Security Audit Skill
This skill provides a structured workflow for performing a tactical security audit on a codebase.
Workflow
- Reconnaissance: Use github_recon to map the repository structure and identify sensitive files (e.g., config files, entry points).
- Dependency Analysis: Run dependency_audit to identify vulnerable third-party packages.
- Static Analysis: Execute static_analysis on high-risk files discovered during reconnaissance.
- Vulnerability Mapping: If specific vulnerability IDs are found in dependencies or code comments, use cve_lookup to understand the threat.
- Report Generation: Synthesize all findings into a tactical report.
Reporting Format
Lead with Threat Level: [LOW | MEDIUM | HIGH | CRITICAL].
Findings Summary
- Dependencies: List critical vulnerabilities in the supply chain.
- Logic Flaws: Identify dangerous code patterns (e.g., eval(), hardcoded keys).
- Secrets: Report any leaked credentials or tokens.
Remediation Steps
Provide specific, actionable commands to patch the vulnerabilities (e.g., npm update, chmod 600).
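The following is an added example, not part of the skill itself, showing how the static-analysis, dependency-analysis and report-generation steps above fit together and how the reporting format is produced. It does not call the github_recon, dependency_audit, static_analysis or cve_lookup tools; instead it uses a constructed in-memory sample repository, a constructed advisory table standing in for dependency_audit output (the advisory ID is a placeholder, not a real identifier), and two simple pattern rules for the Logic Flaws and Secrets sections. The threat level is derived as the highest severity among the findings, and each finding carries its own remediation line so the report ends with actionable steps.

```python
"""Minimal audit pipeline: scan -> findings -> tactical report (added example)."""
import re
from dataclasses import dataclass

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample repository (file name -> contents); not a real project.
SAMPLE_REPO = {
    "app.py": "import os\n\nexpr = input('expr> ')\nprint(eval(expr))  # user input reaches eval\n",
    "settings.py": "DEBUG = True\nAPI_KEY = \"sk-constructed-example-key-0123456789\"\n",
    "requirements.txt": "requests==2.19.0\nflask==3.0.0\n",
}

# Constructed advisory table standing in for dependency_audit output.
# The advisory ID is a placeholder; a real run would use IDs from the tool.
VULNERABLE_PACKAGES = {
    ("requests", "2.19.0"): ("ADVISORY-PLACEHOLDER-1", "HIGH"),
}

# Dangerous-pattern rules for the Logic Flaws section.
LOGIC_FLAW_RULES = [
    (re.compile(r"\beval\s*\("), "eval() call", "HIGH"),
    (re.compile(r"\bexec\s*\("), "exec() call", "HIGH"),
]
# Hardcoded-credential rule for the Secrets section: NAME = "<8+ chars>".
SECRET_RULE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*=\s*[\"'][^\"']{8,}[\"']"
)


@dataclass
class Finding:
    category: str     # "Dependencies" | "Logic Flaws" | "Secrets"
    location: str     # file:line
    detail: str
    severity: str
    remediation: str  # specific action for the Remediation Steps section


def audit_dependencies(requirements_text):
    """Match pinned requirements against the advisory table."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        hit = VULNERABLE_PACKAGES.get((name.lower(), version))
        if hit:
            advisory, severity = hit
            findings.append(Finding("Dependencies", f"requirements.txt:{lineno}",
                                    f"{name}=={version} ({advisory})", severity,
                                    f"pip install --upgrade {name}"))
    return findings


def static_analysis(path, source):
    """Line-oriented scan for dangerous calls and hardcoded credentials."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, label, severity in LOGIC_FLAW_RULES:
            if pattern.search(line):
                findings.append(Finding("Logic Flaws", f"{path}:{lineno}", label, severity,
                                        "replace with a safe parser or an allow-list dispatcher"))
        if SECRET_RULE.search(line):
            findings.append(Finding("Secrets", f"{path}:{lineno}", "hardcoded credential",
                                    "CRITICAL",
                                    "rotate the credential and load it from the environment"))
    return findings


def audit_repo(repo):
    """Route each file to the appropriate analysis step."""
    findings = []
    for path, contents in repo.items():
        if path.endswith("requirements.txt"):
            findings.extend(audit_dependencies(contents))
        else:
            findings.extend(static_analysis(path, contents))
    return findings


def threat_level(findings):
    """Overall level is the highest severity seen; LOW when nothing was found."""
    if not findings:
        return "LOW"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


def render_report(findings):
    """Emit the report in the format: threat level, findings summary, remediation."""
    lines = [f"Threat Level: {threat_level(findings)}", "", "Findings Summary"]
    for category in ("Dependencies", "Logic Flaws", "Secrets"):
        lines.append(f"- {category}:")
        items = [f for f in findings if f.category == category]
        if not items:
            lines.append("  - none")
        for f in items:
            lines.append(f"  - {f.location}: {f.detail} [{f.severity}]")
    lines += ["", "Remediation Steps"]
    for f in findings:
        lines.append(f"- {f.location}: {f.remediation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit_repo(SAMPLE_REPO)))
```

Running the script prints a report whose threat level is CRITICAL, driven by the hardcoded key in settings.py; the eval() call and the vulnerable pinned package appear as HIGH findings beneath it. The pattern rules are deliberately simple and will produce false positives on real code (for instance, the secret rule matches any quoted value assigned to a name containing "token"), so a real audit treats them as candidates for review, not as confirmed findings.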