OpenSkillIndex← back to search
claude-code

Agentic-qe qe-security-compliance

Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.

install
source · Clone the upstream repo
git clone https://github.com/proffesor-for-testing/agentic-qe
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/proffesor-for-testing/agentic-qe "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.kiro/skills/qe-security-compliance" ~/.claude/skills/proffesor-for-testing-agentic-qe-qe-security-compliance && rm -rf "$T"
manifest: .kiro/skills/qe-security-compliance/SKILL.md
source content

QE Security Compliance

Purpose

Guide the use of v3's security and compliance testing capabilities including SAST/DAST scanning, vulnerability detection, compliance auditing, and security gate enforcement.

Activation

  • When performing security audits
  • When scanning for vulnerabilities
  • When validating compliance
  • When checking dependencies
  • When setting up security gates

Quick Start

# Full security scan
aqe security scan --scope src/ --checks all

# Vulnerability check
aqe security vulns --dependencies --severity critical,high

# Compliance audit
aqe security compliance --standard soc2 --output report.html

# OWASP check
aqe security owasp --top-10 --scope src/

Agent Workflow

// Security audit
Task("Security audit", `
  Perform comprehensive security audit:
  - SAST scan for code vulnerabilities
  - Dependency vulnerability check
  - Secret detection in code and configs
  - OWASP Top 10 validation
  Generate security report with remediation steps.
`, "qe-security-auditor")

// Compliance validation
Task("SOC2 compliance check", `
  Validate SOC2 compliance requirements:
  - Access control verification
  - Encryption validation
  - Audit logging check
  - Data retention compliance
  Generate compliance evidence report.
`, "qe-compliance-checker")

Security Operations

1. SAST Scanning

await securityScanner.staticAnalysis({
  scope: 'src/**/*.ts',
  checks: [
    'sql-injection',
    'xss',
    'command-injection',
    'path-traversal',
    'insecure-crypto',
    'hardcoded-secrets'
  ],
  rules: 'owasp-top-10',
  severity: ['critical', 'high', 'medium']
});

2. Dependency Scanning

await securityScanner.dependencyCheck({
  sources: ['package.json', 'package-lock.json'],
  checks: {
    knownVulnerabilities: true,
    outdatedPackages: true,
    licenseCompliance: true,
    supplyChainRisk: true
  },
  severity: ['critical', 'high'],
  autoFix: {
    enabled: true,
    dryRun: false
  }
});

3. Compliance Audit

await complianceChecker.audit({
  standards: ['SOC2', 'GDPR', 'HIPAA'],
  scope: {
    code: 'src/',
    configs: 'config/',
    infrastructure: 'terraform/'
  },
  output: {
    gaps: true,
    evidence: true,
    recommendations: true
  }
});

4. Secret Detection

await securityScanner.detectSecrets({
  scope: ['.', 'config/', '.env*'],
  patterns: [
    'api-keys',
    'passwords',
    'tokens',
    'private-keys',
    'connection-strings'
  ],
  exclude: ['*.test.ts', 'mocks/'],
  action: {
    onDetect: 'block',
    notify: ['security-team']
  }
});

OWASP Top 10 Coverage

owasp_2021:
  A01_broken_access_control:
    checks: [privilege-escalation, idor, cors-misconfiguration]
    automated: true

  A02_cryptographic_failures:
    checks: [weak-encryption, missing-encryption, key-management]
    automated: true

  A03_injection:
    checks: [sql, nosql, command, xss, ldap]
    automated: true

  A04_insecure_design:
    checks: [threat-modeling, secure-patterns]
    automated: partial

  A05_security_misconfiguration:
    checks: [default-credentials, unnecessary-features]
    automated: true

  A06_vulnerable_components:
    checks: [outdated-deps, known-cves]
    automated: true

  A07_auth_failures:
    checks: [weak-passwords, session-issues]
    automated: true

  A08_software_data_integrity:
    checks: [insecure-deserialization, cicd-security]
    automated: partial

  A09_logging_monitoring:
    checks: [insufficient-logging, missing-alerts]
    automated: partial

  A10_ssrf:
    checks: [server-side-request-forgery]
    automated: true

Security Report

interface SecurityReport {
  summary: {
    score: number;  // 0-100
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  vulnerabilities: {
    id: string;
    type: string;
    severity: 'critical' | 'high' | 'medium' | 'low';
    location: string;
    description: string;
    remediation: string;
    cwe: string;
    owasp: string;
  }[];
  dependencies: {
    vulnerable: number;
    outdated: number;
    details: DependencyVuln[];
  };
  compliance: {
    standard: string;
    status: 'compliant' | 'non-compliant' | 'partial';
    gaps: ComplianceGap[];
    evidence: Evidence[];
  }[];
  secrets: {
    detected: number;
    locations: SecretLocation[];
  };
}

Security Gates

security_gates:
  block_merge:
    - critical_vulnerabilities > 0
    - high_vulnerabilities > 2
    - secrets_detected > 0
    - compliance_failures > 0

  warn:
    - medium_vulnerabilities > 5
    - outdated_dependencies > 10

  enforce:
    - signed_commits: required
    - code_review: required
    - security_scan: required

Compliance Standards

StandardScopeAuto-Check
SOC2Security controlsPartial
GDPRData privacyPartial
HIPAAHealth dataPartial
PCI-DSSPayment dataYes
ISO 27001InfoSecPartial

Coordination

Primary Agents: qe-security-auditor, qe-security-scanner, qe-compliance-checker Coordinator: qe-security-coordinator Related Skills: qe-quality-assessment, qe-contract-testing