Back to Details

security-audit

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Audit Workflow

安全审计工作流

Run a comprehensive security audit that combines automated static analysis, threat modeling, and multi-perspective council review. This skill produces a prioritized audit report with actionable remediation steps.
结合自动化静态分析、威胁建模和多视角委员会评审,开展全面的安全审计。本技能会生成一份包含可操作修复步骤的优先级审计报告。

Scope Exclusions

范围排除

[!IMPORTANT] This audit covers application-level security only. Production infrastructure (TLS termination, reverse proxy, network segmentation, firewall rules, DNS) is managed by a separate project and is out of scope. Do not flag missing TLS, reverse proxy configuration, network-level MITM risks, or production deployment topology as findings.
[!IMPORTANT] 本次审计仅覆盖应用级安全。生产基础设施(TLS终止、反向代理、网络分段、防火墙规则、DNS)由单独项目管理,不在本次审计范围内。请勿将缺失TLS配置、反向代理配置、网络层面MITM风险或生产部署拓扑标记为审计发现。

Step 1: Define Audit Scope

步骤1:定义审计范围

Ask the user:
  • Scope: Full codebase or specific area? (e.g., 
    apps/api/src/auth/
    , 
    apps/web/src/
    )
  • Trigger: What prompted this audit? (routine, pre-release, security incident, new feature, dependency update)
  • Focus areas: Authentication, API security, data protection, frontend security, or all?
询问用户:
  • 范围:整个代码库还是特定区域?(例如:
    apps/api/src/auth/
    apps/web/src/
  • 触发原因:本次审计的触发因素是什么?(例行检查、发布前准备、安全事件、新功能上线、依赖更新)
  • 重点领域:身份认证、API安全、数据保护、前端安全,还是全部?

CHECKPOINT: Confirm the audit scope and focus areas with the user before proceeding.

检查点:在继续前与用户确认审计范围和重点领域。

Step 2: Automated SAST Scanning

步骤2:自动化SAST扫描

Invoke 
/security-scanning:security-sast
on the defined scope.
Scan for:
  • Injection: SQL injection, NoSQL injection, command injection, LDAP injection
  • XSS: Reflected, stored, and DOM-based cross-site scripting
  • CSRF: Missing CSRF protections on state-changing endpoints
  • Authentication: Weak password policies, broken auth flows, session fixation
  • Secrets: Hardcoded API keys, passwords, tokens, connection strings
  • Dependencies: Known vulnerabilities in npm packages (CVEs)
  • Deserialization: Insecure deserialization patterns
  • Prototype pollution: JavaScript-specific object manipulation attacks
Collect every finding with:
  • Severity: Critical / High / Medium / Low / Info
  • Category: OWASP Top 10 mapping
  • Location: File path and line number
  • Description: What the vulnerability is
  • Evidence: The specific code pattern that triggered the finding
  • Remediation: How to fix it
在定义的范围内调用
/security-scanning:security-sast
扫描内容包括:
  • 注入攻击:SQL注入、NoSQL注入、命令注入、LDAP注入
  • XSS攻击:反射型、存储型和基于DOM的跨站脚本攻击
  • CSRF攻击:状态变更端点缺失CSRF防护
  • 身份认证:弱密码策略、身份认证流程漏洞、会话固定
  • 敏感信息泄露:硬编码的API密钥、密码、令牌、连接字符串
  • 依赖项漏洞:npm包中的已知漏洞(CVEs)
  • 反序列化:不安全的反序列化模式
  • 原型污染:JavaScript特有的对象操作攻击
收集所有发现并包含以下信息:
  • 严重程度:Critical / High / Medium / Low / Info
  • 类别:映射到OWASP Top 10
  • 位置:文件路径和行号
  • 描述:漏洞说明
  • 证据:触发扫描发现的具体代码模式
  • 修复方案:修复方法

Step 3: Security Hardening Review

步骤3:安全加固评审

Invoke 
/security-scanning:security-hardening
for a comprehensive hardening review:
调用
/security-scanning:security-hardening
进行全面的安全加固评审:

HTTP Security

HTTP安全

  • Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
  • CORS configuration (allowed origins, methods, headers)
  • Cookie security flags (HttpOnly, Secure, SameSite)
  • 安全头(HSTS、CSP、X-Frame-Options、X-Content-Type-Options)
  • CORS配置(允许的源、方法、请求头)
  • Cookie安全标记(HttpOnly、Secure、SameSite)

