catlog22/security-audit
.claude/skills/security-audit/SKILL.md
OWASP Top 10 and STRIDE security auditing with supply chain analysis. Triggers on "security audit", "security scan", "cso".
$ install --global
skillsauthnpx skillsauth add catlog22/claude-code-workflow security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 12, 2026, 3:00 AM5.8s7 files scanned
SKILL.md
- name:
- security-audit
- description:
- OWASP Top 10 and STRIDE security auditing with supply chain analysis. Triggers on "security audit", "security scan", "cso".
- allowed-tools:
- Read, Write, Bash, Glob, Grep
Security Audit
4-phase security audit covering supply chain risks, OWASP Top 10 code review, STRIDE threat modeling, and trend-tracked reporting. Produces structured JSON findings in .workflow/.security/.
Architecture Overview
+-------------------------------------------------------------------+
| Phase 1: Supply Chain Scan |
| -> Dependency audit, secrets detection, CI/CD review, LLM risks |
| -> Output: supply-chain-report.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 2: OWASP Review |
| -> OWASP Top 10 2021 code-level analysis via ccw cli |
| -> Output: owasp-findings.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 3: Threat Modeling (STRIDE) |
| -> 6 threat categories mapped to architecture components |
| -> Output: threat-model.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 4: Report & Tracking |
| -> Score calculation, trend comparison, dated report |
| -> Output: .workflow/.security/audit-report-{date}.json |
+-------------------------------------------------------------------+
Key Design Principles
- Infrastructure-first: Phase 1 catches low-hanging fruit (leaked secrets, vulnerable deps) before deeper analysis
- Standards-based: OWASP Top 10 2021 and STRIDE provide systematic coverage
- Scoring gates: Daily quick-scan must score 8/10; comprehensive audit minimum 2/10 for initial baseline
- Trend tracking: Each audit compares against prior results in
.workflow/.security/
Execution Flow
Quick-Scan Mode (daily)
Run Phase 1 only. Must score >= 8/10 to pass.
Comprehensive Mode (full audit)
Run all 4 phases sequentially. Initial baseline minimum 2/10.
Phase Sequence
- Phase 1: Supply Chain Scan -- phases/01-supply-chain-scan.md
- Dependency audit (npm audit / pip-audit / safety check)
- Secrets detection (API keys, tokens, passwords in source)
- CI/CD config review (injection risks in workflow YAML)
- LLM/AI prompt injection check
- Phase 2: OWASP Review -- phases/02-owasp-review.md
- Systematic OWASP Top 10 2021 code review
- Uses
ccw cli --tool gemini --mode analysis --rule analysis-assess-security-risks
- Phase 3: Threat Modeling -- phases/03-threat-modeling.md
- STRIDE threat model mapped to architecture components
- Trust boundary identification and attack surface assessment
- Phase 4: Report & Tracking -- phases/04-report-tracking.md
- Score calculation with severity weights
- Trend comparison with previous audits
- Date-stamped report to
.workflow/.security/
Scoring Overview
See specs/scoring-gates.md for full specification.
| Severity | Weight | Example | |----------|--------|---------| | Critical | 10 | RCE, SQL injection, leaked credentials | | High | 7 | Broken auth, SSRF, privilege escalation | | Medium | 4 | XSS, CSRF, verbose error messages | | Low | 1 | Missing headers, informational disclosures |
Gates: Daily quick-scan >= 8/10, Comprehensive initial >= 2/10.
Directory Setup
mkdir -p .workflow/.security
WORK_DIR=".workflow/.security"
Output Structure
.workflow/.security/
audit-report-{YYYY-MM-DD}.json # Dated audit report
supply-chain-report.json # Latest supply chain scan
owasp-findings.json # Latest OWASP findings
threat-model.json # Latest STRIDE threat model
Reference Documents
| Document | Purpose | |----------|---------| | phases/01-supply-chain-scan.md | Dependency, secrets, CI/CD, LLM risk scan | | phases/02-owasp-review.md | OWASP Top 10 2021 code review | | phases/03-threat-modeling.md | STRIDE threat modeling | | phases/04-report-tracking.md | Report generation and trend tracking | | specs/scoring-gates.md | Scoring system and quality gates | | specs/owasp-checklist.md | OWASP Top 10 detection patterns |
Completion Status Protocol
This skill follows the Completion Status Protocol defined in _shared/SKILL-DESIGN-SPEC.md sections 13-14.
Possible termination statuses:
- DONE: All phases completed, score calculated, report generated
- DONE_WITH_CONCERNS: Audit completed but findings exceed acceptable thresholds
- BLOCKED: Required tools unavailable (e.g., npm/pip not installed), permission denied
- NEEDS_CONTEXT: Ambiguous project scope, unclear trust boundaries
Escalation follows the Three-Strike Rule (section 14) per step.
Related Skills
catlog22/workflow-test-fix-cycle
testing
VerifiedTrustedCommunity
End-to-end test-fix workflow generate test sessions with progressive layers (L0-L3), then execute iterative fix cycles until pass rate >= 95%. Combines test-fix-gen and test-cycle-execute into a unified pipeline. Triggers on "workflow:test-fix-cycle".
1,784SKILL.mdUpdated Apr 12, 2026
catlog22/workflow-lite-plan
devops
VerifiedTrustedCommunity
Explore-first wave pipeline. Decomposes requirement into exploration angles, runs wave exploration via spawn_agents_on_csv, synthesizes findings into execution tasks with cross-phase context linking (E*→T*), then wave-executes via spawn_agents_on_csv.
1,784SKILL.mdUpdated Apr 12, 2026
catlog22/spec-setup
data-ai
VerifiedTrustedCommunity
Initialize project-level state and configure specs via interactive questionnaire.
1,784SKILL.mdUpdated Apr 12, 2026
catlog22/spec-add
documentation
VerifiedTrustedCommunity
Add specs, conventions, constraints, or learnings to project guidelines interactively or automatically
1,784SKILL.mdUpdated Apr 12, 2026