20 Prompts for Security and DevSecOps: Audit, Scanning, Policies

Introduction

Security is no longer an afterthought in software development — it’s a continuous, integrated practice known as DevSecOps. To help teams automate audits, vulnerability scanning, and policy enforcement, this article provides 20 ready-to-use prompts for AI assistants like ChatGPT, Claude, and Gemini. Each prompt is designed to save time, reduce human error, and align with industry standards like OWASP, NIST, and CIS. Whether you’re a security engineer, DevOps lead, or compliance officer, these prompts will streamline your daily workflows.

Why Use Prompts for DevSecOps?

AI can accelerate repetitive security tasks — from generating SAST configuration files to drafting access control policies. Instead of writing every script or rule from scratch, you can ask an AI to produce a first draft, then review and customize it. This approach is especially useful for:
- SAST (Static Application Security Testing): Scanning source code for vulnerabilities.
- DAST (Dynamic Application Security Testing): Testing running applications.
- Policy as Code: Defining and enforcing security policies automatically.

Below are 20 categorized prompts you can copy, paste, and adapt.

SAST & Code Analysis Prompts

1. Generate a SAST Configuration for Semgrep

Prompt: "Create a Semgrep configuration file (YAML) that detects SQL injection, XSS, and insecure deserialization in Python Flask applications. Include rule IDs, severity levels, and example patterns. Use OWASP Top 10 2021 as reference."

Example Output:

rules:
  - id: python-flask-sql-injection
    pattern: |
      cursor.execute("..." + $VAR + "...")
    message: "SQL injection detected"
    severity: ERROR
    languages: [python]

2. Generate a SAST Configuration for CodeQL

Prompt: "Write a CodeQL query (QL file) to detect hardcoded API keys or passwords in Java source code. The query should flag string literals longer than 10 characters that match common key patterns like 'sk-', 'AKIA', or 'ghp_'. Reference the CWE-798 standard."

Example Output:

import java

from Expr e
where e.toString().matches("sk-%") or e.toString().matches("AKIA%")
select e, "Hardcoded credential detected"

3. Explain a SAST Finding

Prompt: "I have this SAST finding from SonarQube: 'Make sure that using this pseudorandom number generator is safe here.' The file is auth.py, line 42, using random.randint(). Write a one-paragraph explanation of the risk and suggest a fix using secrets module."

4. Compare SAST Tools for a Python Project

Prompt: "Compare Bandit, Semgrep, and SonarQube for a Python Django project with 50,000 lines of code. Consider: detection rate for OWASP Top 10, false positive rate, integration with GitHub Actions, and licensing cost. Provide a table and a recommendation."

Tool Detection Rate False Positives CI Integration License
Bandit Medium Low Native Open source
Semgrep High Medium Native Free tier + paid
SonarQube High Medium Native Community + paid

DAST & Dynamic Testing Prompts

5. Generate a DAST Scan Configuration for OWASP ZAP

Prompt: "Create an OWASP ZAP automation plan (YAML) to scan a REST API at https://api.example.com/v1. Include authentication using a bearer token, spidering, active scan with high threshold, and exclude logout endpoints. Output the full YAML."

6. Write a Burp Suite Intruder Payload

Prompt: "Generate a Burp Suite Intruder payload list (one entry per line) for testing SQL injection in a login form. Include 20 classic payloads like ' OR '1'='1, ' UNION SELECT NULL--, and sleep-based payloads. Reference OWASP SQL Injection Cheat Sheet."

7. Interpret a DAST Report

Prompt: "I have a DAST report from Acunetix showing a 'Reflected XSS' in the search endpoint with parameter 'q'. The evidence includes the payload ''. Write a remediation guide for the development team, including input validation, output encoding, and Content-Security-Policy headers."

8. Generate Test Cases for API Security Testing

Prompt: "List 15 test cases for DAST of a REST API that uses JWT authentication. Include tests for token tampering, missing token, expired token, and privilege escalation. For each test, describe the request, expected response, and risk level."

Policy as Code & Access Control Prompts

9. Write a Kubernetes Pod Security Policy

Prompt: "Create a Kubernetes Pod Security Standard (baseline profile) as a YAML policy using Kyverno. The policy should: deny privileged containers, require read-only root filesystem, and enforce that containers run as non-root user. Include annotations and validationFailureAction: enforce."

