security-recipes.ai

Security recipes for AI-assisted fixes.

Turn security findings into bounded agent work: one recipe, scoped context, required proof, and a human-reviewed result.

Bounded by designOne finding, one recipe
Scoped contextRead-only MCP sources
Required proofEvidence before merge
Human reviewYou own the result
Findings
SQL Injection/api/searchHigh
Auth Bypass/api/adminHigh
Secrets Leakconfig/.envMedium
security-recipes.ai
context layer
Recipe Parameterized SQL id: sql-injection.parameterize
version: 1.4.0
MCP Context (read-only)
Code Repository read-only
OWASP ASVS read-only
Internal Standards read-only
Dependency Docs read-only
Recipe Content
Intent & Scope
Change Plan
Validation Steps
Proof Requirements
Coding Agents
Agent
(Code)
Agent
(Test)
Agent
(Docs)
Review & Merge
Proof Packet
  • Changes
  • Tests
  • Screenshots
  • Logs
  • Docs
Human ReviewApprove & Merge
ResultReviewed PR

A context layer purpose-built for secure AI-assisted remediation.

Adopt secure AI at the pace your organization can govern

The AI Adoption Blueprint gives small teams a short path to one reviewed fix and enterprises a staged path with scoped MCP context, evidence, and promotion gates.

Open the adoption blueprint

Choose a rollout lane, define the review model, and expand only when the workflow produces repeatable evidence.

Small teams

Start with one repository, one finding class, the agent you already use, and mandatory review for every change.

Enterprise teams

Scale through scoped identities, an MCP gateway, named reviewers, audit evidence, and measurable stage gates.

One finding, one recipe, one reviewed output

The useful loop is small on purpose: attach a recipe, constrain the agent, require proof, and review the result.

1

Pick the matching recipe

Start with a dependency, SAST, sensitive-data, container, or CVE recipe that matches the finding.

2

Load rules into the agent

Use `AGENTS.md`, `CLAUDE.md`, `.cursor/rules`, Copilot instructions, Codex guidance, or Devin Knowledge.

3

Add scoped context

Expose only the MCP servers and files needed for the finding. Keep context read-only by default.

4

Review the output

The agent should produce a PR, test result, or triage note. Humans approve the change.

# Agent task
Remediate one security finding using the matching security-recipes.ai recipe.

Rules:
- Fix only the finding named in the task.
- Read the recipe and repo instructions before editing.
- Use MCP context as read-only evidence unless explicitly approved.
- Run the existing tests that cover the touched area.
- Open a PR with the finding ID, files changed, tests run, and residual risk.
- If the fix requires broad refactoring or unclear ownership, stop with a triage note.

MCP is context, not authority

Security agents get better when they can read the right data. They get risky when every connector becomes an action surface.

Advisory intelligence

Connect public vulnerability and package data such as OSV, GitHub Advisories, deps.dev, NVD-backed mirrors, and package registries.

Repository evidence

Use GitHub, GitLab, Azure DevOps, SARIF, SBOM, Semgrep, CodeQL, and dependency metadata as scoped read-only context.

Security system context

Bring in approved SCA, SAST, SIEM, SOAR, ticketing, documentation, and cloud-security MCP servers with narrow tokens and audit logs.

Bring recipes to the tools teams already trust.

security-recipes.ai should not ask teams to adopt a custom scanner, ticketing system, SOAR platform, or deployment tool before they can use a recipe. Existing systems should produce the findings; recipes help agents use the right context, return the right proof, and stop at the right time.