Skip to main content

/security-audit

Source: ~/.claude/skills/security-audit/SKILL.md

name: security-audit version: 2.0 description: > Run comprehensive security audit following OWASP and ALAI LAWS. Use for: "security review", "audit this code", "check for vulnerabilities", "OWASP check", "before deploying", "security scan", "/security-audit". level: 3 company: Securion

/security-audit — Security Review

Purpose

Systematic security review covering OWASP Top 10, ALAI internal LAWS, and code-specific vulnerabilities.

Variables

Variable Type Description Default
target path/scope File, directory, or "full system" current project
depth string quick | standard | deep standard
focus string owasp | laws | auth | api | all all

Workflow

Step 1: Scope

  • Read $ARGUMENTS to determine target and depth
  • if no target → audit current working directory
  • if depth=quick → run only LAWS + auth checks
  • if depth=deep → run all + tob-* skill checks

Step 2: ALAI LAWS Compliance

Check each LAW:

  • ZAKON 0 (Tajnost): No secrets in code, no internal URLs exposed, no employee data hardcoded
  • ZAKON 1 (Ne škodi): No destructive ops without confirm, backups exist for critical data
  • ZAKON 2 (Slušaj): Auth on all endpoints, RBAC, admin routes protected
  • ZAKON 3 (Čuvaj sebe): Error handling, graceful degradation, no crash on bad input

Step 3: OWASP Top 10 Check

For each category, scan target:

  1. Injection (SQL, NoSQL, command injection)
  2. Broken Authentication (weak JWT, no rate limit, session issues)
  3. Sensitive Data Exposure (logs, responses, hardcoded secrets)
  4. Security Misconfiguration (CORS, headers, default credentials)
  5. XSS (reflected, stored, DOM-based)
  6. Broken Access Control (IDOR, privilege escalation)
  7. Vulnerable Dependencies (npm audit or equivalent)
  8. Insecure Deserialization
  9. Logging & Monitoring gaps
  10. SSRF

Step 4: Run Available Tools

  • if tob-static-analysis available → run on target
  • if tob-insecure-defaults available → check configs
  • if tob-sharp-edges available → check dangerous patterns
  • npm audit --audit-level=high if package.json exists

Step 5: Report

  • if CRITICAL found → flag for immediate fix, offer to create MC task
  • if HIGH found → list with recommended fixes
  • if depth=deep → include code snippets for each finding

Report Format

SECURITY AUDIT REPORT
Target: [scope]
Depth: [quick|standard|deep]
Date: [timestamp]

CRITICAL (block deployment):
  [C1] [finding] — [file:line] — [fix]

HIGH (fix before next release):
  [H1] [finding] — [fix]

MEDIUM:
  [M1] [finding]

LAWS: [PASS|FAIL — list failures]
OWASP: [X/10 categories clean]
Tools run: [list]

$ARGUMENTS

Back to top