API Security

API安全

  • Rate limiting on all public endpoints
  • Input validation completeness (every user input validated)
  • Output encoding to prevent injection
  • API key and token management
  • Request size limits
  • 所有公共端点的速率限制
  • 输入验证完整性(所有用户输入均经过验证)
  • 输出编码以防止注入攻击
  • API密钥和令牌管理
  • 请求大小限制

Authentication and Authorization

身份认证与授权

  • Password hashing algorithm (bcrypt, argon2)
  • JWT configuration (algorithm, expiration, refresh)
  • Session management (timeout, invalidation, rotation)
  • Role-based access control enforcement
  • OAuth/OIDC configuration (if applicable)
  • 密码哈希算法(bcrypt、argon2)
  • JWT配置(算法、过期时间、刷新机制)
  • 会话管理(超时、失效、轮换)
  • 基于角色的访问控制实施
  • OAuth/OIDC配置(如适用)

Data Protection

数据保护

  • PII encrypted at rest
  • Sensitive data encrypted in transit (TLS 1.2+)
  • Logging does not include sensitive data
  • Error messages do not leak internal details
  • Database connection uses SSL
  • PII数据静态加密
  • 敏感数据传输加密(TLS 1.2+)
  • 日志不包含敏感数据
  • 错误信息不泄露内部细节
  • 数据库连接使用SSL

Environment Variables

环境变量

  • No secrets hardcoded in code or logs
  • Startup validation rejects weak/default secrets in production
  • 代码或日志中无硬编码的敏感信息
  • 启动验证会拒绝生产环境中的弱默认敏感信息

Step 4: STRIDE Threat Modeling

步骤4:STRIDE威胁建模

Invoke 
/security-scanning:stride-analysis-patterns
to systematically model threats:
调用
/security-scanning:stride-analysis-patterns
进行系统化威胁建模:

Spoofing

仿冒(Spoofing)

  • Can user identities be faked? (auth bypass, token theft)
  • Can service identities be spoofed? (service-to-service auth)
  • 用户身份是否可伪造?(身份认证绕过、令牌窃取)
  • 服务身份是否可仿冒?(服务间身份认证)

Tampering

篡改(Tampering)

  • Can request data be modified in transit?
  • Can database records be altered without authorization?
  • Can client-side data (localStorage, cookies) be tampered?
  • 请求数据在传输过程中是否可被修改?
  • 数据库记录是否可在未授权情况下被篡改?
  • 客户端数据(localStorage、Cookie)是否可被篡改?

Repudiation

抵赖(Repudiation)

  • Are all security-relevant actions logged?
  • Can a user deny performing an action?
  • Is there an audit trail for data changes?
  • 所有安全相关操作是否均已记录?
  • 用户是否可否认执行过某操作?
  • 数据变更是否有审计追踪?

Information Disclosure

信息泄露(Information Disclosure)

  • Can sensitive data leak through error messages?
  • Can unauthorized users access other users' data?
  • Are there timing attacks or side-channel leaks?
  • 敏感数据是否可通过错误信息泄露?
  • 未授权用户是否可访问其他用户的数据?
  • 是否存在时序攻击或侧信道泄露?

Denial of Service

拒绝服务(Denial of Service)

  • Can the system be overwhelmed by excessive requests?
  • Are there resource-intensive endpoints without rate limiting?
  • Can large payloads cause memory exhaustion?
  • 系统是否可被大量请求压垮?
  • 资源密集型端点是否未设置速率限制?
  • 大负载是否会导致内存耗尽?

Elevation of Privilege

权限提升(Elevation of Privilege)

  • Can a regular user access admin functionality?
  • Can horizontal privilege escalation occur (access another user's resources)?
  • Are there IDOR (Insecure Direct Object Reference) vulnerabilities?
Document each threat with:
  • Likelihood: High / Medium / Low
  • Impact: Critical / High / Medium / Low
  • Risk Score: Likelihood x Impact
  • Existing Mitigations: What's already in place
  • Gaps: What's missing
  • 普通用户是否可访问管理员功能?
  • 是否存在水平权限提升(访问其他用户资源)?
  • 是否存在IDOR(不安全的直接对象引用)漏洞?
记录每个威胁并包含以下信息:
  • 可能性:High / Medium / Low
  • 影响:Critical / High / Medium / Low
  • 风险评分:可能性 × 影响
  • 现有缓解措施:已实施的防护手段
  • 缺口:缺失的防护措施

