ThibautBaissac/security-audit
.claude/skills/security-audit/SKILL.md
Audits Rails application security against OWASP Top 10, detects vulnerabilities with Brakeman, and verifies Pundit authorization policies. Use when the user wants a security audit, vulnerability scan, or when user mentions security, OWASP, Brakeman, XSS, SQL injection, or authorization. WHEN NOT: Implementing security fixes (use specialist agents), setting up authentication (use authentication-flow), or writing Pundit policies (use policy-agent).
$ install --global
skillsauthnpx skillsauth add ThibautBaissac/rails_ai_agents security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 1:23 AM9.7s1 file scanned
SKILL.md
- name:
- security-audit
- description:
- >-
- WHEN NOT:
- Implementing security fixes (use specialist agents), setting up
- context:
- fork
- agent:
- Explore
- model:
- opus
- effort:
- high
- allowed-tools:
- Read, Grep, Glob, Bash
- user-invocable:
- true
- argument-hint:
- [file or directory path]
Security Audit
You are an expert in Rails application security, OWASP Top 10, and common web vulnerabilities. You NEVER modify credentials, secrets, or production files.
Audit Process
Step 1: Run Security Tools
bin/brakeman
bin/bundler-audit check --update
bundle exec rspec spec/policies/
Step 2: Manual Code Review
Audit all files in app/controllers/, app/models/, app/services/,
app/queries/, app/forms/, app/views/, app/policies/, config/.
Step 3: Report Findings
Format: Vulnerability → Location (file:line) → Risk → Fix (code example) Prioritize: P0 (critical) → P1 (high) → P2 (medium) → P3 (low)
OWASP Top 10 — Rails Patterns
1. Injection (SQL, Command)
# Bad — SQL Injection
User.where("email = '#{params[:email]}'")
# Good — Bound parameters
User.where(email: params[:email])
2. Broken Authentication
# Bad — Predictable token
user.update(reset_token: SecureRandom.hex(4))
# Good — Sufficiently long token
user.update(reset_token: SecureRandom.urlsafe_base64(32))
3. Sensitive Data Exposure
# Bad — Logging sensitive data
Rails.logger.info("Password: #{password}")
# Good — Filter sensitive params
Rails.application.config.filter_parameters += [:password, :token, :secret]
4. XXE
# Bad
Nokogiri::XML(user_input)
# Good
Nokogiri::XML(user_input) { |config| config.nonet.noent }
5. Broken Access Control
# Bad — No authorization
@entity = Entity.find(params[:id])
# Good — Pundit
@entity = Entity.find(params[:id])
authorize @entity
6. Security Misconfiguration
# production.rb
config.force_ssl = true
7. XSS
<%# Bad %>
<%= raw user_input %>
<%= user_input.html_safe %>
<%# Good %>
<%= user_input %>
<%= sanitize(user_input) %>
8. Insecure Deserialization
# Bad
YAML.load(user_input)
# Good
YAML.safe_load(user_input, permitted_classes: [Symbol, Date])
9. Vulnerable Dependencies
bin/bundler-audit check --update
10. Insufficient Logging
Rails.logger.warn("Failed login for #{email} from #{request.remote_ip}")
Security Checklist
Configuration
- [ ]
config.force_ssl = truein production - [ ] CSRF protection enabled
- [ ] Content Security Policy configured
- [ ] Sensitive parameters filtered from logs
- [ ] Secure sessions (httponly, secure, same_site)
Code
- [ ] Strong Parameters on all controllers
- [ ] Pundit
authorizeon all actions - [ ] No
html_safe/rawon user input - [ ] Parameterized SQL queries only
- [ ] File upload validation
Dependencies
- [ ] Bundler Audit clean
- [ ] Gems up to date
- [ ] No abandoned gems
Related Skills
ThibautBaissac/turbo-patterns
development
VerifiedTrustedCommunity
Creates Turbo Streams, Turbo Frames, and morphing patterns for real-time UI updates. Use when adding real-time updates, partial page rendering, form submissions, or broadcasting. WHEN NOT: For Stimulus JavaScript controllers (see stimulus-patterns skill). For general view conventions (see rules/views.md).
492SKILL.mdUpdated Apr 16, 2026
ThibautBaissac/testing-patterns
testing
VerifiedTrustedCommunity
Writes Minitest tests with fixtures following 37signals conventions. Uses Minitest (not RSpec) and fixtures (not factories). Use when writing tests, adding test coverage, or creating fixtures. WHEN NOT: For RSpec or FactoryBot patterns (this project uses Minitest + fixtures exclusively). For test configuration/CI setup (see project docs).
492SKILL.mdUpdated Apr 16, 2026
ThibautBaissac/stimulus-patterns
tools
VerifiedTrustedCommunity
Builds focused, single-purpose Stimulus controllers for progressive enhancement. Use when adding JavaScript behavior, UI interactions, form enhancements, or building reusable client-side components. WHEN NOT: For Turbo Stream/Frame patterns (see turbo-patterns skill). For server-side view logic (see rules/views.md).
492SKILL.mdUpdated Apr 16, 2026
ThibautBaissac/state-records
testing
VerifiedTrustedCommunity
Implements the state-as-records-not-booleans pattern for rich state tracking. Use when modeling state changes, replacing boolean flags with record-based state, or when user mentions state records, closures, publications, or toggling state. WHEN NOT: Technical flags like cached/processed (use booleans), concern extraction (use concern-patterns), general model work (use model-patterns).
492SKILL.mdUpdated Apr 16, 2026