skill-file-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

skill-file-security

Skill by ara.so — Security Skills collection.

skill-file-security installs 29 battle-tested security instruction files into your project that teach AI coding assistants to identify and fix vulnerabilities across OWASP Top 10, CWE Top 25, ASVS Level 3, and more — without leaving your IDE.

由ara.so开发的Skill——安全技能合集。

skill-file-security会在你的项目中安装29个久经考验的安全指令文件，指导AI代码助手识别并修复涵盖OWASP Top 10、CWE Top 25、ASVS Level 3等标准的漏洞——全程无需离开你的IDE。

What This Does

功能介绍

skill-file-security is a CLI tool that:

Installs security knowledge files to
```
.skills/security/
```
in your project
Auto-configures all major AI coding assistants (Claude, Cursor, Copilot, Windsurf, Cline, etc.)
Creates
```
memory-security.md
```
to track your security score over time
Hardens
```
.gitignore
```
with 6 security-focused entries

Provides 6 slash commands:

/security-scan

/security-audit

/security-fix

/security-status

/security-history

/security-incident

The AI assistant reads these instruction files and applies 29 security categories to YOUR specific stack (Next.js, Django, Laravel, Express, Docker, Supabase, Firebase, etc.).

skill-file-security是一款CLI工具，具备以下功能：

在项目的
```
.skills/security/
```
目录下安装安全知识文件
自动配置主流AI代码助手（Claude、Cursor、Copilot、Windsurf、Cline等）
创建
```
memory-security.md
```
文件，用于跟踪你的安全评分变化
为
```
.gitignore
```
添加6项安全相关配置

提供6个斜杠命令：

/security-scan

、

/security-audit

、

/security-fix

、

/security-status

、

/security-history

、

/security-incident

AI助手会读取这些指令文件，并针对你的特定技术栈（Next.js、Django、Laravel、Express、Docker、Supabase、Firebase等）应用29个安全分类的检查规则。

Installation

安装方法

Interactive Mode (Recommended)

交互式模式（推荐）

bash

npx @netxeo/security-skill

This launches a smart 5-question setup that:

Auto-detects your stack (Next.js, Supabase, Docker, etc.)
Asks about auth, database, API, deployment, and custom rules
Installs only the security rules you need

bash

npx @netxeo/security-skill

该模式会启动一个智能的5步设置流程：

自动检测你的技术栈（Next.js、Supabase、Docker等）
询问关于认证、数据库、API、部署和自定义规则的相关问题
仅安装你需要的安全规则

Fast Mode (Silent Install)

快速模式（静默安装）

bash

undefined

bash

undefined

Install everywhere (all AI assistants)

为所有AI助手安装

npx @netxeo/security-skill --yes

Install for specific assistants

为特定助手安装

npx @netxeo/security-skill --claude npx @netxeo/security-skill --cursor npx @netxeo/security-skill --copilot npx @netxeo/security-skill --windsurf npx @netxeo/security-skill --cline

undefined

npx @netxeo/security-skill --claude npx @netxeo/security-skill --cursor npx @netxeo/security-skill --copilot npx @netxeo/security-skill --windsurf npx @netxeo/security-skill --cline