Step 5: Attack Tree Analysis

步骤5:攻击树分析

For the top 3 highest-risk threats identified in STRIDE:
Invoke 
/security-scanning:attack-tree-construction
to build attack trees showing:
  • Attack goal: What the attacker wants to achieve
  • Attack paths: Different ways to reach the goal
  • Sub-goals: Intermediate steps required
  • Required resources: Attacker skill level, tools, access needed
  • Existing defenses: Current mitigations along each path
  • Weakest links: Where defenses are thinnest
针对STRIDE中识别出的前3个最高风险威胁:
调用
/security-scanning:attack-tree-construction
构建攻击树,内容包括:
  • 攻击目标:攻击者想要达成的目的
  • 攻击路径:达成目标的不同方式
  • 子目标:所需的中间步骤
  • 所需资源:攻击者技能水平、工具、访问权限
  • 现有防御:各路径上的当前缓解措施
  • 最弱环节:防御最薄弱的地方

Step 6: Architecture Council Security Review

步骤6:架构委员会安全评审

Activate a subset of the Architecture Council (defined in 
.claude/councils/architecture-council.md
) for security review:
Model Selection: See the Model Selection section in README.md for mapping agent model specs to Task tool parameters.
激活架构委员会的子集(定义于
.claude/councils/architecture-council.md
)进行安全评审:
模型选择:请查看README.md中的模型选择部分,了解Agent模型规格与Task工具参数的映射关系。

Security Engineer (Lead) — consult: security-scanning

安全工程师(负责人)——咨询:security-scanning

  • Validate automated findings (identify false positives)
  • Prioritize remediation based on actual risk
  • Assess overall security posture
  • Assessment: Strong / Adequate / Needs Improvement / Critical Risk
  • 验证自动化扫描发现(识别误报)
  • 根据实际风险优先级确定修复顺序
  • 评估整体安全态势
  • 评估结果:Strong / Adequate / Needs Improvement / Critical Risk

Principal Engineer — consult: full-stack-orchestration

首席工程师——咨询:full-stack-orchestration

  • Assess architectural implications of required remediations
  • Identify systemic patterns that create vulnerabilities
  • Recommend architectural changes for defense-in-depth
  • Assessment: Architecturally sound / Needs refactoring / Fundamental issues
  • 评估所需修复措施对架构的影响
  • 识别导致漏洞的系统性模式
  • 推荐深度防御的架构变更
  • 评估结果:Architecturally sound / Needs refactoring / Fundamental issues

Backend Specialist — consult: backend-development

后端专家——咨询:backend-development

  • Evaluate backend-specific security patterns
  • Assess API security implementation quality
  • Review database access patterns for injection risks
  • Assessment: Well-secured / Some gaps / Significant concerns
  • 评估后端特定安全模式
  • 评估API安全实现质量
  • 审查数据库访问模式的注入风险
  • 评估结果:Well-secured / Some gaps / Significant concerns

Step 7: Present Audit Report

步骤7:提交审计报告

Generate a structured security audit report:
生成结构化的安全审计报告:

Executive Summary

执行摘要

  • Overall Security Posture: Strong / Adequate / Needs Improvement / Critical
  • Total Findings: Count by severity (Critical, High, Medium, Low)
  • Top 3 Risks: The most important issues to address
  • STRIDE Coverage: Summary of threat categories with risk levels
  • 整体安全态势:Strong / Adequate / Needs Improvement / Critical
  • 发现总数:按严重程度统计(Critical、High、Medium、Low)
  • 前3大风险:需优先处理的最重要问题
  • STRIDE覆盖情况:各威胁类别的风险等级摘要

Critical and High Findings (must-fix)

Critical和High级发现(必须修复)

For each finding:
  • Severity, category, and OWASP mapping
  • File and line number
  • Description with evidence
  • Step-by-step remediation
  • Effort estimate (quick fix / moderate / significant)
每个发现包含:
  • 严重程度、类别、OWASP映射
  • 文件和行号
  • 带证据的描述
  • 分步修复方案
  • 工作量估算(快速修复 / 中等 / 重大)

Medium Findings (should-fix)

Medium级发现(应该修复)

Same format as above, prioritized by risk.
格式同上,按风险优先级排序。

Low and Info Findings (track)

Low和Info级发现(跟踪)

