asiaostrich/locales/zh-CN/skills/security-scan-assistant
locales/zh-CN/skills/security-scan-assistant/SKILL.md
引导自动化安全扫描、依赖包审计和机密检测。 使用时机:依赖审计、CVE 扫描、机密检测、许可证合规。 关键字:scan, audit, CVE, dependency, secret, SBOM, vulnerability, 扫描, 漏洞。
$ install --global
skillsauthnpx skillsauth add asiaostrich/universal-dev-standards locales/zh-CN/skills/security-scan-assistantInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 10:51 AM5.1s1 file scanned
SKILL.md
- source:
- ../../../../skills/security-scan-assistant/SKILL.md
- source_version:
- 1.0.0
- translation_version:
- 1.0.0
- last_synced:
- 2026-03-23
- status:
- current
- description:
- |
安全扫描助手
语言: English | 简体中文
自动化依赖包、机密信息和许可证合规的安全扫描。
扫描类型
| 类型 | 工具范例 | 用途 | |------|----------|------| | 依赖包审计 | npm audit, pip-audit, Snyk | 检测已知 CVE | | 机密检测 | gitleaks, trufflehog | 检测泄露的凭证 | | 许可证合规 | license-checker, SPDX | 验证开源许可证兼容性 | | SAST | Semgrep, CodeQL | 静态分析代码模式 |
工具整合
| 工具 | 命令 | 范围 |
|------|------|------|
| npm audit | npm audit --json | Node.js 依赖包 |
| Snyk | npx snyk test | 多语言依赖包 |
| Trivy | trivy fs . | 文件系统与容器 |
| gitleaks | gitleaks detect | Git 历史机密 |
| SPDX | npx spdx-tool | 许可证 SBOM 产出 |
严重程度分类与 SLA
| 严重程度 | SLA | 标准 | |----------|-----|------| | Critical | 24 小时 | 远程执行、认证绕过、数据外泄 | | High | 72 小时 | 权限提升、SQL 注入 | | Medium | 2 周 | XSS、CSRF、信息泄露 | | Low | 下个 Sprint | 缺少 Header、冗长错误信息 |
工作流程
SCAN ──► TRIAGE ──► PRIORITIZE ──► FIX ──► VERIFY
使用方式
/scan- 完整扫描(依赖包 + 机密 + 许可证)/scan --deps- 仅依赖包审计/scan --secrets- 仅机密检测/scan --license- 许可证合规检查
下一步引导
/scan 完成后,AI 助手应建议:
扫描完成。建议下一步:
- 执行
/security深入安全审查- 执行
/checkin确认修复符合提交规范- 执行
/commit提交安全修复- 更新依赖包 →
npm update或pip install --upgrade
参考
- 核心规范:security-standards.md
Related Skills
asiaostrich/sweep
development
VerifiedTrustedCommunity
[UDS] 扫描代码库的调试残留与代码质量问题;可自动修正安全模式。 Use when: before committing, during PR review, or periodic codebase cleanup. Keywords: sweep, debug cleanup, console.log, debugger, TODO, ts-any, code quality, 扫描, 清理.
69SKILL.mdUpdated Jun 4, 2026
asiaostrich/spec-derive
tools
VerifiedTrustedCommunity
[UDS] 从规格衍生 BDD 场景、TDD 骨架或 ATDD 表格
69SKILL.mdUpdated Jun 4, 2026
asiaostrich/skill-builder
development
VerifiedTrustedCommunity
[UDS] 识别重复流程并以正确的开发深度构建 Skill
69SKILL.mdUpdated Jun 4, 2026
asiaostrich/push
tools
VerifiedTrustedCommunity
[UDS] AI 辅助 git push 安全层:质量门禁 + 协作护栏。 Use when: pushing commits, force pushing, pushing to protected branches, pushing feature branches. Keywords: git push, force push, protected branch, quality gate, push receipt, PR automation, 推送, 保护分支, 质量门禁.
69SKILL.mdUpdated Jun 4, 2026