10. Generate an AWS IAM Policy

Prompt: "Write an AWS IAM policy (JSON) that grants least-privilege access to an S3 bucket for a CI/CD pipeline. Allow only s3:GetObject, s3:PutObject, and s3:ListBucket on a specific bucket 'myapp-artifacts'. Deny all other actions. Use a condition to require TLS."

11. Create a Terraform Sentinel Policy

Prompt: "Write a Terraform Sentinel policy (Sentinel language) that prevents provisioning of AWS RDS instances without encryption at rest. The policy should check resource type 'aws_db_instance' and ensure the 'storage_encrypted' attribute is true. If not, deny the plan."

12. Generate a Compliance Check for CIS Benchmark

Prompt: "Create a script in Python using the 'policyuniverse' library that reads an AWS IAM policy JSON and checks if it violates CIS AWS Foundations Benchmark 1.22 (ensure IAM policies that allow full administrative privileges are not created). Output pass/fail with reasons."

Audit & Logging Prompts

13. Write a CloudTrail Audit Query

Prompt: "Generate an AWS CloudTrail Insights query (JSON) that detects root account login activity. The query should filter on eventName 'ConsoleLogin' and userIdentity.type 'Root'. Return the last 90 days of events. Explain how to run this in AWS Athena."

14. Draft a Security Audit Checklist

Prompt: "Create a 20-item security audit checklist for a web application that stores PII. Cover areas: encryption at rest and in transit, authentication, session management, logging, and incident response. Reference NIST SP 800-53 controls. Format as a table with columns: Control Area, Check Item, Status (Pass/Fail/NA)."

Control Area Check Item Status
Encryption Database encrypted with AES-256
Authentication MFA enabled for all users

15. Generate a Log Analysis Query for SIEM

Prompt: "Write a Splunk SPL query to detect brute-force SSH attempts. Look for more than 10 failed authentication events (sshd: Failed password) from the same source IP within 5 minutes. Return source IP, count, and first/last timestamp. Include a threshold alert description."

Container & Infrastructure Security Prompts

16. Generate a Dockerfile Security Lint

Prompt: "Create a Dockerfile best-practice checklist with 10 rules. For each rule, provide a 'good' and 'bad' example. Include: use specific base image tags, avoid running as root, use multi-stage builds, don't store secrets in ENV, and add HEALTHCHECK."

17. Write a Trivy Scan Command

Prompt: "Generate a Trivy command to scan a Docker image 'myapp:latest' for critical and high severity vulnerabilities. Output should be in JSON format, include only fixed vulnerabilities, and exclude unfixed ones. Explain how to integrate this into a GitLab CI pipeline."

18. Create a Network Policy for Kubernetes

Prompt: "Write a Kubernetes NetworkPolicy YAML that restricts traffic to a 'backend' namespace: allow ingress only from 'frontend' namespace on port 8080, deny all other ingress and egress. Use Calico network policy syntax."

Collaboration & Communication Prompts

19. Write a Security Incident Response Playbook

Prompt: "Draft a one-page incident response playbook for a suspected data breach. Use the NIST framework: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned. For each phase, list 3-5 action items and responsible roles (e.g., SOC analyst, Dev lead)."

20. Generate a Security Awareness Email

Prompt: "Write an internal email to all employees about a new phishing simulation campaign. Tone: friendly but serious. Include: what phishing is, how to report suspicious emails (button in Outlook), and a link to the company's security policy. Keep it under 200 words."

Conclusion

These 20 prompts cover the most common DevSecOps tasks — from static and dynamic analysis to policy as code and incident response. By using AI to generate first drafts, you free up time for deeper security reviews and threat modeling. Remember: always validate AI-generated configurations against your organization’s specific requirements and run them in a test environment first.

For a deeper dive into integrating these prompts with real-world tools and CI/CD pipelines, explore dedicated courses on security automation. Many platforms now offer structured learning paths for DevSecOps. For example, ASI Biont supports connecting to GitHub, GitLab, and Jenkins through API — see details at asibiont.com/courses. Start small, automate gradually, and always keep security human-centric.

← All posts

Comments