AgentSkillsCN

vcp-security-check

Scan code for security vulnerabilities against VCP security standards. Run this when reviewing code for security issues or before commits.

SKILL.md
--- frontmatter
name: vcp-security-check
description: >
  Scan code for security vulnerabilities against VCP security standards.
  Run this when reviewing code for security issues or before commits.
user-invocable: true
allowed-tools: Read, Glob, Grep, Bash, WebFetch
argument-hint: "[path]"

VCP Security Check

Scan target code against VCP security standards and report findings.

Step 1: Fetch Standards Manifest

Use WebFetch to fetch:

code
https://raw.githubusercontent.com/Z-M-Huang/vcp/main/standards/manifest.json

Parse the JSON response. Extract the standards_base_url and standards array.

Step 2: Load Project Context

  1. Try to read .vcp.json from the project root.
  2. If .vcp.json exists: Use its scopes, compliance, frameworks, exclude, and severity settings.
  3. If .vcp.json does not exist: Fall back to auto-detection:
    • core: always active
    • web-frontend: active if package.json contains react/vue/angular/svelte/next, or project has .tsx/.jsx/.vue/.svelte files
    • web-backend: active if package.json contains express/fastify/koa/nestjs/hono, or Python deps contain django/flask/fastapi, or pom.xml/build.gradle contains spring-boot, or Gemfile contains rails
    • database: active if prisma/schema.prisma, alembic.ini, knexfile.*, ormconfig.* exist, or migrations/ directory exists, or .sql files exist
    • compliance: not active without .vcp.json (compliance requires explicit declaration)
    • Tell the user: "No .vcp.json found. Run /vcp-init to configure VCP for this project."
  4. Build exclude list: always exclude node_modules/**, .git/**, plus any patterns from .vcp.json exclude field.
  5. Note the severity threshold (default: "medium").
  6. Extract the ignore array (default: []). Entries matching a standard ID (e.g., "core-architecture") suppress all findings from that standard. Entries in "standard-id/rule-N" format (e.g., "core-security/rule-3") suppress that specific rule.

Step 3: Fetch Applicable Standards

From the manifest standards array, select entries where:

  • applies is "always" (core standards), OR
  • applies matches an active scope from Step 2, OR
  • applies matches "compliance:X" where X is in the active compliance array

Filter for this skill: Keep only standards where tags array includes "security". Also keep ALL compliance-scoped standards regardless of tags.

For each selected standard, use WebFetch to fetch its content from:

code
{standards_base_url}{entry.path}

Extract the Rules section from each fetched standard.

Step 4: Scan Target Code

Target path: $ARGUMENTS if provided. If not provided, ask the user which path to scan.

  1. Use Glob to find code files in the target path (exclude patterns from Step 2).
  2. Use Read and Grep to examine the code files.
  3. For each rule from each loaded standard, check if the code violates the rule.
  4. For each violation found, note:
    • Which standard and rule number
    • The file path and line number
    • What the issue is
    • How to fix it

Step 5: Report Findings

Output findings grouped by severity (critical first, then high, then medium). Only include findings at or above the severity threshold from Step 2.

Before outputting findings, remove any that match an entry in the ignore list. If a finding's standard ID is in the list, suppress it entirely. If "standard-id/rule-N" is in the list, suppress only that rule from that standard. After filtering, if any findings were suppressed, append a line: **Suppressed:** X finding(s) by ignore config. If any suppressed findings came from security-scoped standards (tag "security") or compliance standards, also add: **WARNING: Critical security findings suppressed by ignore config. Review .vcp.json ignore list.**

Use this format:

code
### VCP Security Check

**Scopes:** core, web-backend
**Standards loaded:** N standards, M rules checked

#### Critical

- **[core-security] Rule 3** — SQL string concatenation
  - **File:** src/db/queries.py:42
  - **Issue:** User input concatenated into SQL query via f-string
  - **Fix:** Use parameterized query: `cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))`

#### High

...

#### Medium

...

**Summary:** X critical, Y high, Z medium findings.

If no findings: "No security issues found against N rules from M standards."
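
The severity threshold and ignore-list filtering from Step 2 and Step 5, sketched in Python as an added example (not code from the VCP project). The finding fields, the "low" level, modelling compliance standards as a "compliance" tag, and applying the threshold before ignore matching are assumptions.

```python
# Added example: field names on each finding are assumptions, not VCP's schema.
SEVERITIES = ["critical", "high", "medium", "low"]  # "low" is assumed; the page names the first three

# Constructed sample findings (not real scan output).
SAMPLE = [
    {"standard": "core-security", "rule": 3, "severity": "critical", "tags": ["security"]},
    {"standard": "core-security", "rule": 30, "severity": "high", "tags": ["security"]},
    {"standard": "core-architecture", "rule": 1, "severity": "medium", "tags": ["architecture"]},
    {"standard": "core-security", "rule": 7, "severity": "low", "tags": ["security"]},
]


def is_ignored(finding, ignore):
    """Exact match on the standard ID or on 'standard-id/rule-N'; no prefix matching."""
    rule_key = f"{finding['standard']}/rule-{finding['rule']}"
    return finding["standard"] in ignore or rule_key in ignore


def filter_findings(findings, ignore=(), threshold="medium"):
    """Return (reported findings, footer lines) following Step 5."""
    ignore = set(ignore)
    cutoff = SEVERITIES.index(threshold)
    reported, suppressed = [], []
    for f in findings:
        if SEVERITIES.index(f["severity"]) > cutoff:
            continue  # assumption: below-threshold findings are dropped before ignore matching
        (suppressed if is_ignored(f, ignore) else reported).append(f)
    reported.sort(key=lambda f: SEVERITIES.index(f["severity"]))  # critical first
    footer = []
    if suppressed:
        footer.append(f"**Suppressed:** {len(suppressed)} finding(s) by ignore config.")
        # Compliance standards are modelled here as a "compliance" tag (assumption).
        if any({"security", "compliance"} & set(f["tags"]) for f in suppressed):
            footer.append("**WARNING: Critical security findings suppressed by "
                          "ignore config. Review .vcp.json ignore list.**")
    return reported, footer


if __name__ == "__main__":
    kept, footer = filter_findings(SAMPLE, ignore=["core-security/rule-3"])
    for f in kept:
        print(f"[{f['standard']}] Rule {f['rule']} ({f['severity']})")
    print("\n".join(footer))
```

Because matching is exact, "core-security/rule-3" does not hide rule 30, and an entry such as "core" does not hide "core-security".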