Learn-skills.dev code-audit
install
source · Clone the upstream repo
git clone https://github.com/NeverSight/learn-skills.dev
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/3stonebrother/code-audit/code-audit" ~/.claude/skills/neversight-learn-skills-dev-code-audit && rm -rf "$T"
manifest:
data/skills-md/3stonebrother/code-audit/code-audit/SKILL.mdsource content
Code Audit Skill
专业代码安全审计技能 | Professional Code Security Audit 支持模式: quick / standard / deep
When to Use This Skill
This skill should be used when:
- User requests code audit, security audit, or vulnerability scanning
- User asks to check code security or find security issues
- User mentions /audit or /code-audit
- User wants to review code for vulnerabilities before deployment
- User needs penetration testing preparation or security assessment
Trigger phrases:
- "审计这个项目" / "Audit this project"
- "检查代码安全" / "Check code security"
- "找出安全漏洞" / "Find security vulnerabilities"
- "/audit", "/code-audit"
Quick Reference
Scan Modes
| Mode | Use Case | Scope |
|---|---|---|
| Quick | CI/CD, small projects | High-risk vulns, secrets, dependency CVEs |
| Standard | Regular audits | OWASP Top 10, auth, crypto |
| Deep | Critical projects, pentests | Full coverage, attack chains, business logic |
Core Workflow
1. Reconnaissance → Identify tech stack, map attack surface 2. Vulnerability Hunt → Search patterns, trace data flow 3. Verification → Confirm exploitability, filter false positives 4. Docker Verify → [NEW] Dynamic verification in sandbox (optional) 5. Report → Document findings with PoC and fixes
Docker部署验证
对于深度审计,可使用Docker沙箱进行动态验证:
# 生成验证环境 code-audit --generate-docker-env # 启动并验证 docker-compose up -d docker exec -it sandbox python /workspace/poc/verify_all.py
详见:
references/core/docker_verification.mdExecution Controller(执行控制器 — 必经路径)
⚠️ 以下步骤是审计执行的必经路径,不是参考建议。 每步有必须产出的输出,后续步骤依赖前序输出。不产出 = 用户可见缺失。
Step 1: 模式判定
根据用户指令确定审计模式:
| 用户指令关键词 | 模式 |
|---|---|
| "快速扫描" "quick" "CI检查" | quick |
| "审计" "扫描" "安全检查"(无特殊说明) | standard |
| "深度审计" "deep" "渗透测试准备" "全面审计" | deep |
| 无法判定 | 问用户,不得自行假设 |
反降级规则: 用户指定的模式不可自行降级。项目规模大不是降级理由,而是启用 Multi-Agent 的理由。降级需用户明确确认。
必须输出:
[MODE] {quick|standard|deep}
Step 2: 文档加载
按模式加载必要文档(用 Read 工具实际读取,不是"知道有这个文件"):
| 模式 | 必须 Read 的文档 |
|---|---|
| quick | 当前 SKILL.md 已加载,无需额外文档 |
| standard | + |
| deep | + |
deep 模式下 agent.md 是必读文档 — Step 4 的执行计划模板包含只有 agent.md 中才有的字段(维度权重、Agent 切分模板、门控条件、执行状态机)。
必须输出:
[LOADED] {实际 Read 的文档列表,含行数}
Step 3: 侦察(Reconnaissance)
对目标项目执行攻击面测绘。
必须输出:
[RECON] 项目规模: {X files, Y directories} 技术栈: {language, framework, version} 项目类型: {CMS | 金融 | SaaS | 数据平台 | 身份认证 | IoT | 通用Web} 入口点: {Controller/Router/Handler 数量} 关键模块: {列表}
Step 4: 执行计划 → STOP
基于 Step 1-3 的输出生成执行计划。输出后暂停,等待用户确认才能继续。
quick/standard 模板:
[PLAN] 模式: {mode} 技术栈: {from Step 3} 扫描维度: {计划覆盖的 D1-D10 维度} 已加载文档: {from Step 2}
deep 模板(全部字段必填 — 标注了信息来源文档):
[PLAN] 模式: deep 项目规模: {from Step 3} 技术栈: {from Step 3} 维度权重: {from agent.md 状态机 → 项目类型维度权重,如 CMS: D5(++), D1(+), D3(+), D6(+)} Agent 方案: {from agent.md Agent 模板 → 每个 Agent 负责的维度和 max_turns} Agent 数量: {from agent.md 规模建议 → 小型(<10K) 2-3, 中型(10K-100K) 3-5, 大型(>100K) 5-9} D9 覆盖策略: {若项目有后台管理/多角色/多租户 → D9 必查,D3 Agent 须同时覆盖 D9a(IDOR+权限一致性+Mass Assignment)} 轮次规划: R1 广度扫描 → R1 评估 → R2 增量补漏(按需) 门控条件: PHASE_1_RECON → ROUND_N_RUNNING → ROUND_N_EVALUATION → REPORT 预估总 turns: {Agent数 × max_turns} 已加载文档: {from Step 2}
⚠️ STOP — 输出执行计划后暂停。等待用户确认后才能开始审计。
Step 5: 执行
用户确认后,按执行计划和已加载文档执行:
- quick: 高危模式匹配扫描,直接输出
- standard: 按 Phase 1→5 顺序执行
- deep: 严格按 agent.md 执行状态机
- 启动 Multi-Agent 并行(按 Step 4 确认的 Agent 方案)
- 遵守每个 State 的门控条件
- 轮次评估使用 agent.md 三问法则
Step 6: 报告门控
生成报告前验证:
| 前置条件 | quick | standard | deep |
|---|---|---|---|
| 高危模式扫描完成 | ✅ | ✅ | ✅ |
| D1-D10 覆盖率标记(✅已覆盖/⚠️浅覆盖/❌未覆盖) | — | ✅ | ✅ |
| 所有 Agent 完成或超时标注 | — | — | ✅ |
| 轮次评估三问通过 | — | — | ✅ |
不满足前置条件 → 不得生成最终报告。
Anti-Hallucination Rules (MUST FOLLOW)
⚠️ Every finding MUST be based on actual code read via tools ✗ Do NOT guess file paths based on "typical project structure" ✗ Do NOT fabricate code snippets from memory ✗ Do NOT report vulnerabilities in files you haven't read ✓ MUST use Read/Glob to verify file exists before reporting ✓ MUST quote actual code from Read tool output ✓ MUST match project's actual tech stack
Core principle: Better to miss a vulnerability than report a false positive.
