ln-760-security-setup


Security Setup Coordinator


L2 Domain Coordinator that orchestrates security scanning and configuration for project bootstrap.

Purpose & Scope


  • Coordinate secret scanning (ln-761) and dependency vulnerability audit (ln-625)
  • Aggregate findings from both workers into unified report
  • Generate security infrastructure: SECURITY.md, pre-commit hooks, CI workflow
  • Provide overall security score and risk assessment

When to Use


  • During project bootstrap (invoked by ln-700-project-bootstrap)
  • Manual security audit request
  • CI/CD pipeline initialization


Workflow


Phase 1: Pre-flight Check


Step 1: Detect Project Type
  • Identify primary ecosystem(s): Node.js, .NET, Python, Go, etc.
  • Check for existing security configs (.gitleaks.toml, SECURITY.md)
Step 2: Check Tool Availability
  • Verify gitleaks/trufflehog available for secret scanning
  • Verify ecosystem-specific audit tools available
  • Log warnings for missing tools (do not fail)
Step 3: Load Existing Configs
  • If .gitleaks.toml exists: note for preservation
  • If SECURITY.md exists: note for update (not overwrite)
  • If .pre-commit-config.yaml exists: check for gitleaks hook

Phase 2: Delegate Scans


Step 1: Invoke ln-761 Secret Scanner
  • Delegate via Task tool
  • Receive: findings list, severity summary, remediation guidance
Step 2: Invoke ln-625 Dependencies Auditor (mode=vulnerabilities_only)
  • Delegate via Task tool (can run parallel with Step 1)
  • Pass parameter: mode=vulnerabilities_only
  • Receive: vulnerability list, CVSS scores, fix recommendations

Phase 3: Aggregate Reports


Step 1: Combine Findings
  • Merge findings from both workers
  • Group by severity (Critical first)
  • Calculate overall security score
Step 2: Risk Assessment
  • Critical findings: flag for immediate attention
  • High findings: recommend fix within 48h
  • Medium/Low: add to backlog
Step 3: Build Summary
  • Files scanned count
  • Secrets found (by severity)
  • Vulnerabilities found (by severity)
  • Overall pass/warn/fail status
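As an added illustration of Phase 3 (not code from the ln-760 skill itself), the following Python merges the two workers' findings, applies the risk rules above and produces the summary. The record fields returned by ln-761/ln-625, the CVSS-to-severity bands and the penalty weights behind the score are assumptions, since the page fixes none of them.

```python
from collections import Counter

SEVERITY_ORDER = ["critical", "high", "medium", "low"]
# Assumed weights: the page gives no score formula, so this one is illustrative.
PENALTY = {"critical": 40, "high": 15, "medium": 5, "low": 1}

def cvss_severity(score):
    """Map an ln-625 CVSS score to a severity band (CVSS v3.x rating scale)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def action_for(severity):
    """Phase 3 Step 2 rules: Critical -> immediate, High -> 48h, rest -> backlog."""
    return {"critical": "immediate", "high": "fix within 48h"}.get(severity, "backlog")

def normalize(secret_findings, vuln_findings):
    """Merge both workers' findings into one list, most severe first."""
    merged = []
    for f in secret_findings:  # assumed ln-761 shape: items already carry a severity label
        sev = f["severity"].lower()
        merged.append({"source": "ln-761", "severity": sev, "action": action_for(sev),
                       "title": f"{f['rule']} in {f['file']}:{f['line']}"})
    for v in vuln_findings:  # assumed ln-625 shape: items carry a CVSS score instead
        sev = cvss_severity(v["cvss"])
        merged.append({"source": "ln-625", "severity": sev, "action": action_for(sev),
                       "title": f"{v['package']}@{v['version']} {v['id']}"})
    merged.sort(key=lambda x: SEVERITY_ORDER.index(x["severity"]))  # stable sort
    return merged

def build_report(secret_findings, vuln_findings, files_scanned):
    """Phase 3 Step 3 summary: counts by severity, score and pass/warn/fail."""
    merged = normalize(secret_findings, vuln_findings)
    counts = Counter(f["severity"] for f in merged)
    score = max(0, 100 - sum(PENALTY[s] * n for s, n in counts.items()))
    status = "fail" if counts["critical"] else "warn" if counts["high"] else "pass"
    by_source = lambda src: Counter(f["severity"] for f in merged if f["source"] == src)
    return {"files_scanned": files_scanned, "secrets": by_source("ln-761"),
            "vulnerabilities": by_source("ln-625"), "score": score,
            "status": status, "findings": merged}

# Constructed sample worker output (not real scan results; vulnerability ids are placeholders).
SAMPLE_SECRETS = [
    {"rule": "aws-access-key", "file": "config/prod.env", "line": 3, "severity": "Critical"},
    {"rule": "generic-api-key", "file": "scripts/deploy.sh", "line": 12, "severity": "Medium"}]
SAMPLE_VULNS = [
    {"package": "lodash", "version": "4.17.15", "id": "VULN-EXAMPLE-1", "cvss": 7.4},
    {"package": "minimist", "version": "1.2.0", "id": "VULN-EXAMPLE-2", "cvss": 5.6}]
```

With the sample data the report is status "fail" (one Critical secret) with a score of 35, and the High vulnerability carries the "fix within 48h" action.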

Phase 4: Generate Outputs


Step 1: Create/Update SECURITY.md
  • Use template from references/security_md_template.md
  • If exists: update, preserve custom sections
  • If new: generate with placeholders
Step 2: Configure Pre-commit Hooks
  • If .pre-commit-config.yaml missing: create from template
  • If exists without gitleaks: recommend adding
  • Template: references/precommit_config_template.yaml
Step 3: Generate CI Workflow
  • If .github/workflows/security.yml missing: create from template
  • Template: references/ci_workflow_template.yaml
  • Include ecosystem-specific audit jobs
Step 4: Update .gitignore
  • Ensure secret-related patterns present:
    • .env, .env.*, !.env.example
    • *.pem, *.key
  • Preserve existing entries
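Added example for Step 4, not part of the skill's own code: an idempotent .gitignore update that appends only the missing patterns, keeps existing entries verbatim, and makes sure the `!.env.example` negation ends up after `.env.*` (git evaluates rules top-down, so a negation placed above the rule it overrides has no effect). The marker comment text and the sample file are assumptions of this example.

```python
REQUIRED = [".env", ".env.*", "!.env.example", "*.pem", "*.key"]  # Phase 4 Step 4 list
NEGATION, NEGATED = "!.env.example", ".env.*"

def _position(lines, pattern):
    """Index of the first line equal to pattern (ignoring surrounding whitespace), or -1."""
    for i, ln in enumerate(lines):
        if ln.strip() == pattern:
            return i
    return -1

def ensure_gitignore(existing):
    """Return .gitignore content with every secret pattern present.

    Existing entries are kept verbatim; only missing patterns are appended under a
    marker comment. Git applies rules top-down and a negation only re-includes a
    path if it comes after the rule that ignored it, so `!.env.example` is
    (re-)appended whenever it would otherwise sit above `.env.*`."""
    lines = existing.splitlines()
    present = {ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")}
    missing = [p for p in REQUIRED if p not in present]
    neg_pos, pat_pos = _position(lines, NEGATION), _position(lines, NEGATED)
    negation_ineffective = neg_pos >= 0 and (pat_pos < 0 or neg_pos < pat_pos)
    if negation_ineffective and NEGATION not in missing:
        missing.append(NEGATION)  # the later copy wins, so the re-include takes effect
    if not missing:
        return existing  # idempotent: nothing to change
    out = existing.rstrip("\n")
    out += ("\n\n" if out else "") + "# secret-related patterns (ln-760 security setup)\n"
    return out + "\n".join(missing) + "\n"

# Constructed sample .gitignore (not taken from any real project).
SAMPLE_GITIGNORE = "node_modules/\n.env\n*.log\n"
```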


Delegation Pattern


CRITICAL: All delegations use Task tool with subagent_type: "general-purpose" for context isolation.

Worker | Parallel | Purpose
ln-761-secret-scanner | Yes | Hardcoded secret detection
ln-625-dependencies-auditor | Yes | Vulnerability scanning (mode=vulnerabilities_only)

Prompt template:
Task(description: "Secret scanning via ln-761",
     prompt: "Execute ln-761-secret-scanner. Read skill from ln-761-secret-scanner/SKILL.md. Project: {projectPath}",
     subagent_type: "general-purpose")

Task(description: "Dependency vulnerability scan via ln-625",
     prompt: "Execute ln-625-dependencies-auditor with mode=vulnerabilities_only. Read skill from ln-625-dependencies-auditor/SKILL.md. Project: {projectPath}. Mode: vulnerabilities_only (only CVE scan, skip outdated/unused checks).",
     subagent_type: "general-purpose")
Pattern: Both workers can execute in parallel via Task tool, then aggregate results.
Anti-Patterns:
  • ❌ Direct Skill tool invocation without Task wrapper
  • ❌ Any execution bypassing subagent context isolation
  • ❌ Calling ln-625 without mode parameter (would run full audit)


Definition of Done


  • Both workers (ln-761, ln-625) invoked and completed
  • Findings aggregated with severity classification
  • SECURITY.md created/updated
  • Pre-commit hook configured (or recommendation logged)
  • CI workflow generated (or recommendation logged)
  • .gitignore updated with secret patterns
  • Summary report returned to parent orchestrator


Reference Files


File | Purpose
references/security_md_template.md | Template for SECURITY.md generation
references/precommit_config_template.yaml | Pre-commit hooks configuration
references/ci_workflow_template.yaml | GitHub Actions security workflow

Version: 3.0.0 Last Updated: 2026-02-05