Introduction
Security is no longer an afterthought in software development. With the rise of DevSecOps, organizations embed security practices directly into their CI/CD pipelines. But where do you start? One of the most practical ways to accelerate security workflows is by using targeted prompts for AI assistants, code analyzers, and automation tools. This article provides 15 ready-to-use prompts covering SAST, DAST, dependency scanning, policy enforcement, and compliance audits. Each prompt is designed to save you time and improve your security posture.
Why Prompts Matter in DevSecOps
Modern development teams rely on AI tools to review code, generate security policies, and interpret scan results. A well-crafted prompt can turn a generic AI into a specialized security advisor. For example, instead of asking "Is this code secure?", you can ask "Analyze this Python snippet for SQL injection vulnerabilities and suggest fixes using OWASP Top 10 guidelines." The difference in output quality is dramatic.
Prompts for SAST (Static Application Security Testing)
1. Vulnerability Discovery in Source Code
Prompt: "Act as a senior application security engineer. Review the following [language] code for common vulnerabilities (SQL injection, XSS, path traversal, insecure deserialization). List each issue with the exact line number, severity (Critical/High/Medium/Low), and a code snippet fix. Use CWE identifiers where applicable."
Example: Run this against a Java Spring Boot controller that accepts user input without validation. The AI will flag missing input sanitization and suggest parameterized queries.
2. Secure Code Generation
Prompt: "Generate a secure Python function that reads a file from an S3 bucket, validates the file type (allow only .csv and .json), and returns the content. Include error handling for missing files, permission errors, and invalid file types. Add comments explaining each security control."
Example: The output includes try-except blocks, file extension whitelisting, and AWS IAM role checks.
3. SAST Configuration Tuning
Prompt: "I use [tool name, e.g., Semgrep or SonarQube] for SAST. My project is a React frontend with Node.js backend. Suggest a custom ruleset that reduces false positives by 30% while still catching OWASP Top 10 issues. Provide the rule syntax."
Example: For Semgrep, you get rules like pattern: document.write(...) to flag DOM XSS.
Prompts for DAST (Dynamic Application Security Testing)
4. Automated DAST Test Plan
Prompt: "Design a DAST test plan for a REST API with authentication (JWT tokens). Include tests for authentication bypass, IDOR, rate limiting, mass assignment, and SQL injection. For each test, specify the HTTP method, endpoint, payload, expected response, and pass/fail criteria."
Example: The plan includes a test for IDOR: GET /api/users/1234 with a JWT of user 5678, expecting a 403 response.
5. Interpreting DAST Results
Prompt: "I received a DAST report from Burp Suite with 15 findings. The report is attached. Summarize the top 5 risks by business impact, explain the attack vector for each, and recommend a remediation priority order. Include references to CWE and CVSS scores."
Example: The AI highlights a critical SQL injection in /search endpoint with CVSS 9.8 and suggests immediate input validation.
6. DAST Scan Configuration
Prompt: "Configure a DAST scan for a web application hosted at https://example.com. The app uses OAuth2 and has a login page. Set the scan to run weekly, exclude the /logout endpoint, and limit the scan depth to 3 levels. Provide the JSON configuration for OWASP ZAP."
Example: The output includes ZAP context file settings for authentication and scope.
Prompts for Policy Generation and Enforcement
7. Infrastructure-as-Code Policy
Prompt: "Generate a Terraform policy (using Sentinel or OPA) that ensures all S3 buckets have 'block_public_access' enabled and encryption at rest with AWS KMS. The policy should deny any resource that violates these rules and log the violation to CloudWatch."
Example: The policy snippet includes deny { resource_type == "aws_s3_bucket" and not block_public_acls }.
8. Container Security Policy
Prompt: "Create a Kubernetes Pod Security Admission policy that enforces: (1) containers run as non-root, (2) read-only root filesystem, (3) no privileged escalation. Use the 'restricted' profile as a base, but allow an exception for the 'monitoring' namespace. Output the YAML."
Example: The YAML includes allowedNamespaces: ["monitoring"] with appropriate exceptions.
9. Dependency License Compliance
Prompt: "I have a package.json from a Node.js project. Check all dependencies against a whitelist of approved licenses (MIT, Apache 2.0, BSD-2, BSD-3, ISC). List any unapproved licenses, their risk level, and suggest alternative packages. Also flag any GPL or AGPL licenses."
Example: The AI detects a GPL-3.0 dependency like sqlite3 and suggests better-sqlite3 as a MIT alternative.
Prompts for Compliance Audits
10. GDPR Readiness Audit
Prompt: "Act as a GDPR compliance auditor. Review the following data flow description: [paste description of app that collects user emails and IPs]. List all GDPR violations, the applicable articles (e.g., Art. 5, Art. 6, Art. 17), and corrective actions. Prioritize by risk of regulatory fine."
Example: The output flags missing consent mechanism (Art. 7) and lack of data retention policy.
11. SOC 2 Type II Evidence Collection
Prompt: "I need to collect evidence for SOC 2 Type II audit, specifically for the 'Security' trust principle. List 10 types of evidence I must gather (e.g., access review logs, vulnerability scan reports, incident response playbooks). For each, describe the expected content and retention period."
Example: Evidence #3: Quarterly access review report showing user permissions and any revoked accounts.
12. PCI DSS Self-Assessment
Prompt: "I run a small e-commerce site that processes credit card payments via Stripe. Walk me through a PCI DSS SAQ A self-assessment. For each requirement (1-12), tell me what I need to prove compliance and provide a checklist of documents."
Example: Requirement 3.4: Render PAN unreadable — check if you use tokenization (Stripe does this automatically).
Prompts for Developer Training
13. Secure Coding Quiz Generator
Prompt: "Generate 10 multiple-choice questions about SQL injection prevention for a team of mid-level Python developers. Each question should have 4 options, explain the correct answer, and reference a CWE or OWASP resource. Include questions about parameterized queries, ORMs, and stored procedures."
Example: Question: "Which of the following is the most effective way to prevent SQL injection in Python? A) Escape quotes, B) Use parameterized queries, C) Use blacklist filtering, D) Use stored procedures." Answer: B.
14. Incident Response Runbook
Prompt: "Write a runbook for responding to a 'Critical' severity alert from an IDS/IPS system that indicates a potential SQL injection attack on a production web server. Include: (1) immediate containment steps, (2) evidence collection, (3) root cause analysis checklist, (4) communication template for stakeholders."
Example: The runbook includes a step: "Isolate the affected server from load balancer by running kubectl cordon node-x."
15. Threat Modeling Session
Prompt: "Lead a threat modeling session using STRIDE for a new microservice that handles user authentication. For each category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), list at least two threats specific to authentication, the affected component, and a mitigation (e.g., rate limiting, multi-factor authentication)."
Example: Under Spoofing: "Threat: Attacker impersonates a user via stolen JWT. Mitigation: Use short-lived tokens and refresh token rotation."
Conclusion
Effective DevSecOps relies on automation, clear policies, and continuous education. The 15 prompts above give you a head start in leveraging AI for security tasks — from scanning code to auditing compliance. Remember: a prompt is only as good as the context you provide. Always refine your prompts based on your specific stack and threat model. For teams looking to integrate these practices into a unified workflow, platforms like ASI Biont support connecting security tools and automating policy enforcement through API integrations. Start with one prompt today, and build your security muscle over time.
Comments