security-compliance-skills-suite-claude

🔒 Security & Compliance Skills Suite

Skill by ara.so — Security Skills collection.

A comprehensive skill suite for security audits, vulnerability management, compliance frameworks (GDPR, SOC2, ISO27001), and incident response. Derived from hesreallyhim/awesome-claude-code with specialized commands and workflows for security professionals.

What This Project Does

This skill suite provides AI coding agents with 10 specialized security commands and 5 multi-step workflows to:
  • Perform OWASP Top-10 vulnerability scans
  • Audit dependencies for known CVEs
  • Generate GDPR/SOC2/ISO27001 compliance reports
  • Create STRIDE threat models
  • Detect secrets and credentials in code
  • Audit IAM permissions for least-privilege violations
  • Orchestrate security incident response
  • Design zero-trust architectures
All commands use structured output with progress tracking, severity-sorted findings, and actionable remediation steps.

Installation

Method 1: Direct Clone

```bash
# Clone to Claude Code skills directory
mkdir -p ~/.claude/skills
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git ~/.claude/skills/security-compliance-suite

# Register in Claude Code session
/read ~/.claude/skills/security-compliance-suite/SKILL.md
```

Method 2: Manual Setup

```bash
# Create skill directory
mkdir -p ~/.claude/skills/security-compliance-suite

# Copy skill files
cp -r ./commands ~/.claude/skills/security-compliance-suite/
cp -r ./workflows ~/.claude/skills/security-compliance-suite/
cp ./SKILL.md ~/.claude/skills/security-compliance-suite/
```

Verification

In a Claude Code session:

```bash
/skills list
# Should show: security-compliance-suite
```

Core Commands

/owasp-scan - OWASP Top-10 Vulnerability Scan

Scans code for OWASP Top-10 vulnerabilities with CVSS scores and remediation guidance.

Usage:

```bash
/owasp-scan <target_path> [--format=json|md|html] [--severity=critical|high|medium|low]
```

Example:

```bash
# Scan web API directory
/owasp-scan ./src/api --format=md --severity=high

# Scan specific file
/owasp-scan ./auth/login.py
```

**Output Structure:**

```
╔══════════════════════════════════════════════════╗
║ OWASP Top-10 Scan — ./src/api                    ║
╠══════════════════════════════════════════════════╣
║ Files scanned: 47                                ║
║ Vulnerabilities: 12                              ║
║ Critical: 3                                      ║
║ High: 5                                          ║
╚══════════════════════════════════════════════════╝

FINDINGS (sorted by CVSS score)
┌─────┬────────────────────────────┬──────┬────────────┬─────────┐
│ Sev │ Vulnerability              │ CVSS │ Location   │ CWE     │
├─────┼────────────────────────────┼──────┼────────────┼─────────┤
│ 🔴  │ SQL Injection              │ 9.8  │ api.py:45  │ CWE-89  │
│ 🔴  │ Path Traversal             │ 9.1  │ file.py:12 │ CWE-22  │
│ 🔴  │ Command Injection          │ 8.8  │ exec.py:89 │ CWE-78  │
└─────┴────────────────────────────┴──────┴────────────┴─────────┘

REMEDIATION (Priority: Critical)
1. [SQL Injection] Use parameterized queries
   Code: cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
2. [Path Traversal] Validate and sanitize file paths
   Code: safe_path = os.path.realpath(os.path.join(base_dir, user_input))
```
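The two remediation lines in the sample output are single statements; the following added example (not code from the skill suite) works them into checkable functions. The point worth noting is that `os.path.realpath` on its own only normalises the path: the containment check against the base directory is what actually blocks traversal. The in-memory table, the base directory and the function names (`safe_join`, `lookup_user`, `row_counts`) are this example's own constructions.

```python
import os
import sqlite3


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would resolve outside the base directory."""


def safe_join(base_dir: str, user_input: str) -> str:
    """Resolve user_input under base_dir and refuse anything that escapes it.

    The sample remediation stops at os.path.realpath(os.path.join(...)), which
    only normalises '..' segments; without the containment check below an
    input such as '../../etc/passwd' still yields a path outside base_dir.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_input))
    # commonpath compares whole components, so '/srv/uploads-old' is rejected
    # for base '/srv/uploads' where a plain startswith() check would accept it.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_input!r} resolves outside {base_dir!r}")
    return candidate


def is_contained(base_dir: str, user_input: str) -> bool:
    """Boolean wrapper around safe_join for quick checks and tests."""
    try:
        safe_join(base_dir, user_input)
        return True
    except PathTraversalError:
        return False


def lookup_user(conn: sqlite3.Connection, user_id) -> list:
    """Parameterised query: the driver binds user_id as a value, never as SQL text."""
    cur = conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,))
    return cur.fetchall()


def lookup_user_unsafe(conn: sqlite3.Connection, user_id) -> list:
    """The string-built form the scanner reports as CWE-89; kept only for contrast."""
    cur = conn.execute(f"SELECT id, name FROM users WHERE id = {user_id}")
    return cur.fetchall()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def row_counts(user_id) -> tuple:
    """(rows from the safe query, rows from the unsafe query) for the same input."""
    conn = make_demo_db()
    try:
        return len(lookup_user(conn, user_id)), len(lookup_user_unsafe(conn, user_id))
    finally:
        conn.close()


if __name__ == "__main__":
    base = "/srv/app/uploads"  # constructed base directory
    for path in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"{path!r:20} contained={is_contained(base, path)}")
    print("safe vs unsafe row counts for '1 OR 1=1':", row_counts("1 OR 1=1"))
```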

/dep-cve - Dependency CVE Scanner

Scans project dependencies for known CVEs with exploitability scores.

Usage:

```bash
/dep-cve [--scope=prod|dev|all] [--output=json|md] [--min-cvss=7.0]
```

Example:

```bash
# Scan production dependencies
/dep-cve --scope=prod --min-cvss=7.0

# Full dependency audit
/dep-cve --scope=all --output=json
```

**Supported Ecosystems:**

- Python: `requirements.txt`, `Pipfile`, `pyproject.toml`
- JavaScript: `package.json`, `package-lock.json`, `yarn.lock`
- Ruby: `Gemfile.lock`
- Java: `pom.xml`, `build.gradle`
- Go: `go.mod`, `go.sum`
- Rust: `Cargo.lock`

**Output Example:**

```
CVE REPORT — 234 dependencies scanned
┌──────────────────┬─────────┬──────┬───────────────┬──────────────┐
│ Package          │ Current │ CVSS │ CVE           │ Fixed In     │
├──────────────────┼─────────┼──────┼───────────────┼──────────────┤
│ urllib3          │ 1.26.5  │ 9.8  │ CVE-2023-4567 │ 1.26.18      │
│ django           │ 3.2.0   │ 8.1  │ CVE-2023-1234 │ 3.2.19       │
│ requests         │ 2.25.0  │ 7.5  │ CVE-2023-7890 │ 2.31.0       │
└──────────────────┴─────────┴──────┴───────────────┴──────────────┘

UPGRADE PATH
pip install urllib3==1.26.18 django==3.2.19 requests==2.31.0

EXPLOITABILITY
• urllib3 CVE-2023-4567: Public exploit available, CVSS:3.1/AV:N/AC:L
• django CVE-2023-1234: PoC available, requires authentication
```

/gdpr-audit - GDPR Compliance Audit

Maps data flows, identifies consent gaps, and generates a DPA checklist.

Usage:

```bash
/gdpr-audit <codebase_path> [--output=report|checklist|map]
```

Example:

```bash
# Full GDPR audit with data flow map
/gdpr-audit ./src --output=report

# Generate Article 30 checklist
/gdpr-audit ./src --output=checklist
```

**Analysis Coverage:**

- Personal data collection points
- Lawful basis for processing (Article 6)
- Consent mechanisms (Article 7)
- Data subject rights implementation (Articles 15-22)
- Data retention policies (Article 5)
- Third-party data processors (Article 28)
- Data breach notification (Articles 33-34)

**Output Example:**

```
╔══════════════════════════════════════════════════╗
║ GDPR Compliance Audit — ./src                    ║
╠══════════════════════════════════════════════════╣
║ Personal data fields: 23                         ║
║ Processing activities: 8                         ║
║ Consent mechanisms: 3                            ║
║ Compliance gaps: 5 🔴                            ║
╚══════════════════════════════════════════════════╝

DATA FLOW MAP
User Registration → [email, name, dob] → PostgreSQL
├─ Lawful basis: Consent (Art. 6.1.a)
├─ Retention: 2 years after last login
└─ ⚠️ Missing: explicit consent checkbox

Email Marketing → [email, preferences] → Mailchimp (processor)
├─ Lawful basis: Legitimate interest (Art. 6.1.f)
├─ DPA status: ✓ Agreement signed
└─ 🔴 Missing: opt-out mechanism

COMPLIANCE GAPS
1. 🔴 No data breach notification procedure (Art. 33)
2. 🔴 Data portability not implemented (Art. 20)
3. 🟠 Privacy policy outdated (last updated 2021)
4. 🟡 Cookie consent banner missing GDPR language
5. 🟡 Data retention policy not documented

RECOMMENDED ACTIONS
□ Implement breach detection and 72h notification workflow
□ Add /api/data-export endpoint for data portability
□ Update privacy policy with current processing activities
□ Review and update cookie consent implementation
```

/soc2-readiness - SOC 2 Type II Readiness Assessment

Gap analysis across all 5 Trust Service Criteria.

Usage:

```bash
/soc2-readiness [--criteria=CC|A|C|P|PI] [--type=1|2]
```

Example:

```bash
# Full SOC 2 Type II assessment
/soc2-readiness --type=2

# Focus on specific criteria
/soc2-readiness --criteria=CC,A --type=2
```

**Trust Service Criteria:**

- **CC**: Common Criteria (governance, risk assessment, monitoring)
- **A**: Availability (uptime, incident management)
- **C**: Confidentiality (data protection, encryption)
- **P**: Processing Integrity (data accuracy, completeness)
- **PI**: Privacy (notice, choice, access)

**Output Example:**

```
SOC 2 TYPE II READINESS — 64 controls assessed
┌──────────┬─────────┬────────┬─────────┬──────────┐
│ Criteria │ Total   │ Pass   │ Fail    │ Score    │
├──────────┼─────────┼────────┼─────────┼──────────┤
│ CC       │ 17      │ 12     │ 5       │ 71%      │
│ A        │ 9       │ 8      │ 1       │ 89%      │
│ C        │ 14      │ 9      │ 5       │ 64%      │
│ P        │ 12      │ 11     │ 1       │ 92%      │
│ PI       │ 12      │ 7      │ 5       │ 58%      │
└──────────┴─────────┴────────┴─────────┴──────────┘

CRITICAL GAPS (Type II POC blockers)
🔴 CC6.1: No formal risk assessment process documented
🔴 C1.2: Encryption at rest not enabled for all databases
🔴 PI1.2: Privacy notice not provided at data collection

EVIDENCE REQUIREMENTS
CC2.1: Organizational chart → ✓ Available
CC3.1: Security policies → ⚠️ Outdated (2022)
A1.2: Incident response plan → ✓ Available
C1.1: Data classification policy → 🔴 Missing
```

/threat-model - STRIDE Threat Modeling

Generates STRIDE threat models from architecture diagrams with risk matrices.

Usage:

```bash
/threat-model <architecture_file> [--framework=STRIDE|PASTA|OCTAVE] [--output=md|drawio]
```

Example:

```bash
# Generate STRIDE threat model from diagram
/threat-model ./docs/architecture.png --framework=STRIDE

# From text description
/threat-model ./docs/system-design.md
```

**STRIDE Categories:**

- **S**poofing: Authentication threats
- **T**ampering: Integrity threats
- **R**epudiation: Non-repudiation threats
- **I**nformation Disclosure: Confidentiality threats
- **D**enial of Service: Availability threats
- **E**levation of Privilege: Authorization threats

**Output Example:**

```
THREAT MODEL — E-Commerce Platform
Architecture: Web App → API Gateway → Microservices → Database

TRUST BOUNDARIES IDENTIFIED
1. Internet ↔ API Gateway (TLS termination)
2. API Gateway ↔ Internal Services (VPC)
3. Services ↔ Database (Encryption in transit)

THREATS (sorted by risk score)
┌──────┬─────────────────────────────┬──────────┬────────┬──────┐
│ Cat  │ Threat                      │ Asset    │ Impact │ Risk │
├──────┼─────────────────────────────┼──────────┼────────┼──────┤
│ S    │ JWT signature not validated │ API      │ High   │ 9.0  │
│ E    │ IDOR in /api/orders/:id     │ Orders   │ High   │ 8.5  │
│ I    │ PII in server logs          │ Database │ Medium │ 7.0  │
│ T    │ No integrity checks on S3   │ Files    │ Medium │ 6.5  │
│ D    │ No rate limiting on /login  │ Auth     │ Low    │ 5.0  │
└──────┴─────────────────────────────┴──────────┴────────┴──────┘

MITIGATIONS
1. [S] Validate JWT signature with public key in middleware
2. [E] Implement authorization check: user owns order
3. [I] Sanitize PII from logs or use structured logging
4. [T] Enable S3 object versioning and integrity checks
5. [D] Add rate limiting: 5 attempts per 15 minutes
```

/secret-detect - Secret Detection

Pre-commit hook configuration with entropy scanning.

Usage:

```bash
/secret-detect [--setup] [--scan-history] [--config]
```

Example:

```bash
# Setup pre-commit hook
/secret-detect --setup

# Scan Git history
/secret-detect --scan-history

# Generate configuration
/secret-detect --config
```

**Detection Patterns:**

- AWS keys (AKIA*, ASIA*)
- API keys (high-entropy strings)
- Private keys (BEGIN PRIVATE KEY)
- OAuth tokens
- Database credentials
- JWT secrets
- Slack/Discord webhooks

**Setup Output:**

```bash
# Creates .pre-commit-config.yaml
repos:

# Creates .gitleaks.toml
[extend]
useDefault = true

[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)(api[_-]?key|apikey)['"]?\s*[:=]\s*['"]?([a-z0-9]{32,})'''
entropy = 3.5

# Install hook
pre-commit install
```

**History Scan Example:**

```
SCANNING GIT HISTORY — 1,247 commits
⣾ Analyzing commit 892/1247 (71%)

SECRETS FOUND
┌─────────────┬──────────────────┬──────────────────┬─────────┐
│ Type        │ File             │ Commit           │ Branch  │
├─────────────┼──────────────────┼──────────────────┼─────────┤
│ AWS Key     │ config.py        │ a4f3c21 (2023)   │ main    │
│ Private Key │ deploy_key.pem   │ 7b8e912 (2022)   │ prod    │
│ API Token   │ .env.example     │ c2d4f98 (2024)   │ develop │
└─────────────┴──────────────────┴──────────────────┴─────────┘

REMEDIATION
1. Rotate compromised credentials immediately
2. Remove secrets from history: git filter-repo --path config.py --invert-paths
3. Add to .gitignore: .env, *.pem, secrets/
```
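To show what the generated rule actually does at scan time, here is an added example (not the skill's own scanner) that applies the page's `generic-api-key` regex with its `entropy = 3.5` gate, plus two patterns of this example's own for the AKIA*/ASIA* and `BEGIN PRIVATE KEY` items from the detection list, to a constructed set of file lines. The sample lines, the rule names and the `scan_lines`/`redact` helpers are this example's constructions; the AKIA value is the example key ID from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 3.5  # same value as `entropy = 3.5` in the sample .gitleaks.toml

# (rule id, compiled pattern, capture group that holds the candidate secret).
# The first regex is the page's generic-api-key rule verbatim; the other two are
# this example's own patterns for the AKIA*/ASIA* and BEGIN PRIVATE KEY items.
RULES = [
    ("generic-api-key",
     re.compile(r"""(?i)(api[_-]?key|apikey)['"]?\s*[:=]\s*['"]?([a-z0-9]{32,})"""), 2),
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), 1),
    ("private-key", re.compile(r"(-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----)"), 1),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; a 32-char string of distinct characters scores exactly 5.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines) -> list:
    """Return (line_no, rule_id, secret) for every match.

    The generic rule only recognises the shape 'key name + long token', so, as
    gitleaks does with its entropy setting, low-entropy matches such as a
    placeholder of repeated characters are dropped rather than reported.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule_id, pattern, group in RULES:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(group)
            if rule_id == "generic-api-key" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue
            findings.append((line_no, rule_id, secret))
    return findings


def redact(secret: str) -> str:
    """Never echo the full value into a report; keep a 4-char prefix and 3-char suffix."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-3:]}"


# Constructed sample file. The AKIA value is the example key ID from AWS's own
# documentation; the 32-char token is a made-up permutation of distinct characters.
SAMPLE_LINES = [
    'DB_HOST = "db.internal"',
    'api_key = "q1w2e3r4t5y6u7i8o9p0azsxdcfvgbhn"',
    'API_KEY = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "-----BEGIN RSA PRIVATE KEY-----",
]


def demo() -> list:
    """Scan the constructed sample; line 3 is dropped by the entropy gate."""
    return scan_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for line_no, rule_id, secret in demo():
        print(f"line {line_no}: {rule_id} -> {redact(secret)}")
```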

/iam-audit - IAM Least-Privilege Audit

Audits IAM roles for over-permissioned access, stale credentials, and MFA gaps.

Usage:

```bash
/iam-audit [--provider=aws|azure|gcp] [--scope=users|roles|policies]
```

Example:

```bash
# Full AWS IAM audit
/iam-audit --provider=aws

# Audit specific scope
/iam-audit --provider=aws --scope=roles
```

**Configuration:**

```bash
# AWS credentials (use environment variables)
export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}"
export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
export AWS_REGION="us-east-1"
```

**Output Example:**

```
IAM AUDIT — AWS Account (123456789012)
Users: 47 | Roles: 23 | Policies: 156

OVER-PERMISSIONED ROLES
┌──────────────────────┬─────────────┬──────────────────────┐
│ Role                 │ Risk Score  │ Excessive Permission │
├──────────────────────┼─────────────┼──────────────────────┤
│ DevOps-Engineer      │ 8.5 🔴      │ iam:* (admin)        │
│ Lambda-Execution     │ 7.2 🟠      │ s3:* (all buckets)   │
│ Analytics-Reader     │ 6.1 🟠      │ dynamodb:DeleteTable │
└──────────────────────┴─────────────┴──────────────────────┘

STALE ACCESS
• User: john.doe@company.com — Last activity: 347 days ago
• Access key AKIA...XYZ — Created: 2021-03-15 (unused)

MFA GAPS
• 12 users without MFA (26% of workforce)
• Root account MFA: ✓ Enabled

RECOMMENDATIONS
1. Replace DevOps-Engineer wildcard with specific actions
2. Scope Lambda-Execution to specific S3 buckets
3. Deactivate stale access keys older than 90 days
4. Enforce MFA policy with conditional IAM deny
```
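The three findings in the sample output (wildcard actions, keys unused for more than 90 days, users without MFA) reduce to checks over policy statements and credential metadata; the following added example (not the skill's code and not the AWS API, which a real audit would query through the SDK or a credential report) runs those checks over a constructed account snapshot. The role and user names mirror the sample output, the key IDs and dates are made up, and the read-only-role heuristic that flags `dynamodb:DeleteTable` on a role named `*-Reader` is this example's own assumption.

```python
from datetime import date, timedelta

STALE_AFTER_DAYS = 90  # the threshold named in the sample RECOMMENDATIONS
# Heuristic (assumption): roles whose name marks them read-only should carry
# only read-style verbs; anything else is reported, like DeleteTable above.
READ_ONLY_ROLE_MARKERS = ("Reader", "ReadOnly", "Viewer")
READ_VERB_PREFIXES = ("Get", "List", "Describe", "Query", "Scan", "BatchGet")

# Constructed account snapshot: inline policy statements per role and per-user
# access-key metadata. Names mirror the sample output; nothing here is real.
ROLES = {
    "DevOps-Engineer": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
    "Lambda-Execution": [
        {"Effect": "Allow", "Action": ["s3:*", "logs:CreateLogStream"], "Resource": "*"}],
    "Analytics-Reader": [
        {"Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:DeleteTable"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/analytics"}],
}
USERS = [
    {"name": "john.doe@company.com", "mfa": False,
     "keys": [{"id": "AKIAEXAMPLEKEY000001", "created": date(2021, 3, 15),
               "last_used": None}]},
    {"name": "alice.chen@company.com", "mfa": True,
     "keys": [{"id": "AKIAEXAMPLEKEY000002", "created": date(2024, 1, 2),
               "last_used": date(2024, 5, 10)}]},
]


def _actions(statement) -> list:
    """IAM allows Action to be a single string or a list; normalise to a list."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def excessive_actions(role_name: str, statements) -> list:
    """Wildcards ('*' or 'service:*') in Allow statements, plus non-read verbs
    on roles that are named as read-only."""
    read_only_role = any(marker in role_name for marker in READ_ONLY_ROLE_MARKERS)
    found = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not the concern here
        for action in _actions(st):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                found.append(action)
            elif read_only_role and not verb.startswith(READ_VERB_PREFIXES):
                found.append(action)
    return found


def over_permissioned_roles(roles) -> dict:
    report = {}
    for role, statements in roles.items():
        bad = excessive_actions(role, statements)
        if bad:
            report[role] = bad
    return report


def redact(key_id: str) -> str:
    """Report form used on the page: 'AKIA...XYZ'."""
    return f"{key_id[:4]}...{key_id[-3:]}"


def stale_keys(users, today: date) -> list:
    """Keys never used, or idle longer than STALE_AFTER_DAYS, as of `today`."""
    cutoff = today - timedelta(days=STALE_AFTER_DAYS)
    stale = []
    for user in users:
        for key in user["keys"]:
            reference = key["last_used"] or key["created"]
            if reference < cutoff:
                state = "unused" if key["last_used"] is None else "idle"
                stale.append((user["name"], redact(key["id"]), state))
    return stale


def mfa_gaps(users) -> tuple:
    """(users without MFA, their share of all users in percent)."""
    missing = [u["name"] for u in users if not u["mfa"]]
    share = round(100 * len(missing) / len(users)) if users else 0
    return missing, share


def audit(roles=ROLES, users=USERS, today=date(2024, 5, 11)) -> dict:
    """Combine the three checks into one report; `today` is the constructed audit date."""
    return {
        "over_permissioned": over_permissioned_roles(roles),
        "stale_keys": stale_keys(users, today),
        "mfa_gaps": mfa_gaps(users),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(section, findings)
```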

/incident-playbook - Security Incident Response

Orchestrates incident response: triage → contain → eradicate → recover → lessons.

Usage:

```bash
/incident-playbook [--type=breach|ransomware|ddos|insider] [--severity=p0|p1|p2]
```

Example:

```bash
# Start data breach playbook
/incident-playbook --type=breach --severity=p0

# DDoS incident response
/incident-playbook --type=ddos --severity=p1
```

**Incident Types:**

- **breach**: Data breach / unauthorized access
- **ransomware**: Ransomware infection
- **ddos**: Distributed denial of service
- **insider**: Insider threat / privilege abuse

**Playbook Flow:**

```
╔══════════════════════════════════════════════════╗
║ INCIDENT RESPONSE — Data Breach (P0)             ║
╠══════════════════════════════════════════════════╣
║ Phase: CONTAINMENT                               ║
║ Elapsed: 00:37:12                                ║
║ Next deadline: GDPR notification (71h 22m)       ║
╚══════════════════════════════════════════════════╝

PHASE 1: TRIAGE ✓ Complete (00:15:00)
✓ Incident confirmed: Unauthorized database access
✓ Severity: P0 (>10,000 PII records exposed)
✓ Incident commander: Alice Chen
✓ War room: Slack #incident-2024-05-11

PHASE 2: CONTAINMENT (In Progress)
⟳ [00:37] Isolating affected database server
✓ [00:20] Disabled compromised credentials
✓ [00:10] Enabled detailed audit logging
□ Pending: Block external database access
□ Pending: Snapshot affected systems

NEXT ACTIONS
1. Execute: aws ec2 create-snapshot --volume-id vol-abc123
2. Execute: aws rds modify-db-instance --publicly-accessible false
3. Notify: Legal team (GDPR 72h clock started)
4. Document: Initial breach assessment in incident tracker

STAKEHOLDERS NOTIFIED
✓ Security team
✓ Engineering lead
✓ CTO
⚠️ Legal team (notification pending)
□ Data Protection Officer
```

/privacy-policy - Privacy Policy Generator

Generates GDPR/CCPA-compliant privacy policies from a data inventory.

Usage:

```bash
/privacy-policy [--framework=gdpr|ccpa|pipeda] [--language=en|de|fr]
```

Example:

```bash
# Generate GDPR-compliant policy
/privacy-policy --framework=gdpr --language=en

# Multi-jurisdiction policy
/privacy-policy --framework=gdpr,ccpa
```

**Input (Data Inventory):**

```yaml
# data-inventory.yaml
company:
  name: "Acme Corp"
  dpo_email: "dpo@acme.com"

personal_data:
  - type: "email"
    purpose: "Account authentication"
    lawful_basis: "Contract (Art. 6.1.b)"
    retention: "Account lifetime + 30 days"
  - type: "name, address"
    purpose: "Order fulfillment"
    lawful_basis: "Contract (Art. 6.1.b)"
    retention: "7 years (tax law)"

processors:
  - name: "AWS"
    service: "Database hosting"
    dpa_status: "Signed"
```

**Generated Policy Sections:**

```markdown
# Privacy Policy

Effective Date: May 11, 2024
Data Protection Officer: dpo@acme.com

## 1. Data Controller

Acme Corp is the data controller for personal data processed through this service.

## 2. Personal Data We Collect

### Account Authentication

- Data: Email address
- Legal Basis: Performance of contract (GDPR Art. 6.1.b)
- Retention: Account lifetime + 30 days after deletion
- Your Rights: Access, rectification, deletion, portability

### Order Fulfillment

- Data: Name, postal address
- Legal Basis: Performance of contract (GDPR Art. 6.1.b)
- Retention: 7 years (legal obligation - tax records)
- Your Rights: Access, rectification (deletion limited by law)

## 3. Data Processors

We use third-party processors who have access to your data:

- AWS — Database hosting (Data Processing Agreement signed)

## 4. Your Rights (GDPR)

You have the right to:

- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Request deletion (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Lodge a complaint with supervisory authority

## 5. Data Breach Notification

We will notify you within 72 hours of discovering a breach that affects your rights.

## 6. Contact

For privacy inquiries: dpo@acme.com
```

Multi-Step Workflows

secure-sdlc - Secure Software Development Lifecycle

Shift-left security workflow: threat model → SAST → DAST → pen test → sign-off.
Usage:
bash
/workflows:secure-sdlc <project_path> [--stage=all|threat|sast|dast|pentest]
Workflow Stages:
1. THREAT MODELING
   ├─ /threat-model ./docs/architecture.md
   └─ Output: Risk matrix with mitigations

2. STATIC ANALYSIS (SAST)
   ├─ /owasp-scan ./src
   ├─ /secret-detect --scan-history
   └─ Output: Vulnerability report

3. DEPENDENCY AUDIT
   ├─ /dep-cve --scope=all
   └─ Output: CVE report with upgrade path

4. DYNAMIC ANALYSIS (DAST)
   ├─ Run web app security scanner
   └─ Output: Runtime vulnerability findings

5. PENETRATION TEST
   ├─ /pentest-report ./results
   └─ Output: Executive summary + findings

6. SECURITY SIGN-OFF
   └─ Risk acceptance form
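Why stage 2 runs /secret-detect with --scan-history rather than scanning the checkout alone, shown with an added Python example that is not part of the skill suite: a credential committed once and removed in a later commit is absent from the working tree but still recoverable from history. The detector (one pattern rule plus a Shannon-entropy filter for generic keys) and the three-commit "history" are constructed for illustration; AKIAIOSFODNN7EXAMPLE is the example access key AWS uses in its own documentation, chosen so the sample is obviously fake. Real scans should use gitleaks with the ruleset pointed to by GITLEAKS_CONFIG.

```python
"""Added example, not part of the skill suite.

Demonstrates the difference between a working-tree secret scan and a
history scan: a key added in commit c1 and removed in c2 is invisible to
the former and found by the latter.  Rules, entropy cutoff and the commit
history below are constructed for illustration.
"""
import math
import re

# Constructed rules: (name, regex).  The generic rule captures the value in group 2.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-api-key",
     re.compile(r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})")),
]
ENTROPY_MIN = 3.5   # bits/char; constructed cutoff that drops "xxxx..." style placeholders


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_text(text, path):
    """Scan one file body. Returns (rule, path, line_no, redacted_secret) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex or 0)          # captured value, or whole match
            if name == "generic-api-key" and shannon_entropy(secret) < ENTROPY_MIN:
                continue                                 # low-entropy placeholder, not a key
            findings.append((name, path, line_no, secret[:4] + "…" + secret[-2:]))
    return findings


def scan_history(commits, head_only=False):
    """commits: oldest-to-newest list of {"sha": ..., "files": {path: text}}.
    head_only=True scans only the newest tree (a plain working-tree scan);
    otherwise every commit is scanned, which is what --scan-history does."""
    targets = commits[-1:] if head_only else commits
    results = []
    for c in targets:
        for path, text in c["files"].items():
            for rule, p, ln, redacted in scan_text(text, path):
                results.append({"commit": c["sha"], "rule": rule, "path": p,
                                "line": ln, "secret": redacted})
    return results


# Constructed history: the key is hard-coded in c1, replaced by an env lookup in c2,
# and c3 adds a settings template with an obvious placeholder value.
_CLEAN = 'import os\nAWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nREGION = "eu-west-1"\n'
HISTORY = [
    {"sha": "c1", "files": {"config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nREGION = "eu-west-1"\n'}},
    {"sha": "c2", "files": {"config.py": _CLEAN}},
    {"sha": "c3", "files": {"config.py": _CLEAN,
                            "settings.example": 'API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"\n'}},
]

if __name__ == "__main__":
    print("working tree only:", scan_history(HISTORY, head_only=True))
    for hit in scan_history(HISTORY):
        print(f"{hit['commit']} {hit['path']}:{hit['line']} {hit['rule']} {hit['secret']}")
```

If the history scan is run from the CI pattern later on the page, the checkout step also needs the full clone: actions/checkout fetches a single commit by default (fetch-depth: 1), so set fetch-depth: 0 for that job.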

breach-response
- Data Breach Response

Orchestrates breach response: detect → assess → notify → remediate → post-mortem.
Usage:
bash
/workflows:breach-response [--type=confirmed|suspected]
Workflow:
PHASE 1: DETECTION (0-1 hour)
□ Confirm breach indicator
□ Assign incident commander
□ Start incident log

PHASE 2: ASSESSMENT (1-4 hours)
□ Identify affected systems
□ Estimate data exposure scope
□ Classify data sensitivity

PHASE 3: NOTIFICATION (GDPR Art. 33: supervisory authority within 72h of becoming aware)
□ Notify Data Protection Officer
□ Notify supervisory authority (if Art. 33 threshold met)
□ Notify affected individuals (if Art. 34 threshold met)
□ Document notification timeline

PHASE 4: REMEDIATION
□ Close security gap
□ Revoke compromised credentials
□ Deploy security patches

PHASE 5: POST-MORTEM
□ Root cause analysis
□ Timeline reconstruction
□ Preventive measures

compliance-audit
- Full Compliance Audit

End-to-end audit: scope → gap analysis → evidence collection → remediation plan.
Usage:
bash
/workflows:compliance-audit [--framework=soc2|iso27001|gdpr]

zero-trust-design
- Zero Trust Architecture

Design workflow: identity → network → workload → data layer security.
Usage:
bash
/workflows:zero-trust-design <architecture_file>
Design Layers:
1. IDENTITY LAYER
   ├─ Multi-factor authentication
   ├─ Identity federation (SSO)
   └─ /iam-audit for least privilege

2. NETWORK LAYER
   ├─ Micro-segmentation
   ├─ Software-defined perimeter
   └─ Zero-trust network access (ZTNA)

3. WORKLOAD LAYER
   ├─ Container security
   ├─ Runtime protection
   └─ /owasp-scan for vulnerabilities

4. DATA LAYER
   ├─ Encryption at rest and in transit
   ├─ Data classification
   └─ /gdpr-audit for data governance

vendor-security
- Third-Party Vendor Assessment

Vendor risk assessment: questionnaire → risk scoring → decision framework.
Usage:
bash
/workflows:vendor-security <vendor_name>
Assessment Domains:
  • Security certifications (SOC 2, ISO 27001)
  • Data processing agreements
  • Incident response capabilities
  • Business continuity plans
  • Subprocessor disclosure

Configuration

Global Settings

Create ~/.security-skills/config.yaml:
yaml
# Output preferences
output:
  format: "markdown"        # markdown | json | html
  severity_colors: true
  progress_bars: true

# CVSS scoring
cvss:
  min_reportable: 4.0
  critical_threshold: 9.0
  high_threshold: 7.0

# Compliance frameworks
compliance:
  primary: "gdpr"           # gdpr | soc2 | iso27001
  data_residency: "eu"

# Notifications (the webhook URL is a secret; keep it in the environment, not in this file)
notifications:
  slack_webhook: "${SLACK_WEBHOOK_URL}"
  email: "security@company.com"

# Cloud providers
cloud:
  aws:
    profile: "default"
    regions: ["us-east-1", "eu-west-1"]
  azure:
    subscription_id: "${AZURE_SUBSCRIPTION_ID}"
  gcp:
    project_id: "${GCP_PROJECT_ID}"

Environment Variables

bash
# Cloud provider credentials (prefer short-lived credentials, e.g. an SSO or
# assumed-role profile, over long-lived access keys in the environment)
export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}"
export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
export AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}"
export GCP_PROJECT_ID="${GCP_PROJECT_ID}"

# Notifications
export SLACK_WEBHOOK_URL="${SLACK_WEBHOOK_URL}"

# CVE databases
export NVD_API_KEY="${NVD_API_KEY}"   # Optional: faster CVE lookups

# Scanning tools ("~" is not expanded inside double quotes, so use $HOME)
export GITLEAKS_CONFIG="$HOME/.security-skills/gitleaks.toml"

Common Patterns

Pattern 1: Pre-Deployment Security Gate

bash
# Run before each deployment
fail=0
/owasp-scan ./src --severity=high || fail=1
/dep-cve --scope=prod --min-cvss=7.0 || fail=1
/secret-detect || fail=1

# If any scan reported blocking findings, block deployment.
# Testing $? only after the last command would miss failures in the earlier scans.
if [ "$fail" -ne 0 ]; then
  echo "❌ Security gate failed - deployment blocked"
  exit 1
fi
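The gate above acts on the scanners' exit codes. The Python script below is an added example, not part of the skill suite: it reads the JSON reports the CI pattern writes (owasp.json, cve.json), applies the thresholds from the cvss: section of config.yaml to band each finding, and fails the gate when anything lands at or above the high band. The report schema (a top-level "findings" list whose items carry "id", "title" and "cvss") and the sample findings are assumptions constructed for the example.

```python
"""Added example, not part of the skill suite.

Aggregates scanner JSON reports and applies the CVSS bands from
~/.security-skills/config.yaml (min_reportable / high_threshold /
critical_threshold) as a deployment gate.  The report schema and the
sample findings are constructed for illustration.
"""
import json

# Mirrors the cvss: section of config.yaml
CVSS_CONFIG = {"min_reportable": 4.0, "critical_threshold": 9.0, "high_threshold": 7.0}

BANDS = ("ignored", "medium", "high", "critical")   # ascending severity


def band(score, cfg=CVSS_CONFIG):
    """Map a CVSS base score to the band the thresholds define."""
    if score >= cfg["critical_threshold"]:
        return "critical"
    if score >= cfg["high_threshold"]:
        return "high"
    if score >= cfg["min_reportable"]:
        return "medium"       # reportable, but not blocking by default
    return "ignored"          # below min_reportable: dropped from reports


def load_findings(report_json):
    """Parse one report. Findings without a numeric CVSS are returned separately."""
    data = json.loads(report_json)
    scored, unscored = [], []
    for f in data.get("findings", []):
        (scored if isinstance(f.get("cvss"), (int, float)) else unscored).append(f)
    return scored, unscored


def gate(reports, block_on="high", cfg=CVSS_CONFIG):
    """Evaluate every report in {name: json_text}.

    Returns (passed, counts, blocking).  blocking is sorted highest CVSS
    first, matching the suite's severity-sorted output.  Unscored findings
    never block on their own but are counted so they get triaged by hand."""
    counts = {b: 0 for b in BANDS}
    counts["unscored"] = 0
    blocking = []
    for source, report_json in reports.items():
        scored, unscored = load_findings(report_json)
        counts["unscored"] += len(unscored)
        for f in scored:
            b = band(f["cvss"], cfg)
            counts[b] += 1
            if BANDS.index(b) >= BANDS.index(block_on):
                blocking.append({"source": source, "id": f["id"], "band": b, "cvss": f["cvss"]})
    blocking.sort(key=lambda x: x["cvss"], reverse=True)
    return not blocking, counts, blocking


# Constructed sample reports standing in for owasp.json and cve.json
SAMPLE_REPORTS = {
    "owasp.json": json.dumps({"findings": [
        {"id": "OWASP-A03-001", "title": "SQL injection in /search", "cvss": 9.8},
        {"id": "OWASP-A05-004", "title": "Missing Content-Security-Policy header", "cvss": 5.3},
        {"id": "OWASP-A09-002", "title": "Login failures not logged", "cvss": None},
    ]}),
    "cve.json": json.dumps({"findings": [
        {"id": "pkg:example-lib@1.2.3", "title": "Constructed: RCE in transitive dependency", "cvss": 7.5},
        {"id": "pkg:example-tool@0.9.0", "title": "Constructed: minor information disclosure", "cvss": 3.1},
    ]}),
}

if __name__ == "__main__":
    import sys
    passed, counts, blocking = gate(SAMPLE_REPORTS)
    print("counts:", counts)
    for b in blocking:
        print(f"{b['band'].upper():8} {b['cvss']:>4} {b['source']}: {b['id']}")
    if not passed:
        print("❌ Security gate failed - deployment blocked")
        sys.exit(1)
    print("✅ Security gate passed")
```

Pass block_on="critical" to gate() for a looser release branch policy; the banding itself stays driven by the same three thresholds as config.yaml, so the CLI and the gate agree on what "high" means.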

Pattern 2: Continuous Compliance Monitoring

bash
# Weekly compliance check
/gdpr-audit ./src --output=report
/soc2-readiness --type=2
/iam-audit --provider=aws

# Generate compliance dashboard

# Send to stakeholders

Pattern 3: Incident Response Automation

bash
# Triggered by security alert
/incident-playbook --type=breach --severity=p0

# Automatic containment actions: move the instance into a quarantine security
# group (one with no inbound or outbound rules) so it stays running for
# forensics but cannot talk to anything. QUARANTINE_SG_ID is a placeholder
# for that group's id. (--no-source-dest-check only toggles NAT-style
# forwarding and does not isolate a host.)
aws ec2 modify-instance-attribute \
  --instance-id i-1234567890abcdef0 \
  --groups "${QUARANTINE_SG_ID}"

# Notify stakeholders
curl -X POST "${SLACK_WEBHOOK_URL}" \
  -H "Content-Type: application/json" \
  -d '{"text": "🚨 P0 Security Incident - War room #incident-active"}'

Pattern 4: Shift-Left Security in CI/CD

yaml
# .github/workflows/security.yml
name: Security Checks
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: OWASP Scan
        run: /owasp-scan ./src --format=json --output=owasp.json

      - name: Dependency CVE Check
        run: /dep-cve --scope=all --format=json --output=cve.json

      - name: Secret Detection
        run: /secret-detect