mayankguptadotcom/drupal-security
Drupal Security Skill (Ever-Green)

An evergreen, self-updating AI skill that keeps your AI coding agent current with real-world Drupal security practice. It compiles OWASP Top 10 (2025) secure-coding guidance and community-sourced rules from the Drupal.org Project Applications Queue into a single, agent-ready SKILL.md.

Load SKILL.md into GitHub Copilot, Claude Code, Gemini CLI, Cursor, or any other AI coding assistant to get:

  • OWASP Top 10 (2025) secure coding rules for Drupal
  • 23+ community-sourced rules extracted from real security team reviews
  • Static analysis commands for PHPCS and PHPStan
  • Self-update capability — the skill can refresh itself as new reviews are published

Quick Install

Run the installer script to drop SKILL.md into the right location for your tool of choice:

./install.sh

The script will prompt you to choose from:

  • GitHub Copilot CLI — installs to .github/copilot-instructions.md in your Drupal project
  • Claude Code — installs to CLAUDE.md in your Drupal project
  • Gemini CLI — installs to GEMINI.md in your Drupal project
  • Cursor — installs to .cursorrules in your Drupal project
  • Global (all tools) — places the skill in your home-directory configs

How It Works

Drupal.org Project Applications Queue
            │
            ▼
  run_updater.py --scrape-history   ← scrapes security review comments
            │
            ▼
  AI agent (you, via Copilot CLI)   ← extracts rules, deduplicates
            │
            ▼
  dynamic_rules.json                ← 23+ community-sourced rules
            │
            ▼
  skill-template/SKILL.md.j2        ← Jinja2 template (static OWASP rules)
            │
            ▼
  run_updater.py --compile
            │
            ▼
  SKILL.md  ✓  ← the deployable skill, ready for AI agents

No external API key required. The AI analysis is performed by whichever agent you already have running (Copilot, Claude, etc.).


Architecture

| File | Purpose |
|------|---------|
| SKILL.md | Compiled output: the agent-ready skill file. Load this into your AI tool. Never edit it directly. |
| skill-template/SKILL.md.j2 | Jinja2 template containing the static OWASP rules and the skill structure |
| dynamic_rules.json | Database of 23+ community-sourced rules with metadata (source URL, author, confidence) |
| run_updater.py | CLI orchestrator: scrape, compile, and manage rules |
| updater/scrape_reviews.py | Scrapes security review comments from Drupal.org |
| updater/rule_dedup.py | Jaccard-similarity deduplication (threshold 0.35) that drops near-duplicate rules by token overlap |
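The deduplication step, as an added example: this is not the project's updater/rule_dedup.py, but a reimplementation of the technique the table names (token-set Jaccard similarity with the 0.35 threshold) on constructed rule texts. It also shows the limit of a lexical score: a rule that restates an existing one in different words sails through, which is why the agent's gate 5 ("same attack vector against same subsystem") still has to run afterwards. The stopword list and the decision to compare on title plus description are this example's own choices.

```python
"""Jaccard-similarity deduplication of candidate security rules.

Added example, not the project's updater/rule_dedup.py. Implements the
technique the architecture table names (token-set Jaccard with a 0.35
threshold) on constructed rule texts and shows what a lexical score
does and does not catch.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

JACCARD_THRESHOLD = 0.35  # value stated in the README

# Function words that would inflate overlap between unrelated rules (this example's list).
STOPWORDS = {
    "a", "an", "the", "and", "or", "of", "to", "in", "into", "is", "are", "be",
    "use", "using", "not", "for", "with", "when", "always", "never", "must",
    "should", "it", "this", "that", "as", "by", "on",
}


def tokens(text: str) -> frozenset:
    """Lower-case word tokens minus stopwords; identifiers such as db_query survive as one token."""
    return frozenset(w for w in re.findall(r"[a-z0-9_]+", text.lower()) if w not in STOPWORDS)


def jaccard(a: frozenset, b: frozenset) -> float:
    """|A ∩ B| / |A ∪ B|, defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rule_text(rule: Dict[str, str]) -> str:
    """Compare on title plus description; code examples are too noisy to help here."""
    return f"{rule['title']} {rule['description']}"


def similarity(rule_a: Dict[str, str], rule_b: Dict[str, str]) -> float:
    return jaccard(tokens(rule_text(rule_a)), tokens(rule_text(rule_b)))


def best_match(candidate: Dict[str, str],
               existing: Iterable[Dict[str, str]]) -> Tuple[float, Optional[Dict[str, str]]]:
    """Highest-scoring existing rule for a candidate, or (0.0, None) if nothing overlaps."""
    best_score, best_rule = 0.0, None
    for rule in existing:
        score = similarity(candidate, rule)
        if score > best_score:
            best_score, best_rule = score, rule
    return best_score, best_rule


def dedup_rules(rules: Iterable[Dict[str, str]],
                threshold: float = JACCARD_THRESHOLD) -> List[Dict[str, str]]:
    """Keep the first rule of each near-duplicate cluster, preserving input order."""
    kept: List[Dict[str, str]] = []
    for rule in rules:
        score, _ = best_match(rule, kept)
        if score < threshold:
            kept.append(rule)
    return kept


# Constructed rules standing in for dynamic_rules.json entries (title and description only).
EXISTING_RULES = [
    {"title": "Use placeholders in database queries",
     "description": "Never concatenate user input into SQL passed to "
                    "\\Drupal::database()->query(); use :placeholder arguments."},
    {"title": "Escape output with Html::escape() or Twig autoescape",
     "description": "Render untrusted strings through Twig or Html::escape() "
                    "instead of concatenating them into markup."},
]

# Same rule reworded: high token overlap (9/16 = 0.5625), so Jaccard catches it.
LEXICAL_DUPLICATE = {
    "title": "Parameterised database queries",
    "description": "Do not concatenate user input into database query SQL; "
                   "pass values as :placeholder arguments to query().",
}

# Same attack vector against the same subsystem but almost no shared tokens (2/24):
# Jaccard lets it through, so the agent's gate 5 has to catch it.
SEMANTIC_DUPLICATE = {
    "title": "Injection via the database layer",
    "description": "Parameterise all SQL; statements built by string handling "
                   "and handed to the DB layer are injectable.",
}

UNRELATED_RULE = {
    "title": "Check entity access before rendering edit links",
    "description": "Call $entity->access('update') instead of assuming the current user may edit.",
}
```

dedup_rules(EXISTING_RULES + [LEXICAL_DUPLICATE, SEMANTIC_DUPLICATE, UNRELATED_RULE]) keeps four rules and drops only LEXICAL_DUPLICATE. Short rule texts make Jaccard jumpy, so a low threshold such as 0.35 trades some false merges for fewer missed ones; either way the semantic check has to be a separate gate.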

Keeping The Skill Up To Date

Scrape new reviews from Drupal.org

# Scrape the latest RSS feed (most recent reviews)
./run_updater.py --scrape

# Scrape historical pages (e.g. pages 40–59 of the application queue)
./run_updater.py --scrape-history --start-page 40 --pages 20

Extract new rules (agent-driven — no API key needed)

After scraping, ask your AI agent:

"update the security skill"

The agent will:

  1. Read scraped_reviews.json (the raw scraped comments)
  2. Read dynamic_rules.json (existing rules to avoid duplicates)
  3. Run each comment through a 5-gate evaluation pipeline:
    1. Drupal-specific? — Must target a Drupal API/subsystem, not generic PHP
    2. Actionable? — Must have a concrete insecure pattern AND a secure fix
    3. Not pure style? — Must have security impact, not just formatting/docblocks
    4. Factually correct? — Must align with Drupal docs; wrong suggestions are discarded
    5. Not already covered? — Same attack vector against same subsystem = duplicate; skip
  4. Assign confidence (high / medium / low) and append passing rules to dynamic_rules.json
  5. Run ./run_updater.py --compile to rebuild SKILL.md

Recompile SKILL.md

After updating dynamic_rules.json or editing the template:

./run_updater.py --compile

Recommended update cadence

| Frequency | Command |
|-----------|---------|
| Quarterly | ./run_updater.py --scrape, then ask the agent "update the security skill" |
| After any template edit | ./run_updater.py --compile |

Manual Installation (without the installer script)

GitHub Copilot CLI (VS Code)

Copy SKILL.md to your Drupal project as an instructions file:

mkdir -p your-drupal-project/.github
cp SKILL.md your-drupal-project/.github/copilot-instructions.md

Or place it in your VS Code user prompts folder as a .instructions.md file.

Claude Code

cp SKILL.md your-drupal-project/CLAUDE.md

Gemini CLI

cp SKILL.md your-drupal-project/GEMINI.md

Cursor

cp SKILL.md your-drupal-project/.cursorrules

Static Analysis (DDEV Integration)

SKILL.md includes built-in instructions for the agent to run these tools on DDEV-hosted Drupal projects. Both assume the project already ships the tooling: the Drupal and DrupalPractice standards come from the drupal/coder package, and PHPStan only understands Drupal's service container and entity APIs with the mglaman/phpstan-drupal extension installed. Pointing either tool at the project root also scans Drupal core and vendor code, which is slow and noisy; for a custom-code review, narrow the path to your custom modules and themes.

# Code style and Drupal best practices
ddev exec vendor/bin/phpcs --standard=Drupal,DrupalPractice .

# Static analysis at PHPStan level 8
ddev exec vendor/bin/phpstan analyse . -l 8

Contributing

Rules in dynamic_rules.json are sourced from security team members on Drupal.org (primarily reviews posted by klausi). To contribute:

  1. Add a new entry to dynamic_rules.json with title, description, insecure_example, secure_example, source_url, and confidence
  2. Run ./run_updater.py --compile to rebuild SKILL.md
  3. Submit a PR
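A pre-PR check for step 1, as an added example (not part of the project's run_updater.py): it validates a candidate entry against the fields listed above before you recompile. The field names are the ones the README lists; the requirements that source_url be an https drupal.org link and that the two examples differ are this example's assumptions, and both sample rules are constructed.

```python
"""Validate candidate entries for dynamic_rules.json before opening a PR.

Added example, not code from the project. Field names are those the
README lists; the drupal.org-only source_url check and the requirement
that insecure_example differ from secure_example are assumptions here.
"""
import json
from typing import Dict, List
from urllib.parse import urlparse

REQUIRED_FIELDS = ("title", "description", "insecure_example",
                   "secure_example", "source_url", "confidence")
OPTIONAL_FIELDS = ("author",)  # listed as rule metadata in the README
CONFIDENCE_LEVELS = ("high", "medium", "low")
ALLOWED_HOSTS = {"drupal.org", "www.drupal.org"}  # assumption: rules cite Drupal.org reviews


def validate_rule(rule: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems: List[str] = []
    for field in REQUIRED_FIELDS:
        value = rule.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
    for key in rule:
        if key not in REQUIRED_FIELDS and key not in OPTIONAL_FIELDS:
            problems.append(f"{key}: unknown field")
    if rule.get("confidence") not in CONFIDENCE_LEVELS:
        problems.append("confidence: must be one of high, medium, low")
    url = urlparse(rule.get("source_url", ""))
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        problems.append("source_url: must be an https://www.drupal.org/... link")
    if rule.get("insecure_example") and rule.get("insecure_example") == rule.get("secure_example"):
        problems.append("secure_example: identical to insecure_example, so the rule teaches nothing")
    return problems


def validate_rules_json(text: str) -> Dict[int, List[str]]:
    """Parse a dynamic_rules.json payload (a JSON array) and map each failing index to its problems."""
    rules = json.loads(text)
    if not isinstance(rules, list):
        raise ValueError("dynamic_rules.json must contain a JSON array of rule objects")
    report: Dict[int, List[str]] = {}
    for index, rule in enumerate(rules):
        problems = validate_rule(rule) if isinstance(rule, dict) else ["entry is not a JSON object"]
        if problems:
            report[index] = problems
    return report


# Constructed entries. A real rule links the specific review comment; the queue URL stands in here.
GOOD_RULE = {
    "title": "Use placeholders in database queries",
    "description": "Concatenating request data into SQL passed to the database layer allows "
                   "SQL injection. Bind values with :placeholders instead.",
    "insecure_example": "\\Drupal::database()->query(\"SELECT title FROM {node_field_data} "
                        "WHERE nid = \" . $nid);",
    "secure_example": "\\Drupal::database()->query('SELECT title FROM {node_field_data} "
                      "WHERE nid = :nid', [':nid' => $nid]);",
    "source_url": "https://www.drupal.org/project/projectapplications",
    "author": "example-reviewer",
    "confidence": "high",
}

BAD_RULE = {
    "title": "Sanitize everything",
    "description": "",                      # empty required field
    "insecure_example": "echo $input;",
    "secure_example": "echo $input;",       # identical to the insecure example
    "source_url": "http://example.com/notes",  # not https, not drupal.org
    "confidence": "certain",                # not an allowed level
    "reviewer": "someone",                  # unknown field (README uses "author")
}

SAMPLE_JSON = json.dumps([GOOD_RULE, BAD_RULE])
```

validate_rules_json(SAMPLE_JSON) reports five problems for index 1 and nothing for index 0; run it over the whole file after adding an entry and before ./run_updater.py --compile, since the compiled SKILL.md inherits whatever is wrong in the JSON.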

Requirements

  • Python 3.8+
  • requests library (pip install requests)
  • No external API key required for the core workflow

About

This skill analyzes the Drupal security application queue for new issues and reviewer comments and updates the SKILL.md file accordingly.
