Show HN: Secure SDLC agents for MCP (Claude and Cursor)
hackernews
📦 Open source
#ai security
#claude
#cursor
#mcp
#review
#secure sdlc
Original source: hackernews · Summarised and analysed by Genesis Park
Summary
To address the problem of AI coding tools optimising only for working code and thereby introducing serious security vulnerabilities, an open-source project has been released that assigns eight specialised security agents to the individual phases of the software development life cycle (SDLC). Starting at the threat-modelling phase, the tool pre-emptively blocks real-world breach patterns that arise when designing a file upload feature, such as unlimited uploads or an exposed public S3 bucket. Agents acting as cloud platform engineer, AppSec engineer, GRC analyst and other roles integrate with an MCP server and a CLI tool to provide immediate security review in development environments including Claude Code, Cursor and GitHub Actions.
Body
8 AI security specialists. Invoked at the exact phase where each vulnerability would have been caught. Requirements → threat modelling → code review → IaC → compliance → release gate. Works in Claude Code, Cursor, Windsurf, Warp, and any MCP-compatible tool.

You asked Claude Code to build a file upload feature. It wrote working code in 4 minutes. It missed:

| Vulnerability | Severity | Which agent catches it |
|---|---|---|
| SVG file with embedded script stored and served without sanitisation | CRITICAL | appsec-engineer — MIME type validation, output encoding |
| No file size limit or type allowlist | HIGH | appsec-engineer — input validation, magic byte checks |
| S3 bucket provisioned with public-read ACL | CRITICAL | cloud-platform-engineer — IaC security review |
| No rate limiting on the upload endpoint | HIGH | appsec-engineer — anti-automation controls |
| Upload URL in API response leaks internal bucket path | MEDIUM | dev-lead — information disclosure review |

Every one of these has appeared in real breach post-mortems. AI agents optimise for working code, not secure code. This project embeds the specialists that close that gap — at the exact phase where each issue would have been caught.
| What | Why it matters |
|---|---|
| 8 specialist agents | AppSec, Product Manager, GRC Analyst, Cloud/Platform, Dev Lead, Release Manager, Security Champion, AI Security Engineer |
| MCP server | Works in Cursor, Windsurf, Zed, Continue, and any MCP-compatible tool |
| CLI tool (`secure-sdlc`) | Zero-friction setup, kickoff wizard, status dashboard, release gate |
| Cursor rules | Automatic security context in every Cursor session |
| GitHub Actions workflow | Artefact gate, secret scan, SAST (CodeQL), IaC scan (Checkov), dependency audit |
| Git hooks | Pre-commit secret detection, security anti-pattern checks |
| Warp workflows | Pre-built Warp automation for every SDLC phase |
| Stack profiles | Deep, framework-specific guidance for Next.js, FastAPI, Django, Express, Rails |
| Document templates | 8 fully structured templates for every phase artefact |
| Worked examples | 3 complete feature walkthroughs (auth, REST API, file upload) |

| Agent | Role | When to invoke |
|---|---|---|
| product-manager | ASVS-mapped security requirements | Start of every feature |
| appsec-engineer | Threat modelling, SAST/DAST, vuln triage | Design, Build, Test |
| grc-analyst | Compliance mapping, risk register, audit evidence | Plan through Release |
| cloud-platform-engineer | IaC security, CSPM, secrets, hardening | Design, Build, Release |
| dev-lead | Secure coding, PR review, SCA | Every PR |
| release-manager | Security sign-off, go/no-go gate | Pre-release |
| security-champion | First-line security Q&A and lightweight review | Any time, any phase |
| ai-security-engineer | Prompt injection, agentic risks, LLM supply chain | Any feature using AI/LLMs |

```
What are you working on?
│
├── Starting a new feature?
│   ├── product-manager → "Define security requirements for X using ASVS L2"
│   └── grc-analyst → "Initialise risk register, map to SOC2 / GDPR / PCI-DSS"
│
├── Designing the architecture?
│   ├── appsec-engineer → "Threat model this design using STRIDE"
│   ├── cloud-platform-engineer → "Review IaC for this feature"
│   └── ai-security-engineer → "Security review — feature calls an LLM"   ← always include this
│
├── Writing or merging code?
│   ├── dev-lead → "Review PR #N for secure coding issues and dependency risks"
│   └── appsec-engineer → "Triage SAST findings for PR #N"
│
├── Quick security question (any phase)?
│   └── security-champion → "Is this pattern / library safe? Context: ..."
│
└── Ready to ship?
    └── release-manager → "Run pre-release security checklist for vX.Y.Z"
```

Claude Code plugin install:

```
/plugin marketplace add Kaademos/secure-sdlc-agents
/plugin install secure-sdlc-agents@secure-sdlc-agents
```

All 8 agents are immediately available in your session. No cloning, no npm, no file copying.

Manual install into a project:

```
git clone https://github.com/Kaademos/secure-sdlc-agents.git
cp -r secure-sdlc-agents/.claude /your/project/
cp secure-sdlc-agents/CLAUDE.md /your/project/
cp -r secure-sdlc-agents/docs/templates /your/project/docs/
```

Then use agents directly:

```
cd /your/project
claude --agent product-manager "Define security requirements for [your feature]"
```

Published on npm as `@kaademos/secure-sdlc`. Requires Node.js 18+.

Global install (command is still `secure-sdlc`):

```
npm install -g @kaademos/secure-sdlc
secure-sdlc --version
secure-sdlc init
```

No global install (uses npx; pin a version in CI with `@1.0.0`):

```
npx @kaademos/secure-sdlc@latest init
```

After install — useful commands:

```
secure-sdlc paths          # print PACKAGE_ROOT and MCP server path (for Cursor MCP JSON)
secure-sdlc init --cursor  # scaffold project + .cursor/mcp.json pointing at bundled MCP
secure-sdlc install-mcp    # merge MCP server into ~/.cursor/mcp.json (and other tools)
secure-sdlc kickoff        # interactive feature wizard
secure-sdlc status
```

Develop / run from a git clone (no npm publish needed):

```
cd /path/to/secure-sdlc-agents
npm install
node cli/bin/secur
```
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be found via the source link.