
deepsec
โ 1,542by vercel-labs ยท part of vercel-labs/dev3000
Run DeepSec against a Vercel project checkout from dev3000. Use for one-click DeepSec setup, project context bootstrapping, bounded first-pass processing, and report generation.
This is the playbook your agent receives when the skill activates โ you don't need to read it to use the skill, but it's here to audit before installing.
DeepSec Dev3000 Runbook
Use this skill to turn the manual DeepSec workflow into a repeatable dev3000 run against the current Vercel project checkout.
Operating Policy
- Work from the real project checkout at
/workspace/repo. - Do not write AI credentials into
.deepsec/.env.localor any tracked file. The dev3000 runtime passes AI Gateway credentials through the process environment. - Default dev3000 runs are a bounded first pass. Do not run an unbounded
processorrevalidatecommand unless the user explicitly asks for a full DeepSec scan in run-specific instructions. - Keep generated scan state in the locations DeepSec already gitignores. Commit only the durable setup/context files and human-readable findings report.
- Treat DeepSec as a coding agent with shell access. Do not run it on untrusted source inputs.
Default Flow
- Inspect the project shape:
- Read
README.mdif present. - Read
AGENTS.mdorCLAUDE.mdif present. - Skim representative files for auth, middleware, request handlers, data access, billing, webhooks, and security-sensitive boundaries.
- Read
- Initialize DeepSec if needed:
- If
.deepsec/is absent, runnpx --yes deepsec@latest init. - If
.deepsec/already exists, do not force overwrite it.
- If
- Install DeepSec workspace dependencies:
- Run
corepack pnpm installfrom.deepsec/. - Ensure the Claude Agent SDK native binary that DeepSec actually uses is available. Do not run a Claude Code postinstall; DeepSec uses
@anthropic-ai/claude-agent-sdk. - If
corepack pnpmis unavailable, runpnpm installonly after confirmingpnpmexists.
- Run
- Fill the generated project context:
- Read
.deepsec/node_modules/deepsec/SKILL.md. - Read
.deepsec/data/<id>/SETUP.md. - Replace
.deepsec/data/<id>/INFO.mdwith concise project-specific context. - Keep
INFO.mdto roughly 50-100 lines. - Use 3-5 examples per section. Name local primitives such as auth helpers, middleware, database clients, webhook handlers, and privileged APIs.
- Do not include line numbers, generic CWE lists, or broad framework summaries.
- Read
- Run the scan:
- Run
corepack pnpm deepsec scanfrom.deepsec/.
- Run
- Run bounded AI processing:
- Default command:
corepack pnpm deepsec process --limit 25 --concurrency 2 --batch-size 3. - If the candidate set is below the limit, state that all discovered candidates were processed.
- If the user explicitly requested a full run, use the requested limit/concurrency or omit
--limit. - If the process command fails, stop and report the failure. Do not generate a manual fallback report from regex candidates.
- Default command:
- Generate the findings report:
- Run
corepack pnpm deepsec export --format md-dir --out ./findings. - If there are no findings, create
.deepsec/findings/README.mdsummarizing that this bounded pass found no findings and include the exact commands that were run.
- Run
- Summarize the run:
- Include commands run, project id, limit/concurrency, and whether the report contains findings.
- Do not include a "Next Steps - Full Scan" section by default.
- Only include a follow-up scan section if DeepSec reports unprocessed candidates or the user explicitly asked about deeper coverage. Label it "Optional Deeper Follow-Up" and explain exactly how it differs from the completed run.
Validation
- Prefer DeepSec's own command output,
corepack pnpm deepsec status, and generated finding files as validation. - Do not start a dev server or browser unless the user explicitly asks for visual/runtime verification.
- Before finishing, check
git diff --statand make sure no secrets,node_modules,.env.local, or raw scan state are staged by accident.
npx skills add https://github.com/vercel-labs/dev3000 --skill deepsecRun this in your project โ your agent picks the skill up automatically.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.
Licensed under MITโ you can use, modify, and redistribute it under that license's terms.
View the full license file on GitHub โ