---
name: security-posture
description: Quick security posture assessment — scorecard with grade, coverage status, and top recommendations
---

# Security Posture

Quick security scorecard — grade, coverage, top recommendations. Deterministic scanner, <2 sec.

## Step 1: Resolve Plugin Root

Plugin root = the directory containing `plugin.json`, found by searching up from this file's location.

## Step 2: Run Scanner

```bash
node /scanners/posture-scanner.mjs $ARGUMENTS
```

If `$ARGUMENTS` is empty, scan the current working directory.

Parse the JSON output: `scoring.grade` (A-F), `scoring.pass_rate`, `risk.score` (0-100), `risk.band`, `risk.verdict`, `categories[]`, `findings[]`, `counts`.

## Step 3: Format Scorecard

```
# Security Posture — [project name]

| Field | Value |
|-------|-------|
| **Grade** | [A-F] |
| **Risk Score** | [N]/100 ([band]) |
| **Verdict** | [verdict] |

## Category Scorecard

| # | Category | Status | Findings |
|---|----------|--------|----------|
[one row per category, status as PASS/PARTIAL/FAIL/N-A]

## Top Findings

[List critical and high findings with title and recommendation]

## Quick Wins

[List low-effort fixes from findings]
```

## Step 4: Closing

- Grade A/B: "Posture solid. Re-run after major changes."
- Grade C: "Run the audit skill for detailed findings."
- Grade D/F: "Significant exposure. Run audit before production use."
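Putting Steps 2 through 4 together, as an added example that is not the plugin's own code: a renderer that takes the scanner's parsed JSON and emits the Step 3 scorecard plus the Step 4 closing line. The page names only `scoring.*`, `risk.*`, `categories[]`, `findings[]` and `counts`; the inner field names used here (`name`, `status`, `count`, `severity`, `title`, `recommendation`, `effort`) and the sample report are assumptions.

```javascript
// Added example (not the plugin's own code): renders the Step 3 scorecard from the scanner JSON.
// Inner fields of categories[]/findings[] (name, status, count, severity, title,
// recommendation, effort) are assumptions; check them against the real scanner output.
const SAMPLE_REPORT = { // constructed sample, shaped like the fields Step 2 says to parse
  scoring: { grade: "C", pass_rate: 0.6 },
  risk: { score: 55, band: "medium", verdict: "Needs attention" },
  categories: [
    { name: "Secrets Management", status: "FAIL", count: 2 },
    { name: "Dependency Hygiene", status: "PARTIAL", count: 1 },
    { name: "CI Hardening", status: "PASS", count: 0 },
  ],
  findings: [
    { severity: "critical", title: "Hardcoded API token", recommendation: "Move it to a secret store and rotate it", effort: "low" },
    { severity: "high", title: "Lockfile missing", recommendation: "Commit a lockfile and audit deps in CI", effort: "low" },
    { severity: "medium", title: "No branch protection", recommendation: "Require reviews on main", effort: "medium" },
  ],
};
const STATUSES = new Set(["PASS", "PARTIAL", "FAIL", "N-A"]);

// Step 4 closing line, keyed on grade.
function closingLine(grade) {
  if (grade === "A" || grade === "B") return "Posture solid. Re-run after major changes.";
  if (grade === "C") return "Run the audit skill for detailed findings.";
  return "Significant exposure. Run audit before production use.";
}

function formatScorecard(report, projectName) {
  const { scoring, risk, categories, findings } = report;
  const lines = [
    `# Security Posture — ${projectName}`, "",
    "| Field | Value |", "|-------|-------|",
    `| **Grade** | ${scoring.grade} |`,
    `| **Risk Score** | ${risk.score}/100 (${risk.band}) |`,
    `| **Verdict** | ${risk.verdict} |`, "",
    "## Category Scorecard", "",
    "| # | Category | Status | Findings |", "|---|----------|--------|----------|",
  ];
  categories.forEach((c, i) => {
    // Only the four statuses the scorecard defines are rendered; anything else is a scanner bug.
    if (!STATUSES.has(c.status)) throw new Error(`unknown status: ${c.status}`);
    lines.push(`| ${i + 1} | ${c.name} | ${c.status} | ${c.count} |`);
  });
  const top = findings.filter((f) => f.severity === "critical" || f.severity === "high");
  lines.push("", "## Top Findings", "", ...top.map((f) => `- **${f.severity.toUpperCase()}** ${f.title}: ${f.recommendation}`));
  const quick = findings.filter((f) => f.effort === "low");
  lines.push("", "## Quick Wins", "", ...quick.map((f) => `- ${f.title}: ${f.recommendation}`));
  lines.push("", closingLine(scoring.grade));
  return lines.join("\n");
}
```

Medium-severity, medium-effort findings are deliberately left out of both lists, matching the Step 3 filters.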