VCP Security Check
Scan target code against VCP security standards and report findings.
Step 1: Fetch Standards Manifest
Use WebFetch to fetch:
https://raw.githubusercontent.com/Z-M-Huang/vcp/main/standards/manifest.json
Parse the JSON response. Extract the standards_base_url and standards array.
Step 2: Load Project Context
- •Try to read
.vcp.jsonfrom the project root. - •If
.vcp.jsonexists: Use itsscopes,compliance,frameworks,exclude, andseveritysettings. - •If
.vcp.jsondoes not exist: Fall back to auto-detection:- •
core: always active - •
web-frontend: active if package.json contains react/vue/angular/svelte/next, or project has .tsx/.jsx/.vue/.svelte files - •
web-backend: active if package.json contains express/fastify/koa/nestjs/hono, or Python deps contain django/flask/fastapi, or pom.xml/build.gradle contains spring-boot, or Gemfile contains rails - •
database: active if prisma/schema.prisma, alembic.ini, knexfile., ormconfig. exist, or migrations/ directory exists, or .sql files exist - •
compliance: not active without.vcp.json(compliance requires explicit declaration) - •Tell the user: "No .vcp.json found. Run
/vcp-initto configure VCP for this project."
- •
- •Build exclude list: always exclude
node_modules/**,.git/**, plus any patterns from.vcp.jsonexcludefield. - •Note the severity threshold (default:
"medium"). - •Extract the
ignorearray (default:[]). Entries matching a standard ID (e.g.,"core-architecture") suppress all findings from that standard. Entries in"standard-id/rule-N"format (e.g.,"core-security/rule-3") suppress that specific rule.
Step 3: Fetch Applicable Standards
From the manifest standards array, select entries where:
- •
appliesis"always"(core standards), OR - •
appliesmatches an active scope from Step 2, OR - •
appliesmatches"compliance:X"where X is in the activecompliancearray
Filter for this skill: Keep only standards where tags array includes "security". Also keep ALL compliance-scoped standards regardless of tags.
For each selected standard, use WebFetch to fetch its content from:
{standards_base_url}{entry.path}
Extract the Rules section from each fetched standard.
Step 4: Scan Target Code
Target path: $ARGUMENTS if provided. If not provided, ask the user which path to scan.
- •Use Glob to find code files in the target path (exclude patterns from Step 2).
- •Use Read and Grep to examine the code files.
- •For each rule from each loaded standard, check if the code violates the rule.
- •For each violation found, note:
- •Which standard and rule number
- •The file path and line number
- •What the issue is
- •How to fix it
Step 5: Report Findings
Output findings grouped by severity (critical first, then high, then medium). Only include findings at or above the severity threshold from Step 2.
Before outputting findings, remove any that match an entry in the ignore list. If a finding's standard ID is in the list, suppress it entirely. If "standard-id/rule-N" is in the list, suppress only that rule from that standard. After filtering, if any findings were suppressed, append a line: **Suppressed:** X finding(s) by ignore config. If any suppressed findings came from security-scoped standards (tag "security") or compliance standards, also add: **WARNING: Critical security findings suppressed by ignore config. Review .vcp.json ignore list.**
Use this format:
### VCP Security Check
**Scopes:** core, web-backend
**Standards loaded:** N standards, M rules checked
#### Critical
- **[core-security] Rule 3** — SQL string concatenation
- **File:** src/db/queries.py:42
- **Issue:** User input concatenated into SQL query via f-string
- **Fix:** Use parameterized query: `cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))`
#### High
...
#### Medium
...
**Summary:** X critical, Y high, Z medium findings.
If no findings: "No security issues found against N rules from M standards."