Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

tranhieutt/security-audit

Name: security-audit
Author: tranhieutt

.claude/skills/security-audit/SKILL.md

npx skillsauth add tranhieutt/software_development_department security-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

name: security-audit type: workflow description: "Conducts a comprehensive security audit covering web application vulnerabilities, API security, OWASP Top 10, and security hardening recommendations. Use when auditing a codebase for security or when the user mentions security audit, penetration testing, or vulnerability scan." context: fork agent: security-engineer when_to_use: "When performing security audits, vulnerability scanning, penetration testing, or hardening web applications and APIs" allowed-tools: Read, Glob, Grep, Bash argument-hint: "[target: api|frontend|backend|infra|full]" user-invocable: true effort: 5

Security Auditing Workflow

Systematic security review using static analysis tools available in the codebase. Covers OWASP Top 10, secrets exposure, auth patterns, and dependency risk.

Phase 1: Reconnaissance — Map the Attack Surface

Identify entry points — list all routes/controllers:

grep -rn "app\.\(get\|post\|put\|delete\|patch\)\|@app\.route\|router\." src/ --include="*.{js,ts,py}" | head -60

Identify auth middleware — check which routes are protected:

grep -rn "auth\|middleware\|guard\|require_login\|jwt\|bearer" src/ -i --include="*.{js,ts,py}" | head -40

Map external dependencies — check package files for known-risky libs:

cat package.json 2>/dev/null || cat requirements.txt 2>/dev/null || cat go.mod 2>/dev/null

Note findings — list: total endpoints found, unprotected routes, third-party auth libs.

Phase 2: Secrets & Sensitive Data Exposure

Scan for hardcoded secrets:

grep -rn "password\s*=\s*['\"][^'\"]\|api_key\s*=\s*['\"][^'\"]\|secret\s*=\s*['\"][^'\"]" src/ -i | grep -v ".example" | head -30

Scan for tokens/keys in source:

grep -rEn "(sk-|AIza|AKIA|ghp_|xox[baprs]-)[A-Za-z0-9]+" src/ | head -20

Check .env files are gitignored:

cat .gitignore | grep -i "\.env" ; ls -la .env* 2>/dev/null

Check for secrets in logs:

grep -rn "console\.log.*password\|logger.*token\|print.*secret" src/ -i | head -20

Flag: any hardcoded credential or unignored .env file is a P0 finding.

Phase 3: Injection & Input Validation

SQL injection risk — look for string concatenation in queries:

grep -rn "query.*+\|execute.*f\"\|raw.*%s\|SELECT.*\$\{" src/ --include="*.{js,ts,py}" | head -30

Command injection risk — shell execution with user input:

grep -rn "exec(\|spawn(\|subprocess\|os\.system\|child_process" src/ --include="*.{js,ts,py}" | head -20

XSS risk — unescaped HTML rendering:

grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html\|\.html(" src/ --include="*.{js,ts,jsx,tsx,vue}" | head -20

Check for input validation middleware — is there a schema validator at boundaries?

grep -rn "joi\|zod\|yup\|pydantic\|cerberus\|marshmallow" src/ --include="*.{js,ts,py}" | head -10

Phase 4: Authentication & Authorization

JWT / token handling — check for weak configs:

grep -rn "algorithm.*HS256\|expiresIn\|verify\|decode" src/ --include="*.{js,ts,py}" | head -20

Password hashing — confirm bcrypt/argon2, not MD5/SHA1:

grep -rn "md5\|sha1\|hashSync\|bcrypt\|argon2\|pbkdf2" src/ -i --include="*.{js,ts,py}" | head -20

CORS config — check for wildcard origins:

grep -rn "cors\|Access-Control-Allow-Origin\|\*" src/ --include="*.{js,ts,py}" | head -20

Authorization checks — look for missing ownership checks in update/delete:
```
grep -rn "findById\|findOne\|get_object_or_404" src/ --include="*.{js,ts,py}" | head -20
```
Review each — does the handler verify resource.userId === req.user.id?

Phase 5: Security Headers & Config

HTTP security headers — check if helmet/similar is configured:

grep -rn "helmet\|Content-Security-Policy\|X-Frame-Options\|Strict-Transport" src/ --include="*.{js,ts}" | head -10

Rate limiting — check for brute-force protection on auth routes:

grep -rn "rateLimit\|throttle\|rate_limit\|slowDown" src/ --include="*.{js,ts,py}" | head -10

HTTPS enforcement — check redirect config:

grep -rn "http://\|forceHttps\|redirectToHttps\|SECURE_SSL_REDIRECT" src/ --include="*.{js,ts,py}" | head -10

Phase 6: Report Findings

For each finding, record:

| Severity | Category | File:Line | Description | Remediation | |----------|----------|-----------|-------------|-------------| | P0 Critical | | | | | | P1 High | | | | | | P2 Medium | | | | | | P3 Low / Info | | | | |

Severity guide:

P0: Hardcoded credential, remote code execution, auth bypass
P1: SQL injection, XSS, IDOR, broken auth
P2: Missing rate limit, weak hashing, CORS wildcard
P3: Missing security header, verbose errors, info disclosure

Save report to docs/technical/security-audit-{YYYY-MM-DD}.md.

