catlog22/Claude-Code-Workflow
1
0
Fork 0
mirror of https://github.com/catlog22/Claude-Code-Workflow.git synced 2026-03-30 20:21:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
4092c89ab5bd678c53ccb9fec4af2981db64f551
Claude-Code-Workflow/.claude/skills/security-audit/SKILL.md
catlog22 67ff3fe339 feat: add investigate, security-audit, ship skills (Claude + Codex) 
- Add 3 new Claude skills: investigate (Iron Law debugging), security-audit
  (OWASP Top 10 + STRIDE), ship (gated release pipeline)
- Port all 3 skills to Codex v4 format under .codex/skills/ using
  Deep Interaction pattern (spawn_agent + assign_task phase transitions)
- Update README/README_CN acknowledgments: credit gstack
  (https://github.com/garrytan/gstack) as inspiration source

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 10:31:13 +08:00

5.5 KiB
Raw Blame History

name, description, allowed-tools
name description allowed-tools
security-audit OWASP Top 10 and STRIDE security auditing with supply chain analysis. Triggers on "security audit", "security scan", "cso". Read, Write, Bash, Glob, Grep

Security Audit

4-phase security audit covering supply chain risks, OWASP Top 10 code review, STRIDE threat modeling, and trend-tracked reporting. Produces structured JSON findings in .workflow/.security/.

Architecture Overview

+-------------------------------------------------------------------+
|  Phase 1: Supply Chain Scan                                       |
|  -> Dependency audit, secrets detection, CI/CD review, LLM risks  |
|  -> Output: supply-chain-report.json                              |
+-----------------------------------+-------------------------------+
                                    |
+-----------------------------------v-------------------------------+
|  Phase 2: OWASP Review                                           |
|  -> OWASP Top 10 2021 code-level analysis via ccw cli            |
|  -> Output: owasp-findings.json                                  |
+-----------------------------------+-------------------------------+
                                    |
+-----------------------------------v-------------------------------+
|  Phase 3: Threat Modeling (STRIDE)                                |
|  -> 6 threat categories mapped to architecture components         |
|  -> Output: threat-model.json                                    |
+-----------------------------------+-------------------------------+
                                    |
+-----------------------------------v-------------------------------+
|  Phase 4: Report & Tracking                                      |
|  -> Score calculation, trend comparison, dated report             |
|  -> Output: .workflow/.security/audit-report-{date}.json         |
+-------------------------------------------------------------------+

Key Design Principles

  1. Infrastructure-first: Phase 1 catches low-hanging fruit (leaked secrets, vulnerable deps) before deeper analysis
  2. Standards-based: OWASP Top 10 2021 and STRIDE provide systematic coverage
  3. Scoring gates: Daily quick-scan must score 8/10; comprehensive audit minimum 2/10 for initial baseline
  4. Trend tracking: Each audit compares against prior results in .workflow/.security/

Execution Flow

Quick-Scan Mode (daily)

Run Phase 1 only. Must score >= 8/10 to pass.

Comprehensive Mode (full audit)

Run all 4 phases sequentially. Initial baseline minimum 2/10.

Phase Sequence

  1. Phase 1: Supply Chain Scan -- phases/01-supply-chain-scan.md
    • Dependency audit (npm audit / pip-audit / safety check)
    • Secrets detection (API keys, tokens, passwords in source)
    • CI/CD config review (injection risks in workflow YAML)
    • LLM/AI prompt injection check
  2. Phase 2: OWASP Review -- phases/02-owasp-review.md
    • Systematic OWASP Top 10 2021 code review
    • Uses ccw cli --tool gemini --mode analysis --rule analysis-assess-security-risks
  3. Phase 3: Threat Modeling -- phases/03-threat-modeling.md
    • STRIDE threat model mapped to architecture components
    • Trust boundary identification and attack surface assessment
  4. Phase 4: Report & Tracking -- phases/04-report-tracking.md
    • Score calculation with severity weights
    • Trend comparison with previous audits
    • Date-stamped report to .workflow/.security/

Scoring Overview

See specs/scoring-gates.md for full specification.

Severity Weight Example
Critical 10 RCE, SQL injection, leaked credentials
High 7 Broken auth, SSRF, privilege escalation
Medium 4 XSS, CSRF, verbose error messages
Low 1 Missing headers, informational disclosures

Gates: Daily quick-scan >= 8/10, Comprehensive initial >= 2/10.

Directory Setup

mkdir -p .workflow/.security
WORK_DIR=".workflow/.security"

Output Structure

.workflow/.security/
  audit-report-{YYYY-MM-DD}.json    # Dated audit report
  supply-chain-report.json           # Latest supply chain scan
  owasp-findings.json                # Latest OWASP findings
  threat-model.json                  # Latest STRIDE threat model

Reference Documents

Document Purpose
phases/01-supply-chain-scan.md Dependency, secrets, CI/CD, LLM risk scan
phases/02-owasp-review.md OWASP Top 10 2021 code review
phases/03-threat-modeling.md STRIDE threat modeling
phases/04-report-tracking.md Report generation and trend tracking
specs/scoring-gates.md Scoring system and quality gates
specs/owasp-checklist.md OWASP Top 10 detection patterns

Completion Status Protocol

This skill follows the Completion Status Protocol defined in _shared/SKILL-DESIGN-SPEC.md sections 13-14.

Possible termination statuses:

  • DONE: All phases completed, score calculated, report generated
  • DONE_WITH_CONCERNS: Audit completed but findings exceed acceptable thresholds
  • BLOCKED: Required tools unavailable (e.g., npm/pip not installed), permission denied
  • NEEDS_CONTEXT: Ambiguous project scope, unclear trust boundaries

Escalation follows the Three-Strike Rule (section 14) per step.

Reference in New Issue View Git Blame Copy Permalink