Introduction
Security is no longer an afterthought—it's a continuous process embedded in every stage of development. DevSecOps shifts security left, integrating practices like static analysis, dynamic testing, and policy enforcement directly into CI/CD pipelines. But even with the best tools, teams often struggle to define clear, actionable tasks for their AI assistants or internal automation. This is where carefully crafted prompts come in.
A prompt is not just a question—it's a structured instruction that can trigger a scan, generate a report, or enforce a policy. In this article, I'll share 30 practical prompts across three categories: basic (for beginners), advanced (for practitioners), and expert (for architects). Each prompt includes the task, the exact prompt text, and an example result. Whether you're auditing code, scanning containers, or defining access policies, these prompts will save you time and reduce risk.
Why Prompts Matter in DevSecOps
In a DevSecOps environment, you interact with multiple tools—SAST scanners like Semgrep or CodeQL, DAST tools like OWASP ZAP or Burp Suite, policy engines like OPA (Open Policy Agent), and infrastructure-as-code validators like Checkov. Writing a good prompt means you can automate repetitive tasks, standardize responses, and avoid human error. For instance, a prompt like "Scan this Terraform file for misconfigurations" can be parameterized and reused across dozens of repositories.
Prompts also serve as a communication layer between security teams and developers. Instead of saying "fix the OWASP Top 10 issues," a prompt can generate a prioritized list with code snippets and remediation steps. This lowers friction and accelerates fixes.
Basic Prompts (10 Prompts)
These prompts are ideal for beginners—security analysts or junior developers who need quick, actionable results without deep configuration.
1. Task: Generate a SAST Scan Report for a Python Project
Prompt:
Analyze the Python codebase in the 'src/' directory for security vulnerabilities. Focus on the OWASP Top 10 for 2021, particularly SQL injection, XSS, and insecure deserialization. Output a Markdown table with columns: vulnerability name, file path, line number, severity (Critical/High/Medium/Low), and recommended fix. Ignore false positives if possible.
Example Result:
| Vulnerability | File | Line | Severity | Fix |
|---|---|---|---|---|
| SQL Injection | src/db.py | 42 | Critical | Use parameterized queries with cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,)) |
| Insecure Deserialization | src/utils.py | 15 | High | Avoid pickle.load(); use JSON or safely.loads() |
2. Task: Scan a Docker Image for Known CVEs
Prompt:
Scan the Docker image 'myapp:latest' for Common Vulnerabilities and Exposures (CVEs) in the base image and installed packages. List only critical and high-severity vulnerabilities. For each, provide the CVE ID, affected package, current version, and a link to the NVD entry.
Example Result:
- CVE-2026-1234: openssl 1.1.1k (Critical) – https://nvd.nist.gov/vuln/detail/CVE-2026-1234
- CVE-2025-5678: libcurl 7.74.0 (High) – https://nvd.nist.gov/vuln/detail/CVE-2025-5678
3. Task: Check a Kubernetes Deployment for Pod Security Standards
Prompt:
Review the Kubernetes deployment file 'deploy.yaml' against the Pod Security Standards (Restricted profile). List any violations, such as running as root, allowing privileged escalation, or missing read-only root filesystem. Provide the exact YAML path and suggested fix.
Example Result:
- Violation: securityContext.allowPrivilegeEscalation is not set (defaults to true). Fix: set allowPrivilegeEscalation: false.
- Violation: runAsNonRoot is not set. Fix: set runAsNonRoot: true.
4. Task: Audit AWS IAM Policies for Over-Permissions
Prompt:
Analyze the attached IAM policy document (JSON) for over-privileged permissions. Identify any actions that grant 'FullAccess' to services like S3, EC2, or IAM. List the principal, effect, action, and resource. Suggest a least-privilege alternative for each.
Example Result:
| Principal | Action | Resource | Issue | Suggestion |
|---|---|---|---|---|
| user:devops | s3:* | * | Full S3 access | Replace with s3:GetObject and s3:PutObject on specific buckets |
5. Task: Generate a Secret Scanning Report for a Git Repository
Prompt:
Scan the repository's commit history for hardcoded secrets—API keys, passwords, tokens, and private keys. Use regex patterns for AWS keys, GitHub tokens, and Slack webhooks. Output a table with commit hash, file path, secret type, and severity.
