30 Prompts for Security and DevSecOps: Audit, Scanning, and Policies

Introduction

Security is no longer an afterthought—it's a continuous process embedded in every stage of development. DevSecOps shifts security left, integrating practices like static analysis, dynamic testing, and policy enforcement directly into CI/CD pipelines. But even with the best tools, teams often struggle to define clear, actionable tasks for their AI assistants or internal automation. This is where carefully crafted prompts come in.

A prompt is not just a question—it's a structured instruction that can trigger a scan, generate a report, or enforce a policy. In this article, I'll share 30 practical prompts across three categories: basic (for beginners), advanced (for practitioners), and expert (for architects). Each prompt includes the task, the exact prompt text, and an example result. Whether you're auditing code, scanning containers, or defining access policies, these prompts will save you time and reduce risk.

Why Prompts Matter in DevSecOps

In a DevSecOps environment, you interact with multiple tools—SAST scanners like Semgrep or CodeQL, DAST tools like OWASP ZAP or Burp Suite, policy engines like OPA (Open Policy Agent), and infrastructure-as-code validators like Checkov. Writing a good prompt means you can automate repetitive tasks, standardize responses, and avoid human error. For instance, a prompt like "Scan this Terraform file for misconfigurations" can be parameterized and reused across dozens of repositories.

Prompts also serve as a communication layer between security teams and developers. Instead of saying "fix the OWASP Top 10 issues," a prompt can generate a prioritized list with code snippets and remediation steps. This lowers friction and accelerates fixes.

Basic Prompts (10 Prompts)

These prompts are ideal for beginners—security analysts or junior developers who need quick, actionable results without deep configuration.

1. Task: Generate a SAST Scan Report for a Python Project

Prompt:

Analyze the Python codebase in the 'src/' directory for security vulnerabilities. Focus on the OWASP Top 10 for 2021, particularly SQL injection, XSS, and insecure deserialization. Output a Markdown table with columns: vulnerability name, file path, line number, severity (Critical/High/Medium/Low), and recommended fix. Ignore false positives if possible.

Example Result:

Vulnerability File Line Severity Fix
SQL Injection src/db.py 42 Critical Use parameterized queries with cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
Insecure Deserialization src/utils.py 15 High Avoid pickle.load(); use JSON or safely.loads()

2. Task: Scan a Docker Image for Known CVEs

Prompt:

Scan the Docker image 'myapp:latest' for Common Vulnerabilities and Exposures (CVEs) in the base image and installed packages. List only critical and high-severity vulnerabilities. For each, provide the CVE ID, affected package, current version, and a link to the NVD entry.

Example Result:
- CVE-2026-1234: openssl 1.1.1k (Critical) – https://nvd.nist.gov/vuln/detail/CVE-2026-1234
- CVE-2025-5678: libcurl 7.74.0 (High) – https://nvd.nist.gov/vuln/detail/CVE-2025-5678

3. Task: Check a Kubernetes Deployment for Pod Security Standards

Prompt:

Review the Kubernetes deployment file 'deploy.yaml' against the Pod Security Standards (Restricted profile). List any violations, such as running as root, allowing privileged escalation, or missing read-only root filesystem. Provide the exact YAML path and suggested fix.

Example Result:
- Violation: securityContext.allowPrivilegeEscalation is not set (defaults to true). Fix: set allowPrivilegeEscalation: false.
- Violation: runAsNonRoot is not set. Fix: set runAsNonRoot: true.

4. Task: Audit AWS IAM Policies for Over-Permissions

Prompt:

Analyze the attached IAM policy document (JSON) for over-privileged permissions. Identify any actions that grant 'FullAccess' to services like S3, EC2, or IAM. List the principal, effect, action, and resource. Suggest a least-privilege alternative for each.

Example Result:

Principal Action Resource Issue Suggestion
user:devops s3:* * Full S3 access Replace with s3:GetObject and s3:PutObject on specific buckets

5. Task: Generate a Secret Scanning Report for a Git Repository

Prompt:

Scan the repository's commit history for hardcoded secretsAPI keys, passwords, tokens, and private keys. Use regex patterns for AWS keys, GitHub tokens, and Slack webhooks. Output a table with commit hash, file path, secret type, and severity.