Security Checklist

OWASP Top 10

[ ] A01 Broken Access Control — ownership checks on every mutation
[ ] A02 Cryptographic Failures — no hardcoded secrets, strong hashing
[ ] A03 Injection — parameterized queries, no string concat in SQL/shell
[ ] A04 Insecure Design — auth required on all sensitive routes
[ ] A05 Security Misconfiguration — security headers, CORS, HTTPS
[ ] A06 Vulnerable Components — no known-CVE dependencies
[ ] A07 Auth & Session — JWT config, expiry, refresh token rotation
[ ] A08 Integrity Failures — no unverified package installs in CI
[ ] A09 Logging & Monitoring — no secrets in logs, audit trail exists
[ ] A10 SSRF — no unvalidated URL-fetch from user input

Protocol

Question: Reads target scope from argument (api / frontend / backend / infra / full)
Options: Skip
Decision: Skip — audit is comprehensive; scope from argument
Draft: Findings table shown in conversation before saving report
Approval: "May I write to docs/technical/security-audit-[YYYY-MM-DD].md?"

Output

Deliver exactly:

Findings table with severity (P0–P3), file:line, description, and remediation for each issue
OWASP Top 10 checklist — 10 items marked pass / fail / N/A
Report file saved to docs/technical/security-audit-{YYYY-MM-DD}.md
Verdict: CLEAN / LOW RISK / MEDIUM RISK / HIGH RISK — DO NOT DEPLOY

Related Skills

code-review — line-by-line review with security lens
guard — freeze check before deploying a fix

tranhieutt/security-audit

.claude/skills/security-audit/SKILL.md

Conducts a comprehensive security audit covering web application vulnerabilities, API security, OWASP Top 10, and security hardening recommendations. Use when auditing a codebase for security or when the user mentions security audit, penetration testing, or vulnerability scan.

60 stars

development

Updated Apr 15, 2026

$ install --global

skillsauth

npx skillsauth add tranhieutt/software_development_department security-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 15, 2026, 11:49 PM4.5s1 file scanned

SKILL.md

name: security-audit type: workflow description: "Conducts a comprehensive security audit covering web application vulnerabilities, API security, OWASP Top 10, and security hardening recommendations. Use when auditing a codebase for security or when the user mentions security audit, penetration testing, or vulnerability scan." context: fork agent: security-engineer when_to_use: "When performing security audits, vulnerability scanning, penetration testing, or hardening web applications and APIs" allowed-tools: Read, Glob, Grep, Bash argument-hint: "[target: api|frontend|backend|infra|full]" user-invocable: true effort: 5

Security Auditing Workflow

Systematic security review using static analysis tools available in the codebase. Covers OWASP Top 10, secrets exposure, auth patterns, and dependency risk.

Phase 1: Reconnaissance — Map the Attack Surface

Identify entry points — list all routes/controllers:

grep -rn "app\.\(get\|post\|put\|delete\|patch\)\|@app\.route\|router\." src/ --include="*.{js,ts,py}" | head -60

Identify auth middleware — check which routes are protected:

grep -rn "auth\|middleware\|guard\|require_login\|jwt\|bearer" src/ -i --include="*.{js,ts,py}" | head -40

Map external dependencies — check package files for known-risky libs:

cat package.json 2>/dev/null || cat requirements.txt 2>/dev/null || cat go.mod 2>/dev/null

Note findings — list: total endpoints found, unprotected routes, third-party auth libs.

Phase 2: Secrets & Sensitive Data Exposure

Scan for hardcoded secrets:

grep -rn "password\s*=\s*['\"][^'\"]\|api_key\s*=\s*['\"][^'\"]\|secret\s*=\s*['\"][^'\"]" src/ -i | grep -v ".example" | head -30

Scan for tokens/keys in source:

grep -rEn "(sk-|AIza|AKIA|ghp_|xox[baprs]-)[A-Za-z0-9]+" src/ | head -20

Check .env files are gitignored:

cat .gitignore | grep -i "\.env" ; ls -la .env* 2>/dev/null

Check for secrets in logs:

grep -rn "console\.log.*password\|logger.*token\|print.*secret" src/ -i | head -20

Flag: any hardcoded credential or unignored .env file is a P0 finding.

