AgentSkillsCN

codebase-auditor

Use this tool proactively for code quality audits, security scans, technical debt assessment, production readiness reviews, CI quality gate setup, and DORA metrics tracking. It analyzes a codebase comprehensively against the OWASP Top 10, SOLID principles, the Testing Trophy, and 2024–2025 software development lifecycle standards, and supports incremental audits of large codebases. It is not intended for runtime performance profiling or real-time monitoring.

SKILL.md
---
name: codebase-auditor
description: Use PROACTIVELY when auditing code quality, running security scans, assessing technical debt, reviewing code for production readiness, setting up CI quality gates, or tracking DORA metrics. Analyzes codebases against OWASP Top 10, SOLID principles, Testing Trophy, and 2024-25 SDLC standards. Supports incremental audits for large codebases. Not for runtime profiling or real-time monitoring.
---

Codebase Auditor

Comprehensive codebase audits using modern software engineering standards with actionable remediation plans.

When to Use

  • Audit codebase for quality, security, maintainability
  • Assess technical debt and estimate remediation
  • Prepare production readiness report
  • Evaluate legacy codebase for modernization
  • Set up quality gates for CI/CD pipelines
  • Configure incremental audits for large codebases (>100k LOC)
  • Track audit history and trends over time

Trigger Phrases

  • "Audit this codebase" / "Run a code audit"
  • "Security scan" / "Check for vulnerabilities"
  • "Assess technical debt" / "How much tech debt?"
  • "Production readiness review"
  • "Set up quality gates"
  • "DORA metrics" / "Deployment health"

Audit Phases

Phase 1: Initial Assessment

  • Project discovery (tech stack, frameworks, tools)
  • Quick health check (LOC, docs, git practices)
  • Red flag detection (secrets, massive files)

Phase 2: Deep Analysis

Load on demand based on Phase 1 findings.

Phase 3: Report Generation

Comprehensive report with scores and priorities.

Phase 4: Remediation Planning

Prioritized action plan with effort estimates.

Analysis Categories

| Category      | Key Checks                                    |
|---------------|-----------------------------------------------|
| Code Quality  | Complexity, duplication, code smells          |
| Testing       | Coverage (80% min), trophy distribution, quality |
| Security      | OWASP Top 10, dependencies, secrets           |
| Architecture  | SOLID, patterns, modularity                   |
| Performance   | Build time, bundle size, runtime              |
| Documentation | JSDoc, README, ADRs                           |
| DevOps        | CI/CD maturity, DORA metrics                  |
| Accessibility | WCAG 2.1 AA compliance                        |

Technical Debt Rating (SQALE)

| Grade | Remediation Effort   |
|-------|----------------------|
| A     | <= 5% of dev time    |
| B     | 6-10%                |
| C     | 11-20%               |
| D     | 21-50%               |
| E     | > 50%                |

Usage Examples

```text
# Basic audit
Audit this codebase using the codebase-auditor skill.

# Security focused
Run a security-focused audit on this codebase.

# Quick health check
Give me a quick health check (Phase 1 only).

# Custom scope
Audit focusing on test coverage and security.
```

Output Formats

  1. Markdown Report - Human-readable for PR comments
  2. JSON Report - Machine-readable for CI/CD
  3. HTML Dashboard - Interactive visualization
  4. Remediation Plan - Prioritized action items

Priority Levels

| Priority    | Examples                           | Timeline     |
|-------------|------------------------------------|--------------|
| P1 Critical | Security vulns, data loss risks    | Immediate    |
| P2 High     | Coverage gaps, performance issues  | This sprint  |
| P3 Medium   | Code smells, doc gaps              | Next quarter |
| P4 Low      | Stylistic, minor optimizations     | Backlog      |

Best Practices

  1. Run incrementally for large codebases
  2. Focus on critical paths first
  3. Baseline before major releases
  4. Track metrics over time
  5. Integrate with CI/CD
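The CI quality gate that the SQALE table, the Priority Levels table and best practice 5 describe can be expressed as a small check over the JSON report. The example below is added here and is not part of the skill's own code: the JSON report schema (`coverage_percent`, `remediation_effort_percent`, `findings[].priority`) is assumed, the sample report is constructed, and the rule that a SQALE grade of D or E fails the gate is an assumed policy, not one the page states.

```python
import json
from typing import Any

MIN_COVERAGE = 80.0  # "Coverage (80% min)" from the Testing category

# Constructed sample report; the schema is assumed, not defined by the skill.
SAMPLE_REPORT = json.dumps({
    "coverage_percent": 74.0,
    "remediation_effort_percent": 12.5,
    "findings": [
        {"id": "SEC-001", "priority": "P1", "title": "Hardcoded credential in config"},
        {"id": "QA-014", "priority": "P3", "title": "Function exceeds complexity limit"},
    ],
})


def sqale_grade(remediation_effort_percent: float) -> str:
    """Map remediation effort (% of dev time) to the SQALE grade table.
    Each bound is read as an inclusive upper limit, so 5.5% lands in B."""
    for upper, grade in ((5, "A"), (10, "B"), (20, "C"), (50, "D")):
        if remediation_effort_percent <= upper:
            return grade
    return "E"


def evaluate_quality_gate(report_json: str) -> dict[str, Any]:
    """Fail the gate on coverage below the minimum, any P1 finding,
    or a SQALE grade worse than C (the grade threshold is an assumed policy)."""
    report = json.loads(report_json)
    reasons: list[str] = []
    coverage = float(report.get("coverage_percent", 0))
    if coverage < MIN_COVERAGE:
        reasons.append(f"coverage {coverage:.1f}% below {MIN_COVERAGE:.0f}% minimum")
    p1 = [f for f in report.get("findings", []) if f.get("priority") == "P1"]
    if p1:
        reasons.append("P1 critical finding(s): " + ", ".join(f["id"] for f in p1))
    grade = sqale_grade(float(report.get("remediation_effort_percent", 0)))
    if grade in ("D", "E"):
        reasons.append(f"SQALE grade {grade} is worse than the C required by the gate")
    return {"passed": not reasons, "sqale_grade": grade, "reasons": reasons}


if __name__ == "__main__":
    result = evaluate_quality_gate(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```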

Integrations

Complements: SonarQube, ESLint, Jest/Vitest, npm audit, Lighthouse, GitHub Actions

Limitations

  • Static analysis only (no runtime profiling)
  • Requires source code access
  • Internet needed for CVE data
  • Large codebases need chunked analysis

Additional Resources

| Resource          | Path                                 | Description                    |
|-------------------|--------------------------------------|--------------------------------|
| Audit Criteria    | reference/audit_criteria.md          | Complete checklist (200+ items) |
| Severity Matrix   | reference/severity_matrix.md         | Scoring rubric                 |
| Best Practices    | reference/best_practices_2025.md     | SDLC standards                 |
| CI Integration    | reference/ci-integration.md          | GitHub Actions workflows       |
| Incremental Audit | workflow/incremental-audit.md        | Large codebase strategies      |
| History Schema    | templates/audit-history-schema.sql   | SQLite tracking                |
| Custom Rules      | data/custom-rules.yaml               | Rule template                  |