Example Result:

Commit File Secret Type Severity
a1b2c3d config.py AWS Access Key Critical
e4f5g6h .env Slack Token High

6. Task: Review a Terraform Plan for Security Misconfigurations

Prompt:

Examine the Terraform plan output for security misconfigurations. Check for S3 buckets with public access, security groups with 0.0.0.0/0 to port 22, and RDS instances without encryption. For each issue, provide the resource address, current setting, and recommended change.

Example Result:
- Resource: aws_s3_bucket.my_bucket – Public access block not set. Fix: add block_public_acls = true.
- Resource: aws_security_group.ssh – Ingress 0.0.0.0/0:22. Fix: restrict to specific IP range.

7. Task: Analyze a Log File for Suspicious Activity

Prompt:

Analyze the provided web server access log (Nginx format) for potential attack patterns: SQL injection attempts, path traversal, or brute-force login. Summarize the top 5 suspicious IPs, the type of attack, and the number of occurrences.

Example Result:
- IP 192.168.1.100 – SQL injection in '/search?q=1' OR '1'='1' – 12 occurrences
- IP 10.0.0.5 – Path traversal in '/../../../etc/passwd' – 3 occurrences

8. Task: Check a Python Library for Known Vulnerabilities

Prompt:

Given the 'requirements.txt' file, check each package against the NVD database. List packages with known vulnerabilities, including the fixed version. Prioritize by CVSS score.

Example Result:
- requests 2.25.1 (CVE-2026-1111, CVSS 9.8) – upgrade to 2.26.0
- django 3.2.0 (CVE-2025-9999, CVSS 7.5) – upgrade to 3.2.10

9. Task: Generate a Compliance Summary for SOC 2

Prompt:

Evaluate the current security controls (list provided) against SOC 2 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). For each criterion, state whether it's met or not, and list missing controls.

Example Result:
- Security: Met (access control, encryption at rest, logging)
- Availability: Not met (no disaster recovery plan documented)

10. Task: Create a Security Checklist for a New Microservice

Prompt:

Generate a security checklist for deploying a new microservice. Include items: authentication (JWT/OAuth), input validation, output encoding, dependency scanning, and logging. For each item, provide a brief description and a sample implementation.

Example Result:
- [ ] Input validation: Use a library like pydantic to validate all API inputs.
- [ ] Dependency scanning: Run npm audit or pip-audit before deployment.

Advanced Prompts (10 Prompts)

These prompts require a deeper understanding of security tools and infrastructure.

11. Task: Automated DAST Scan with OWASP ZAP

Prompt:

Execute a DAST scan against the staging URL 'https://staging.example.com' using OWASP ZAP. Run the 'Full Scan' with AJAX Spider enabled. After completion, generate a JSON report with all alerts, grouped by risk level (High, Medium, Low). Include evidence (request/response) for high-risk findings.

Example Result:

{
  "site": "https://staging.example.com",
  "alerts": [
    {
      "risk": "High",
      "name": "SQL Injection",
      "url": "/api/users?id=1",
      "evidence": "Request: GET /api/users?id=1' OR '1'='1; Response: 200 OK with user data"
    }
  ]
}

12. Task: Enforce a Policy with OPA (Rego)

Prompt:

Write a Rego policy for OPA that denies any Kubernetes deployment with 'imagePullPolicy: Always' in production namespaces (e.g., 'prod-*'). The policy should also allow 'imagePullPolicy: IfNotPresent' for non-prod. Provide the policy code and a test case.

Example Result:

package kubernetes.admission
denying[msg] {
  input.request.kind.kind == "Deployment"
  namespace = input.request.object.metadata.namespace
  startswith(namespace, "prod-")
  containers = input.request.object.spec.template.spec.containers[_]
  containers.imagePullPolicy == "Always"
  msg = "Production deployments must use 'IfNotPresent' imagePullPolicy"
}

13. Task: Perform a CodeQL Query for Hardcoded Credentials

Prompt:

Using CodeQL, query the JavaScript repository for hardcoded credentials. Write a QL query that finds string literals containing 'password', 'secret', or 'api_key' assigned to variables. Output the file, line number, and the literal value.

Example Result:
- src/config.js:12 – const password = "supersecret123"

14. Task: Generate an SBOM (Software Bill of Materials)

Prompt:

Generate a CycloneDX SBOM for the Node.js project in '/app'. Include all direct and transitive dependencies, their versions, licenses, and download locations. Output as JSON.

