Introduction
Security is no longer an afterthought in software development — it’s a continuous, integrated practice known as DevSecOps. To help teams automate audits, vulnerability scanning, and policy enforcement, this article provides 20 ready-to-use prompts for AI assistants like ChatGPT, Claude, and Gemini. Each prompt is designed to save time, reduce human error, and align with industry standards like OWASP, NIST, and CIS. Whether you’re a security engineer, DevOps lead, or compliance officer, these prompts will streamline your daily workflows.
Why Use Prompts for DevSecOps?
AI can accelerate repetitive security tasks — from generating SAST configuration files to drafting access control policies. Instead of writing every script or rule from scratch, you can ask an AI to produce a first draft, then review and customize it. This approach is especially useful for:
- SAST (Static Application Security Testing): Scanning source code for vulnerabilities.
- DAST (Dynamic Application Security Testing): Testing running applications.
- Policy as Code: Defining and enforcing security policies automatically.
Below are 20 categorized prompts you can copy, paste, and adapt.
SAST & Code Analysis Prompts
1. Generate a SAST Configuration for Semgrep
Prompt: "Create a Semgrep configuration file (YAML) that detects SQL injection, XSS, and insecure deserialization in Python Flask applications. Include rule IDs, severity levels, and example patterns. Use OWASP Top 10 2021 as reference."
Example Output:
rules:
- id: python-flask-sql-injection
pattern: |
cursor.execute("..." + $VAR + "...")
message: "SQL injection detected"
severity: ERROR
languages: [python]
2. Generate a SAST Configuration for CodeQL
Prompt: "Write a CodeQL query (QL file) to detect hardcoded API keys or passwords in Java source code. The query should flag string literals longer than 10 characters that match common key patterns like 'sk-', 'AKIA', or 'ghp_'. Reference the CWE-798 standard."
Example Output:
import java
from Expr e
where e.toString().matches("sk-%") or e.toString().matches("AKIA%")
select e, "Hardcoded credential detected"
3. Explain a SAST Finding
Prompt: "I have this SAST finding from SonarQube: 'Make sure that using this pseudorandom number generator is safe here.' The file is auth.py, line 42, using random.randint(). Write a one-paragraph explanation of the risk and suggest a fix using secrets module."
4. Compare SAST Tools for a Python Project
Prompt: "Compare Bandit, Semgrep, and SonarQube for a Python Django project with 50,000 lines of code. Consider: detection rate for OWASP Top 10, false positive rate, integration with GitHub Actions, and licensing cost. Provide a table and a recommendation."
| Tool | Detection Rate | False Positives | CI Integration | License |
|---|---|---|---|---|
| Bandit | Medium | Low | Native | Open source |
| Semgrep | High | Medium | Native | Free tier + paid |
| SonarQube | High | Medium | Native | Community + paid |
DAST & Dynamic Testing Prompts
5. Generate a DAST Scan Configuration for OWASP ZAP
Prompt: "Create an OWASP ZAP automation plan (YAML) to scan a REST API at https://api.example.com/v1. Include authentication using a bearer token, spidering, active scan with high threshold, and exclude logout endpoints. Output the full YAML."
6. Write a Burp Suite Intruder Payload
Prompt: "Generate a Burp Suite Intruder payload list (one entry per line) for testing SQL injection in a login form. Include 20 classic payloads like ' OR '1'='1, ' UNION SELECT NULL--, and sleep-based payloads. Reference OWASP SQL Injection Cheat Sheet."
7. Interpret a DAST Report
Prompt: "I have a DAST report from Acunetix showing a 'Reflected XSS' in the search endpoint with parameter 'q'. The evidence includes the payload ''. Write a remediation guide for the development team, including input validation, output encoding, and Content-Security-Policy headers."
8. Generate Test Cases for API Security Testing
Prompt: "List 15 test cases for DAST of a REST API that uses JWT authentication. Include tests for token tampering, missing token, expired token, and privilege escalation. For each test, describe the request, expected response, and risk level."
Policy as Code & Access Control Prompts
9. Write a Kubernetes Pod Security Policy
Prompt: "Create a Kubernetes Pod Security Standard (baseline profile) as a YAML policy using Kyverno. The policy should: deny privileged containers, require read-only root filesystem, and enforce that containers run as non-root user. Include annotations and validationFailureAction: enforce."
