Docs
security-recipes.ai is a recipe library for teams that want AI agents to help with security remediation without handing those agents broad authority.
Use the site to answer four questions:
- What kind of security finding am I trying to fix?
- Which recipe and prompt should the agent use?
- Which agent configuration file should carry the rules?
- Which MCP servers or data sources should the agent read before acting?
That is the whole shape. The repository includes helper scripts and an optional read-only MCP server, but the primary artifact is the content: recipes, prompts, setup guides, and review patterns.
Core surfaces
What the site does
- Provides practical security remediation recipes that an agent can follow.
- Gives teams prompt and rules-file examples they can adapt to their repos.
- Shows how to add security context from MCP servers without turning every connector into an action surface.
- Keeps review gates clear: one finding, one bounded change, tests run, human approval before merge.
- Makes the optional site index and MCP server available for teams that want agents to search the recipes directly.
What the site does not do
- It is not a replacement for SCA, SAST, secrets scanning, CI, ticketing, SIEM, SOAR, or code review.
- It is not a general-purpose automation platform.
- It does not require teams to run a custom scanner before they can use a recipe.
- It does not treat prompts as enforcement. Policy still belongs in branch protections, CODEOWNERS, CI, approvals, scoped tokens, and audit logs.
Helper scripts
The scripts in this repository are support tooling. They help maintainers validate content, generate indexes, import public advisory material, and run local checks. They are not required runtime tooling for a company using a recipe.
If a team wants to operationalize a recipe, the recommended path is:
- Keep the recipe and prompt in the repo or agent configuration.
- Use existing scanners and ticket systems to provide findings.
- Use existing CI and branch protections to enforce review.
- Add MCP connectors only for context the agent must read.
- Treat any write-capable connector as a separate security review.
Where to start
Start with the Quick Start, then choose the agent your team already uses under Agent Setup. When the first loop works, add MCP context and stronger prompts from Recipes.