?**\nNo, the AI agents are designed to be used locally by developers during the coding process (e.g., in your IDE or terminal). The provided GitHub Actions workflow (`secure-sdlc-gate.yml`) does *not* invoke LLMs. Instead, it acts as a deterministic **gatekeeper**—it runs traditional tools (like Gitleaks, Checkov, CodeQL) and verifies that the AI-generated artifacts actually exist and are fully filled out before allowing a merge.\n\n**Q: Will this use a lot of API tokens/credits?**\nBecause this tool feeds comprehensive security frameworks (like OWASP ASVS), infrastructure checklists, and full file templates into your AI's context window, it can consume a significant number of tokens. Ensure your host application (like Claude Code or your Cursor subscription) has sufficient limits for handling large context prompts.\n\n**Q: Can I customize the templates for my own company's requirements?**\nYes. When you run `secure-sdlc init`, the default templates are copied into your local `docs/templates/` directory. You can modify these markdown files to include your own company's specific compliance headers, and the agents will use your customized versions going forward.\n\n---\n\n## MCP tools reference\n\nWhen using the MCP server (Cursor, Windsurf, etc.), these tools are available:\n\n| Tool | What it does |\n|---|---|\n| `sdlc_plan_feature` | ASVS requirements + risk register for a new feature |\n| `sdlc_threat_model` | STRIDE (+ LINDDUN) threat model |\n| `sdlc_review_pr` | Security review a PR — dev-lead + appsec-engineer |\n| `sdlc_review_infra` | IaC security review (Terraform, Helm, K8s, etc.) |\n| `sdlc_triage_sast` | Triage SAST findings from any tool |\n| `sdlc_release_gate` | Pre-release go/no-go security gate |\n| `sdlc_check_compliance` | Map controls to SOC 2, ISO 27001, GDPR, PCI DSS, etc. |\n| `sdlc_init_project` | Scaffold Secure SDLC structure in a project |\n| `sdlc_security_champion` | Quick security Q\u0026A and lightweight code review |\n| `sdlc_ai_security_review` | Security review for AI/LLM features |\n\n---\n\n## CLI commands reference\n\n```bash\nsecure-sdlc init           # Scaffold docs, hooks, CI, config in current project\nsecure-sdlc init --cursor  # Also install Cursor MCP config and rules\nsecure-sdlc kickoff        # Interactive wizard to start a new feature\nsecure-sdlc status         # Show current SDLC phase and artefact status\nsecure-sdlc review         # Security review a file or diff\nsecure-sdlc gate v1.2.0    # Run pre-release security gate check\nsecure-sdlc install-mcp    # Install MCP server for Cursor / Claude Code / Windsurf\nsecure-sdlc paths          # Show package root + MCP path (after npm install -g)\n```\n\n---\n\n## Git hooks\n\nIncluded in `hooks/`:\n\n- **`pre-commit`** — secret detection, lock file checks, security anti-pattern scan\n- **`pre-push`** — artefact gate for protected branches, open finding check\n\nInstall:\n```bash\nbash /path/to/secure-sdlc-agents/hooks/install.sh\n# OR via CLI:\nsecure-sdlc init  # installs hooks automatically\n```\n\n---\n\n## GitHub Actions\n\n`.github/workflows/secure-sdlc-gate.yml` adds:\n\n- **Artefact gate** — blocks PRs to main/master if required security docs are missing\n- **Secret scanning** (Gitleaks)\n- **Dependency audit** (npm audit, pip-audit)\n- **IaC scanning** (Checkov — Terraform, K8s, Docker)\n- **SAST** (CodeQL — JavaScript/TypeScript, Python)\n- **Release gate** — full pre-release checklist on `workflow_dispatch`\n\nCopy to your project:\n```bash\nmkdir -p .github/workflows\ncp /path/to/secure-sdlc-agents/.github/workflows/secure-sdlc-gate.yml .github/workflows/\n```\n\n---\n\n## Stack profiles\n\nDeep, framework-specific security guidance in `stacks/`:\n\n| Stack | Profile |\n|---|---|\n| Next.js | [`stacks/nextjs.md`](stacks/nextjs.md) — Server Actions, API routes, CSP, CORS |\n| FastAPI | [`stacks/fastapi.md`](stacks/fastapi.md) — Depends() auth, Pydantic, CORS, rate limiting |\n| Django | [`stacks/django.md`](stacks/django.md) — CSRF, strong params, ORM injection, production settings |\n| Express.js | [`stacks/express.md`](stacks/express.md) — helmet, rate limiting, CSRF, Zod validation |\n| Ruby on Rails | [`stacks/rails.md`](stacks/rails.md) — Brakeman, Pundit, strong parameters, credentials |\n\n---\n\n## Warp terminal workflows\n\nIn `warp-workflows/` — import into Warp for one-click SDLC automation:\n\n| Workflow | Trigger |\n|---|---|\n| Feature Kickoff | Start a new feature with requirements + risk register |\n| PR Security Review | dev-lead + appsec review on a PR |\n| Threat Model | STRIDE threat model on an architecture |\n| Release Gate | Full pre-release security gate |\n| SDLC Status | Check which phases are complete |\n\n---\n\n## Document templates\n\n`docs/templates/` contains pre-formatted templates for every artefact:\n\n| Template | Produced by | Phase |\n|---|---|---|\n| `security-requirements.md` | product-manager | Plan |\n| `risk-register.md` | grc-analyst | Plan → ongoing |\n| `threat-model.md` | appsec-engineer | Design |\n| `infra-security-review.md` | cloud-platform-engineer | Design |\n| `sast-findings.md` | appsec-engineer + dev-lead | Build |\n| `test-security-report.md` | appsec-engineer | Test |\n| `release-sign-off.md` | release-manager | Release |\n| `compliance-attestation.md` | grc-analyst | Release |\n\n---\n\n## Worked examples\n\n| Example | Feature type | Key security lessons |\n|---|---|---|\n| [`01-login-feature/`](examples/01-login-feature/) | Auth flow (bcrypt, MFA, sessions) | JWT alg:none, hardcoded secrets, cost factor |\n| [`02-api-endpoint/`](examples/02-api-endpoint/) | Public REST API | IDOR via UUID path param, IAM over-privilege |\n| [`03-file-upload/`](examples/03-file-upload/) | File upload to S3 | SVG XSS, magic byte validation, public bucket |\n\n---\n\n## Project configuration\n\nCreate `secure-sdlc.yaml` in your project root:\n\n```yaml\nproject:\n  name: \"my-app\"\n  stack: \"Next.js + PostgreSQL\"\n\nsecurity:\n  asvs_level: L2\n  frameworks: [SOC2, GDPR]\n  gates:\n    build_to_test:\n      block_on: [CRITICAL, HIGH]\n    test_to_release:\n      block_on: [CRITICAL, HIGH]\n```\n\nGenerate one automatically: `secure-sdlc init`\n\n---\n\n## A note on what these agents are — and aren't\n\nThese agents produce **guidance, not guarantees**.\n\nThey will help a team ask the right questions earlier, produce consistent artefacts,\nand catch common mistakes that would otherwise slip through. They will not replace a\nskilled AppSec engineer, a qualified GRC practitioner, or a thorough penetration test.\n\nEvery output should be reviewed by a human with relevant expertise before it is acted on\nor used as audit evidence. The threat model is a starting point, not a final document.\n\nSecurity practitioners are right to be sceptical of anything that claims to automate\nsecurity away. This project does not make that claim. It makes security practices easier\nto start, easier to maintain, and harder to skip — which is most of the battle.\n\nIf you find guidance in an agent file that is wrong or dangerously out of date,\nplease [open an issue](.github/ISSUE_TEMPLATE/guidance-correction.md).\n\n---\n\n## Prerequisites\n\n- [Claude Code](https://docs.anthropic.com/en/docs/claude-code) for sub-agent usage\n- Node.js 18+ for the CLI and MCP server\n- Optional: `npm install -g @kaademos/secure-sdlc` for the `secure-sdlc` command on your PATH\n- Any MCP-compatible AI tool for the `sdlc_*` tools\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md). High-value contributions:\n\n- Additional compliance frameworks (HIPAA, FedRAMP, NIS2)\n- Stack profiles for Go (Gin/Echo), .NET, Java Spring Boot\n- More worked examples (OAuth flows, payment processing, AI features)\n- Integration guides for specific SAST/DAST tools\n- Translations of agent prompts\n\n---\n\n## Related\n\n- [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/)\n- [OWASP Top 10](https://owasp.org/www-project-top-ten/)\n- [OWASP Top 10 for LLMs 2025](https://owasp.org/www-project-top-10-for-large-language-model-applications/)\n- [NIST SSDF](https://csrc.nist.gov/projects/ssdf)\n- [Model Context Protocol](https://modelcontextprotocol.io)\n- [Claude Code documentation](https://docs.anthropic.com/en/docs/claude-code)\n\n---\n\n## Licence\n\nMIT — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkaademos%2Fsecure-sdlc-agents","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkaademos%2Fsecure-sdlc-agents","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkaademos%2Fsecure-sdlc-agents/lists"}