Anti-Confirmation-Bias Rules (MUST FOLLOW)
⚠️ Audit MUST be methodology-driven, NOT case-driven ✗ Do NOT say "基于之前的审计经验,我将重点关注..." ✗ Do NOT prioritize certain vuln types based on "known CVEs" ✗ Do NOT skip checklist items because they seem "less likely" ✓ MUST enumerate ALL sensitive operations, then verify EACH one ✓ MUST complete the full checklist for EACH vulnerability type ✓ MUST treat all potential vulnerabilities with equal rigor
Core principle: Discover ALL potential vulnerabilities, not just familiar patterns.
Two-Layer Checklist (两层检查清单)
Layer 1:
— Phase 2A后加载,验证10个安全维度覆盖率 Layer 2: 语言语义提示 — 仅对未覆盖维度按需加载对应段落coverage_matrix.md
| 文件 | 用途 |
|---|---|
| 覆盖率矩阵 (D1-D10) |
| 通用架构/逻辑级语义提示 |
| Java 语义提示 (10维度) |
| Python 语义提示 |
| PHP 语义提示 |
| JavaScript/Node.js 语义提示 |
| Go 语义提示 |
| .NET/C# 语义提示 |
| Ruby 语义提示 |
| C/C++ 语义提示 |
| Rust 语义提示 |
核心原则: Checklist 不驱动审计,而是验证覆盖。LLM 先自由审计(Phase 2A),再用矩阵查漏(Phase 2B)。
Module Reference
Core Modules (Load First)
| Module | Path | Purpose |
|---|---|---|
| Capability Baseline | | 防止能力丢失的回归测试框架 |
| Anti-Hallucination | | Prevent false positives |
| Audit Methodology | | Systematic framework, coverage tracking |
| Taint Analysis | | Data flow tracking, LSP-enhanced tracking, Slot type classification |
| PoC Generation | | Verification templates |
| External Tools | | Semgrep/Bandit integration |
Language Modules (Load by Tech Stack)
| Language | Module | Key Vulnerabilities |
|---|---|---|
| Java | | SQL injection, XXE, deserialization |
| Python | | Pickle, SSTI, command injection |
| Go | | Race conditions, SSRF |
| PHP | | File inclusion, deserialization |
| JavaScript | | Prototype pollution, XSS |
Security Domain Modules (Load as Needed)
| Domain | Module | When to Load |
|---|---|---|
| API Security | | REST/GraphQL APIs |
| LLM Security | | AI/ML applications |
| Serverless | | AWS Lambda, Azure Functions |
| Cryptography | | Encryption, TLS, JWT |
| Race Conditions | | Concurrent operations |
Tool Priority Strategy
Priority 1: External Professional Tools (if available) ├─ semgrep scan --config auto # Multi-language SAST ├─ bandit -r ./src # Python security ├─ gosec ./... # Go security └─ gitleaks detect # Secret scanning Priority 2: Built-in Analysis (always available) ├─ LSP semantic analysis # goToDefinition, findReferences, incomingCalls ├─ Read + Grep pattern matching # Core analysis └─ Module knowledge base # 55+ vuln patterns Priority 3: Verification ├─ PoC templates from references/core/poc_generation.md └─ Confidence scoring from references/core/verification_methodology.md
Detailed Documentation
For complete audit methodology, vulnerability patterns, and detection rules, see:
- Full Workflow:
- Complete audit process and detection commandsagent.md - Vulnerability Details:
- Language/framework-specific patternsreferences/ - Tool Integration:
references/core/external_tools_guide.md - Report Templates:
references/core/taint_analysis.md
Version
- Current: 1.0
- Updated: 2026-02-13
v1.0 (Initial Public Release)
- 9语言143项强制检测清单 (
)references/checklists/ - 双轨并行审计框架: Sink-driven + Control-driven + Config-driven
- Docker部署验证框架 (
)references/core/docker_verification.md - WooYun 88,636案例库集成
- 安全控制矩阵框架