- Home
- Skills
- Dchuk
- Claude Code Tauri Skills
- Tauri Ecosystem Security
tauri-ecosystem-security_skill
12
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill dchuk/claude-code-tauri-skills --skill tauri-ecosystem-security- SKILL.md10.7 KB
Overview
This skill guides developers through practical security practices for the Tauri v2 ecosystem, covering auditing, dependency management, permissions, and organizational controls. It focuses on concrete actions to reduce supply-chain, buildtime, distribution, and runtime risks when building secure desktop applications.
How this skill works
The skill explains what to inspect at each stage of the app lifecycle: upstream dependencies, development environments, CI/CD pipelines, release procedures, and runtime enforcement (CSP, capabilities, scopes). It recommends tools and procedures—cargo audit, npm audit, pinned action versions, and capability/scoping checks—and provides a checklist for pre-release and periodic reviews. It also describes secure vulnerability reporting and coordinated disclosure practices.
When to use it
- Before a release to run a pre-release security audit and dependency scans
- When onboarding a new dependency or third-party library
- When designing IPC and capability boundaries for frontend-backend communication
- While configuring CI/CD to ensure reproducible, signed builds
- During incident handling to follow responsible vulnerability disclosure
Best practices
- Adopt least-privilege capabilities and explicit scopes; deny rules must block sensitive paths
- Pin critical dependencies to a git revision and pin action/tool versions in CI workflows
- Run automated audits (cargo audit, npm audit) and supplement with vetting tools like cargo vet
- Harden developer machines: avoid admin usage, do not store production secrets locally, use hardware tokens
- Use strict CSPs, whitelist only trusted hosts, and avoid loading remote scripts from CDNs
Example use cases
- Pinning a filesystem library to a git revision and validating it with cargo vet before release
- Configuring a capability that grants fs:read-files only to a named window and denying user home secret paths
- Updating CI workflows to pin GitHub Actions versions and require signed commits and human approvals
- Running cargo audit and npm audit as part of a gated release job and failing on critical findings
- Reporting a discovered vulnerability privately via GitHub private disclosure or the project security email
FAQ
Capabilities limit which windows can request permissions and scopes constrain command access to explicit paths, enforcing least privilege and reducing blast radius if frontend is compromised.
Which tools should I run regularly?
Run cargo audit and npm audit routinely, use cargo outdated to check freshness, and consider cargo vet/crev for deeper supply-chain verification.