Example Result:

{
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "lodash",
      "version": "4.17.21",
      "licenses": [{"license": {"id": "MIT"}}],
      "purl": "pkg:npm/lodash@4.17.21"
    }
  ]
}

15. Task: Analyze a Container Image for Non-Root User

Prompt:

Inspect the Dockerfile for 'myapp:latest' and ensure it creates a non-root user and switches to it. If not, output the lines that need to be added. Also check if the container runs with 'USER root'.

Example Result:
- Missing: RUN useradd -m -s /bin/bash appuser and USER appuser before CMD.
- Current: USER root at line 20 – should be removed.

16. Task: Review a Network Security Group for Inbound Rules

Prompt:

Analyze the AWS security group JSON for inbound rules. Flag any rule with 'CidrIp': '0.0.0.0/0' and port 22, 3389, or 3306. For each, suggest a more restrictive CIDR (e.g., office IP range).

Example Result:
- Rule: Ingress TCP 22 from 0.0.0.0/0 – change to 203.0.113.0/24.

17. Task: Perform a GitLeaks Scan on a Branch

Prompt:

Run GitLeaks on the 'develop' branch of the repository. Scan for high-entropy strings and known patterns (AWS, GitHub, Slack). Output results in JSON format with commit, file, and secret.

Example Result:

{
  "leaks": [
    {
      "commit": "abc123",
      "file": "config.json",
      "secret": "AKIA..."
    }
  ]
}

18. Task: Generate a Threat Model for a Payment API

Prompt:

Create a threat model for a payment API using STRIDE. For each category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), list at least one threat, its impact, and a mitigation.

Example Result:
- Spoofing: Attacker impersonates a merchant via stolen API key. Mitigation: Use mutual TLS (mTLS).
- Denial of Service: Flooding /charge endpoint. Mitigation: Rate limiting and WAF.

19. Task: Validate a Terraform State File for Drift

Prompt:

Compare the current Terraform state file (state.json) with the live AWS resources. List any resources that have driftede.g., changed tags, security groups, or instance types. Provide the resource name, expected value, and actual value.

Example Result:
- Resource: aws_instance.web – Expected tag 'Env: prod', actual 'Env: staging'.

20. Task: Create a Custom Semgrep Rule for Hardcoded IPs

Prompt:

Write a Semgrep rule that detects hardcoded IPv4 addresses in Python code (except 127.0.0.1 and 0.0.0.0). The rule should match string literals like '10.0.0.1'. Output the rule YAML and a test case.

Example Result:

rules:
  - id: hardcoded-ip
    patterns:
      - pattern-regex: "\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
      - pattern-not: "127.0.0.1"
      - pattern-not: "0.0.0.0"
    message: "Hardcoded IP address found"
    languages: [python]
    severity: WARNING

Expert Prompts (10 Prompts)

These prompts are for security architects and lead engineers who design policies and automate complex workflows.

21. Task: Build a Custom Policy Engine for Infrastructure as Code

Prompt:

Design a policy engine using OPA that validates Terraform modules before deployment. The engine should check for: (1) S3 bucket versioning enabled, (2) CloudTrail logging enabled, (3) KMS encryption on EBS volumes. Provide the Rego policies and a script to run them via `opa eval`.

Example Result:

package terraform.aws
violation[msg] {
  resource = input.resource.aws_s3_bucket[_]
  resource.versioning[0].enabled != true
  msg = sprintf("%s: versioning is not enabled", [resource.name])
}

22. Task: Automate Incident Response with a Prompt

Prompt:

Create a runbook for responding to a 'Critical' alert from AWS GuardDuty (e.g., 'UnauthorizedAccess:EC2/SSHBruteForce'). The runbook should include: step-by-step containment (isolate the instance), investigation (analyze CloudTrail logs), and recovery (apply security group changes). Output as a checklist.

Example Result:
1. Isolate: Attach a 'deny-all' security group to the affected instance.
2. Investigate: Query CloudTrail for API calls from the source IP in the last 24 hours.
3. Recover: Remove the instance from Auto Scaling group, patch, then redeploy.

23. Task: Generate a Kubernetes Network Policy from a Service Map

Prompt:

Given a service dependency graph (list of services and their allowed connections), generate Kubernetes NetworkPolicy YAML for each namespace. Use 'podSelector' and 'ingress/egress' rules. Example: 'frontend' can talk to 'backend' on port 8080, 'backend' can talk to 'db' on port 5432.

