
johndfowler/deepsec-skill


deepsec-skill: Home of the Defensive OpSec Operating Standard

An agent skill that teaches AI coding agents (Claude Code, Codex, Cursor, OpenCode, etc.) how to run Vercel's deepsec under the Defensive OpSec Operating Standard for Agentic Security Review: five rules, four templates, one standards spine, MIT licensed.

Tool-agnostic in principle; first vehicle is deepsec.

Credit: the scanner, the dual-backend AI verification pipeline (Claude Agent SDK and Codex), the cost model, and the regex-then-AI architecture are all Vercel's work. The scanner is licensed Apache-2.0; see Introducing deepsec: find and fix vulnerabilities in your code base by Malte Ubl, CTO of Vercel. This repo is the agent-facing wrapper that codifies the operating ritual on top of the scanner; it does not modify the scanner.

The skill maps to the standards the security community already uses: OWASP ASVS 5.0, OWASP WSTG v4.2, the OWASP Threat Modeling Cheat Sheet, NIST SP 800-218 (SSDF v1.1) and SP 800-218A (SSDF for generative AI), the NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) and its Generative AI Profile (AI 600-1), CISA Secure by Design (350+ signatories) and the 2025 CISA SBOM Minimum Elements, SLSA v1.2, OpenSSF Scorecard, Sigstore / Cosign, FIRST CVSS v4.0, the OWASP GenAI Security Project umbrella (including the LLM Top 10 2025 and the Agentic Security Initiative), the ISO/IEC 29147 / 30111 / TR 5895 coordinated-vulnerability-disclosure family, and SEC Reg S-K Item 106 / Form 8-K Item 1.05.

Operating data

Two facts from Vercel's announcement that the security community will weigh:

  • False-positive rate ≈ 10–20% at default settings, with revalidate available to cut it further.
  • Scale. "Scans on Vercel's codebases routinely scale up to 1,000+ concurrent sandboxes" via Vercel Sandbox fan-out.

Both are quoted from the introductory blog post.

The upstream README is explicit on the operator-trust model: "Treat deepsec like a coding agent with full shell access on the environment that it is running on." This skill's authorization-and-scope step exists to react to exactly that warning.

What the skill covers

  • Authorization and scope confirmation before any AI spend
  • Threat-sketching the target (interfaces, auth boundaries, trust boundaries, build/release surfaces)
  • init and .gitignore setup
  • Authoring a tight, high-signal INFO.md (50 to 100 lines, with a per-section rubric)
  • The two-phase scan (free regex) then process (paid AI) workflow, with cost guardrails so you never accidentally spend hundreds of dollars on a monorepo
  • revalidate for false-positive culling
  • Defensive-only evidence packets (no exploit payloads, no bypass recipes)
  • Supply-chain lens for dependencies, CI, signing, and release gates
  • Governance-aware risk summaries that surface materiality inputs without pretending to make legal calls
  • Triage / remediation loop and run closeout
  • When to add custom matchers (and when not to)
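The authorization-and-scope gate and the cost guardrail above are the two points where the skill stops an agent before it spends money or touches a repo it was not cleared for. The script below is an added example of that ritual as a shell wrapper; it is not code from this repo or from deepsec. Everything about the deepsec interface is assumed: that the binary is on PATH as `deepsec`, that the phases are invoked as `scan`, `process` and `revalidate` with no further flags, that the regex phase prints one candidate per line on stdout, and that a per-finding cost estimate (`PER_FINDING_CENTS`) is a reasonable way to bound the paid phase. The authorization file format (one repo URL per line) is likewise a construction for the example.

```shell
#!/usr/bin/env sh
# Added example, not part of deepsec or of this skill.
# ASSUMED (not stated by the page): "deepsec scan" prints one candidate per line,
# "deepsec process" is the paid AI phase, "deepsec revalidate" culls false positives.

: "${DEEPSEC_BIN:=deepsec}"
: "${PER_FINDING_CENTS:=15}"   # assumed per-finding AI cost estimate, US cents
: "${AI_BUDGET_CENTS:=2000}"   # hard cap for the paid phase, US cents (USD 20)

# scope_authorized REPO_URL AUTH_FILE
# The paid phase may only run against repos an operator listed in AUTH_FILE
# (constructed format: one repo URL per line). Exact, whole-line match only.
scope_authorized() {
    repo=$1; auth_file=$2
    [ -r "$auth_file" ] || return 1
    grep -Fxq "$repo" "$auth_file"
}

# estimated_cents FINDINGS -> projected spend for the AI phase, in cents
estimated_cents() {
    echo $(( $1 * PER_FINDING_CENTS ))
}

# within_budget FINDINGS -> 0 when the projected spend fits under the cap
within_budget() {
    [ "$(estimated_cents "$1")" -le "$AI_BUDGET_CENTS" ]
}

# two_phase_scan REPO_URL AUTH_FILE
# Phase 1 (regex) is free and always runs. Phase 2 (AI) spends money and is
# gated twice: on operator authorization and on the projected cost.
# Return codes: 2 = not authorized, 3 = over budget, otherwise deepsec's own.
two_phase_scan() {
    repo=$1; auth_file=$2
    if ! scope_authorized "$repo" "$auth_file"; then
        echo "refusing: $repo is not listed in $auth_file" >&2
        return 2
    fi
    candidates=$("$DEEPSEC_BIN" scan 2>/dev/null)          # assumed invocation
    n=$(printf '%s\n' "$candidates" | grep -c .)
    if ! within_budget "$n"; then
        echo "refusing paid phase: $n candidates ~ $(estimated_cents "$n")c exceeds cap ${AI_BUDGET_CENTS}c" >&2
        return 3
    fi
    "$DEEPSEC_BIN" process && "$DEEPSEC_BIN" revalidate    # assumed invocations
}
```

Run it as `two_phase_scan https://github.com/org/app ./authorized-repos.txt`. The point of the ordering is that the free regex count is what sizes the bill, so it is computed and compared against the cap before any AI call; a monorepo that yields thousands of candidates fails closed with exit code 3 and a one-line reason, rather than quietly fanning out.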

Install

npx skills add johndfowler/deepsec-skill

Or per-agent:

npx skills add johndfowler/deepsec-skill -a claude-code
npx skills add johndfowler/deepsec-skill -a codex

What activates it

The skill auto-activates when the user asks to "scan for vulnerabilities", "run deepsec", "security audit my code", or links to the deepsec blog post or repo. See deepsec/SKILL.md for the full description.

Decisions

Load-bearing design decisions are recorded as ADRs in docs/decisions/: license, CLAUDE.md absorption resistance, severity tiers, Exa-as-recommended-not-mandatory, and the five-tier source classification. Each ADR captures the why (context, alternatives considered, and consequences) that the code and the published artefacts only show the what of.


License

MIT

About

Agent skill for running Vercel's deepsec vulnerability scanner
