Modular security capabilities. Compose what you need.
Skills are small, composable units of work — detect, reason, remediate, govern, comply, integrate. Each one has a typed contract, a signed trace, and a marketplace home. Use the ones we ship, override the ones you want to, write the ones we have not.
Every skill belongs to one of six families.
Detection skills
Surface what is there — vulnerabilities, secrets, sinks, suspicious dependencies.
sink.detect
secret.scan
package.suspicious
license.flag
image.scan
Reasoning skills
Decide whether a finding is real — taint, exploitability, disproof.
taint.walk
exploit.hypothesis
exploit.disprove
reach.rank
context.merge
Remediation skills
Close the loop — patch, PR, regression test, rollback plan.
patch.synthesize
pr.draft
test.generate
rollback.plan
fix.verify
Governance skills
Constrain what is allowed — policy gates, capability scopes, signed logs.
policy.evaluate
capability.scope
audit-log.sign
approval.route
guardrail.enforce
Compliance skills
Produce evidence — SBOM, attestations, framework mappings.
sbom.generate
evidence.collect
framework.map
vex.author
attestation.sign
Integration skills
Move data between Safeguard and the rest of the stack.
jira.sync
slack.notify
siem.push
ticket.assign
webhook.dispatch
Eight skills most teams reach for first.
Each skill ships with a typed input/output contract, a signed audit trace, and a documented home in a product or use case.
griffin.reason
Structured-trace reasoning over a candidate finding — emits hypothesis, cited path, disproof, and proposed patch.
eagle.rank
Reachability-aware vulnerability ranking. Sorts findings by exploitable surface, not by CVSS theatre.
lion.flag
Lightweight detector for suspicious dependencies, typosquats, and compromised maintainers in real time.
sbom.generate
Produce a CycloneDX or SPDX SBOM from a manifest, image, or repo — signed, attested, ready to ship.
vex.author
Author and sign a VEX statement for a CVE against a specific product — affected, not affected, fixed, under investigation.
auto-fix.patch
Synthesise a patch for a confirmed finding, generate a regression test, open a PR — reviewer in the loop.
policy.evaluate
Run an artefact (image, SBOM, finding) through the active policy set and return a structured allow / deny / wait decision.
audit-log.sign
Append a cryptographically signed entry to the per-tenant audit log — every Safeguard decision is replayable.
Wire them together in a manifest.
A short YAML pipeline expresses what most teams want: scan, rank, reason, fix, gate, log.
# safeguard.skills.yaml
pipeline:
  - skill: sbom.generate
    inputs: { source: repo }
  - skill: eagle.rank
    inputs: { sbom: ${steps.sbom.out} }
  - skill: griffin.reason
    when: rank.high
    inputs: { finding: ${steps.eagle.out.top} }
  - skill: auto-fix.patch
    when: griffin.confirmed
    inputs: { finding: ${steps.griffin.out} }
  - skill: policy.evaluate
    inputs: { patch: ${steps.fix.out} }
  - skill: audit-log.sign
    inputs: { trace: ${pipeline.trace} }
First-party plus a marketplace.
Write a skill, sign it, list it. The marketplace SDK lets teams ship private skills to their tenant or publish public ones for the community. Every skill in the marketplace runs inside the same trace, policy, and audit envelope as the ones Safeguard ships.
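The manifest above only shows the wiring; as an added example, not code from Safeguard or its SDK, here is a minimal Python runner for a pipeline of that shape. It resolves `${steps.<id>.out...}` and `${pipeline.trace}` references, honours `when:` gates, and implements the audit-log.sign step as a hash-chained, HMAC-signed log that a `verify()` call can replay. The step `id` field, the stub skill bodies, the sample SBOM, the tenant key and the gate semantics are all constructed assumptions; the real skills' contracts and signing scheme are not described on this page.

```python
import hashlib
import hmac
import json
import re

# Constructed pipeline mirroring the page's safeguard.skills.yaml; `id` is an
# assumed field naming the step that ${steps.<id>.out} references point at.
PIPELINE = [
    {"id": "sbom", "skill": "sbom.generate", "inputs": {"source": "repo"}},
    {"id": "eagle", "skill": "eagle.rank", "inputs": {"sbom": "${steps.sbom.out}"}},
    {"id": "griffin", "skill": "griffin.reason", "when": "rank.high",
     "inputs": {"finding": "${steps.eagle.out.top}"}},
    {"id": "fix", "skill": "auto-fix.patch", "when": "griffin.confirmed",
     "inputs": {"finding": "${steps.griffin.out}"}},
    {"id": "policy", "skill": "policy.evaluate", "inputs": {"patch": "${steps.fix.out}"}},
    {"id": "audit", "skill": "audit-log.sign", "inputs": {"trace": "${pipeline.trace}"}},
]
SIGNING_KEY = b"constructed-tenant-key"  # per-tenant HMAC key (constructed)
REF = re.compile(r"^\$\{([\w.\-]+)\}$")  # whole-string ${a.b.c} reference

def canonical(obj):
    # Deterministic JSON bytes so hashes and MACs reproduce on replay.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# Stub skills standing in for the real ones (constructed). Each returns its output
# dict; an optional "flags" list is what later steps' `when:` gates test.
def sbom_generate(inputs):
    return {"source": inputs["source"], "components": [
        {"name": "left-pad", "version": "1.0.0"}, {"name": "lodash", "version": "4.17.20"}]}

def eagle_rank(inputs):
    top = {"component": inputs["sbom"]["components"][-1]["name"], "reachable": True}
    return {"top": top, "flags": ["rank.high"] if top["reachable"] else []}

def griffin_reason(inputs):
    return {"hypothesis": f"{inputs['finding']['component']} is reachable from an entry point",
            "disproof": None, "flags": ["griffin.confirmed"]}

def auto_fix_patch(inputs):
    return {"target": inputs["finding"]["hypothesis"],
            "diff": "--- a/package.json\n+++ b/package.json\n", "regression_test": "test_upgrade"}

def policy_evaluate(inputs):
    # Constructed policy: a patch with no regression test waits for a reviewer.
    return {"decision": "allow" if inputs["patch"].get("regression_test") else "wait"}

def audit_log_sign(inputs):
    # Hash-chain each trace entry to its predecessor and MAC every chain link.
    prev, log = "0" * 64, []
    for entry in inputs["trace"]:
        body = dict(entry, prev=prev)
        digest = hashlib.sha256(canonical(body)).hexdigest()
        sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
        log.append({"body": body, "hash": digest, "sig": sig})
        prev = digest
    return {"log": log}

SKILLS = {"sbom.generate": sbom_generate, "eagle.rank": eagle_rank,
          "griffin.reason": griffin_reason, "auto-fix.patch": auto_fix_patch,
          "policy.evaluate": policy_evaluate, "audit-log.sign": audit_log_sign}

def resolve(value, steps, trace):
    # Replace a ${steps.<id>.out...} or ${pipeline.trace} string with its object.
    m = REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    path = m.group(1).split(".")
    if path[:2] == ["pipeline", "trace"]:
        node, rest = trace, path[2:]
    elif len(path) > 2 and path[0] == "steps" and path[1] in steps:
        node, rest = steps[path[1]], path[2:]
    else:  # a gated-off upstream step leaves the reference dangling: fail loudly
        raise KeyError(f"unresolved reference {m.group(1)}")
    for key in rest:
        node = node[key]
    return node

def run(pipeline):
    # Execute steps in order, honouring `when:` gates; return outputs and trace.
    steps, trace, flags = {}, [], set()
    for step in pipeline:
        if step.get("when") and step["when"] not in flags:
            trace.append({"step": step["id"], "skill": step["skill"], "skipped_on": step["when"]})
            continue
        inputs = {k: resolve(v, steps, trace) for k, v in step["inputs"].items()}
        out = SKILLS[step["skill"]](inputs)
        flags.update(out.pop("flags", []))
        steps[step["id"]] = {"out": out}
        trace.append({"step": step["id"], "skill": step["skill"], "out": out})
    return steps, trace

def verify(log, key=SIGNING_KEY):
    # Replay the chain: prev links, hashes and MACs must all check out.
    prev = "0" * 64
    for rec in log:
        expect = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if (rec["body"].get("prev") != prev
                or hashlib.sha256(canonical(rec["body"])).hexdigest() != rec["hash"]
                or not hmac.compare_digest(expect, rec["sig"])):
            return False
        prev = rec["hash"]
    return True
```

Two points worth noting. A gate that skips an upstream step leaves any later `${steps.<id>.out}` reference dangling; the runner raises rather than handing an empty input to the policy step, which is the behaviour you want in front of an allow / deny decision. The symmetric HMAC key is an assumption made for brevity; a log that third parties must be able to replay would be signed with an asymmetric key so verifiers never hold the signing secret.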