Example Result:
| Commit | File | Secret Type | Severity |
|---|---|---|---|
| a1b2c3d | config.py | AWS Access Key | Critical |
| e4f5g6h | .env | Slack Token | High |
6. Task: Review a Terraform Plan for Security Misconfigurations
Prompt:
Examine the Terraform plan output for security misconfigurations. Check for S3 buckets with public access, security groups with 0.0.0.0/0 to port 22, and RDS instances without encryption. For each issue, provide the resource address, current setting, and recommended change.
Example Result:
- Resource: aws_s3_bucket.my_bucket – Public access block not set. Fix: add block_public_acls = true.
- Resource: aws_security_group.ssh – Ingress 0.0.0.0/0:22. Fix: restrict to specific IP range.
7. Task: Analyze a Log File for Suspicious Activity
Prompt:
Analyze the provided web server access log (Nginx format) for potential attack patterns: SQL injection attempts, path traversal, or brute-force login. Summarize the top 5 suspicious IPs, the type of attack, and the number of occurrences.
Example Result:
- IP 192.168.1.100 – SQL injection in '/search?q=1' OR '1'='1' – 12 occurrences
- IP 10.0.0.5 – Path traversal in '/../../../etc/passwd' – 3 occurrences
8. Task: Check a Python Library for Known Vulnerabilities
Prompt:
Given the 'requirements.txt' file, check each package against the NVD database. List packages with known vulnerabilities, including the fixed version. Prioritize by CVSS score.
Example Result:
- requests 2.25.1 (CVE-2026-1111, CVSS 9.8) – upgrade to 2.26.0
- django 3.2.0 (CVE-2025-9999, CVSS 7.5) – upgrade to 3.2.10
9. Task: Generate a Compliance Summary for SOC 2
Prompt:
Evaluate the current security controls (list provided) against SOC 2 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). For each criterion, state whether it's met or not, and list missing controls.
Example Result:
- Security: Met (access control, encryption at rest, logging)
- Availability: Not met (no disaster recovery plan documented)
10. Task: Create a Security Checklist for a New Microservice
Prompt:
Generate a security checklist for deploying a new microservice. Include items: authentication (JWT/OAuth), input validation, output encoding, dependency scanning, and logging. For each item, provide a brief description and a sample implementation.
Example Result:
- [ ] Input validation: Use a library like pydantic to validate all API inputs.
- [ ] Dependency scanning: Run npm audit or pip-audit before deployment.
Advanced Prompts (10 Prompts)
These prompts require a deeper understanding of security tools and infrastructure.
11. Task: Automated DAST Scan with OWASP ZAP
Prompt:
Execute a DAST scan against the staging URL 'https://staging.example.com' using OWASP ZAP. Run the 'Full Scan' with AJAX Spider enabled. After completion, generate a JSON report with all alerts, grouped by risk level (High, Medium, Low). Include evidence (request/response) for high-risk findings.
Example Result:
{
"site": "https://staging.example.com",
"alerts": [
{
"risk": "High",
"name": "SQL Injection",
"url": "/api/users?id=1",
"evidence": "Request: GET /api/users?id=1' OR '1'='1; Response: 200 OK with user data"
}
]
}
12. Task: Enforce a Policy with OPA (Rego)
Prompt:
Write a Rego policy for OPA that denies any Kubernetes deployment with 'imagePullPolicy: Always' in production namespaces (e.g., 'prod-*'). The policy should also allow 'imagePullPolicy: IfNotPresent' for non-prod. Provide the policy code and a test case.
Example Result:
package kubernetes.admission
denying[msg] {
input.request.kind.kind == "Deployment"
namespace = input.request.object.metadata.namespace
startswith(namespace, "prod-")
containers = input.request.object.spec.template.spec.containers[_]
containers.imagePullPolicy == "Always"
msg = "Production deployments must use 'IfNotPresent' imagePullPolicy"
}
13. Task: Perform a CodeQL Query for Hardcoded Credentials
Prompt:
Using CodeQL, query the JavaScript repository for hardcoded credentials. Write a QL query that finds string literals containing 'password', 'secret', or 'api_key' assigned to variables. Output the file, line number, and the literal value.
Example Result:
- src/config.js:12 – const password = "supersecret123"
14. Task: Generate an SBOM (Software Bill of Materials)
Prompt:
Generate a CycloneDX SBOM for the Node.js project in '/app'. Include all direct and transitive dependencies, their versions, licenses, and download locations. Output as JSON.
