Introduction
Modern development pipelines are fast, but speed without security is a liability. DevSecOps integrates security into every phase of the software lifecycle—from code commit to production deployment. Yet many teams struggle to adopt it because security expertise is scarce and manual checks are slow. This is where structured prompts for AI assistants come in: they automate audit tasks, generate scanning configurations, and enforce policies consistently. In this article, we provide 15 ready-to-use prompts for SAST, DAST, dependency scanning, access policies, and compliance checks—each with a concrete example.
Why Prompts Matter for DevSecOps
Prompts act as reusable templates that guide an AI to produce specific security outputs. According to the OWASP DevSecOps Guideline (owasp.org), automation is key to shift-left security. By using these prompts, you can:
- Generate SAST rules for custom codebases.
- Create DAST scan profiles for web applications.
- Draft IAM policies that follow least-privilege principles.
- Audit CI/CD pipelines for secret leaks and misconfigurations.
Each prompt below is designed to be copy-pasted into an AI tool (like ChatGPT or Claude) and yields actionable results.
15 Prompts for Security and DevSecOps
1. SAST Rule Generation for SQL Injection
Prompt: "Generate a Semgrep rule that detects SQL injection vulnerabilities in Python Django applications. The rule should flag raw SQL queries using cursor.execute() with string concatenation. Provide the rule in YAML format with metadata including severity (HIGH) and confidence (HIGH)."
Explanation: This prompt creates a static analysis rule tailored to your tech stack. Instead of using generic rules, you get a focused check that reduces false positives.
Usage example: Paste the prompt into an AI assistant. It returns a YAML snippet:
rules:
- id: django-sql-injection
pattern: cursor.execute("..." + $QUERY)
message: "SQL injection risk: string concatenation in cursor.execute"
severity: HIGH
languages: [python]
2. DAST Scan Configuration for OWASP Top 10
Prompt: "Write a ZAP (Zed Attack Proxy) scan policy configuration for a web application. Include active scanners for all OWASP Top 10 2021 categories: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Auth Failures, A08 Data Integrity, A09 Logging Failures, A10 SSRF. Output as a policy file in JSON format."
Explanation: ZAP is a popular open-source DAST tool. This prompt generates a ready-to-import policy that covers the most critical web risks.
Usage example: The AI outputs a JSON policy that you import into ZAP. It enables all high-risk scanners and disables low-risk ones.
3. Dependency Vulnerability Scan Script
Prompt: "Create a bash script that runs pip-audit on all Python projects in a directory tree, outputs a CSV report with columns: project, package, installed version, vulnerability ID, severity, and fix version. Include error handling for missing virtual environments."
Explanation: Automates dependency scanning across multiple microservices. The CSV format simplifies integration with dashboards.
Usage example: The script scans 20 projects in seconds, producing a report that you can feed into a Jira board for tracking.
4. Kubernetes RBAC Policy Audit
Prompt: "Analyze the following Kubernetes RBAC configuration and identify roles that violate least-privilege principles. List roles that grant wildcard verbs ('') or resources (''), and suggest specific permissions. Format the output as a table with Role Name, Namespace, Violation, and Recommendation."
Explanation: RBAC misconfigurations are a top cause of breaches. This prompt helps you audit existing policies.
Usage example: Provide a YAML file with Role and ClusterRole definitions. The AI outputs a table showing overprivileged roles.
5. CI/CD Pipeline Secret Detection
Prompt: "Review the following GitLab CI YAML file for hardcoded secrets (API keys, tokens, passwords). Highlight each occurrence with line number, secret type, and risk level. Suggest how to replace them with CI/CD variables."
Explanation: Secrets in pipeline configs are common. This prompt acts as an automated code review.
Usage example: Paste your .gitlab-ci.yml. The AI returns a list like: "Line 15: AWS_ACCESS_KEY_ID (HIGH) → use $AWS_ACCESS_KEY_ID variable."
6. Terraform Security Policy Check
Prompt: "Scan this Terraform script for security misconfigurations: open security groups, unencrypted S3 buckets, public RDS instances, and IAM policies with full admin access. For each issue, provide the resource name, risk, and a fix using Terraform code."
Explanation: Infrastructure-as-Code (IaC) scanning prevents cloud misconfigurations before deployment.
Usage example: The AI finds an S3 bucket with acl = "public-read" and suggests acl = "private".
