security-audit

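Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about an implementation.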

SKILL.md
--- frontmatter
name: security-audit
agents: [yokay-security-scanner]
description: Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations.

Security Audit

Systematic security review for application code, dependencies, and configuration.

Not a replacement for professional penetration testing. Identifies common vulnerabilities within the scope of a code review.

Audit Types

| Type | Focus | When to Use |
|------|-------|-------------|
| Code Review | OWASP Top 10, injection, auth | New features, PRs, suspicious code |
| Dependency | CVEs, outdated packages | Before deploy, periodic, CI/CD |
| Configuration | Secrets, permissions, hardening | Infrastructure changes, new envs |
| Architecture | Attack surface, data flow | Design phase, major refactors |
| API Security | Auth, authz, rate limiting | New endpoints, public APIs |

When NOT to Use

  • Designing new auth flows — Use api-design for designing OAuth2/JWT endpoints from scratch
  • Performance issues — Use performance-optimization even if caused by auth overhead
  • CI/CD pipeline security — Use ci-cd for pipeline hardening (secret management, permissions)

Key Principles

  • Scope first — Define audit area, depth, and constraints before scanning
  • Classify severity — Critical (24-48h), High (1 week), Medium (2-4 weeks), Low (backlog)
  • Remediate or track — Fix critical issues immediately, create ohno tasks for the rest
  • No secrets in code — Scan for hardcoded credentials, API keys, connection strings

Quick Start Checklist

  1. Define audit scope and type (code, dependency, config, architecture, API)
  2. Run automated scans (npm audit, grep patterns, secret detection)
  3. Review findings and classify severity using the decision tree in the references
  4. Remediate critical/high findings immediately
  5. Create ohno tasks for medium/low findings with appropriate priority
  6. Document findings in audit report
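
One way to carry checklist steps 2 through 5 through for the dependency case, as an added example that is not part of the original skill: it reads a report in the `npm audit --json` layout used by npm 7+ and applies the severity windows listed under Key Principles. The `triage` helper, the mapping of npm's `moderate` to Medium and `info` to Low, and the sample package names are assumptions made for illustration.

```python
import json

# Remediation windows as stated in this skill's "Classify severity" principle.
WINDOWS = {"Critical": "24-48h", "High": "1 week", "Medium": "2-4 weeks", "Low": "backlog"}
# Assumption: npm's "moderate" maps to Medium and "info" to Low.
NPM_TO_CLASS = {"critical": "Critical", "high": "High", "moderate": "Medium",
                "low": "Low", "info": "Low"}
ORDER = list(WINDOWS)  # Critical first, Low last

def triage(report):
    """Turn an `npm audit --json` report (npm 7+ layout) into ordered findings."""
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity")
        if sev not in NPM_TO_CLASS:
            # Fail loudly rather than silently dropping a finding.
            raise ValueError(f"unrecognized severity {sev!r} for {name}")
        cls = NPM_TO_CLASS[sev]
        findings.append({
            "package": name,
            "class": cls,
            "window": WINDOWS[cls],
            # Checklist steps 4 and 5: fix critical/high now, track the rest.
            "action": "remediate now" if cls in ("Critical", "High") else "create task",
            # fixAvailable is False, True, or an object describing the fix.
            "fix_available": bool(vuln.get("fixAvailable")),
        })
    findings.sort(key=lambda f: (ORDER.index(f["class"]), f["package"]))
    return findings

# Constructed sample report; package names are placeholders, not real advisories.
SAMPLE = json.loads("""
{"auditReportVersion": 2, "vulnerabilities": {
  "example-logger":  {"severity": "low",      "isDirect": false, "fixAvailable": true},
  "example-parser":  {"severity": "critical", "isDirect": true,
                      "fixAvailable": {"name": "example-parser", "version": "2.0.0", "isSemVerMajor": true}},
  "example-router":  {"severity": "moderate", "isDirect": true,  "fixAvailable": false},
  "example-session": {"severity": "high",     "isDirect": false, "fixAvailable": true}
}}
""")

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['class']:<8} {f['window']:<9} {f['action']:<13} {f['package']} "
              f"(fix available: {f['fix_available']})")
```

Against a real project, replace `SAMPLE` with the parsed output of `npm audit --json`; a finding with `fix_available` false still needs an entry in the audit report even when no upgrade exists.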

References

| Reference | Description |
|-----------|-------------|
| owasp-top-10.md | OWASP vulnerabilities with detection and fixes |
| dependency-security.md | npm audit, pip-audit, Snyk, CI/CD integration |
| auth-patterns.md | Secure authentication and authorization patterns |
| api-security.md | API-specific security concerns |
| secrets-management.md | Handling sensitive configuration |