Summary list for tracking as technical debt.
汇总列表,作为技术债务跟踪。

Threat Model Summary

威胁模型摘要

  • STRIDE analysis results table
  • Top 3 attack trees (visual or structured text)
  • Defense gap analysis
  • STRIDE分析结果表
  • 前3个攻击树(可视化或结构化文本)
  • 防御缺口分析

Recommended Actions (prioritized)

推荐行动(按优先级排序)

  1. Immediate (Critical): Must fix before next deployment
  2. This Sprint (High): Fix within current work cycle
  3. Next Sprint (Medium): Schedule for upcoming work
  4. Backlog (Low): Track as technical debt
  1. 立即处理(Critical):下次部署前必须修复
  2. 当前迭代(High):在当前工作周期内修复
  3. 下一迭代(Medium):安排到即将开展的工作中
  4. 待办事项(Low):作为技术债务跟踪

CHECKPOINT: Present the full audit report to the user. Ask which findings they want to remediate now, and which to track for later.

检查点:向用户提交完整审计报告。询问用户希望立即修复哪些发现,哪些留待后续跟踪。

Step 8: Remediation (Optional)

步骤8:修复(可选)

If the user chooses to remediate findings now:
  1. Address findings in priority order (Critical first, then High)
  2. For each fix:
    • Apply the remediation
    • Re-run the relevant SAST scan to verify the fix
    • Run tests to ensure no regressions
  3. Commit each fix with: 
    fix(security): remediate <finding-description>
After remediation, suggest the next step (see below).
如果用户选择立即修复发现:
  1. 按优先级顺序处理发现(先Critical,再High)
  2. 每个修复步骤:
    • 应用修复方案
    • 重新运行相关SAST扫描以验证修复效果
    • 运行测试确保无回归问题
  3. 提交每个修复时使用以下格式: 
    fix(security): remediate <finding-description>
修复完成后,建议下一步操作(见下文)。

Step 9: Create Issues for Tracked Findings

步骤9:为跟踪的发现创建Issue

For any findings that the user chooses to track for later (not remediated immediately in Step 8), create GitHub issues so they are not lost.
对于用户选择留待后续处理的发现(未在步骤8中立即修复),创建GitHub Issue以避免遗漏。

CHECKPOINT: Present a summary table of findings to be created as issues before proceeding.

检查点:在继续前向用户展示将创建为Issue的发现汇总表。

#FindingSeverityEst. SizeLabel 
build-ready
?
1<description>MediumSYes
Ask the user to confirm which findings should become issues. Wait for approval before creating.
[!NOTE] Add the 
build-ready
label to findings with a clear, scoped remediation (the fix is known and does not require architectural decisions). Omit 
build-ready
for findings that need further planning via 
/plan-feature
— for example, findings that require schema changes, new infrastructure, or cross-cutting architectural decisions.
  1. For each approved finding, create a GitHub issue:
    bash
    ISSUE_URL=$(gh issue create \
  --title "security: <finding-description>" \
  --body "<body>" \
  --label "enhancement" \
  --label "security-audit" \
  --label "build-ready")

ISSUE_NUM=$(echo "$ISSUE_URL" | grep -o '[0-9]*$')
    Omit 
    --label "build-ready"
    for findings that need further planning (see NOTE above).
    The issue body should include:
    • Context: Which audit identified this finding and the audit date
    • Problem: Description with file path and line number
    • Recommended Fix: Step-by-step remediation from the audit report
    • Priority: Severity rating and recommended timeline
    • Files: Affected file paths
  2. Add each created issue to the project board and set fields:
    bash
    ITEM_ID=$(gh project item-add {PROJECT_NUMBER} --owner {OWNER} --url "$ISSUE_URL" --format json | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])")
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {PHASE_FIELD_ID} --single-select-option-id <phase-option-id>
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {SIZE_FIELD_ID} --single-select-option-id <size-option-id>
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {START_FIELD_ID} --date <start-date>
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {TARGET_FIELD_ID} --date <target-date>
    Set phase, size, and dates appropriate to the finding's priority and the current milestone:
    SeverityTypical SizeSchedule Priority
    Critical/HighM (3 days) or L (5 days)Current active milestone, near the front of the queue
    MediumS (2 days)Current milestone, after existing scheduled items
    Low/InfoXS (1 day)Current milestone or next, at the end of the queue
  3. Report all created issue numbers (
    $ISSUE_NUM
    ) and URLs to the user.
[!IMPORTANT] Every tracked finding must have both a GitHub issue and a project board entry. Creating an issue without adding it to the project board is what causes orphaned work items that 
/build-feature
cannot discover via auto-pick.
#发现内容严重程度估算工作量是否添加
build-ready
标签?
1<description>MediumSYes
请用户确认哪些发现应创建为Issue,获得批准后再执行。
[!NOTE] 对于修复方案明确、范围清晰的发现(修复方法已知,无需架构决策),添加
build-ready
标签。对于需要通过
/plan-feature
进一步规划的发现(例如需要 schema 变更、新基础设施或跨领域架构决策的发现),请勿添加
build-ready
标签。
  1. 为每个获批的发现创建GitHub Issue:
    bash
    ISSUE_URL=$(gh issue create \
  --title "security: <finding-description>" \
  --body "<body>" \
  --label "enhancement" \
  --label "security-audit" \
  --label "build-ready")

