Enterprise Rollout Guide
Plan and execute an organization-wide rollout of Manicode code security prompts. This guide covers assessment, selection, architecture, phased deployment, and success measurement.
When to Use
- A security or engineering leader is evaluating Manicode for org-wide adoption
- A security team wants to systematically deploy code security prompts across multiple teams and projects
- An organization needs a structured plan for stakeholder buy-in and phased rollout
- A team is preparing an internal proposal for adopting AI security prompts
Phase 1: Current State Assessment
Before selecting prompts, assess your organization's environment.
AI Tool Inventory
| Question | Notes |
|---|---|
| Which AI coding tools are developers using? (Copilot, Cursor, Claude Code, Windsurf, etc.) | |
| Which LLM APIs are integrated into products? (OpenAI, Anthropic, Google, etc.) | |
| Which AI models are approved for use? | |
| Is there a central AI/ML platform team? | |
Technology Stack Inventory
| Question | Notes |
|---|---|
| Primary backend languages and frameworks | |
| Primary frontend languages and frameworks | |
| Mobile platforms (iOS, Android, Flutter, React Native) | |
| Infrastructure (cloud provider, container orchestration) | |
| Database systems | |
| Authorization policy engines (OPA, OpenFGA, Cedar, etc.) | |
Phase 2: Prompt Selection
Match each team's primary framework to the appropriate Code Security prompt:
| Team / Project | Language | Framework | Recommended Prompt | Model Variants Available |
|---|---|---|---|---|
| Example: Backend API | Python | Django | Python/Django code security | Opus 4.6, GPT 5.3, Gemini 3.1, Grok 4.1, Copilot |
Coverage: 328 prompts across 13 categories — backend frameworks, frontend frameworks, AI security, infrastructure, web/API security, authentication, authorization, cryptography, mobile, embedded/IoT, WASM, C/C++, and code quality.
Phase 3: Integration Architecture
Choose a deployment architecture based on your organization's needs.
Option A: Repository-Level Integration (Recommended Start)
Commit prompt files directly to each repository:
| Tool | File | Location |
|---|---|---|
| Claude Code | CLAUDE.md | Repository root |
| GitHub Copilot | .github/copilot-instructions.md | Repository root |
| Cursor | .cursor/rules/security.mdc | Repository root |
| Windsurf | .windsurfrules | Repository root |
| JetBrains AI | .junie/guidelines.md | Repository root |
| Cline / Roo Code | .clinerules | Repository root |
| Amazon Q | .amazonq/rules/security.md | Repository root |
Pros: Version-controlled with the code, immediate effect, no infrastructure needed, auditable.
Cons: Manual updates across repos, per-repo configuration effort.
See IDE Integrations and AI Coding Agents for detailed setup.
Option B: Central Prompt Repository
Maintain a single repository of prompts that other repos reference:
- Create an internal `manicode-prompts` repository
- Store selected prompts organized by category
- Use git submodules, a package manager, or a sync script to distribute prompts to downstream repos
- Updates propagate from the central repo to all consuming repos
Pros: Single source of truth, easy updates, consistent versions.
Cons: Requires sync mechanism, slight complexity in repo setup.
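The sync script mentioned above is one of the three distribution options. As an added example (not code from the original guide or from the Manicode project), the following Python script shows what such a script needs to do: take a manifest of which prompt each downstream repo gets and which AI tools that repo uses, and write the prompt into each tool's file location from the Option A table. The manifest, repo names and prompt texts are constructed stand-ins; the marker comment and the `plan_sync`/`write_plan` split are design choices of this example, not a Manicode convention.

```python
"""Distribute prompts from a central prompt repository to downstream repos.

Added example, not part of the original guide. Assumptions (constructed here):
the central repo's prompt files are represented by the PROMPTS dict, and the
MANIFEST says which prompt each downstream repo gets and which AI tools it uses.
"""
import hashlib
from pathlib import Path

# Tool -> file path inside the repo root (the locations listed under Option A).
TOOL_FILES = {
    "claude-code": "CLAUDE.md",
    "github-copilot": ".github/copilot-instructions.md",
    "cursor": ".cursor/rules/security.mdc",
    "windsurf": ".windsurfrules",
    "jetbrains-ai": ".junie/guidelines.md",
    "cline": ".clinerules",
    "amazon-q": ".amazonq/rules/security.md",
}

# Constructed manifest: downstream repo path -> (prompt id, tools in use there).
MANIFEST = {
    "repos/backend-api": ("backend/python-django", ["claude-code", "github-copilot"]),
    "repos/web-frontend": ("frontend/react", ["cursor", "windsurf"]),
}

# Constructed prompt texts standing in for the central repo's prompt files.
PROMPTS = {
    "backend/python-django": "# Django code security\n- Validate all input at the boundary.\n",
    "frontend/react": "# React code security\n- Never render untrusted HTML.\n",
}


def stamp(prompt_id: str, text: str) -> str:
    """Prefix the prompt with a marker so a later audit can tell which prompt
    (and which version of it, by digest) is installed in a repo."""
    digest = hashlib.sha256(text.encode()).hexdigest()[:12]
    return f"<!-- manicode-prompt: {prompt_id} sha256:{digest} -->\n{text}"


def plan_sync(manifest, prompts):
    """Pure planning step: returns {repo-relative file path: content} for every
    repo/tool pair. An unknown tool name raises KeyError on purpose, so a typo in
    the manifest cannot silently leave a repo without its prompt."""
    plan = {}
    for repo, (prompt_id, tools) in manifest.items():
        text = prompts[prompt_id]
        for tool in tools:
            rel = TOOL_FILES[tool]
            plan[f"{repo}/{rel}"] = stamp(prompt_id, text)
    return plan


def write_plan(root: Path, plan) -> int:
    """Write only files whose content differs from the plan (idempotent).
    Returns the number of files written, which is what a cron/CI run would log."""
    written = 0
    for rel, content in plan.items():
        target = root / rel
        if target.exists() and target.read_text() == content:
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        written += 1
    return written


if __name__ == "__main__":
    import tempfile

    root = Path(tempfile.mkdtemp())
    plan = plan_sync(MANIFEST, PROMPTS)
    print(f"{write_plan(root, plan)} files written under {root}")
    print(f"{write_plan(root, plan)} files written on second run (idempotent)")
```

Keeping the planning step free of I/O makes the manifest reviewable in a pull request (a dry run can print the plan) and means the same plan can feed a git-submodule or package-based distribution instead of direct file writes.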
Option C: API-First Deployment
For programmatic integrations (CI/CD pipelines, custom tooling):
- Store prompts in a central location (object storage, config service, or the prompt repository)
- Fetch prompts at runtime via API or configuration
- Pass prompts as system messages in LLM API calls
See API and Programmatic Usage for code examples.
Pros: Dynamic prompt selection, runtime flexibility, works for non-IDE use cases.
Cons: Infrastructure dependency, latency for prompt fetching.
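A prompt fetched at runtime is an input to every LLM call that follows, so the fetch path deserves the same treatment as any other dependency pulled at runtime: verify what arrives and cache it to cover the latency cost named above. The following Python client is an added example, not code from the original guide or from Manicode. The prompt store is a constructed in-memory dict standing in for object storage or a config service, the pinned digests are assumed to live in the application's own configuration, and the messages list uses the common `{"role": ..., "content": ...}` chat format; the LLM API call itself is left out.

```python
"""Runtime prompt client: fetch, verify against a pinned SHA-256, cache, and
build the system message for an LLM API call.

Added example, not part of the original guide. STORE stands in for object
storage or a config service; PINS stands in for digests recorded at release
time in the application's own config.
"""
import hashlib
import time


class PromptIntegrityError(Exception):
    """Raised when a fetched prompt does not match the digest pinned for it."""


def pin(text: str) -> str:
    """Digest recorded at release time for each approved prompt version."""
    return hashlib.sha256(text.encode()).hexdigest()


class PromptClient:
    def __init__(self, fetch, pins, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetch      # callable(prompt_id) -> str (HTTP GET, bucket read, ...)
        self._pins = pins        # prompt_id -> expected hex digest, from app config
        self._ttl = ttl_seconds  # how long a verified prompt is reused before refetching
        self._clock = clock      # injectable for tests
        self._cache = {}         # prompt_id -> (text, expires_at)

    def get(self, prompt_id: str) -> str:
        """Return the verified prompt text, from cache when still fresh."""
        now = self._clock()
        hit = self._cache.get(prompt_id)
        if hit and hit[1] > now:
            return hit[0]
        text = self._fetch(prompt_id)
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest != self._pins.get(prompt_id):
            # Refuse to use a prompt that is not the approved version; do not cache it.
            raise PromptIntegrityError(
                f"{prompt_id}: digest {digest[:12]} does not match the pinned value")
        self._cache[prompt_id] = (text, now + self._ttl)
        return text

    def build_messages(self, prompt_id: str, user_content: str):
        """Messages list with the security prompt as the system message."""
        return [
            {"role": "system", "content": self.get(prompt_id)},
            {"role": "user", "content": user_content},
        ]


# Constructed store and pins for the demo below.
STORE = {
    "backend/python-django@v1":
        "# Django code security\n- Use the ORM; never build SQL by string concatenation.\n",
}
PINS = {pid: pin(text) for pid, text in STORE.items()}


def demo():
    """Build messages twice; the second call must be served from cache."""
    calls = []

    def fetch(prompt_id):
        calls.append(prompt_id)
        return STORE[prompt_id]

    client = PromptClient(fetch, PINS)
    messages = client.build_messages(
        "backend/python-django@v1", "Review this view for injection risks.")
    client.get("backend/python-django@v1")  # cache hit, no second fetch
    return messages, len(calls)


if __name__ == "__main__":
    msgs, fetches = demo()
    print(f"system prompt starts with: {msgs[0]['content'].splitlines()[0]!r}; fetches: {fetches}")
```

The pin is what turns "fetch the prompt" into "fetch the approved prompt": rotating to a new prompt version becomes a config change reviewed alongside the code, and a store entry that drifts from the reviewed version fails closed instead of silently changing the guidance every developer's LLM call receives.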
Phase 4: Phased Rollout Plan
Week 1–2: Pilot
| Activity | Details |
|---|---|
| Select 2–3 willing teams | Prefer teams with security-aware developers and active AI tool usage |
| Deploy code security prompts | Configure IDE files for primary repos |
| Collect baseline metrics | Record current security finding rates from SAST/code review |
Week 3–6: Expansion
| Activity | Details |
|---|---|
| Roll out to remaining high-risk codebases | Prioritize repos with sensitive data handling |
| Add AI security prompts | For teams building LLM/RAG applications |
| Add infrastructure prompts | For teams managing Kubernetes, Terraform, CI/CD |
| Create internal documentation | Onboarding guide, FAQ, support channel |
Week 7+: Standardization
| Activity | Details |
|---|---|
| Add prompt presence to PR checklist or CI | Verify prompts are configured before merge |
| Establish update cadence | Quarterly review and refresh of prompt selections |
| Track adoption metrics | Dashboard covering framework coverage |
| Run effectiveness reviews | Compare pre/post security metrics |
Phase 5: Success Metrics
Adoption Metrics
| Metric | How to Measure | Target |
|---|---|---|
| Repos with code security prompts configured | Scan for IDE config files across repos | 80%+ of active repos |
| Framework coverage | Prompts deployed for all primary frameworks | 100% of primary frameworks |
| Developer awareness | Internal training/communication | All AI-using developers |
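The adoption metric above ("scan for IDE config files across repos"), the Week 7+ PR/CI check for prompt presence, and the Option A file table all rest on the same check: does a repo contain a non-empty prompt file at one of the known locations? The following Python module is an added example, not code from the original guide or from Manicode, that performs that check for one repo, turns it into a CI gate against the tools a team is required to configure, and aggregates the per-repo results into the coverage percentage the dashboard needs. The repo names and file listings are constructed.

```python
"""Audit repos for configured code security prompt files and compute coverage.

Added example, not part of the original guide. The file locations come from the
Option A table; the sample repo listings are constructed.
"""
from pathlib import Path

# Tool -> repo-relative path where that tool reads its instructions (Option A table).
TOOL_FILES = {
    "claude-code": "CLAUDE.md",
    "github-copilot": ".github/copilot-instructions.md",
    "cursor": ".cursor/rules/security.mdc",
    "windsurf": ".windsurfrules",
    "jetbrains-ai": ".junie/guidelines.md",
    "cline": ".clinerules",
    "amazon-q": ".amazonq/rules/security.md",
}


def audit_files(present):
    """Pure check: given the set of repo-relative paths that exist (and are
    non-empty), report per tool whether its prompt file is configured."""
    return {tool: rel in present for tool, rel in TOOL_FILES.items()}


def audit_repo(root: Path):
    """Filesystem wrapper for a checked-out repo. An empty placeholder file does
    not count as configured, so it cannot satisfy the gate by accident."""
    present = {
        rel for rel in TOOL_FILES.values()
        if (root / rel).is_file() and (root / rel).stat().st_size > 0
    }
    return audit_files(present)


def ci_gate(status, required):
    """Return the required tools whose prompt file is missing; an empty list
    means the PR check passes."""
    return [tool for tool in required if not status.get(tool)]


def coverage(statuses):
    """Percentage of repos with at least one prompt file configured, rounded
    to one decimal (the Phase 5 adoption metric, target 80%+ of active repos)."""
    if not statuses:
        return 0.0
    configured = sum(1 for s in statuses.values() if any(s.values()))
    return round(100 * configured / len(statuses), 1)


# Constructed sample: repo name -> repo-relative files found in it.
SAMPLE_LISTINGS = {
    "backend-api": {"CLAUDE.md", ".github/copilot-instructions.md", "README.md"},
    "web-frontend": {".cursor/rules/security.mdc", "package.json"},
    "legacy-batch": {"README.md"},
    "mobile-app": {".windsurfrules"},
}


def sample_report():
    """Audit the constructed sample and return (per-repo status, coverage %)."""
    statuses = {repo: audit_files(files) for repo, files in SAMPLE_LISTINGS.items()}
    return statuses, coverage(statuses)


if __name__ == "__main__":
    statuses, pct = sample_report()
    for repo, status in statuses.items():
        configured = [t for t, ok in status.items() if ok] or ["none"]
        print(f"{repo:14s} {', '.join(configured)}")
    print(f"coverage: {pct}% of repos have a code security prompt configured")
```

Run `audit_repo(Path('.'))` in a PR workflow and fail the job when `ci_gate` returns a non-empty list for the tools that team is expected to use; run it across all clones on a schedule and feed `coverage` into the dashboard. Where repos cannot be cloned centrally, the same `audit_files` check can run inside each repo's own CI and report its status, which is the manual-reporting fallback noted under Limitations, made mechanical.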
Effectiveness Metrics
| Metric | How to Measure | Target |
|---|---|---|
| Security findings per code review | Compare SAST/review findings pre/post | 30%+ reduction |
| Time to remediate security issues | Track from finding to fix | 25%+ reduction |
| Developer satisfaction | Quarterly survey | Net positive |
Related Pages
- Code Security Prompts — All framework-specific prompts
- Team and Enterprise Deployment — Scaling code security prompts
- IDE Integrations — Per-tool setup guides
- AI Coding Agents — Agent-specific configuration
Limitations
- Rollout timelines depend heavily on organizational size, number of repos, and team willingness. The phase durations above are guidelines, not prescriptions.
- Prompt effectiveness varies by model. When teams use different AI models, prompt behavior may differ. See Model-Specific Guidance for details.
- Adoption metrics require instrumentation. If you cannot scan repos for config files, manual reporting is needed initially.
- This guide covers prompt deployment. Organizational change management (training, incentives, cultural adoption) is equally important and requires separate planning.