
Security Requirement Extraction
Turn product specs and compliance goals into structured security requirements with domains, priorities, and acceptance criteria before you build.
Overview
Security Requirement Extraction is an agent skill most often used in Validate (also Ship) that turns compliance and threat concerns into prioritized, testable security requirement models with domain and framework tags.
Install
npx skills add https://github.com/wshobson/agents --skill security-requirement-extraction
What is this skill?
- Python dataclass templates for SecurityRequirement with 10 SecurityDomain enums
- Maps requirements to ComplianceFramework (PCI-DSS, HIPAA, GDPR, SOC2, NIST, ISO 27001, OWASP)
- Priority tiers (CRITICAL through LOW) with acceptance criteria and threat refs
- RequirementType split: functional, non-functional, and constraint
- Worked examples alongside reusable security requirement models
- 7 ComplianceFramework mappings in the template model
Adoption & trust: 13.6k installs on skills.sh; 36.5k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know you need GDPR or OWASP coverage but only have informal notes instead of prioritized requirements with acceptance criteria.
Who is it for?
Solo builders scoping MVP security, prepping SOC2/GDPR/PCI conversations, or drafting threat-linked acceptance criteria before backend work.
Skip if: Teams that only need automated SAST/DAST scans or already maintain a signed-off enterprise requirements baseline with no extraction step.
When should I use this skill?
You need to draft or refine a structured security requirement set with domains, priorities, and compliance links from specs or threats.
What do I get? / Deliverables
You get a structured security requirement catalog—domains, priorities, compliance refs, and test hooks—ready to drive implementation and later security review.
- Security requirement model instances
- Prioritized requirement list with acceptance criteria
- Compliance and threat reference links per requirement
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Requirement extraction belongs on the validate shelf because solo builders define security scope and constraints before committing to implementation. Scope is where you nail auth, data protection, and framework obligations (GDPR, SOC2, OWASP) into a testable requirement model.
Where it fits
List CRITICAL auth and data-protection requirements before choosing your auth stack.
Attach acceptance criteria to each API endpoint’s validation and session rules.
Cross-check shipped features against documented compliance_refs and test_cases.
Add new NON_FUNCTIONAL requirements when monitoring reveals gaps in audit logging.
How it compares
Use for structured requirement authoring templates, not for runtime vulnerability scanning or pentest execution.
Common Questions / FAQ
Who is security-requirement-extraction for?
Indie and solo builders who need to document security and compliance expectations in a consistent, agent-friendly model before or while building.
When should I use security-requirement-extraction?
During validate when scoping auth and data handling; during ship when aligning features to OWASP or SOC2-style controls; when turning threat notes into backlog-ready requirements.
Is security-requirement-extraction safe to install?
It is documentation and code templates without shell or network hooks; review the Security Audits panel on this Prism page before trusting any third-party skill package.
SKILL.md - Security Requirement Extraction
# security-requirement-extraction — templates and worked examples

## Templates

### Template 1: Security Requirement Model

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Dict, List


class RequirementType(Enum):
    FUNCTIONAL = "functional"
    NON_FUNCTIONAL = "non_functional"
    CONSTRAINT = "constraint"


class Priority(Enum):
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


class SecurityDomain(Enum):
    AUTHENTICATION = "authentication"
    AUTHORIZATION = "authorization"
    DATA_PROTECTION = "data_protection"
    AUDIT_LOGGING = "audit_logging"
    INPUT_VALIDATION = "input_validation"
    ERROR_HANDLING = "error_handling"
    SESSION_MANAGEMENT = "session_management"
    CRYPTOGRAPHY = "cryptography"
    NETWORK_SECURITY = "network_security"
    AVAILABILITY = "availability"


class ComplianceFramework(Enum):
    PCI_DSS = "pci_dss"
    HIPAA = "hipaa"
    GDPR = "gdpr"
    SOC2 = "soc2"
    NIST_CSF = "nist_csf"
    ISO_27001 = "iso_27001"
    OWASP = "owasp"


@dataclass
class SecurityRequirement:
    id: str
    title: str
    description: str
    req_type: RequirementType
    domain: SecurityDomain
    priority: Priority
    rationale: str = ""
    acceptance_criteria: List[str] = field(default_factory=list)
    test_cases: List[str] = field(default_factory=list)
    threat_refs: List[str] = field(default_factory=list)
    compliance_refs: List[str] = field(default_factory=list)
    dependencies: List[str] = field(default_factory=list)
    status: str = "draft"
    owner: str = ""
    created_date: datetime = field(default_factory=datetime.now)

    def to_user_story(self) -> str:
        """Convert to user story format."""
        return f"""
**{self.id}: {self.title}**

As a security-conscious system,
I need to {self.description.lower()},
So that {self.rationale.lower()}.

**Acceptance Criteria:**
{chr(10).join(f'- [ ] {ac}' for ac in self.acceptance_criteria)}

**Priority:** {self.priority.name}
**Domain:** {self.domain.value}
**Threat References:** {', '.join(self.threat_refs)}
"""

    def to_test_spec(self) -> str:
        """Convert to test specification."""
        return f"""
## Test Specification: {self.id}

### Requirement
{self.description}

### Test Cases
{chr(10).join(f'{i+1}. {tc}' for i, tc in enumerate(self.test_cases))}

### Acceptance Criteria Verification
{chr(10).join(f'- {ac}' for ac in self.acceptance_criteria)}
"""


@dataclass
class RequirementSet:
    name: str
    version: str
    requirements: List[SecurityRequirement] = field(default_factory=list)

    def add(self, req: SecurityRequirement) -> None:
        self.requirements.append(req)

    def get_by_domain(self, domain: SecurityDomain) -> List[SecurityRequirement]:
        return [r for r in self.requirements if r.domain == domain]

    def get_by_priority(self, priority: Priority) -> List[SecurityRequirement]:
        return [r for r in self.requirements if r.priority == priority]

    def get_by_threat(self, threat_id: str) -> List[SecurityRequirement]:
        return [r for r in self.requirements if threat_id in r.threat_refs]

    def get_critical_requirements(self) -> List[SecurityRequirement]:
        return [r for r in self.requirements if r.priority == Priority.CRITICAL]

    def export_markdown(self) -> str:
        """Export all requirements as markdown, grouped by security domain."""
        lines = [f"# Security Requirements: {self.name}\n"]
        lines.append(f"Version: {self.version}\n")
        for domain in SecurityDomain:
            domain_reqs = self.get_by_domain(domain)
            if domain_reqs:
                lines.append(f"\n## {domain.value.replace('_', ' ').title()}\n")
                for req in domain_reqs:
                    lines.append(req.to_user_story())
        return "\n".join(lines)

    def traceability_matrix(self) -> Dict[str, List[str]]:
        """Generate threat-to-requirement traceability."""
        # The body was cut off in the extracted page; completed here to match
        # the docstring and return type: threat id -> ids of requirements citing it.
        matrix: Dict[str, List[str]] = {}
        for req in self.requirements:
            for threat_id in req.threat_refs:
                matrix.setdefault(threat_id, []).append(req.id)
        return matrix
```
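The "Where it fits" notes above talk about listing CRITICAL requirements before picking an auth stack and cross-checking shipped features against `compliance_refs` and `test_cases`. The example below, added here and not part of the wshobson/agents skill, shows what that review step looks like as code: it builds a small catalog in the shape of the page's `SecurityRequirement` model, then runs a quality gate (every CRITICAL/HIGH requirement must carry acceptance criteria, a test case and a threat link) and a coverage report (frameworks and threats in scope that no requirement references). The enums and dataclass are a trimmed re-statement of the template, the three requirements and the threat IDs `T-01`..`T-03` are constructed sample data, and the framework strings reuse the page's `ComplianceFramework` values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Priority(Enum):
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


class SecurityDomain(Enum):
    # Trimmed subset of the page's ten domains; enough for the sample below.
    AUTHENTICATION = "authentication"
    DATA_PROTECTION = "data_protection"
    SESSION_MANAGEMENT = "session_management"


@dataclass
class SecurityRequirement:
    # Trimmed re-statement of the page's model: only the fields the checks use.
    id: str
    title: str
    domain: SecurityDomain
    priority: Priority
    acceptance_criteria: List[str] = field(default_factory=list)
    test_cases: List[str] = field(default_factory=list)
    threat_refs: List[str] = field(default_factory=list)
    compliance_refs: List[str] = field(default_factory=list)


def sample_catalog() -> List[SecurityRequirement]:
    """Constructed sample catalog for a small web API (not real project data)."""
    return [
        SecurityRequirement(
            "SR-001", "Enforce MFA for admin accounts",
            SecurityDomain.AUTHENTICATION, Priority.CRITICAL,
            acceptance_criteria=["Admin login without a second factor is rejected"],
            test_cases=["Attempt admin login with password only; expect HTTP 401"],
            threat_refs=["T-01"],
            compliance_refs=["soc2", "pci_dss"],
        ),
        SecurityRequirement(
            "SR-002", "Encrypt personal data at rest",
            SecurityDomain.DATA_PROTECTION, Priority.CRITICAL,
            acceptance_criteria=["Database volumes are encrypted with AES-256"],
            test_cases=[],            # deliberately incomplete: no test hook yet
            threat_refs=["T-02"],
            compliance_refs=["gdpr"],
        ),
        SecurityRequirement(
            "SR-003", "Invalidate other sessions on password change",
            SecurityDomain.SESSION_MANAGEMENT, Priority.HIGH,
            acceptance_criteria=["All other sessions are revoked within 60 seconds"],
            test_cases=["Change password in session A; a request from session B returns 401"],
            threat_refs=[],           # deliberately incomplete: no threat link
            compliance_refs=["owasp"],
        ),
    ]


def quality_gate(reqs: List[SecurityRequirement]) -> Dict[str, List[str]]:
    """Return {requirement id: [missing fields]} for CRITICAL/HIGH requirements
    that are not yet testable or traceable. An empty dict means the gate passes."""
    findings: Dict[str, List[str]] = {}
    for r in reqs:
        if r.priority not in (Priority.CRITICAL, Priority.HIGH):
            continue  # lower tiers may still be sketches at this stage
        missing = [name for name, value in (
            ("acceptance_criteria", r.acceptance_criteria),
            ("test_cases", r.test_cases),
            ("threat_refs", r.threat_refs),
        ) if not value]
        if missing:
            findings[r.id] = missing
    return findings


def coverage_gaps(reqs: List[SecurityRequirement],
                  frameworks_in_scope: Set[str],
                  threats_in_scope: Set[str]) -> Dict[str, Set[str]]:
    """Frameworks and threat IDs that are in scope but cited by no requirement."""
    covered_frameworks = {f for r in reqs for f in r.compliance_refs}
    covered_threats = {t for r in reqs for t in r.threat_refs}
    return {
        "frameworks": frameworks_in_scope - covered_frameworks,
        "threats": threats_in_scope - covered_threats,
    }


if __name__ == "__main__":
    catalog = sample_catalog()
    print("quality gate findings:", quality_gate(catalog))
    print("coverage gaps:", coverage_gaps(
        catalog, {"gdpr", "soc2", "pci_dss", "hipaa"}, {"T-01", "T-02", "T-03"}))
```

Run as a script, the gate flags SR-002 (no test case) and SR-003 (no threat link), and the coverage report shows `hipaa` and `T-03` as in scope but unaddressed; those are exactly the items to resolve before the catalog is handed to implementation or used as the baseline for a later security review.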