undefined

Install as a Dev Dependency

安装为开发依赖

bash

npm install --save-dev @netxeo/security-skill

bash

npm install --save-dev @netxeo/security-skill

Then run via package.json script

之后通过package.json脚本运行

npx security-skill

undefined

npx security-skill

undefined

What Gets Installed

安装内容

your-project/
├── .skills/
│   └── security/
│       ├── skill.md                      # Main security orchestrator
│       ├── 01-secrets-and-files.md
│       ├── 02-network-and-cors.md
│       ├── 03-http-headers.md
│       ├── 04-auth-and-sessions.md
│       ├── 05-cryptography.md
│       ├── 06-jwt-security.md
│       ├── 07-database-security.md
│       ├── 08-deployment-ci-cd.md
│       ├── 09-docker-security.md
│       ├── 10-protocols-graphql-websocket.md
│       ├── 11-advanced-attacks.md
│       ├── 12-all-injections.md
│       ├── 13-race-conditions.md
│       ├── 14-file-upload.md
│       ├── 15-dns-email.md
│       ├── 16-supply-chain.md
│       ├── 17-mobile-security.md
│       ├── 18-compliance-gdpr.md
│       ├── 19-monitoring-honeytokens.md
│       ├── 20-serverless-edge.md
│       ├── 21-source-code-analysis.md
│       ├── 22-ai-llm-security.md
│       ├── 23-bot-ddos.md
│       ├── 24-browser-apis.md
│       └── 25-modern-security.md
├── memory-security.md                     # Score tracker
├── CLAUDE.md                              # Claude / Antigravity config
├── .cursorrules                           # Cursor config
├── .cursor/rules/security.mdc             # Cursor new format
├── .github/copilot-instructions.md        # GitHub Copilot config
├── .windsurfrules                         # Windsurf config
├── .clinerules                            # Cline config
├── AGENTS.md                              # OpenAI Codex CLI config
├── GEMINI.md                              # Gemini Code Assist config
└── .gitignore                             # Updated with security entries

your-project/
├── .skills/
│   └── security/
│       ├── skill.md                      # 主安全编排文件
│       ├── 01-secrets-and-files.md
│       ├── 02-network-and-cors.md
│       ├── 03-http-headers.md
│       ├── 04-auth-and-sessions.md
│       ├── 05-cryptography.md
│       ├── 06-jwt-security.md
│       ├── 07-database-security.md
│       ├── 08-deployment-ci-cd.md
│       ├── 09-docker-security.md
│       ├── 10-protocols-graphql-websocket.md
│       ├── 11-advanced-attacks.md
│       ├── 12-all-injections.md
│       ├── 13-race-conditions.md
│       ├── 14-file-upload.md
│       ├── 15-dns-email.md
│       ├── 16-supply-chain.md
│       ├── 17-mobile-security.md
│       ├── 18-compliance-gdpr.md
│       ├── 19-monitoring-honeytokens.md
│       ├── 20-serverless-edge.md
│       ├── 21-source-code-analysis.md
│       ├── 22-ai-llm-security.md
│       ├── 23-bot-ddos.md
│       ├── 24-browser-apis.md
│       └── 25-modern-security.md
├── memory-security.md                     # 评分跟踪文件
├── CLAUDE.md                              # Claude / Antigravity 配置文件
├── .cursorrules                           # Cursor 配置文件
├── .cursor/rules/security.mdc             # Cursor 新格式配置
├── .github/copilot-instructions.md        # GitHub Copilot 配置文件
├── .windsurfrules                         # Windsurf 配置文件
├── .clinerules                            # Cline 配置文件
├── AGENTS.md                              # OpenAI Codex CLI 配置文件
├── GEMINI.md                              # Gemini Code Assist 配置文件
└── .gitignore                             # 更新后的安全相关配置

Key Commands

核心命令

After installation, use these slash commands in your AI coding assistant:

安装完成后，可在AI代码助手中使用以下斜杠命令：

/security-scan

/security-scan

Quick 30-second scan focusing on critical issues only.

javascript

// Example output:
// 🔴 CRITICAL #1 — Hardcoded Supabase service role key in .env.local
// 🔴 CRITICAL #2 — RLS disabled on 3 tables (users, orders, messages)
// 🟠 HIGH #3 — Missing rate limiting on /api/auth/login
// ⏱️ Scan completed in 28s

快速30秒扫描，仅聚焦关键问题。

javascript

// 示例输出:
// 🔴 严重问题 #1 — .env.local中存在硬编码的Supabase服务角色密钥
// 🔴 严重问题 #2 — 3个表（users、orders、messages）未启用RLS
// 🟠 高风险问题 #3 — /api/auth/login接口缺少速率限制
// ⏱️ 扫描完成耗时28秒

/security-audit

/security-audit

Full audit that generates a security score (/100) and detailed report file.