ISSUE_NUM=$(echo "$ISSUE_URL" | grep -o '[0-9]*$')
    对于需要进一步规划的发现,省略
    --label "build-ready"
    (见上方注意事项)。
    Issue正文应包含:
    • 背景:哪次审计发现了该问题及审计日期
    • 问题:包含文件路径和行号的描述
    • 推荐修复方案:审计报告中的分步修复步骤
    • 优先级:严重程度和建议时间线
    • 文件:受影响的文件路径
  2. 将每个创建的Issue添加到项目看板并设置字段:
    bash
    ITEM_ID=$(gh project item-add {PROJECT_NUMBER} --owner {OWNER} --url "$ISSUE_URL" --format json | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])")
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {PHASE_FIELD_ID} --single-select-option-id <phase-option-id>
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {SIZE_FIELD_ID} --single-select-option-id <size-option-id>
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {START_FIELD_ID} --date <start-date>
gh project item-edit --project-id {PROJECT_ID} --id "$ITEM_ID" --field-id {TARGET_FIELD_ID} --date <target-date>
    根据发现的优先级和当前里程碑设置阶段、工作量和日期:
    严重程度典型工作量排期优先级
    Critical/HighM(3天)或L(5天)当前活跃里程碑,队列靠前位置
    MediumS(2天)当前里程碑,现有排期任务之后
    Low/InfoXS(1天)当前或下一里程碑,队列末尾
  3. 向用户报告所有创建的Issue编号(
    $ISSUE_NUM
    )和URL。
[!IMPORTANT] 每个跟踪的发现必须同时拥有GitHub Issue 项目看板条目。仅创建Issue而不添加到项目看板会导致孤立工作项,
/build-feature
无法通过自动选择发现这些项。

Step 10: Close Tracking Issue (Conditional)

步骤10:关闭跟踪Issue(可选)

If the user provided a GitHub issue number as an argument (e.g., 
/security-audit #137
):
  1. Check off any audit checklist items in the issue body using 
    gh issue edit
  2. CHECKPOINT: Ask the user whether to close the issue now that the audit is complete. Present the issue number and title for confirmation.
  3. If approved, close the issue:
    bash
    gh issue close <number> --reason completed
If no issue number was provided, skip this step.
如果用户提供了GitHub Issue编号作为参数(例如:
/security-audit #137
):
  1. 使用
    gh issue edit
    勾选Issue正文中的所有审计 checklist 项
  2. 检查点:询问用户审计完成后是否关闭该Issue。展示Issue编号和标题供确认。
  3. 如获批准,关闭Issue:
    bash
    gh issue close <number> --reason completed
如果未提供Issue编号,跳过此步骤。

Step 11: Hand Off

步骤11:交接

Present the next step to the user:
  • If code was changed (remediation applied): Run 
    /review-code
    to verify fixes in context of other changes
  • If no code was changed (audit-only): No further action needed — track findings as issues or technical debt
  • If starting a new feature: Run 
    /plan-feature
    to begin the next feature with audit findings in mind
Pipeline: 
/plan-feature
/build-feature
or 
/build-api
/review-code
/submit-pr
Standalone: 
/security-audit
can be run at any point in the pipeline or independently.
向用户展示下一步操作建议:
  • 如果代码已变更(已应用修复):运行
    /review-code
    以结合其他变更验证修复效果
  • 如果代码未变更(仅审计):无需进一步操作 — 将发现作为Issue或技术债务跟踪
  • 如果启动新功能:运行
    /plan-feature
    ,在新功能开发中考虑审计发现
流水线
/plan-feature
/build-feature
/build-api
/review-code
/submit-pr
独立运行
/security-audit
可在流水线的任何阶段运行或独立执行。