General
Prompts, toolsets, and patterns that are not tied to a specific agent live here. Treat General as the default shelf: recipes should be usable by any workflow that can read the prompt, fetch the JSON, or attach the MCP context.
What usually lives here
- Triage frameworks - the decision trees and checklists your team uses when a new finding lands.
- Guardrail patterns - repeated ideas for keeping automation safe, such as scoped credentials, dry-run gates, and review policies.
- Review checklists - what a human should look at when reviewing a machine-generated PR.
- PR templates - the body your workflow should fill in when it opens a PR.
- Commit-message conventions - style rules automation should follow when committing.
- Python helper toolsets - small scripts and checks that prepare evidence, normalize scanner output, or validate a recipe result.
When this is the right folder
Put a recipe here when the finding class, evidence question, or helper toolset matters more than the product used to run it. Product-specific packaging can be mentioned inside the recipe, but the reusable guidance belongs in General.
Browse entries
Every entry carries its author, team, and maturity. Click any card for the full prompt.
OWASP Top 10 (2026) — repo audit
developmentA tool-agnostic hunt prompt that walks an agent through a structured audit of a repository against every category in the OWASP Top 10 (2026 iteration). The output is a …
OWASP Top 10:2025 — repo audit
developmentA tool-agnostic hunt prompt that walks an agent through a structured audit of a repository against every category in the OWASP Web Application Top 10:2025. As of 2026-05-02, …
OWASP Top 10 (2026) — remediate
developmentA tool-agnostic remediation prompt that takes a single finding from an OWASP Top 10 (2026) audit — or any equivalent source — and turns it into a reviewer-ready pull request. …
OWASP Top 10:2025 — remediate
developmentA tool-agnostic remediation prompt that takes a single finding from an OWASP Web Application Top 10:2025 audit — or any equivalent source — and turns it into a reviewer-ready …
SAST finding — triage and fix
developmentA tool-agnostic prompt that takes a single SAST finding and either opens a reviewer-ready PR (true positive, fixable), opens a suppression PR with justification and an expiry …
Base image — bump and rebuild
developmentA tool-agnostic prompt that takes a CVE finding scoped to a base image or an OS-package layer, and produces a reviewer-ready PR that bumps the FROM line (or the package install …
Source code audit - attack surface map
developmentA tool-agnostic source-code audit recipe that asks an agent to map where untrusted input enters a repository, where privileged actions happen, and which trust boundaries deserve …
Compromised package — cache quarantine
developmentA tool-agnostic prompt that takes a "this package is malicious" advisory and runs the eviction across the org's registries, caches, and mirrors — quarantining the artifact, …
Source code audit - auth and tenant boundaries
developmentA focused source-code audit recipe for authorization, tenant isolation, object ownership, and privilege-boundary mistakes. It is designed for code review sessions where the …
CVE intelligence intake gate
developmentA tool-agnostic prompt that turns a fresh CVE, GHSA, OSV, vendor bulletin, scanner alert, or ticket into one of five bounded outcomes:
Source code audit - injection and unsafe sinks
developmentA source-code audit recipe for tracing untrusted input into dangerous sinks: SQL, shell, template rendering, SSRF, deserialization, file paths, regular expressions, dynamic …
Agent session — telemetry-driven kill rules
developmentA tool-agnostic prompt that takes a workflow's run telemetry and a draft set of decision rules, and produces (a) a vetted rule pack the session monitor can load and (b) a …
Source code audit - secrets and data exposure
developmentA source-code audit recipe for finding places where secrets, tokens, credentials, regulated data, or customer content can leak through code, logs, telemetry, prompts, artifacts, …
Source code audit - dependency and build integrity
developmentA source-code audit recipe for dependency hygiene, lockfile integrity, build and CI trust boundaries, generated artifacts, package publishing, and release provenance.
Classic Vulnerable Defaults
Prompts that mitigate or replace the durable, unsafe-by-default patterns that show up in new code year after year — pickle, unsafe YAML, JNDI, JWT `none`, XXE, polymorphic deserialization, `eval`, and friends.
Crypto & DeFi Security Recipes
Tool-agnostic prompts for securing cryptocurrency payment flows, wallet operations, and DeFi protocol controls.
Compliance & Standards Checks
Tool-agnostic recipes for producing auditor-reviewable evidence and gap reports against common security, compliance, and software supply-chain standards.