v0.2.4·alpha·Apache-2.0

Security gates for
spec-driven development.

A GitHub Spec Kit extension that catches prompt injection, committed secrets, unpinned models, and undeclared PII before code ships. Eight slash commands, five phase hooks, six gates. All stack-agnostic.

Read the docs →View on GitHub

Works with

Claude Code

Copilot

Cursor

Gemini CLI

OpenCode+ 15 more

install.sh

# 1. Install Spec Kit

uv tool install specify-cli \

--from git+https://github.com/github/spec-kit.git

# 2. Clone this extension

git clone https://github.com/TEKIMAX/speckit-security

# 3. Install into any Spec Kit project

cd your-project && specify extension add --dev \

../speckit-security

Ready in under a minute · Zero runtime deps

commands

hooks

gates

The six gates

GATE A

Data Contract

Blocks if the spec has no Data Contract section, the Zod schema file is missing, or the schema uses z.any().

GATE B

Threat Model

Blocks if the spec has no threat model section, or if any High/Critical threat is marked [UNMITIGATED].

GATE C

Model Governance

For AI features: blocks on unpinned versions like "latest" or "stable", or when no rollback plan is mentioned.

GATE D

Guardrails

For AI features: requires a versioned guardrail YAML with both blocked_patterns and redact_patterns defined.

GATE E

Red Team

Checks a red-team report file exists. An optional runner hits staging with safety guards that refuse prod URLs and rate-limit requests.

GATE F

Inline Content Scan

Blocks inline system prompts in src/, committed secrets anywhere in the repo, and .env files tracked by git.

Security gates forspec-driven development.