deepsec
작성자: vercel
dev3000에서 체크아웃한 Vercel 프로젝트에 대해 DeepSec을 실행합니다. 원클릭 DeepSec 설정, 프로젝트 컨텍스트 부트스트래핑, 제한된 1차 처리 등에 사용합니다.
npx skills add https://github.com/vercel-labs/dev3000 --skill deepsecDeepSec Dev3000 Runbook
Use this skill to turn the manual DeepSec workflow into a repeatable dev3000 run against the current Vercel project checkout.
Operating Policy
- Work from the real project checkout at
/workspace/repo. - Do not write AI credentials into
.deepsec/.env.localor any tracked file. The dev3000 runtime passes AI Gateway credentials through the process environment. - Default dev3000 runs are a bounded first pass. Do not run an unbounded
processorrevalidatecommand unless the user explicitly asks for a full DeepSec scan in run-specific instructions. - Keep generated scan state in the locations DeepSec already gitignores. Commit only the durable setup/context files and human-readable findings report.
- Treat DeepSec as a coding agent with shell access. Do not run it on untrusted source inputs.
Default Flow
- Inspect the project shape:
- Read
README.mdif present. - Read
AGENTS.mdorCLAUDE.mdif present. - Skim representative files for auth, middleware, request handlers, data access, billing, webhooks, and security-sensitive boundaries.
- Read
- Initialize DeepSec if needed:
- If
.deepsec/is absent, runnpx --yes deepsec@latest init. - If
.deepsec/already exists, do not force overwrite it.
- If
- Install DeepSec workspace dependencies:
- Run
corepack pnpm installfrom.deepsec/. - Ensure the Claude Agent SDK native binary that DeepSec actually uses is available. Do not run a Claude Code postinstall; DeepSec uses
@anthropic-ai/claude-agent-sdk. - If
corepack pnpmis unavailable, runpnpm installonly after confirmingpnpmexists.
- Run
- Fill the generated project context:
- Read
.deepsec/node_modules/deepsec/SKILL.md. - Read
.deepsec/data/<id>/SETUP.md. - Replace
.deepsec/data/<id>/INFO.mdwith concise project-specific context. - Keep
INFO.mdto roughly 50-100 lines. - Use 3-5 examples per section. Name local primitives such as auth helpers, middleware, database clients, webhook handlers, and privileged APIs.
- Do not include line numbers, generic CWE lists, or broad framework summaries.
- Read
- Run the scan:
- Run
corepack pnpm deepsec scanfrom.deepsec/.
- Run
- Run bounded AI processing:
- Default command:
corepack pnpm deepsec process --limit 25 --concurrency 2 --batch-size 3. - If the candidate set is below the limit, state that all discovered candidates were processed.
- If the user explicitly requested a full run, use the requested limit/concurrency or omit
--limit. - If the process command fails, stop and report the failure. Do not generate a manual fallback report from regex candidates.
- Default command:
- Generate the findings report:
- Run
corepack pnpm deepsec export --format md-dir --out ./findings. - If there are no findings, create
.deepsec/findings/README.mdsummarizing that this bounded pass found no findings and include the exact commands that were run.
- Run
- Summarize the run:
- Include commands run, project id, limit/concurrency, and whether the report contains findings.
- Do not include a "Next Steps - Full Scan" section by default.
- Only include a follow-up scan section if DeepSec reports unprocessed candidates or the user explicitly asked about deeper coverage. Label it "Optional Deeper Follow-Up" and explain exactly how it differs from the completed run.
Validation
- Prefer DeepSec's own command output,
corepack pnpm deepsec status, and generated finding files as validation. - Do not start a dev server or browser unless the user explicitly asks for visual/runtime verification.
- Before finishing, check
git diff --statand make sure no secrets,node_modules,.env.local, or raw scan state are staged by accident.