From 12cd7d32092bcafb39675df73c7d6feabbe34195 Mon Sep 17 00:00:00 2001
From: Florencio Cano Gabarda
Date: Sat, 25 Apr 2026 19:46:58 +0200
Subject: [PATCH 1/2] feat: integrate prodsec-skills for transparent security guidance in every session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Clone RedHatProductSecurity/prodsec-skills into the runner image and wire it into every session via add_dirs and the system prompt. Agents get transparent access to 128 security skills covering secure development, security testing, security auditing, and developer tooling — no user action or slash commands required.

Changes:
- Dockerfile: clone prodsec-skills into /app/prodsec-skills at build time
- bridge.py: add /app/prodsec-skills to add_dirs so Claude Code can read files
- prompts.py: system prompt tells agents where skills are and when to use them

Made-with: Cursor
---
 components/runners/ambient-runner/Dockerfile | 4 ++++
 .../ambient_runner/bridges/claude/bridge.py | 7 +++++++
 .../ambient_runner/platform/prompts.py | 20 +++++++++++++++++++
 3 files changed, 31 insertions(+)

diff --git a/components/runners/ambient-runner/Dockerfile b/components/runners/ambient-runner/Dockerfile
index 0d15b77cf..59bd32be7 100755
--- a/components/runners/ambient-runner/Dockerfile
+++ b/components/runners/ambient-runner/Dockerfile
@@ -46,6 +46,10 @@ RUN npm install -g @google/gemini-cli@${GEMINI_CLI_VERSION} && \
 # Install CodeRabbit CLI (official install script, binary for current arch)
 RUN curl -fsSL https://cli.coderabbit.ai/install.sh | CODERABBIT_INSTALL_DIR=/usr/local/bin sh
 
+# Install prodsec-skills (Product Security guidance available to every session)
+RUN git clone --depth 1 https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills && \
+    rm -rf /app/prodsec-skills/.git
+
 # Set environment variables
 ENV PYTHONUNBUFFERED=1
 ENV PYTHONDONTWRITEBYTECODE=1
diff --git a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py
index 893e2348c..c37bb6630 100644
--- a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py
+++ b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py
@@ -15,6 +15,7 @@
 import os
 import time
 from collections.abc import AsyncIterator
+from pathlib import Path
 from typing import Any
 
 from ag_ui.core import (
@@ -674,6 +675,12 @@ async def _setup_platform(self) -> None:
         # Workspace paths
         cwd_path, add_dirs = resolve_workspace_paths(self._context)
 
+
+        # Prodsec-skills: make security guidance available to every session
+        _prodsec_path = "/app/prodsec-skills"
+        if Path(_prodsec_path).exists() and _prodsec_path not in add_dirs:
+            add_dirs.append(_prodsec_path)
+
         if add_dirs:
             os.environ["CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD"] = "1"
 
diff --git a/components/runners/ambient-runner/ambient_runner/platform/prompts.py b/components/runners/ambient-runner/ambient_runner/platform/prompts.py
index 7de1f8433..8b5e15a69 100644
--- a/components/runners/ambient-runner/ambient_runner/platform/prompts.py
+++ b/components/runners/ambient-runner/ambient_runner/platform/prompts.py
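Review bot: The directory appended here is handed to Claude Code together with `CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD=1` on the line just below, so if that flag does what its name says, any CLAUDE.md under /app/prodsec-skills is loaded as instructions and the cloned third-party content becomes part of the agent's trusted instruction context rather than read-only reference material. The comment should state that, e.g. `# NOTE: with CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD set below, CLAUDE.md files in this tree are loaded as instructions; only ship a reviewed, pinned revision of prodsec-skills here`, and if additional directories also grant tool write access (not visible in this hunk), making the tree read-only in the image would keep the agent from editing the guidance it is told to follow. The literal `/app/prodsec-skills` is repeated in prompts.py (the `Path("/app/prodsec-skills/skills")` check and twice inside PRODSEC_SKILLS_PROMPT); one shared module-level `PRODSEC_SKILLS_DIR = "/app/prodsec-skills"` would keep the two existence checks and the prompt text from drifting apart. `_setup_platform` begins and ends outside the hunk.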
@@ -98,6 +98,22 @@
     "attention.\n\n"
 )
 
+PRODSEC_SKILLS_PROMPT = (
+    "## Security Skills\n"
+    "Product Security skills are available at `/app/prodsec-skills/skills/`. "
+    "When performing security-sensitive tasks (code review, writing auth/crypto/network "
+    "code, configuring infrastructure, auditing), read the relevant skill for guidance "
+    "before proceeding. Key areas:\n"
+    "- `secure_development/` — cryptography, web security, supply chain, MCP servers, "
+    "Kubernetes, API gateways, inference engines, agent security (103 skills)\n"
+    "- `security_testing/` — fuzzing (AFL++, libFuzzer, cargo-fuzz), static analysis "
+    "(Semgrep, CodeQL, SARIF) (17 skills)\n"
+    "- `security_auditing/` — context building, differential review, variant analysis "
+    "(4 skills)\n"
+    "- `developer_tooling/` — devcontainers, property-based testing (4 skills)\n"
+    "See `/app/prodsec-skills/skills/README.md` for the full index.\n\n"
+)
+
 RESTART_TOOL_DESCRIPTION = (
     "Restart the Claude session to recover from issues, clear state, "
     "or get a fresh connection. Use this if you detect you're in a "
@@ -231,6 +247,10 @@ def build_workspace_context_prompt(
     if os.getenv("GITLAB_TOKEN"):
         prompt += GITLAB_TOKEN_PROMPT
 
+    # Prodsec-skills: security guidance for every session
+    if Path("/app/prodsec-skills/skills").exists():
+        prompt += PRODSEC_SKILLS_PROMPT
+
     # Workflow instructions
     if ambient_config.get("systemPrompt"):
         prompt += f"## Workflow Instructions\n{ambient_config['systemPrompt']}\n\n"

From 365eba7185b46d944fd078b23b7ca0789bd56324 Mon Sep 17 00:00:00 2001
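Review bot: `Path` is used in the new existence check in `build_workspace_context_prompt`, but neither prompts.py hunk adds `from pathlib import Path`, and the diffstat's 20 insertions are fully accounted for by the two hunks; unless the module already imports it (not visible here), the function raises NameError the first time it is called — bridge.py needed that import in this same commit, which makes a missing one here plausible. Either add the import or reuse the module already in scope on the line above: `if os.path.isdir("/app/prodsec-skills/skills"):`. This check is also evaluated independently of the bridge's add_dirs decision, so the prompt can describe a skills path that was never added as an additional directory (or vice versa); deriving both checks from one shared constant would tie them together. `build_workspace_context_prompt` starts before the hunk and continues after it.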
From: Florencio Cano Gabarda
Date: Sun, 26 Apr 2026 10:33:20 +0200
Subject: [PATCH 2/2] fix: address CodeRabbit review feedback on prodsec-skills integration

- Pin prodsec-skills clone to a specific commit SHA for reproducibility and supply-chain safety (Dockerfile)
- Align existence check in bridge.py to verify /app/prodsec-skills/skills directory, consistent with prompts.py
- Drop hardcoded skill counts from PRODSEC_SKILLS_PROMPT to avoid drift as skills are added or removed

Assisted-by: Claude
Made-with: Cursor
---
 components/runners/ambient-runner/Dockerfile | 4 +++-
 .../ambient_runner/bridges/claude/bridge.py | 2 +-
 .../ambient-runner/ambient_runner/platform/prompts.py | 9 ++++-----
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/components/runners/ambient-runner/Dockerfile b/components/runners/ambient-runner/Dockerfile
index 59bd32be7..38c355bf6 100755
--- a/components/runners/ambient-runner/Dockerfile
+++ b/components/runners/ambient-runner/Dockerfile
@@ -47,7 +47,9 @@ RUN npm install -g @google/gemini-cli@${GEMINI_CLI_VERSION} && \
 RUN curl -fsSL https://cli.coderabbit.ai/install.sh | CODERABBIT_INSTALL_DIR=/usr/local/bin sh
 
 # Install prodsec-skills (Product Security guidance available to every session)
-RUN git clone --depth 1 https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills && \
+ARG PRODSEC_SKILLS_REF=f100e15c3f560771e5ede57f7fce03dcb61512eb
+RUN git clone https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills && \
+    git -C /app/prodsec-skills checkout --detach "${PRODSEC_SKILLS_REF}" && \
     rm -rf /app/prodsec-skills/.git
 
 # Set environment variables
diff --git a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py
index c37bb6630..44d4cba59 100644
--- a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py
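Review bot: The pin can be silently weakened because `ARG PRODSEC_SKILLS_REF` is overridable at build time and `git checkout --detach` accepts a branch or tag name as readily as a commit SHA, so a `--build-arg PRODSEC_SKILLS_REF=main` rebuilds the image with unreviewed content and nothing fails. A comment above the ARG stating that the value must be a full commit SHA, plus a guard before the checkout such as `case "${PRODSEC_SKILLS_REF}" in *[!0-9a-f]*|'') echo 'PRODSEC_SKILLS_REF must be a full commit SHA' >&2; exit 1;; esac && \`, would enforce what the commit message promises. Because `.git` is removed afterwards, the image no longer records which revision of the guidance it carries; writing the ref to a marker file, e.g. `echo "${PRODSEC_SKILLS_REF}" > /app/prodsec-skills/.pinned-ref`, preserves provenance for audits and lets the runtime report it. Dropping `--depth 1` now fetches the full history, where a `git init`, `git fetch --depth 1 origin "${PRODSEC_SKILLS_REF}"` and `git checkout FETCH_HEAD` sequence would fetch only the pinned commit.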
+++ b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py
@@ -678,7 +678,7 @@ async def _setup_platform(self) -> None:
 
         # Prodsec-skills: make security guidance available to every session
         _prodsec_path = "/app/prodsec-skills"
-        if Path(_prodsec_path).exists() and _prodsec_path not in add_dirs:
+        if Path(f"{_prodsec_path}/skills").exists() and _prodsec_path not in add_dirs:
             add_dirs.append(_prodsec_path)
 
         if add_dirs:
diff --git a/components/runners/ambient-runner/ambient_runner/platform/prompts.py b/components/runners/ambient-runner/ambient_runner/platform/prompts.py
index 8b5e15a69..56aab6ffd 100644
--- a/components/runners/ambient-runner/ambient_runner/platform/prompts.py
+++ b/components/runners/ambient-runner/ambient_runner/platform/prompts.py
@@ -105,12 +105,11 @@
     "code, configuring infrastructure, auditing), read the relevant skill for guidance "
     "before proceeding. Key areas:\n"
     "- `secure_development/` — cryptography, web security, supply chain, MCP servers, "
-    "Kubernetes, API gateways, inference engines, agent security (103 skills)\n"
+    "Kubernetes, API gateways, inference engines, agent security\n"
     "- `security_testing/` — fuzzing (AFL++, libFuzzer, cargo-fuzz), static analysis "
-    "(Semgrep, CodeQL, SARIF) (17 skills)\n"
-    "- `security_auditing/` — context building, differential review, variant analysis "
-    "(4 skills)\n"
-    "- `developer_tooling/` — devcontainers, property-based testing (4 skills)\n"
+    "(Semgrep, CodeQL, SARIF)\n"
+    "- `security_auditing/` — context building, differential review, variant analysis\n"
+    "- `developer_tooling/` — devcontainers, property-based testing\n"
     "See `/app/prodsec-skills/skills/README.md` for the full index.\n\n"
 )
 
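Review bot: `Path(f"{_prodsec_path}/skills").exists()` is also true for a stray regular file named `skills`, after which the directory is added and the prompt tells the agent to read skill files from a path that is not a directory; `if Path(_prodsec_path, "skills").is_dir() and _prodsec_path not in add_dirs:` states the intent and uses the pathlib join instead of string formatting. The matching check in prompts.py (`Path("/app/prodsec-skills/skills").exists()`, from the previous commit) has the same shape and should move to `is_dir()` together with it. `_setup_platform` begins and ends outside the hunk.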