javascript

// Example output:
// ╔══════════════════════════════════════════════════╗
// ║      🔐  SECURITY AUDIT — myproject              ║
// ║         Stack: Next.js · Supabase · Vercel        ║
// ╠══════════════════════════════════════════════════╣
// ║  SECURITY SCORE  :  61 / 100  🟠                  ║
// ╠══════════════════════════════════════════════════╣
// ║  🔴  Secrets & Files          12/20  ← FIX NOW   ║
// ║  🟢  Auth & Sessions          16/20              ║
// ║  🔴  Database (Supabase RLS)   8/20  ← FIX NOW   ║
// ║  🟡  HTTP Headers             12/20              ║
// ...
// 📄 Full report → security-report.md

全面审计，生成安全评分（满分100）和详细报告文件。

javascript

// 示例输出:
// ╔══════════════════════════════════════════════════╗
// ║      🔐  安全审计 — myproject              ║
// ║         技术栈: Next.js · Supabase · Vercel        ║
// ╠══════════════════════════════════════════════════╣
// ║  安全评分  :  61 / 100  🟠                  ║
// ╠══════════════════════════════════════════════════╣
// ║  🔴  密钥与文件安全          12/20  ← 立即修复   ║
// ║  🟢  认证与会话安全          16/20              ║
// ║  🔴  数据库（Supabase RLS）   8/20  ← 立即修复   ║
// ║  🟡  HTTP头安全             12/20              ║
// ...
// 📄 完整报告 → security-report.md

/security-fix

/security-fix

Applies fixes with your approval. Always shows diffs before modifying code.

javascript

// Example interaction:
// You: /security-fix rls
// AI: I'll enable RLS on 3 tables. Here's what will change:
//
// --- a/supabase/migrations/add_rls.sql
// +++ b/supabase/migrations/add_rls.sql
// @@ -0,0 +1,12 @@
// +ALTER TABLE users ENABLE ROW LEVEL SECURITY;
// +ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
// +ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
//
// Apply these changes? (y/n)

在你确认后应用修复方案，修改代码前会始终展示差异对比。

javascript

// 示例交互:
// 你: /security-fix rls
// AI: 我将为3个表启用RLS，以下是即将修改的内容:
//
// --- a/supabase/migrations/add_rls.sql
// +++ b/supabase/migrations/add_rls.sql
// @@ -0,0 +1,12 @@
// +ALTER TABLE users ENABLE ROW LEVEL SECURITY;
// +ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
// +ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
//
// 是否应用这些修改？(y/n)

/security-status

/security-status

Shows your score history from

memory-security.md

javascript

// Example output:
// | Date       | Score  | Critical | High | Notes              |
// |------------|--------|----------|------|--------------------|
// | 2025-05-01 | 61/100 | 2        | 3    | First audit        |
// | 2025-05-03 | 84/100 | 0        | 1    | Fixed RLS + secret |
// | 2025-05-10 | 97/100 | 0        | 0    | 🟢 Excellent       |

展示

memory-security.md

中的评分历史。

javascript

// 示例输出:
// | 日期       | 评分  | 严重问题 | 高风险 | 备注              |
// |------------|--------|----------|------|--------------------|
// | 2025-05-01 | 61/100 | 2        | 3    | 首次审计        |
// | 2025-05-03 | 84/100 | 0        | 1    | 修复RLS和密钥问题 |
// | 2025-05-10 | 97/100 | 0        | 0    | 🟢 优秀       |

/security-history

/security-history

Shows before→after comparison to prove value.

展示修复前后的对比，验证修复价值。

/security-incident

/security-incident

Full incident response playbook for when something goes wrong.

提供完整的事件响应手册，用于应对安全事故。

Real-World Usage Examples

实际使用示例

Example 1: Next.js + Supabase Project

示例1: Next.js + Supabase 项目

bash

undefined

bash

undefined

Install security skill

安装安全skill

npx @netxeo/security-skill

In your AI assistant:

在AI助手中:

You: /security-scan

你: /security-scan


**AI Response:**

🔴 CRITICAL #1 — Supabase service role key exposed in frontend File: .env.local:3 Found: NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=eyJhbG... Risk: Full database access exposed to browser Fix: Move to server-only env var (no NEXT_PUBLIC_ prefix)

