rails-cto-security

The security scanning skill. Runs Brakeman and bundler-audit on every code change and fixes high or medium confidence findings.

What it does

Two scanners, two responsibilities:

  • Brakeman catches code-level vulnerabilities in Rails — SQL injection, mass assignment, XSS, CSRF, unsafe redirects, insecure deserialization, and more.
  • bundler-audit catches known CVEs in your gem dependencies by checking your Gemfile.lock against the RubySec advisory database.

The skill runs both after code changes, reads the reports, and fixes any warning at high or medium confidence. Low-confidence warnings are reviewed and either fixed or added to the ignore list with justification.

It's a post-change gate, not a write blocker — the code is allowed to be written first, then the scanner runs, then fixes are applied, then the scanner re-runs to confirm the fix.
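The triage rule above (high or medium confidence must be fixed, low confidence is reviewed and either fixed or ignored with a written justification) is small enough to show in full. The Ruby below is an added illustration, not the skill's own code: it parses a constructed, trimmed Brakeman JSON report and a constructed `brakeman.ignore`, sorts the warnings into buckets, and reports whether the gate would pass. It assumes the report keys Brakeman emits with `-f json` (`warnings`, `warning_type`, `confidence`, `fingerprint`, `file`, `line`) and the `ignored_warnings`/`note` layout of the ignore file; Brakeman spells the lowest confidence level "Weak" in its output.

```ruby
require "json"

# Brakeman reports confidence as "High", "Medium" or "Weak"; the skill
# treats the first two as must-fix and "Weak" as review-only.
ACTIONABLE_CONFIDENCE = %w[High Medium].freeze

# Constructed sample report (not real scanner output): only the fields the
# triage reads are present, and every value is made up.
SAMPLE_REPORT = <<~'JSON'
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/controllers/users_controller.rb", "line": 14,
       "fingerprint": "fp-sqli-0001",
       "code": "User.where(\"name LIKE '%#{params[:q]}%'\")"},
      {"warning_type": "Mass Assignment", "confidence": "Medium",
       "file": "app/controllers/users_controller.rb", "line": 31,
       "fingerprint": "fp-mass-0002"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "file": "app/views/users/show.html.erb", "line": 8,
       "fingerprint": "fp-xss-0003"}
    ]
  }
JSON

# Constructed ignore file: one entry carries a justification, one does not.
SAMPLE_IGNORE = <<~'JSON'
  {
    "ignored_warnings": [
      {"fingerprint": "fp-xss-0003", "note": "value is html_escape'd two lines up"},
      {"fingerprint": "fp-mass-0002", "note": ""}
    ]
  }
JSON

# Only ignore entries with a non-empty note count: an ignore without a
# justification must not silently suppress a finding.
def justified_ignores(ignore_json)
  JSON.parse(ignore_json).fetch("ignored_warnings", [])
      .select { |w| w["note"].to_s.strip != "" }
      .map { |w| w["fingerprint"] }
end

# Sort report warnings into :must_fix (High/Medium), :review (Weak, not yet
# justified) and :ignored (fingerprint present in the ignore file with a note).
def triage(report_json, ignore_json = '{"ignored_warnings": []}')
  ignored = justified_ignores(ignore_json)
  buckets = { must_fix: [], review: [], ignored: [] }
  JSON.parse(report_json).fetch("warnings", []).each do |w|
    entry = { type: w["warning_type"], confidence: w["confidence"],
              location: "#{w['file']}:#{w['line']}", fingerprint: w["fingerprint"] }
    if ignored.include?(w["fingerprint"])
      buckets[:ignored] << entry
    elsif ACTIONABLE_CONFIDENCE.include?(w["confidence"])
      buckets[:must_fix] << entry
    else
      buckets[:review] << entry
    end
  end
  buckets
end

# The gate passes only when nothing is left to fix or to review; after the
# agent fixes or justifiably ignores each finding, the re-run must hit this.
def gate_passes?(buckets)
  buckets[:must_fix].empty? && buckets[:review].empty?
end

if __FILE__ == $PROGRAM_NAME
  result = triage(SAMPLE_REPORT, SAMPLE_IGNORE)
  result.each { |bucket, entries| puts "#{bucket}: #{entries.map { |e| "#{e[:type]} (#{e[:confidence]}) at #{e[:location]}" }}" }
  puts "gate passes: #{gate_passes?(result)}"
end
```

With the sample data the SQL Injection and Mass Assignment findings land in `must_fix` (the mass-assignment ignore entry has no note, so it is not honoured), the XSS finding is ignored with its justification, and the gate fails until the two must-fix findings are resolved and the scan is re-run.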

When it triggers

  • After any .rb or .html.erb file is created or modified — runs as part of rails-cto-qa
  • When you mention security, brakeman, bundle-audit, audit, vulnerability, XSS, SQL injection, CVE, advisory, mass assignment, or CSRF

Example

You: Add a search action that filters users by name.

Agent: [adds UsersController#search using params[:q]]
       [invokes /rails-cto-qa → /rails-cto-security runs]

       Brakeman warning (high confidence):
         SQL Injection in UsersController#search (line 14)
         User.where("name LIKE '%#{params[:q]}%'")

       Fixing:
         [rewrites as]
         User.where("name LIKE ?", "%#{params[:q]}%")

       [re-runs Brakeman → clean]
       [gate passes]
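To make the difference between the flagged line and the fix concrete without a database, the Ruby below is an added example (not part of the skill or the transcript above) that stands in for the small part of ActiveRecord's `?` binding that matters: each bound value is quoted as one SQL string literal, so user text can never close the literal the way interpolation lets it. The third function is an assumption-free extension of the page's fix: Rails' `sanitize_sql_like` additionally escapes `%` and `_`, because the bound `"%#{params[:q]}%"` is injection-safe but still lets the user supply LIKE wildcards. The `quote_literal`, `bind_placeholders` and `sanitize_like` helpers are simplified stand-ins written for this example, not ActiveRecord's implementation.

```ruby
# Stand-in for ActiveRecord's string quoting: wrap in single quotes and
# double any embedded quote, so the literal cannot be terminated early.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for `where("... ?", value)`: every `?` is replaced by a fully
# quoted literal. The SQL text itself is never built from user input.
def bind_placeholders(sql, *values)
  unless sql.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  sql.gsub("?") { quote_literal(values[i += 1]) }
end

# Equivalent of ActiveRecord::Base.sanitize_sql_like: escape LIKE wildcards
# so the user's text is matched literally instead of acting as a pattern.
def sanitize_like(value, escape = "\\")
  value.gsub(/[\\%_]/) { |c| escape + c }
end

# The flagged form: user text spliced straight into the SQL string.
def search_sql_vulnerable(q)
  "SELECT * FROM users WHERE name LIKE '%#{q}%'"
end

# The page's fix: the whole pattern is handed over as a bound value.
def search_sql_fixed(q)
  bind_placeholders("SELECT * FROM users WHERE name LIKE ?", "%#{q}%")
end

# The fix plus wildcard escaping, for a search that must match literally.
def search_sql_literal(q)
  bind_placeholders("SELECT * FROM users WHERE name LIKE ? ESCAPE '\\'",
                    "%#{sanitize_like(q)}%")
end

if __FILE__ == $PROGRAM_NAME
  # A legitimate name with an apostrophe is enough to show the problem:
  # the interpolated query is no longer valid SQL, the bound one is.
  puts search_sql_vulnerable("O'Brien")
  puts search_sql_fixed("O'Brien")
  puts search_sql_literal("50%_off")
end
```

Run it and compare the quote count in the first two lines: the interpolated query has an odd number of single quotes, the bound one is balanced. Brakeman's "high confidence" on the original line reflects exactly this: a request parameter reaching the SQL string directly.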

View source

skills/rails-cto-security/SKILL.md on GitHub →

Released under the MIT License.