
> cat ./blog/product-security-ai-skills.md

Introducing Product Security AI Skills: The Toolkit for Modern AppSec

February 14, 2026

Product Security AI Skills — comprehensive catalog of 36 AI-powered security skills, tools, and targets

Security tooling has always been fragmented. SAST scanners, SCA analyzers, container auditors, secret detectors, IaC linters, DAST engines, cloud posture assessments — each one lives in its own silo with its own CLI, configuration format, and output schema. What if your AI coding assistant could run all of them on demand, interpret the results, and deliver actionable remediation guidance?

That’s exactly what Product Security AI Skills delivers. It’s an open-source repository of 36 ready-to-use AI agent skills spanning the complete application security toolchain — built for Claude Code, Cursor, GitHub Copilot, and any AI coding assistant that supports the skills format.

Quick Start

Install all 36 skills in one command:

$ npx skills add vchirrav/product-security-ai-skills

Or install individual skills as needed:

$ npx skills add vchirrav/product-security-ai-skills@sast-semgrep

All skills are also available on the Vercel Skills Store, where you can browse, search, and install them directly from the web. A skill is a set of instructions your agent will follow, including the commands it runs, so treat it like any other dependency: read the SKILL.md before you add it, and pin the source you install from.

16 Security Categories, 36 Skills

Every major security domain is covered — from code-level analysis to cloud infrastructure posture. Each skill wraps a best-in-class open-source tool, handles execution, parses output, and delivers findings with remediation guidance.

Secure Coding

2 skills: secure-coding-audit, secure-coding-generate

Tools: OWASP rules (the companion owasp-secure-coding-md rule set)  |  Targets: any language (rule-based audit, and rule-guided code generation)

SAST

10 skills: sast-semgrep, sast-bandit, sast-eslint-security, sast-spotbugs, sast-gosec, sast-flawfinder, sast-brakeman, sast-psalm, sast-cargo-audit, sast-detekt

Tools: Semgrep, Bandit, ESLint, SpotBugs, gosec, Flawfinder, Brakeman, Psalm, cargo-audit, detekt  |  Targets: Python, JS/TS, Java, Go, C/C++, Ruby, PHP, Rust, Kotlin; Semgrep's rule packs extend coverage to 30+ languages

Note that cargo-audit checks Cargo.lock against the RustSec advisory database, so it reports vulnerable Rust dependencies rather than code-level defects.

SCA

4 skills: sca-osv-scanner, sca-grype, sca-npm-audit, sca-pip-audit

Tools: OSV-Scanner, Grype, npm audit, pip-audit  |  Targets: npm (npm audit) and PyPI (pip-audit) via the ecosystem-native tools; OSV-Scanner and Grype read lockfiles, SBOMs and directories across ecosystems, including Maven

Secret Scanning

2 skills: secret-scan-gitleaks, secret-scan-trufflehog

Tools: Gitleaks, TruffleHog  |  Targets: Git history and files (both); S3 buckets and other remote sources (TruffleHog)

Container Security

3 skills: container-scan-trivy, container-scan-hadolint, container-scan-dockle

Tools: Trivy, Hadolint, Dockle  |  Targets: Docker/OCI images (Trivy, Dockle), Dockerfiles (Hadolint); Dockle's checks follow the CIS Docker Benchmark

Infrastructure as Code

3 skills: iac-scan-checkov, iac-scan-tfsec, iac-scan-kube-linter

Tools: Checkov, tfsec, KubeLinter  |  Targets: Terraform, CloudFormation, Kubernetes manifests, Helm charts

tfsec is in maintenance mode; Aqua has folded its checks into Trivy (trivy config), so new Terraform rule coverage lands there and in Checkov.

DAST

2 skills: dast-zap, dast-nuclei

Tools: OWASP ZAP, Nuclei  |  Targets: Web apps, APIs, network hosts. Both are active scanners: point them only at systems you are authorized to test.

API Security

2 skills: api-security-schemathesis, api-security-spectral

Tools: Schemathesis, Spectral  |  Targets: Schemathesis generates test cases from an OpenAPI or GraphQL schema and runs them against a live API; Spectral lints OpenAPI and AsyncAPI documents statically

SBOM

1 skill: sbom-syft

Tools: Syft  |  Targets: Images, filesystems (directories and archives)

License Compliance

1 skill: license-scan-scancode

Tools: ScanCode Toolkit  |  Targets: Source trees

Cloud Security

2 skills: cloud-security-prowler, cloud-security-scoutsuite

Tools: Prowler, ScoutSuite  |  Targets: AWS, Azure, GCP, Oracle Cloud. Both only read configuration through the cloud APIs, so run them under a dedicated read-only audit role rather than admin credentials.

Mobile Security

1 skill: mobile-security-mobsf

Tools: MobSF  |  Targets: Android (APK) and iOS (IPA) apps

Network Security

1 skill: network-scan-nmap

Tools: Nmap  |  Targets: Hosts, networks (same authorization caveat as DAST)

TLS/SSL Security

1 skill: tls-scan-testssl

Tools: testssl.sh  |  Targets: TLS endpoints (protocol versions, cipher suites, certificate checks, known TLS vulnerabilities)

Malware Analysis

1 skill: malware-scan-yara

Tools: YARA  |  Targets: Files and binaries, matched against the YARA rule set you supply

Supply Chain Security

1 skill: dependency-confusion-detect

Tools: Confused + GuardDog  |  Targets: npm, PyPI, Maven manifests. Confused flags internal dependency names that are unclaimed on the public registry (and therefore claimable by an attacker); GuardDog scans package contents for malicious indicators.

How It Works

Each skill is a self-contained SKILL.md file that teaches your AI agent how to:

  • Execute the underlying security tool with the right flags and configuration
  • Parse and interpret tool output (JSON, SARIF, or custom formats)
  • Classify findings by severity and provide contextual remediation guidance
  • Handle edge cases: missing dependencies, unsupported file types, empty results

Skills are available in the skills.sh format (top-level directories with SKILL.md files) and as native Claude Code skills in the .claude/skills/ directory.
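As an added illustration of the parse-and-classify step (example code written for this page, not code from the product-security-ai-skills repository or any of its SKILL.md files), the script below reads a SARIF 2.1.0 report of the kind `semgrep --sarif` produces, buckets each result by severity, and returns a sorted list plus a count per bucket. It follows the SARIF rules for a result that carries no `level` (inherit the rule's `defaultConfiguration.level`, else `warning`), prefers a rule's numeric `security-severity` property when one is present, tolerates a result whose rule is missing from the driver's rule list, and treats an empty `results` array as a clean run rather than an error. The embedded `SAMPLE_SARIF` is constructed by hand; its rule IDs, paths and messages are made up.

```python
"""Parse a SARIF 2.1.0 report, bucket findings by severity, summarise them.
Added example for this page; SAMPLE_SARIF below is a hand-built stand-in
for `semgrep --sarif` output, with made-up rule IDs, paths and messages."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]
# CVSS v3 qualitative bands, applied to a rule's numeric "security-severity".
SEC_SEV_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"))


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str   # one of SEVERITY_ORDER
    level: str      # SARIF level after defaulting: error / warning / note
    file: str
    line: int
    message: str


def classify(level: str, security_severity: float | None) -> str:
    """A numeric security-severity (0-10, which Semgrep and CodeQL put in rule
    properties) is finer than the SARIF level, so it wins when present."""
    if security_severity is not None:
        for floor, name in SEC_SEV_BANDS:
            if security_severity >= floor:
                return name
        return "info"
    return {"error": "high", "warning": "medium", "note": "low"}.get(level, "info")


def parse_sarif(text: str) -> list[Finding]:
    """Findings sorted most-severe first; an empty results array yields []."""
    findings: list[Finding] = []
    for run in json.loads(text).get("runs") or []:
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules") or [] if "id" in r}
        for res in run.get("results") or []:
            rule = rules.get(res.get("ruleId"), {})   # {} if the rule is not listed
            # No level on the result: inherit the rule's defaultConfiguration
            # level; the SARIF default when neither is present is "warning".
            level = (res.get("level")
                     or rule.get("defaultConfiguration", {}).get("level")
                     or "warning")
            try:
                raw = rule.get("properties", {}).get("security-severity")
                sec_sev = float(raw) if raw is not None else None
            except (TypeError, ValueError):
                sec_sev = None  # malformed property: fall back to the level
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=res.get("ruleId", "<unknown>"),
                severity=classify(level, sec_sev),
                level=level,
                file=loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                line=int(loc.get("region", {}).get("startLine", 0)),
                message=res.get("message", {}).get("text", ""),
            ))
    findings.sort(key=lambda f: (SEVERITY_ORDER.index(f.severity), f.file, f.line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Severity -> count, e.g. {"high": 2, "medium": 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: one run with three results, then a clean run with none.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "semgrep", "rules": [
        {"id": "py.subprocess-shell-true", "defaultConfiguration": {"level": "warning"},
         "properties": {"security-severity": "8.0"}},
        {"id": "py.sql-string-format", "defaultConfiguration": {"level": "error"}},
    ]}},
     "results": [
        {"ruleId": "py.subprocess-shell-true", "level": "warning",
         "message": {"text": "subprocess call with shell=True"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/run.py"},
                                              "region": {"startLine": 42}}}]},
        {"ruleId": "py.sql-string-format",  # no level: inherits "error" from the rule
         "message": {"text": "SQL query built with string formatting"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                              "region": {"startLine": 17}}}]},
        {"ruleId": "py.md5-used", "level": "warning",  # rule absent from the driver list
         "message": {"text": "MD5 used for hashing"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/hash.py"},
                                              "region": {"startLine": 3}}}]},
    ]},
    {"tool": {"driver": {"name": "semgrep"}}, "results": []},
]})

if __name__ == "__main__":
    for f in parse_sarif(SAMPLE_SARIF):
        print(f"[{f.severity:>8}] {f.file}:{f.line} {f.rule_id}: {f.message}")
    print(summarize(parse_sarif(SAMPLE_SARIF)))
```

Run it as a script to see the sorted listing and the per-severity counts for the sample; on a real report, pipe the output of `semgrep --sarif` (or any other SARIF producer) into `parse_sarif`. The numeric `security-severity` bands are the CVSS v3 qualitative ratings, which is why a `warning`-level result with a score of 8.0 lands in `high` while the same level without a score lands in `medium`.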

OWASP Secure Coding Integration

The secure-coding-audit and secure-coding-generate skills are powered by the companion OWASP Secure Coding Practices (Markdown) repository — 22 modular rule files covering authentication, input validation, API security, cryptography, Docker, Kubernetes, CI/CD, and more.

$ git clone https://github.com/vchirrav/owasp-secure-coding-md.git
$ cp -r owasp-secure-coding-md/rules ./rules

The other skills need no extra rule files, but each one requires the scanner it wraps (Semgrep, Trivy, Nmap, and so on) to be installed and on the PATH; a missing binary is one of the edge cases each skill is written to report rather than fail silently on.

Why This Matters

The shift to AI-assisted development is accelerating. Developers are using Claude Code, Cursor, and Copilot to write code faster than ever — but security tooling hasn’t kept pace. Most security scanning still happens in CI/CD pipelines, after code is committed.

Product Security AI Skills brings security scanning into the development loop. Instead of waiting for pipeline results, developers can run SAST, SCA, secret scanning, and container audits directly from their AI assistant — catching vulnerabilities at the moment of creation.

  • Shift-left security without changing developer workflows
  • Consistent security coverage across 30+ programming languages
  • AI-interpreted results with actionable remediation, not raw tool dumps
  • Open-source tools only: no vendor lock-in, no license fees

Get Product Security AI Skills

36 security skills. 16 categories. One install command. Secure your software supply chain with AI-powered precision.

View on GitHub

Open-source and free to use. Stars and contributions welcome.