quantumbitcz/forge-security-audit
skills/forge-security-audit/SKILL.md
[read-only] Run module-appropriate security scanners and aggregate vulnerability results. Use when preparing for a release, after dependency updates, when reviewing third-party package security, or when onboarding to a new codebase to assess its security posture.
development
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add quantumbitcz/dev-pipeline forge-security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 5:17 AM4.2s1 file scanned
SKILL.md
- name:
- forge-security-audit
- description:
- [read-only] Run module-appropriate security scanners and aggregate vulnerability results. Use when preparing for a release, after dependency updates, when reviewing third-party package security, or when onboarding to a new codebase to assess its security posture.
- allowed-tools:
- ['Read', 'Bash', 'Glob', 'Grep']
- disable-model-invocation:
- false
/forge-security-audit -- Security Audit
Run security vulnerability scanners appropriate for the current module.
Flags
- --help: print usage and exit 0
- --json: structured JSON output
Exit codes
See shared/skill-contract.md for the standard exit-code table.
Prerequisites
Before any action, verify:
- Git repository: Run
git rev-parse --show-toplevel 2>/dev/null. If fails: report "Not a git repository. Navigate to a project directory." and STOP. - Forge initialized: Check
.claude/forge.local.mdexists. If not: try to detect the module from project files (package.json, build.gradle.kts, Cargo.toml, go.mod, etc.). If detection also fails: report "Could not detect project type. Run/forge-initto configure, or specify the framework manually." and STOP. - Scanner available: Verify at least one appropriate scanner is installed for the detected framework (see scanner table below). If none: report which scanner to install and how.
Instructions
-
Read
.claude/forge.local.mdfor thecomponentssection (language, framework)- If the file does not exist: try to detect the module from project files (package.json, build.gradle.kts, Cargo.toml, go.mod, etc.)
-
Run the appropriate scanner based on module:
| Framework | Scanner Command | Fallback | |-----------|----------------|----------| | react, nextjs, sveltekit, express, angular, nestjs, vue, svelte |
npm audit --jsonorpnpm audit --jsonorbun audit|npx auditjs| | spring (kotlin or java) |./gradlew dependencyCheckAnalyze| Manual check of build.gradle.kts | | fastapi, django |pip-auditorsafety check|pip list --outdated| | axum |cargo audit|cargo deny check| | go-stdlib, gin |govulncheck ./...|go list -m -json all| | swiftui, vapor | Manual review of Package.resolved | -- | | jetpack-compose, kotlin-multiplatform, scala (sbt) |./gradlew dependencyCheckAnalyzeorsbt dependencyCheck| Manual check of build file | | aspnet |dotnet list package --vulnerable| Manual check of .csproj | | embedded |cppcheck --enable=all src/| -- | | k8s |trivy config .orkubeaudit all|helm lint charts/| | ruby |bundler-audit checkorbundle audit|gem list --outdated| | php |composer auditorlocal-php-security-checker|composer outdated| | elixir |mix deps.auditormix sobelow|mix hex.audit| -
Aggregate results:
## Security Audit Results - Critical: {count} - High: {count} - Medium: {count} - Low: {count} ### Top Issues 1. {package} {version} -- {vulnerability} -- {fix: upgrade to {version}} ...
Error Handling
| Condition | Action | |-----------|--------| | Prerequisites fail | Report specific error message and STOP | | Scanner not installed | Report "Scanner {name} not found. Install with: {command}" and suggest alternatives from the fallback column | | Scanner command fails | Report the error output. If it is a configuration issue, suggest how to configure the scanner | | No vulnerabilities found | Report "No known vulnerabilities detected" -- this is a positive result | | Multiple frameworks detected | Run scanners for all detected frameworks and aggregate results | | forge.local.md missing | Fall back to auto-detection from project files | | State corruption | This skill does not depend on state.json -- it runs independently |
Important
- Do NOT fix vulnerabilities -- only report them
- If scanner is not installed, report: "Scanner {name} not found. Install with: {command}"
- If no vulnerabilities found, report: "No known vulnerabilities detected"
See Also
/forge-review-- Review code for quality and security findings using forge review agents/forge-review-- Full codebase scan against convention rules including security patterns/forge-review-- Iteratively fix all codebase issues including security findings/forge-verify-- Quick build + lint + test check (does not include security scanning)
Related Skills
quantumbitcz/forge
development
VerifiedTrustedCommunity
[writes] Build, fix, deploy, review, or modify code in this project. Universal entry for the forge pipeline. Auto-bootstraps on first run; brainstorms before planning when given a feature description. Use when you want to take any productive action: implementing features, fixing bugs, reviewing branches, deploying, committing, running migrations.
SKILL.mdUpdated Apr 30, 2026
quantumbitcz/forge-admin
tools
VerifiedTrustedCommunity
[writes] Manage forge state and configuration: recovery, abort, config edits, session handoff, automations, playbooks, output compression, knowledge graph maintenance. Use when you need to recover from broken pipeline state, edit settings, or manage long-lived state.
SKILL.mdUpdated Apr 30, 2026
quantumbitcz/forge-handoff
development
VerifiedTrustedCommunity
[writes] Create, list, show, resume, or search forge session handoffs. Use when context is getting heavy and you want to transfer a forge run or conversation into a fresh Claude Code session, or to resume from a prior handoff artefact. Subcommands - no args (write), list, show, resume, search.
SKILL.mdUpdated Apr 23, 2026
quantumbitcz/forge-graph
development
VerifiedTrustedCommunity
[writes] Manage the Neo4j knowledge graph. Subcommands: init, rebuild (writes); status, query <cypher>, debug (read-only). Requires Docker. No default — an explicit subcommand is required. Use when setting up the graph for the first time, rebuilding after major refactors, checking graph health, or running ad-hoc Cypher diagnostics.
SKILL.mdUpdated Apr 21, 2026