🔴 CRITICAL #2 — RLS disabled on users table File: supabase/migrations/001_create_users.sql Risk: Any authenticated user can read all user data Fix: /security-fix rls

🟠 HIGH #3 — Missing rate limiting on auth endpoints File: app/api/auth/login/route.ts Risk: Brute force attacks on login Fix: Add @upstash/ratelimit middleware


**Apply a fix:**
```javascript
// You: /security-fix rls

// AI shows diff and asks for approval:
// --- a/supabase/migrations/002_enable_rls.sql
// +++ b/supabase/migrations/002_enable_rls.sql
// +ALTER TABLE users ENABLE ROW LEVEL SECURITY;
// +
// +CREATE POLICY "Users can read own data"
// +  ON users FOR SELECT
// +  TO authenticated
// +  USING (auth.uid() = id);
// +
// +CREATE POLICY "Users can update own data"
// +  ON users FOR UPDATE
// +  TO authenticated
// +  USING (auth.uid() = id);

// You: yes
// AI: ✅ Applied RLS policy. Run migration with: supabase db push


**AI响应:**

🔴 严重问题 #1 — Supabase服务角色密钥暴露在前端文件: .env.local:3 问题: NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=eyJhbG... 风险: 浏览器可获取完整数据库访问权限修复方案: 迁移至仅服务器端环境变量（移除NEXT_PUBLIC_前缀）

🔴 严重问题 #2 — users表未启用RLS 文件: supabase/migrations/001_create_users.sql 风险: 任何已认证用户可读取所有用户数据修复方案: /security-fix rls

🟠 高风险问题 #3 — 认证接口缺少速率限制文件: app/api/auth/login/route.ts 风险: 登录接口可能遭受暴力破解攻击修复方案: 添加@upstash/ratelimit中间件


**应用修复:**
```javascript
// 你: /security-fix rls

// AI展示差异并请求确认:
// --- a/supabase/migrations/002_enable_rls.sql
// +++ b/supabase/migrations/002_enable_rls.sql
// +ALTER TABLE users ENABLE ROW LEVEL SECURITY;
// +
// +CREATE POLICY "Users can read own data"
// +  ON users FOR SELECT
// +  TO authenticated
// +  USING (auth.uid() = id);
// +
// +CREATE POLICY "Users can update own data"
// +  ON users FOR UPDATE
// +  TO authenticated
// +  USING (auth.uid() = id);

// 你: yes
// AI: ✅ 已应用RLS策略。运行迁移命令: supabase db push

Example 2: Express API with PostgreSQL

示例2: Express API + PostgreSQL

javascript

// You: /security-audit

// AI detects SQL injection vulnerability
// 🔴 CRITICAL — SQL Injection in user search endpoint
//    File: routes/users.js:23
//    Code: db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`)
//    Fix:  Use parameterized queries

// You: /security-fix sql-injection routes/users.js:23

// AI shows the fix:
// --- a/routes/users.js
// +++ b/routes/users.js
// @@ -20,7 +20,7 @@
//  router.get('/search', async (req, res) => {
// -  const results = await db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`);
// +  const results = await db.query('SELECT * FROM users WHERE name = $1', [req.query.name]);
//    res.json(results.rows);
//  });

// You: yes
// AI: ✅ Fixed. SQL injection prevented using parameterized query.

javascript

// 你: /security-audit

// AI检测到SQL注入漏洞
// 🔴 严重问题 — 用户搜索接口存在SQL注入
//    文件: routes/users.js:23
//    代码: db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`)
//    修复方案: 使用参数化查询

// 你: /security-fix sql-injection routes/users.js:23

// AI展示修复方案:
// --- a/routes/users.js
// +++ b/routes/users.js
// @@ -20,7 +20,7 @@
//  router.get('/search', async (req, res) => {
// -  const results = await db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`);
// +  const results = await db.query('SELECT * FROM users WHERE name = $1', [req.query.name]);
//    res.json(results.rows);
//  });