7. OpenID Connect (OIDC) Integration Audit
Prompt: "Check this OpenID Connect configuration (client ID, redirect URIs, token endpoint) for common flaws: missing PKCE, wildcard redirect URIs, expired certificates, and insecure token storage. Provide a checklist with pass/fail status."
Explanation: OIDC is widely used for authentication, but misconfigurations lead to account takeover.
Usage example: The AI flags a redirect URI https://*.example.com/* as a high-risk wildcard.
8. Dockerfile Security Hardening
Prompt: "Analyze this Dockerfile for security issues: running as root, using outdated base images, installing unnecessary packages, and copying secrets. Suggest improvements using multi-stage builds and non-root users."
Explanation: Container security starts with the Dockerfile. This prompt generates a hardened version.
Usage example: The AI changes FROM ubuntu:latest to FROM ubuntu:22.04 and adds USER appuser.
9. Logging and Monitoring Policy Template
Prompt: "Draft a security logging policy for a cloud-native application. Include required log sources (API gateway, application logs, database logs), retention periods (30 days hot, 1 year cold), and alerting rules for failed logins, privilege escalation, and data exfiltration. Output as a Markdown document."
Explanation: Many teams lack a formal logging policy. This prompt creates a template you can adapt.
Usage example: The policy includes a rule: "Alert on 10+ failed logins from same IP in 5 minutes."
10. Incident Response Playbook for Code Injection
Prompt: "Write an incident response playbook for a suspected code injection attack in a Node.js application. Include steps: detection (signs in logs), containment (isolate server), eradication (remove malicious code), recovery (restore from clean backup), and lessons learned. Use the NIST framework."
Explanation: Predefined playbooks reduce response time. This one follows NIST SP 800-61.
Usage example: The playbook includes a checklist: "Check application logs for eval() calls with unexpected input."
11. Compliance Check for GDPR Data Handling
Prompt: "Audit this pseudocode data flow for GDPR compliance. Identify where personal data (PII) is collected, stored, processed, and deleted. Flag any step that lacks encryption at rest or in transit, and suggest fixes."
Explanation: GDPR requires data protection by design. This prompt automates a privacy review.
Usage example: The AI notes: "PII stored in CSV on disk without encryption → use AES-256."
12. API Security Specification Review
Prompt: "Review this OpenAPI 3.0 specification for security issues: missing authentication on endpoints, lack of rate limiting, insecure data types (e.g., integer for user IDs), and missing input validation. Provide a table with endpoint path, issue, and OWASP category."
Explanation: API specs are often reviewed manually. This prompt catches common mistakes.
Usage example: The AI flags GET /users/{id} as missing security scheme and suggests adding OAuth2.
13. Network Security Group Rule Optimization
Prompt: "Analyze this AWS Security Group configuration and suggest rules that allow only necessary traffic. Flag overly permissive rules (e.g., 0.0.0.0/0 on SSH). Provide optimized JSON with descriptions."
Explanation: Cloud network misconfigurations cause data breaches. This prompt tightens rules.
Usage example: The AI changes from_port: 22, to_port: 22, cidr_ip: 0.0.0.0/0 to a specific office IP.
14. Secrets Rotation Policy Generator
Prompt: "Create a secrets rotation policy for a microservices architecture using HashiCorp Vault. Include rotation intervals for database credentials (30 days), API keys (90 days), and TLS certificates (1 year). Describe the rotation workflow with commands."
Explanation: Automated rotation reduces breach impact. This prompt provides a concrete plan.
Usage example: The policy includes vault write database/rotate-root/my-db command.
15. Supply Chain Security Checklist
Prompt: "Generate a supply chain security checklist for a software project. Cover: signed commits, SBOM generation, dependency pinning, vulnerability scanning in CI, and artifact provenance. Use SLSA level 2 as a baseline."
Explanation: Supply chain attacks (like SolarWinds) are growing. This checklist follows SLSA standards.
Usage example: The checklist includes: "Enable Dependabot alerts and require signed commits via GPG."
Conclusion
These 15 prompts cover the core areas of DevSecOps: code scanning, dynamic testing, infrastructure security, policy enforcement, and incident response. By integrating them into your daily workflow, you shift security left without overburdening your team. Start by picking the prompt most relevant to your current bottleneck—whether it's SAST rule generation or CI/CD secret detection. Automate your security audits, and let the AI handle the heavy lifting.
Next step: Pick one prompt today, run it against your project, and commit the results to your security backlog.
Comments