Understanding Workflow Prompts
- What Are SD Elements AppSec Skills for Agentic AI Workflow?
- Available Workflows
- Setup Security Plan from Existing Codebase - /setup-security-plan-from-repo
- Create a Security Plan from Design Documents - /create-plan-from-specs
- Apply Security Fixes to Codebase - /apply-security-fixes
- Verify Security Countermeasures via AI Code Scan - /code-scan-verification-validation
- Customize Skills
- Usage Notes
Agentic capabilities in SD Elements are delivered through Workflow Prompts. While the MCP server provides the underlying tools, a Workflow Prompt defines the higher-level orchestration—how those tools are used together to accomplish a defined outcome. A Workflow Prompt guides an agent through structured, multi-step, repeatable reasoning across SD Elements concepts, replacing fragmented manual steps or brittle scripts with governed automation.
What Are SD Elements AppSec Skills for Agentic AI Workflow?
Skills are an open framework for packaging AI agent instructions and tools into portable, reusable playbooks. Rather than loading all instructions upfront, a skill allows an agent to dynamically pull in countermeasure-specific logic only when it’s needed — keeping the agent focused and its context lean.
SD Elements Skills connect AI agents to the SD Elements library of security and compliance requirements, enabling them to enforce your organization’s controls automatically during software development. Any AI agent that supports the open Model Context Protocol (MCP) can integrate your security policies directly into its development workflows.
Three types of artifacts work together to make this possible:
SKILL.md — Countermeasure Skills
A SKILL.md file is an open standard for defining a reusable skill for an AI
agent. It contains the instructions, metadata, and resources that teach an agent
how to perform a specific, well-scoped task — such as "get latest countermeasures"
or "apply a security fix."
In SD Elements, Countermeasure Skills are task-level skills that specify requirements and implementation guidance for a particular security control or compliance requirement, drawn from the SD Elements library. These are loaded into the agent’s context temporarily, only as needed, keeping overhead minimal.
AGENTS.md — Weakness Remediation Plan
An AGENTS.md file is an open standard for static, project-level agent
instructions: code conventions, commands, and rules that ensure any agent working
on a repository behaves consistently.
In SD Elements, workflow prompts generate a project-specific Weakness
Remediation Plan as an AGENTS.md file — an enforceable contract that indexes
the relevant countermeasure skills dictated by your team’s risk policy into a plan
a coding agent can execute. Because AGENTS.md lives in the repository, it
becomes part of the persistent project context: the agent is always aware of it.
Teams can also edit and adapt the plan directly in their repository to suit their
needs.
Key difference:
SKILL.md content is loaded on demand, only when the agent needs it. AGENTS.md is always present in the project context, making it the persistent contract the agent operates under.
Workflow Prompts — Top-Level Orchestration
Workflow Prompts are static, top-level commands available directly via the SD Elements MCP server. They define the higher-level orchestration — how tools, skills, and agent interactions are combined to accomplish a complete outcome. A workflow can trigger multi-step processes, call other tools, and interact with the user via chat or the command line to clarify tasks along the way.
How They Work Together
| Artifact | Type | Scope | Persistence |
|---|---|---|---|
| Workflow Prompt | Top-level command | Full workflow orchestration | Static, served via MCP |
| Countermeasure Skill | SKILL.md | Single task or control | Loaded on demand |
| Weakness Remediation Plan | AGENTS.md | Entire project | Always present in repo |
The flow in practice:
- A Workflow Prompt drives the overall process and determines which countermeasures apply.
- Countermeasure Skills (SKILL.md) are pulled in on demand to provide specific security guidance as each control is addressed.
- The Weakness Remediation Plan (AGENTS.md) is written to the repository as a persistent contract, keeping the agent aligned with your project’s risk policy throughout the project lifecycle.
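Because the plan and the skills are both editable files, a repository check can confirm that every skill the plan indexes can still be loaded. The following is an added example, not SD Elements code. It assumes AGENTS.md references skills as Markdown links ending in /SKILL.md and that each SKILL.md opens with front matter carrying name and description; the sample repository and its file names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed conventions (not SD Elements' documented format); see the lead-in.
SKILL_LINK = re.compile(r"\]\(([^)\s]+/SKILL\.md)\)")
FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)

def parse_skill(text):
    """Return the front-matter fields of a SKILL.md, or raise ValueError."""
    match = FRONT_MATTER.match(text)
    if not match:
        raise ValueError("no front matter")
    pairs = (line.partition(":") for line in match.group(1).splitlines())
    fields = {key.strip(): value.strip() for key, _, value in pairs}
    missing = sorted(k for k in ("name", "description") if not fields.get(k))
    if missing:
        raise ValueError("missing " + ", ".join(missing))
    return fields

def check_plan(repo):
    """List every skill indexed by AGENTS.md that an agent could not load."""
    repo = Path(repo).resolve()
    problems = []
    for rel in SKILL_LINK.findall((repo / "AGENTS.md").read_text()):
        path = (repo / rel).resolve()
        if not path.is_relative_to(repo):
            problems.append(f"{rel}: outside the repository")
        elif not path.is_file():
            problems.append(f"{rel}: file not found")
        else:
            try:
                parse_skill(path.read_text())
            except ValueError as err:
                problems.append(f"{rel}: {err}")
    return problems

def build_sample_repo():
    """Constructed sample: one loadable skill and three broken references."""
    repo = Path(tempfile.mkdtemp())
    links = ["skills/input-validation", "skills/logging", "skills/encryption", "../shared"]
    (repo / "AGENTS.md").write_text("".join(f"- [{d}]({d}/SKILL.md)\n" for d in links))
    for name, text in [("input-validation", "---\nname: input-validation\ndescription: Validate untrusted input\n---\nSteps\n"),
                       ("logging", "Write audit logs.\n")]:
        (repo / "skills" / name).mkdir(parents=True)
        (repo / "skills" / name / "SKILL.md").write_text(text)
    return repo

if __name__ == "__main__":
    print(check_plan(build_sample_repo()))
```

Run as a pre-merge check, a non-empty result means the persistent plan points at guidance the agent will not find.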
Available Workflows
Setup Security Plan from Existing Codebase - /setup-security-plan-from-repo
Analyze a source code repository to create an SDE project, collect applicable security requirements and countermeasures in SD Elements, and create an agentic security mitigation plan.
Key Functions:
- Completes SD Elements survey with evidence from repository analysis.
- Supports risk policy selection for threat modeling alignment with compliance.
- Retrieves and organizes actionable security countermeasures.
- Produces granular security specifications for incremental tracking and completion.
- Preserves existing project content, avoiding overwriting prior configuration.
This workflow prompt is typically the starting point for teams working from an existing codebase.
Create a Security Plan from Design Documents - /create-plan-from-specs
Interpret application specifications to generate an agentic initial risk-mitigation plan and scaffolding before full implementation.
Key Functions:
- Processes SDLC documents (PRDs, requirements, design, architecture).
- Supports sources: local files, Confluence, or Jira.
- Completes SD Elements project survey using specification content.
- Retrieves relevant security countermeasures based on project context/risk.
- Generates initial project scaffold with security guidance.
This workflow prompt is designed for greenfield projects and early design-stage workflows, allowing teams to begin threat modeling before code exists.
Apply Security Fixes to Codebase - /apply-security-fixes
Leveraging AI SAST, the system reviews changes within the repository to suggest iterative updates. This ensures that project requirements remain consistently aligned with the evolving codebase.
Key Functions:
- Reads specifications and applies fixes to source code.
- Supports flexible fix application: broadly or in controlled steps.
- Allows incremental work with individual change review/approval.
- Records progress to SD Elements with notes for visibility and auditability.
- Supports resuming interrupted work.
- Provides clearer progress reporting.
This workflow prompt is best used after security specifications have been generated and reviewed.
Verify Security Countermeasures via AI Code Scan - /code-scan-verification-validation
Using AI-powered static analysis with your model of choice, the system verifies that each countermeasure is actually mitigated in the source code and records structured Verification Notes to SD Elements for auditability and compliance evidence.
Key Functions:
- Reads countermeasure context from SD Elements (vulnerability, fix guidance, how-tos).
- Performs AI code analysis against relevant source files for each countermeasure.
- Derives a verdict (pass, partial, or fail) with confidence level and cited findings.
- Posts Verification Notes to the task Evidence section in SD Elements.
- Supports two modes: standalone (baseline scan before fixes) and handoff (post-fix confirmation).
- Supports flexible scope: verify all, verify specific countermeasures, or verify one-by-one interactively.
- Countermeasures that have been verified as passed are optionally marked as DONE in SD Elements.
This workflow prompt is used twice in the recommended flow: post-planning for a baseline and post-fix for confirmation. It provides objective, auditable evidence of mitigation status.
Customize Skills
Workflow Prompts will be managed in the existing SD Elements content library, which makes them easy to customize, manage, and distribute across teams. Because these particular skills are defined in simple Markdown (SKILL.md) files, they are fully transparent and customizable.
- Edit Existing Skills: You can adjust the instructions, add new verification steps, or modify the MCP tool calls in any existing skill to better match your team’s specific processes.
- Create Custom Workflows: You can easily create your own SKILL.md files from scratch to automate other security tasks or create entirely new workflows tailored to your organization’s needs. This allows you to build a library of custom, automated security processes that your team can rely on.
For the best results:
- Each workflow prompt should be used in the agent's plan mode so that it can prepare an execution plan to run the workflow prompt.
- Each workflow prompt is best used in a separate session (context window).
Usage Notes
- Best used for accelerating project planning and ongoing alignment.
- Outputs will vary depending on the model used and the agent’s capabilities.
- Frontier models typically perform better and provide the best results.
- To build your own Skills, refer to this documentation for assistance.