// 你: yes
// AI: ✅ 修复完成。通过参数化查询阻止了SQL注入。

Example 3: Docker + CI/CD Security

示例3: Docker + CI/CD 安全

dockerfile

undefined

dockerfile

undefined

You: /security-scan

你: /security-scan

AI finds Docker security issues:

AI发现Docker安全问题:

🔴 CRITICAL — Running as root in production container

🔴 严重问题 — 生产容器以root用户运行

File: Dockerfile:15

文件: Dockerfile:15

Code: USER root

代码: USER root

Fix: Create non-root user

修复方案: 创建非root用户

🟠 HIGH — Secrets in environment variables

🟠 高风险问题 — 环境变量中存储密钥

File: .github/workflows/deploy.yml:34

文件: .github/workflows/deploy.yml:34

Code: DB_PASSWORD: ${{ secrets.DB_PASSWORD }}

代码: DB_PASSWORD: ${{ secrets.DB_PASSWORD }}

Fix: Use secret management service (AWS Secrets Manager, Vault)

修复方案: 使用密钥管理服务（AWS Secrets Manager、Vault）

You: /security-fix dockerfile

你: /security-fix dockerfile

AI rewrites Dockerfile:

AI重写Dockerfile:

--- a/Dockerfile

+++ b/Dockerfile

@@ -12,5 +12,8 @@

COPY . .

RUN npm run build

-USER root

+RUN addgroup -S appgroup && adduser -S appuser -G appgroup

+RUN chown -R appuser:appgroup /app

+USER appuser

+

CMD ["npm", "start"]

undefined

undefined

Configuration

配置说明

Environment Variables

环境变量

No environment variables required. skill-file-security works entirely through instruction files.

无需配置环境变量。skill-file-security完全通过指令文件运行。

Custom Rules

自定义规则

Add custom security rules by creating

.skills/security/26-custom.md

markdown

---
name: custom-security-rules
category: Custom
priority: high
---

通过创建

.skills/security/26-custom.md

添加自定义安全规则：

markdown

---
name: custom-security-rules
category: Custom
priority: high
---

Custom Security Rules

自定义安全规则

Rule 1: No console.log in production

规则1: 生产环境禁止使用console.log

Check all
```
console.log()
```
calls
Verify
```
NODE_ENV === 'production'
```
removes them
Suggest using structured logging (winston, pino)

检查所有
```
console.log()
```
调用
验证
```
NODE_ENV === 'production'
```
时是否移除这些调用
建议使用结构化日志工具（winston、pino）

Rule 2: API keys must be rotated every 90 days

规则2: API密钥需每90天轮换一次

Check
```
memory-security.md
```
for last rotation date
Alert if > 90 days since rotation

undefined

检查
```
memory-security.md
```
中的上次轮换日期
若超过90天未轮换则发出警报

undefined

Stack-Specific Configuration

技术栈专属配置

skill-file-security auto-detects your stack from:

```
package.json
```
(Next.js, Express, React, Vue)
```
requirements.txt
```
/
```
Pipfile
```
(Django, Flask)
```
composer.json
```
(Laravel, Symfony)
```
Gemfile
```
(Rails)
```
pom.xml
```
/
```
build.gradle
```
(Spring Boot)
```
Dockerfile
```
(Docker)
```
supabase/
```
directory (Supabase)
```
firebase.json
```
(Firebase)

No manual configuration needed.

skill-file-security会从以下文件自动检测你的技术栈：

```
package.json
```
（Next.js、Express、React、Vue）
```
requirements.txt
```
/
```
Pipfile
```
（Django、Flask）
```
composer.json
```
（Laravel、Symfony）
```
Gemfile
```
（Rails）
```
pom.xml
```
/
```
build.gradle
```
（Spring Boot）
```
Dockerfile
```
（Docker）
```
supabase/
```
目录（Supabase）
```
firebase.json
```
（Firebase）

无需手动配置。

Coverage

覆盖范围

OWASP Top 10 (2025)

A01: Broken Access Control
A02: Cryptographic Failures
A03: Injection
A04: Insecure Design
A05: Security Misconfiguration
A06: Vulnerable Components
A07: Auth & Session Management Failures
A08: Software & Data Integrity Failures
A09: Logging & Monitoring Failures
A10: SSRF