Example Result:
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "lodash",
"version": "4.17.21",
"licenses": [{"license": {"id": "MIT"}}],
"purl": "pkg:npm/lodash@4.17.21"
}
]
}
15. Task: Analyze a Container Image for Non-Root User
Prompt:
Inspect the Dockerfile for 'myapp:latest' and ensure it creates a non-root user and switches to it. If not, output the lines that need to be added. Also check if the container runs with 'USER root'.
Example Result:
- Missing: RUN useradd -m -s /bin/bash appuser and USER appuser before CMD.
- Current: USER root at line 20 – should be removed.
16. Task: Review a Network Security Group for Inbound Rules
Prompt:
Analyze the AWS security group JSON for inbound rules. Flag any rule with 'CidrIp': '0.0.0.0/0' and port 22, 3389, or 3306. For each, suggest a more restrictive CIDR (e.g., office IP range).
Example Result:
- Rule: Ingress TCP 22 from 0.0.0.0/0 – change to 203.0.113.0/24.
17. Task: Perform a GitLeaks Scan on a Branch
Prompt:
Run GitLeaks on the 'develop' branch of the repository. Scan for high-entropy strings and known patterns (AWS, GitHub, Slack). Output results in JSON format with commit, file, and secret.
Example Result:
{
"leaks": [
{
"commit": "abc123",
"file": "config.json",
"secret": "AKIA..."
}
]
}
18. Task: Generate a Threat Model for a Payment API
Prompt:
Create a threat model for a payment API using STRIDE. For each category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), list at least one threat, its impact, and a mitigation.
Example Result:
- Spoofing: Attacker impersonates a merchant via stolen API key. Mitigation: Use mutual TLS (mTLS).
- Denial of Service: Flooding /charge endpoint. Mitigation: Rate limiting and WAF.
19. Task: Validate a Terraform State File for Drift
Prompt:
Compare the current Terraform state file (state.json) with the live AWS resources. List any resources that have drifted—e.g., changed tags, security groups, or instance types. Provide the resource name, expected value, and actual value.
Example Result:
- Resource: aws_instance.web – Expected tag 'Env: prod', actual 'Env: staging'.
20. Task: Create a Custom Semgrep Rule for Hardcoded IPs
Prompt:
Write a Semgrep rule that detects hardcoded IPv4 addresses in Python code (except 127.0.0.1 and 0.0.0.0). The rule should match string literals like '10.0.0.1'. Output the rule YAML and a test case.
Example Result:
rules:
- id: hardcoded-ip
patterns:
- pattern-regex: "\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
- pattern-not: "127.0.0.1"
- pattern-not: "0.0.0.0"
message: "Hardcoded IP address found"
languages: [python]
severity: WARNING
Expert Prompts (10 Prompts)
These prompts are for security architects and lead engineers who design policies and automate complex workflows.
21. Task: Build a Custom Policy Engine for Infrastructure as Code
Prompt:
Design a policy engine using OPA that validates Terraform modules before deployment. The engine should check for: (1) S3 bucket versioning enabled, (2) CloudTrail logging enabled, (3) KMS encryption on EBS volumes. Provide the Rego policies and a script to run them via `opa eval`.
Example Result:
package terraform.aws
violation[msg] {
resource = input.resource.aws_s3_bucket[_]
resource.versioning[0].enabled != true
msg = sprintf("%s: versioning is not enabled", [resource.name])
}
22. Task: Automate Incident Response with a Prompt
Prompt:
Create a runbook for responding to a 'Critical' alert from AWS GuardDuty (e.g., 'UnauthorizedAccess:EC2/SSHBruteForce'). The runbook should include: step-by-step containment (isolate the instance), investigation (analyze CloudTrail logs), and recovery (apply security group changes). Output as a checklist.
Example Result:
1. Isolate: Attach a 'deny-all' security group to the affected instance.
2. Investigate: Query CloudTrail for API calls from the source IP in the last 24 hours.
3. Recover: Remove the instance from Auto Scaling group, patch, then redeploy.
23. Task: Generate a Kubernetes Network Policy from a Service Map
Prompt:
Given a service dependency graph (list of services and their allowed connections), generate Kubernetes NetworkPolicy YAML for each namespace. Use 'podSelector' and 'ingress/egress' rules. Example: 'frontend' can talk to 'backend' on port 8080, 'backend' can talk to 'db' on port 5432.
