Some_claude_skills security-auditor

Security vulnerability scanner and OWASP compliance auditor for codebases. Dependency scanning (npm audit, pip-audit), secret detection (high-entropy strings, API keys), SAST for injection/XSS

install

source · Clone the upstream repo

git clone https://github.com/curiositech/some_claude_skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/curiositech/some_claude_skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.claude/skills/security-auditor" ~/.claude/skills/curiositech-some-claude-skills-security-auditor && rm -rf "$T"

manifest: .claude/skills/security-auditor/SKILL.md

source content

Security Auditor

Comprehensive security scanning for codebases. Identifies vulnerabilities before they become incidents. Focuses on actionable findings with remediation guidance.

When to Use

Use for:

Pre-deployment security audits
Dependency vulnerability scanning
Secret/credential leak detection
Code-level SAST (Static Application Security Testing)
Security posture reports for stakeholders
OWASP Top 10 compliance checking
Pre-PR security reviews

Do NOT use for:

Runtime security (WAF, rate limiting) - use infrastructure tools
Network security/firewall rules - use cloud/DevOps skills
SOC2/HIPAA/PCI compliance - requires legal/organizational process
Penetration testing execution - this is detection, not exploitation

Quick Start

Full Security Audit

# Run comprehensive scan
./scripts/full-audit.sh /path/to/project

# Output: security-report.json + summary

Quick Checks

# Dependency vulnerabilities only
npm audit --json > deps-audit.json

# Secret detection only
./scripts/detect-secrets.sh /path/to/project

# OWASP check specific file
./scripts/owasp-check.py /path/to/file.js

Core Scanning Capabilities

1. Dependency Scanning

Package Manager	Command	Severity Levels
npm	`npm audit --json`	critical, high, moderate, low
yarn	`yarn audit --json`	same as npm
pip	`pip-audit --format json`	critical, high, medium, low
cargo	`cargo audit --json`	same

Decision Tree:

Critical severity found?
├── YES → Block deployment, immediate fix required
│   └── Check if patch available → npm audit fix --force
├── NO → High severity?
    ├── YES → Fix within sprint, document if deferred
    └── NO → Low/Moderate → Track, fix during maintenance

2. Secret Detection

High-Risk Patterns:

API keys:
```
/[A-Za-z0-9_]{20,}/
```
near "key", "api", "secret"
AWS credentials:
```
AKIA[0-9A-Z]{16}
```

Private keys:

-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----

JWT tokens:

eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

Connection strings:
```
://[^:]+:[^@]+@
```

Entropy Analysis:

Shannon entropy > 4.5 on strings > 20 chars = suspicious
Base64-encoded blobs in source = investigate

False Positive Handling:

Secret-like pattern found?
├── In test file? → Lower severity, document
├── In example/docs? → Check if placeholder
├── High entropy + near "password"/"secret" → High confidence
└── In .env.example? → Acceptable if placeholder values

3. OWASP Top 10 Static Analysis

#	Vulnerability	Detection Pattern
A01	Broken Access Control	Missing auth checks on routes
A02	Cryptographic Failures	Weak algorithms (MD5, SHA1 for passwords)
A03	Injection	Unparameterized queries, eval(), innerHTML
A04	Insecure Design	Hardcoded credentials, missing rate limits
A05	Security Misconfiguration	Debug mode in prod, default credentials
A06	Vulnerable Components	Known CVEs in dependencies
A07	Auth Failures	Weak password policies, session issues
A08	Integrity Failures	Unsigned updates, untrusted deserialization
A09	Logging Failures	Sensitive data in logs, missing audit trails
A10	SSRF	Unvalidated URL inputs to fetch/request

4. Language-Specific Checks

JavaScript/TypeScript:

```
eval()
```
,
```
new Function()
```
- code injection
```
innerHTML
```
,
```
outerHTML
```
- XSS vectors
```
document.write()
```
- DOM-based XSS
```
child_process.exec()
```
with user input - command injection
Regex without timeout - ReDoS vulnerability

Python:

```
pickle.loads()
```
with untrusted data - arbitrary code execution
```
yaml.load()
```
without
```
Loader=SafeLoader
```
- code injection
```
subprocess.shell=True
```
- command injection
```
eval()
```
,
```
exec()
```
- code injection
SQL string concatenation - SQL injection

SQL:

String concatenation in queries - SQL injection
```
LIKE '%' + input + '%'
```
- injection via wildcards
Missing parameterization - critical vulnerability

Anti-Patterns

Anti-Pattern: Security by Obscurity

What it looks like: "Nobody will find this hardcoded password" Why wrong: Secrets in source always leak eventually Instead: Environment variables, secret managers, zero hardcoded secrets

Anti-Pattern: Audit Fatigue

What it looks like: 500 findings, all "medium", team ignores Why wrong: Critical issues buried in noise Instead: Prioritize by exploitability, start with critical/high only

Anti-Pattern: Fix Without Understanding

What it looks like:

npm audit fix --force

without review Why wrong: May introduce breaking changes, doesn't address root cause Instead: Review each fix, understand the vulnerability, test after

Anti-Pattern: One-Time Audit

What it looks like: "We did a security audit last year" Why wrong: New CVEs daily, code changes constantly Instead: CI/CD integration, weekly automated scans minimum

Security Report Format

{
  "summary": {
    "critical": 0,
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "findings": [
    {
      "id": "SEC-001",
      "severity": "high",
      "category": "A03:Injection",
      "title": "SQL Injection in user search",
      "location": "src/api/users.js:45",
      "description": "User input concatenated directly into SQL query",
      "evidence": "const query = `SELECT * FROM users WHERE name = '${input}'`",
      "remediation": "Use parameterized queries: db.query('SELECT * FROM users WHERE name = $1', [input])",
      "references": ["https://owasp.org/www-community/attacks/SQL_Injection"]
    }
  ],
  "recommendations": [
    "Implement parameterized queries across all database access",
    "Add input validation layer",
    "Enable SQL query logging for monitoring"
  ]
}

CI/CD Integration

GitHub Actions Example

security-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: Run security audit
      run: |
        npm audit --json > audit.json
        ./scripts/detect-secrets.sh . > secrets.json
        ./scripts/generate-report.py
    - name: Fail on critical
      run: |
        if jq '.summary.critical > 0' report.json; then
          echo "Critical vulnerabilities found!"
          exit 1
        fi

Scripts (in

scripts/

folder)

Script	Purpose
`full-audit.sh`	Comprehensive security scan
`detect-secrets.sh`	High-entropy string and pattern detection
`owasp-check.py`	OWASP Top 10 static analysis
`generate-report.py`	Combine findings into unified report

Expert vs Novice Approach

Novice	Expert
Runs audit once before release	CI/CD integration, every commit
Focuses on tool output only	Understands vulnerability context
Fixes everything or nothing	Triages by exploitability
Uses one scanner	Layers multiple tools
Ignores false positives	Tunes detection rules

Success Metrics

Metric	Target
Critical/High pre-production	0
Mean time to remediate critical	< 24 hours
False positive rate	< 10%
Scan coverage	100% of deployable code

Reference Files

```
references/owasp-top-10-2024.md
```
- Detailed OWASP guidance
```
references/secret-patterns.md
```
- Comprehensive regex patterns
```
references/remediation-playbook.md
```
- Fix guidance by vulnerability type
```
references/ci-cd-templates.md
```
- Integration examples
```
scripts/
```
- Working security scanning scripts

Detects: Dependency CVEs | Secret leaks | Injection vulnerabilities | OWASP violations | Security misconfigurations

Use with: site-reliability-engineer (deployment gates) | code-review (PR security checks)