10. Generate an AWS IAM Policy
Prompt: "Write an AWS IAM policy (JSON) that grants least-privilege access to an S3 bucket for a CI/CD pipeline. Allow only s3:GetObject, s3:PutObject, and s3:ListBucket on a specific bucket 'myapp-artifacts'. Deny all other actions. Use a condition to require TLS."
11. Create a Terraform Sentinel Policy
Prompt: "Write a Terraform Sentinel policy (Sentinel language) that prevents provisioning of AWS RDS instances without encryption at rest. The policy should check resource type 'aws_db_instance' and ensure the 'storage_encrypted' attribute is true. If not, deny the plan."
12. Generate a Compliance Check for CIS Benchmark
Prompt: "Create a script in Python using the 'policyuniverse' library that reads an AWS IAM policy JSON and checks if it violates CIS AWS Foundations Benchmark 1.22 (ensure IAM policies that allow full administrative privileges are not created). Output pass/fail with reasons."
Audit & Logging Prompts
13. Write a CloudTrail Audit Query
Prompt: "Generate an AWS CloudTrail Insights query (JSON) that detects root account login activity. The query should filter on eventName 'ConsoleLogin' and userIdentity.type 'Root'. Return the last 90 days of events. Explain how to run this in AWS Athena."
14. Draft a Security Audit Checklist
Prompt: "Create a 20-item security audit checklist for a web application that stores PII. Cover areas: encryption at rest and in transit, authentication, session management, logging, and incident response. Reference NIST SP 800-53 controls. Format as a table with columns: Control Area, Check Item, Status (Pass/Fail/NA)."
| Control Area | Check Item | Status |
|---|---|---|
| Encryption | Database encrypted with AES-256 | |
| Authentication | MFA enabled for all users |
15. Generate a Log Analysis Query for SIEM
Prompt: "Write a Splunk SPL query to detect brute-force SSH attempts. Look for more than 10 failed authentication events (sshd: Failed password) from the same source IP within 5 minutes. Return source IP, count, and first/last timestamp. Include a threshold alert description."
Container & Infrastructure Security Prompts
16. Generate a Dockerfile Security Lint
Prompt: "Create a Dockerfile best-practice checklist with 10 rules. For each rule, provide a 'good' and 'bad' example. Include: use specific base image tags, avoid running as root, use multi-stage builds, don't store secrets in ENV, and add HEALTHCHECK."
17. Write a Trivy Scan Command
Prompt: "Generate a Trivy command to scan a Docker image 'myapp:latest' for critical and high severity vulnerabilities. Output should be in JSON format, include only fixed vulnerabilities, and exclude unfixed ones. Explain how to integrate this into a GitLab CI pipeline."
18. Create a Network Policy for Kubernetes
Prompt: "Write a Kubernetes NetworkPolicy YAML that restricts traffic to a 'backend' namespace: allow ingress only from 'frontend' namespace on port 8080, deny all other ingress and egress. Use Calico network policy syntax."
Collaboration & Communication Prompts
19. Write a Security Incident Response Playbook
Prompt: "Draft a one-page incident response playbook for a suspected data breach. Use the NIST framework: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned. For each phase, list 3-5 action items and responsible roles (e.g., SOC analyst, Dev lead)."
20. Generate a Security Awareness Email
Prompt: "Write an internal email to all employees about a new phishing simulation campaign. Tone: friendly but serious. Include: what phishing is, how to report suspicious emails (button in Outlook), and a link to the company's security policy. Keep it under 200 words."
Conclusion
These 20 prompts cover the most common DevSecOps tasks — from static and dynamic analysis to policy as code and incident response. By using AI to generate first drafts, you free up time for deeper security reviews and threat modeling. Remember: always validate AI-generated configurations against your organization’s specific requirements and run them in a test environment first.
For a deeper dive into integrating these prompts with real-world tools and CI/CD pipelines, explore dedicated courses on security automation. Many platforms now offer structured learning paths for DevSecOps. For example, ASI Biont supports connecting to GitHub, GitLab, and Jenkins through API — see details at asibiont.com/courses. Start small, automate gradually, and always keep security human-centric.
Comments