Phase 3: Injection & Input Validation

SQL injection risk — look for string concatenation in queries:

grep -rn "query.*+\|execute.*f\"\|raw.*%s\|SELECT.*\$\{" src/ --include="*.{js,ts,py}" | head -30

Command injection risk — shell execution with user input:

grep -rn "exec(\|spawn(\|subprocess\|os\.system\|child_process" src/ --include="*.{js,ts,py}" | head -20

XSS risk — unescaped HTML rendering:

grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html\|\.html(" src/ --include="*.{js,ts,jsx,tsx,vue}" | head -20

Check for input validation middleware — is there a schema validator at boundaries?

grep -rn "joi\|zod\|yup\|pydantic\|cerberus\|marshmallow" src/ --include="*.{js,ts,py}" | head -10

Phase 4: Authentication & Authorization

JWT / token handling — check for weak configs:

grep -rn "algorithm.*HS256\|expiresIn\|verify\|decode" src/ --include="*.{js,ts,py}" | head -20

Password hashing — confirm bcrypt/argon2, not MD5/SHA1:

grep -rn "md5\|sha1\|hashSync\|bcrypt\|argon2\|pbkdf2" src/ -i --include="*.{js,ts,py}" | head -20

CORS config — check for wildcard origins:

grep -rn "cors\|Access-Control-Allow-Origin\|\*" src/ --include="*.{js,ts,py}" | head -20

Authorization checks — look for missing ownership checks in update/delete:
```
grep -rn "findById\|findOne\|get_object_or_404" src/ --include="*.{js,ts,py}" | head -20
```
Review each — does the handler verify resource.userId === req.user.id?

Phase 5: Security Headers & Config

HTTP security headers — check if helmet/similar is configured:

grep -rn "helmet\|Content-Security-Policy\|X-Frame-Options\|Strict-Transport" src/ --include="*.{js,ts}" | head -10

Rate limiting — check for brute-force protection on auth routes:

grep -rn "rateLimit\|throttle\|rate_limit\|slowDown" src/ --include="*.{js,ts,py}" | head -10

HTTPS enforcement — check redirect config:

grep -rn "http://\|forceHttps\|redirectToHttps\|SECURE_SSL_REDIRECT" src/ --include="*.{js,ts,py}" | head -10

Phase 6: Report Findings

For each finding, record:

Severity guide:

P0: Hardcoded credential, remote code execution, auth bypass
P1: SQL injection, XSS, IDOR, broken auth
P2: Missing rate limit, weak hashing, CORS wildcard
P3: Missing security header, verbose errors, info disclosure

Save report to docs/technical/security-audit-{YYYY-MM-DD}.md.

Security Checklist

OWASP Top 10

[ ] A01 Broken Access Control — ownership checks on every mutation
[ ] A02 Cryptographic Failures — no hardcoded secrets, strong hashing
[ ] A03 Injection — parameterized queries, no string concat in SQL/shell
[ ] A04 Insecure Design — auth required on all sensitive routes
[ ] A05 Security Misconfiguration — security headers, CORS, HTTPS
[ ] A06 Vulnerable Components — no known-CVE dependencies
[ ] A07 Auth & Session — JWT config, expiry, refresh token rotation
[ ] A08 Integrity Failures — no unverified package installs in CI
[ ] A09 Logging & Monitoring — no secrets in logs, audit trail exists
[ ] A10 SSRF — no unvalidated URL-fetch from user input

Protocol

Question: Reads target scope from argument (api / frontend / backend / infra / full)
Options: Skip
Decision: Skip — audit is comprehensive; scope from argument
Draft: Findings table shown in conversation before saving report
Approval: "May I write to docs/technical/security-audit-[YYYY-MM-DD].md?"

Output

Deliver exactly:

Findings table with severity (P0–P3), file:line, description, and remediation for each issue
OWASP Top 10 checklist — 10 items marked pass / fail / N/A
Report file saved to docs/technical/security-audit-{YYYY-MM-DD}.md
Verdict: CLEAN / LOW RISK / MEDIUM RISK / HIGH RISK — DO NOT DEPLOY

Related Skills

code-review — line-by-line review with security lens
guard — freeze check before deploying a fix

Related Skills

tranhieutt/visual-engineer

testing

VerifiedTrustedCommunity

Generates high-fidelity architecture diagrams, sequence flows, and component maps for SDD projects. Use when finalizing a design phase, documenting system architecture, or visualizing agentic workflows. Default style: Style 6 (Claude Official).

60SKILL.mdUpdated Apr 15, 2026

tranhieutt/visual-engineer

tranhieutt/vector-database-engineer

data-ai

VerifiedTrustedCommunity

Provides vector database and semantic search patterns for Pinecone, Weaviate, Qdrant, Milvus, and pgvector in RAG and recommendation systems. Use when implementing vector search or when the user mentions vector database, semantic search, embeddings, or similarity search.

60SKILL.mdUpdated Apr 15, 2026

tranhieutt/vector-database-engineer

tranhieutt/update-codemap

development

VerifiedTrustedCommunity

Updates docs/technical/CODEMAP.md by scanning the current codebase structure. Run after a significant feature merge, refactor, or when CODEMAP feels stale.

60SKILL.mdUpdated Apr 15, 2026

tranhieutt/update-codemap

tranhieutt/unfreeze

development

VerifiedTrustedCommunity

Unlocks the codebase after a release freeze or incident freeze period to resume normal development. Use when a freeze period ends or when the user mentions unfreezing or lifting the code freeze.

60SKILL.mdUpdated Apr 15, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/tranhieutt/software_development_department.git

# Copy into Claude Code skills folder (global)
cp -r software_development_department/.claude/skills/security-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

tranhieutt/software_development_department

60 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT