quanganh208/ck:security
.claude/skills/ck-security/SKILL.md
STRIDE + OWASP-based security audit with optional auto-fix. Scans code for vulnerabilities, categorizes by severity, and can iteratively fix findings using ck:autoresearch pattern.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add quanganh208/cookmate ck:securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 6:55 PM16.5s2 files scanned
SKILL.md
- name:
- ck:security
- description:
- STRIDE + OWASP-based security audit with optional auto-fix. Scans code for vulnerabilities, categorizes by severity, and can iteratively fix findings using ck:autoresearch pattern.
- argument-hint:
- <scope glob or 'full'> [--fix] [--iterations N]
- author:
- claudekit
- attribution:
- Security audit pattern adapted from autoresearch by Udit Goenka (MIT)
- license:
- MIT
- version:
- 1.0.0
ck:security — Security Audit
Runs a structured STRIDE + OWASP security audit on a given scope. Produces a severity-ranked findings report. With --fix, applies fixes iteratively using the ck:autoresearch guard pattern.
When to Use
- Before a release or major deployment
- After adding auth, payment, or data-handling features
- Periodic security review (monthly/quarterly)
- Compliance check (SOC 2, GDPR, PCI-DSS prep)
When NOT to Use
- Purely cosmetic changes (CSS, copy edits)
- No user-facing code or data handling involved
Modes
| Mode | Invocation | Behavior |
|------|-----------|----------|
| Audit only | /ck:security <scope> | Scan → categorize → report |
| Audit + Fix | /ck:security <scope> --fix | Scan → categorize → fix iteratively |
| Bounded fix | /ck:security <scope> --fix --iterations N | Limit fix iterations to N |
Audit Methodology
1. Scope Resolution
Expand the provided glob or full keyword into a file list. Read all in-scope files before analysis.
2. STRIDE Analysis
Evaluate each threat category systematically:
- Spoofing — identity/authentication weaknesses
- Tampering — input validation, integrity controls
- Repudiation — audit logging gaps
- Information Disclosure — data leakage, secret exposure
- Denial of Service — rate limits, resource exhaustion
- Elevation of Privilege — broken access control, RBAC gaps
3. OWASP Top 10 Check
Map findings to OWASP categories (A01–A10). See references/stride-owasp-checklist.md for per-category checks.
4. Dependency Audit
Run the appropriate package audit tool for the detected stack:
- Node.js:
npm audit - Python:
pip-audit - Go:
govulncheck - Ruby:
bundle audit
5. Secret Detection
Scan for hardcoded API keys, passwords, tokens, and private keys using regex patterns. See references/stride-owasp-checklist.md → Secret Patterns.
6. Finding Categorization
Assign each finding a severity level (see Severity Definitions below).
Output Format
## Security Audit Report
### Summary
- Files scanned: N
- Findings: X critical, Y high, Z medium, W low, V info
### Findings
| # | Severity | Category | File:Line | Description | Fix Recommendation |
|---|----------|----------|-----------|-------------|-------------------|
| 1 | Critical | Injection | api/users.ts:45 | SQL string concatenation | Use parameterized queries |
| 2 | High | Auth | auth/login.ts:12 | No rate limiting | Add express-rate-limit |
Fix Mode (--fix)
When --fix is provided, apply fixes iteratively after the audit:
- Sort all findings by severity (Critical → High → Medium → Low)
- For each finding:
a. Apply one targeted fix
b. Run guard (tests or lint) to verify no regression
c. Commit:
security(fix-N): <short description>d. Advance to next finding - Stop early if guard fails — report the failure instead of proceeding
- Uses
ck:autoresearchguard pattern for regression prevention
Tip: Use
--iterations Nto cap total fix iterations when scope is large.
Severity Definitions
| Severity | Description | Fix Priority | |----------|-------------|-------------| | Critical | Exploitable now, data breach or RCE risk | Immediate — block release | | High | Exploitable with moderate effort, significant impact | This sprint | | Medium | Limited exploitability or impact | Next sprint | | Low | Theoretical risk, defense-in-depth improvement | Backlog | | Info | Best practice suggestion, no direct risk | Optional |
Integration with Other Skills
- Run after
ck:predictwhen the security persona flags concerns - Feed Critical/High findings into
ck:autoresearch --fixfor automated remediation - Use
ck:scenariowith--focus authorizationfor deeper auth flow testing - Pair with
ck:planto schedule Medium/Low findings as sprint tasks
Example Invocations
# Audit API layer only
/ck:security src/api/**/*.ts
# Audit entire src/ and auto-fix, max 15 iterations
/ck:security src/ --fix --iterations 15
# Full codebase audit (no fix)
/ck:security full
See references/stride-owasp-checklist.md for the detailed per-category checklist and secret detection regex patterns.
Related Skills
quanganh208/ck:docx
development
VerifiedTrustedCommunity
Create, edit, analyze .docx Word documents. Use for document creation, tracked changes, comments, formatting preservation, text extraction, template modification.
SKILL.mdUpdated Apr 17, 2026
quanganh208/ck:docs
development
VerifiedTrustedCommunity
Analyze codebase and manage project documentation — init, update, summarize.
SKILL.mdUpdated Apr 17, 2026
quanganh208/ck:docs-seeker
development
VerifiedTrustedCommunity
Search library/framework documentation via llms.txt (context7.com). Use for API docs, GitHub repository analysis, technical documentation lookup, latest library features.
SKILL.mdUpdated Apr 17, 2026
quanganh208/ck:devops
development
VerifiedTrustedCommunity
Deploy to Cloudflare (Workers, R2, D1), Docker, GCP (Cloud Run, GKE), Kubernetes (kubectl, Helm). Use for serverless, containers, CI/CD, GitOps, security audit.
SKILL.mdUpdated Apr 17, 2026