Example Result:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 8080

24. Task: Perform a Cryptographic Audit of TLS Certificates

Prompt:

Audit all TLS certificates in the 'certificates/' directory. For each, extract: issuer, subject, validity period, signature algorithm, and key size. Flag certificates using SHA-1 or RSA 1024. Output a table with status (Pass/Fail).

Example Result:

Certificate Issuer Key Size Algorithm Status
wildcard.example.com.pem Let's Encrypt 2048 SHA-256 Pass
old-cert.pem Self-signed 1024 SHA-1 Fail

25. Task: Create a Compliance Dashboard Query

Prompt:

Write a SQL query for a security data lake (e.g., AWS Athena) that retrieves all failed CIS benchmark checks for EC2 instances in the last 7 days. Group by instance ID and check ID. Include the timestamp, region, and account ID.

Example Result:

SELECT instance_id, check_id, region, account_id, MAX(timestamp) as last_fail
FROM compliance_results
WHERE status = 'FAIL' AND dt >= current_date - interval '7' day
GROUP BY 1, 2, 3, 4;

26. Task: Design a Zero-Trust Network Architecture Prompt

Prompt:

Outline a zero-trust network architecture for a multi-cloud environment (AWS + GCP). Include: micro-segmentation, identity-aware proxy, mutual TLS, and continuous monitoring. For each component, specify the tool (e.g., BeyondCorp, AWS Network Firewall) and configuration steps.

Example Result:
- Micro-segmentation: Use Calico or Cilium for Kubernetes network policies.
- Identity-aware proxy: Deploy Google IAP or AWS Verified Access.

27. Task: Automate a SLSA Level 3 Build

Prompt:

Create a GitHub Actions workflow that achieves SLSA Level 3 for a Java application. Include: (1) provenance generation using slsa-framework, (2) signed attestations, (3) reproducible build. Provide the YAML and the commands for verification.

Example Result:

name: SLSA
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: slsa-framework/slsa-github-generator@v1.0

28. Task: Generate a Dynamic Policy for CI/CD Based on Branch

Prompt:

Write a script (Bash or Python) that checks the current Git branch and applies different security policies: for 'main' branch, require SAST scan, dependency check, and container image signing; for 'feature' branches, only require linting and unit tests. Output the policy decision.

Example Result:

if [[ "$BRANCH" == "main" ]]; then
  echo "Applying full security suite: SAST, SCA, signing"
  # run SAST
else
  echo "Running minimal checks"
fi

29. Task: Evaluate Third-Party Library Risk

Prompt:

For each dependency in 'requirements.txt', compute a risk score based on: (1) number of open CVEs, (2) last release date, (3) number of maintainers, (4) license type. Output a sorted list with risk score and recommendation (keep/update/replace).

Example Result:

Library Score Recommendation
deprecated-lib 9.2 Replace with 'new-lib'

30. Task: Create a Self-Healing Security Pipeline

Prompt:

Design a pipeline that automatically blocks a deployment if a critical vulnerability is found. The pipeline should: scan the image, compare against a policy (e.g., no CVSS > 7.0), and if blocked, create a Jira ticket and notify the team via Slack. Provide a diagram and pseudocode.

Example Result:
- Pseudocode: if scan.critical_count > 0: then block_deployment(); create_jira(); send_slack_alert()

Practical Tips for Writing Security Prompts

  • Be specific: Instead of "check for vulnerabilities," say "scan for SQL injection in Python code using Semgrep with rule 'python.sql-injection'."
  • Include output format: Specify JSON, Markdown, or YAML to avoid ambiguity.
  • Set severity thresholds: Filter results to critical/high to reduce noise.
  • Test with edge cases: Run prompts against known vulnerable code to verify they catch issues.
  • Iterate: Prompts are not static—refine them based on false positives and team feedback.

Conclusion

Prompts are a powerful tool in a DevSecOps engineer's arsenal. They bridge the gap between security intent and automated action. By mastering these 30 prompts—from basic SAST scans to expert policy engines—you can enforce security at scale, reduce mean time to remediation, and build a culture of proactive defense. Start with the basic prompts, then gradually adopt advanced and expert ones as your team matures. Remember: the best prompt is the one that gets executed consistently in your pipeline.

This article was published on asibiont.com/blog. For more insights on security automation and DevSecOps, visit our blog regularly.

← All posts

Comments