renolation/english
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
english/.opencode/skills/ck-security/SKILL.md
renolation 10d660cbcb init
2026-04-12 01:06:31 +07:00

4.6 KiB
Raw Permalink Blame History

name, description, argument-hint, metadata
name description argument-hint metadata
ck:security STRIDE + OWASP-based security audit with optional auto-fix. Scans code for vulnerabilities, categorizes by severity, and can iteratively fix findings using ck:autoresearch pattern. <scope glob or 'full'> [--fix] [--iterations N]
author attribution license version
claudekit Security audit pattern adapted from autoresearch by Udit Goenka (MIT) MIT 1.0.0

ck:security — Security Audit

Runs a structured STRIDE + OWASP security audit on a given scope. Produces a severity-ranked findings report. With --fix, applies fixes iteratively using the ck:autoresearch guard pattern.

When to Use

  • Before a release or major deployment
  • After adding auth, payment, or data-handling features
  • Periodic security review (monthly/quarterly)
  • Compliance check (SOC 2, GDPR, PCI-DSS prep)

When NOT to Use

  • Purely cosmetic changes (CSS, copy edits)
  • No user-facing code or data handling involved

Modes

Mode Invocation Behavior
Audit only /ck:security <scope> Scan → categorize → report
Audit + Fix /ck:security <scope> --fix Scan → categorize → fix iteratively
Bounded fix /ck:security <scope> --fix --iterations N Limit fix iterations to N

Audit Methodology

1. Scope Resolution

Expand the provided glob or full keyword into a file list. Read all in-scope files before analysis.

2. STRIDE Analysis

Evaluate each threat category systematically:

  • Spoofing — identity/authentication weaknesses
  • Tampering — input validation, integrity controls
  • Repudiation — audit logging gaps
  • Information Disclosure — data leakage, secret exposure
  • Denial of Service — rate limits, resource exhaustion
  • Elevation of Privilege — broken access control, RBAC gaps

3. OWASP Top 10 Check

Map findings to OWASP categories (A01A10). See references/stride-owasp-checklist.md for per-category checks.

4. Dependency Audit

Run the appropriate package audit tool for the detected stack:

  • Node.js: npm audit
  • Python: pip-audit
  • Go: govulncheck
  • Ruby: bundle audit

5. Secret Detection

Scan for hardcoded API keys, passwords, tokens, and private keys using regex patterns. See references/stride-owasp-checklist.md → Secret Patterns.

6. Finding Categorization

Assign each finding a severity level (see Severity Definitions below).

Output Format

## Security Audit Report

### Summary
- Files scanned: N
- Findings: X critical, Y high, Z medium, W low, V info

### Findings

| # | Severity | Category | File:Line | Description | Fix Recommendation |
|---|----------|----------|-----------|-------------|-------------------|
| 1 | Critical  | Injection | api/users.ts:45 | SQL string concatenation | Use parameterized queries |
| 2 | High      | Auth      | auth/login.ts:12 | No rate limiting | Add express-rate-limit |

Fix Mode (--fix)

When --fix is provided, apply fixes iteratively after the audit:

  1. Sort all findings by severity (Critical → High → Medium → Low)
  2. For each finding: a. Apply one targeted fix b. Run guard (tests or lint) to verify no regression c. Commit: security(fix-N): <short description> d. Advance to next finding
  3. Stop early if guard fails — report the failure instead of proceeding
  4. Uses ck:autoresearch guard pattern for regression prevention

Tip: Use --iterations N to cap total fix iterations when scope is large.

Severity Definitions

Severity Description Fix Priority
Critical Exploitable now, data breach or RCE risk Immediate — block release
High Exploitable with moderate effort, significant impact This sprint
Medium Limited exploitability or impact Next sprint
Low Theoretical risk, defense-in-depth improvement Backlog
Info Best practice suggestion, no direct risk Optional

Integration with Other Skills

  • Run after ck:predict when the security persona flags concerns
  • Feed Critical/High findings into ck:autoresearch --fix for automated remediation
  • Use ck:scenario with --focus authorization for deeper auth flow testing
  • Pair with ck:plan to schedule Medium/Low findings as sprint tasks

Example Invocations

# Audit API layer only
/ck:security src/api/**/*.ts

# Audit entire src/ and auto-fix, max 15 iterations
/ck:security src/ --fix --iterations 15

# Full codebase audit (no fix)
/ck:security full

See references/stride-owasp-checklist.md for the detailed per-category checklist and secret detection regex patterns.