Example Result:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-allow-frontend
spec:
podSelector:
matchLabels:
app: backend
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- port: 8080
24. Task: Perform a Cryptographic Audit of TLS Certificates
Prompt:
Audit all TLS certificates in the 'certificates/' directory. For each, extract: issuer, subject, validity period, signature algorithm, and key size. Flag certificates using SHA-1 or RSA 1024. Output a table with status (Pass/Fail).
Example Result:
| Certificate | Issuer | Key Size | Algorithm | Status |
|---|---|---|---|---|
| wildcard.example.com.pem | Let's Encrypt | 2048 | SHA-256 | Pass |
| old-cert.pem | Self-signed | 1024 | SHA-1 | Fail |
25. Task: Create a Compliance Dashboard Query
Prompt:
Write a SQL query for a security data lake (e.g., AWS Athena) that retrieves all failed CIS benchmark checks for EC2 instances in the last 7 days. Group by instance ID and check ID. Include the timestamp, region, and account ID.
Example Result:
SELECT instance_id, check_id, region, account_id, MAX(timestamp) as last_fail
FROM compliance_results
WHERE status = 'FAIL' AND dt >= current_date - interval '7' day
GROUP BY 1, 2, 3, 4;
26. Task: Design a Zero-Trust Network Architecture Prompt
Prompt:
Outline a zero-trust network architecture for a multi-cloud environment (AWS + GCP). Include: micro-segmentation, identity-aware proxy, mutual TLS, and continuous monitoring. For each component, specify the tool (e.g., BeyondCorp, AWS Network Firewall) and configuration steps.
Example Result:
- Micro-segmentation: Use Calico or Cilium for Kubernetes network policies.
- Identity-aware proxy: Deploy Google IAP or AWS Verified Access.
27. Task: Automate a SLSA Level 3 Build
Prompt:
Create a GitHub Actions workflow that achieves SLSA Level 3 for a Java application. Include: (1) provenance generation using slsa-framework, (2) signed attestations, (3) reproducible build. Provide the YAML and the commands for verification.
Example Result:
name: SLSA
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: slsa-framework/slsa-github-generator@v1.0
28. Task: Generate a Dynamic Policy for CI/CD Based on Branch
Prompt:
Write a script (Bash or Python) that checks the current Git branch and applies different security policies: for 'main' branch, require SAST scan, dependency check, and container image signing; for 'feature' branches, only require linting and unit tests. Output the policy decision.
Example Result:
if [[ "$BRANCH" == "main" ]]; then
echo "Applying full security suite: SAST, SCA, signing"
# run SAST
else
echo "Running minimal checks"
fi
29. Task: Evaluate Third-Party Library Risk
Prompt:
For each dependency in 'requirements.txt', compute a risk score based on: (1) number of open CVEs, (2) last release date, (3) number of maintainers, (4) license type. Output a sorted list with risk score and recommendation (keep/update/replace).
Example Result:
| Library | Score | Recommendation |
|---|---|---|
| deprecated-lib | 9.2 | Replace with 'new-lib' |
30. Task: Create a Self-Healing Security Pipeline
Prompt:
Design a pipeline that automatically blocks a deployment if a critical vulnerability is found. The pipeline should: scan the image, compare against a policy (e.g., no CVSS > 7.0), and if blocked, create a Jira ticket and notify the team via Slack. Provide a diagram and pseudocode.
Example Result:
- Pseudocode: if scan.critical_count > 0: then block_deployment(); create_jira(); send_slack_alert()
Practical Tips for Writing Security Prompts
- Be specific: Instead of "check for vulnerabilities," say "scan for SQL injection in Python code using Semgrep with rule 'python.sql-injection'."
- Include output format: Specify JSON, Markdown, or YAML to avoid ambiguity.
- Set severity thresholds: Filter results to critical/high to reduce noise.
- Test with edge cases: Run prompts against known vulnerable code to verify they catch issues.
- Iterate: Prompts are not static—refine them based on false positives and team feedback.
Conclusion
Prompts are a powerful tool in a DevSecOps engineer's arsenal. They bridge the gap between security intent and automated action. By mastering these 30 prompts—from basic SAST scans to expert policy engines—you can enforce security at scale, reduce mean time to remediation, and build a culture of proactive defense. Start with the basic prompts, then gradually adopt advanced and expert ones as your team matures. Remember: the best prompt is the one that gets executed consistently in your pipeline.
This article was published on asibiont.com/blog. For more insights on security automation and DevSecOps, visit our blog regularly.
Comments