a2mus/speckit-security-scan
.agent/skills/speckit-security-scan/SKILL.md
Mandatory security audit checklist covering secrets, injection, CSRF, rate limiting, dependencies.
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add a2mus/smart-da3m speckit-security-scanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:59 PM2.2s1 file scanned
SKILL.md
- name:
- speckit-security-scan
- description:
- Mandatory security audit checklist covering secrets, injection, CSRF,
- compatibility:
- Requires spec-kit project structure with .specify/ directory
- author:
- github-spec-kit
- source:
- templates/commands/security-scan.md
Speckit Security-Scan Skill
Security Scan Command
Perform a comprehensive security audit of the current codebase or specifically targeted files:
The Checklist
-
Secrets & Credentials
- No hardcoded API keys, passwords, or tokens in source code.
- Using
.envcorrectly, and.envis ignored by git. - Config files do not leak sensitive values.
-
Injection Prevention
- SQL queries use parameterized queries or ORMs (no string concatenation).
- Shell commands avoid user input or safely escape it.
- No dynamic evaluation (
eval,setTimeout(string), etc.) of user input.
-
Cross-Site Scripting (XSS) & CSRF
- User input rendered in HTML is safely escaped/encoded.
- CSRF tokens used for state-changing operations where applicable.
- Safe Headers (e.g., CSP, X-Frame-Options) exist when relevant.
-
Access Control & Auth
- Authentication checks cover all protected endpoints.
- Authorization/Roles verified appropriately.
- Passwords hashed (e.g., bcrypt, argon2).
- Session/JWT signatures are validated and appropriately scoped.
-
Rate Limiting & Resources
- Endpoints have reasonable rate limits to prevent Brute Force or DoS.
- Payloads have maximum size constraints.
-
Dependencies
- Check if any known vulnerable dependencies are requested (e.g.,
npm audit,pip-audit, etc.). - Are dependency versions securely pinned?
- Check if any known vulnerable dependencies are requested (e.g.,
Process
- Perform deep static analysis using search/regex for the above patterns.
- If vulnerabilities are found, classify by Severity: CRITICAL, HIGH, MEDIUM, LOW.
- Present findings and specific remediation strategies.
- If $ARGUMENTS requests fixes, apply safe fixes for each vulnerability, testing after each fix.
Related Skills
a2mus/speckit-analyze
testing
VerifiedTrustedCommunity
Perform cross-artifact consistency analysis across spec.md, plan.md, and tasks.md. Use after task generation to identify gaps, duplications, and inconsistencies before implementation.
SKILL.mdUpdated Apr 17, 2026
a2mus/speckit-verify
development
VerifiedTrustedCommunity
Run comprehensive verification on current codebase state.
SKILL.mdUpdated Apr 16, 2026
a2mus/speckit-update-upstream
testing
VerifiedTrustedCommunity
Intelligently sync your fork with the upstream spec-kit repository. Reads both versions of every changed file, compares quality, and produces the richest possible result by blending the best of each.
SKILL.mdUpdated Apr 16, 2026
a2mus/speckit-uidesign
development
VerifiedTrustedCommunity
Impeccable UI design workflow — create distinctive, production-grade interfaces or enhance existing ones. Integrates design context gathering, anti-pattern detection, heuristic scoring, and systematic polish. Works after speckit-brainstorm (new design) or on existing UI code (enhancement mode).
SKILL.mdUpdated Apr 16, 2026