AgentSkillsCN

security-audit

针对 OWASP Top 10 全面执行安全审计

SKILL.md
--- frontmatter
name: security-audit
description: Run a comprehensive security audit against OWASP Top 10
disable-model-invocation: true

Context

Performs a thorough security review of specified files or the entire project, checking against OWASP Top 10, secret exposure, dependency vulnerabilities, and project security standards.

Inputs

$ARGUMENTS - File paths, directory, or "full" for entire project

Steps

1. Gather Context

  • Read standards/security.md for security requirements.
  • Identify the scope: specific files or full project.
  • Determine the technology stack(s) in scope.

2. Secret Scanning

  • Run gitleaks detect --source . --no-git --verbose if available.
  • Manually scan for patterns: AKIA, sk-, ghp_, xox, connection strings, private keys.
  • Check for .env files, credentials.*, *.pem, *.key in tracked files.
  • Verify .gitignore excludes sensitive files.

3. Dependency Scanning

  • .NET: dotnet list package --vulnerable
  • TypeScript: npm audit
  • Python: pip audit
  • Report vulnerabilities with severity and remediation advice.

4. OWASP Top 10 Review

For each file in scope, check:

#CategoryWhat to Look For
A01Broken Access ControlMissing authorization checks, IDOR, path traversal
A02Cryptographic FailuresWeak algorithms, hardcoded keys, missing encryption
A03InjectionSQL concatenation, command injection, XSS, LDAP injection
A04Insecure DesignMissing rate limiting, business logic flaws
A05Security MisconfigurationDebug mode in prod, default credentials, verbose errors
A06Vulnerable ComponentsOutdated dependencies (see Step 3)
A07Auth FailuresWeak passwords, missing MFA, session fixation
A08Data IntegrityMissing input validation, unsafe deserialization
A09Logging FailuresMissing audit logs, PII in logs, log injection
A10SSRFUnvalidated URLs, internal network access

5. Report

code
## Security Audit Report

**Scope:** [files/directories audited]
**Verdict:** PASS | FAIL

### Critical (must fix before deploy)
- [ ] **[file:line]** [OWASP category] - [Description] → [Fix]

### High Priority
- [ ] **[file:line]** [Description]

### Medium Priority
- [ ] **[file:line]** [Description]

### Informational
- [Observations and recommendations]

### Dependencies
- [Vulnerable packages with versions and fixes]

Verification

  • All OWASP Top 10 categories checked
  • No secrets in source code
  • Dependency vulnerabilities documented
  • Each finding has a remediation recommendation