A01: 访问控制失效
A02: 加密失败
A03: 注入攻击
A04: 不安全设计
A05: 安全配置错误
A06: 易受攻击的组件
A07: 认证与会话管理失败
A08: 软件与数据完整性失败
A09: 日志与监控失败
A10: SSRF攻击

CWE Top 25

All 25 covered, including:

CWE-79 (XSS)
CWE-89 (SQL Injection)
CWE-22 (Path Traversal)
CWE-352 (CSRF)
CWE-434 (Unrestricted File Upload)
CWE-862 (Missing Authorization)
CWE-798 (Hard-coded Credentials)
CWE-918 (SSRF)
And 17 more...

覆盖全部25项，包括：

CWE-79（XSS）
CWE-89（SQL注入）
CWE-22（路径遍历）
CWE-352（CSRF）
CWE-434（无限制文件上传）
CWE-862（缺少授权）
CWE-798（硬编码凭证）
CWE-918（SSRF）
以及其他17项...

ASVS Level 3

Session Management (V3)
Access Control (V4)
Cryptography (V6)
Error Handling (V7)
Data Protection (V8)
Communications (V9)
Business Logic (V11)
Files & Resources (V12)
API & Web Services (V13)
Configuration (V14)

会话管理（V3）
访问控制（V4）
加密（V6）
错误处理（V7）
数据保护（V8）
通信安全（V9）
业务逻辑（V11）
文件与资源（V12）
API与Web服务（V13）
配置安全（V14）

Troubleshooting

故障排除

AI doesn't respond to /security-scan

AI未响应/security-scan命令

Cause: AI assistant config file not properly loaded.

Fix:

bash

undefined

原因: AI助手配置文件未正确加载。

修复方案:

bash

undefined

Reinstall for specific AI

为特定AI重新安装

npx @netxeo/security-skill --claude

or

或

npx @netxeo/security-skill --cursor

Restart your AI assistant after installation

安装完成后重启AI助手

undefined

undefined

Security score not updating in memory-security.md

memory-security.md中的安全评分未更新

Cause: AI hasn't written to memory file yet.

Fix:

javascript

// You: Update my security score after this audit
// AI will append new row to memory-security.md

原因: AI尚未写入评分文件。

修复方案:

javascript

// 你: 本次审计后更新我的安全评分
// AI会将新记录追加到memory-security.md中

False positives in security scan

安全扫描出现误报

Cause: Context-specific code patterns that are actually safe.

Fix:

javascript

// You: /security-scan --ignore-false-positives

// Or add exception comment in code:
const html = userInput; // security-skill-ignore: sanitized by DOMPurify on line 12

原因: 特定上下文的代码模式实际是安全的，但被误判。

修复方案:

javascript

// 你: /security-scan --ignore-false-positives

// 或在代码中添加例外注释:
const html = userInput; // security-skill-ignore: sanitized by DOMPurify on line 12

Skill files not found

Skill文件未找到

Cause: Installation didn't complete or files were deleted.

Fix:

bash

undefined

原因: 安装未完成或文件已被删除。

修复方案:

bash

undefined

Reinstall

重新安装

npx @netxeo/security-skill --yes

Verify installation

验证安装

ls -la .skills/security/

Should show 25+ .md files

应显示25个以上.md文件

undefined

undefined

Conflicts with existing .cursorrules or CLAUDE.md

与现有.cursorrules或CLAUDE.md冲突

Cause: You already have custom AI instructions.

Fix:

bash

undefined

原因: 你已存在自定义AI指令文件。

修复方案:

bash

undefined

Backup existing files

备份现有文件

cp .cursorrules .cursorrules.backup cp CLAUDE.md CLAUDE.md.backup

Reinstall (will merge with existing)

重新安装（将与现有文件合并）

npx @netxeo/security-skill --cursor

Manually merge if needed

如有需要手动合并内容

undefined

undefined

Advanced Patterns

高级用法

CI/CD Integration

CI/CD集成

Add security checks to GitHub Actions:

yaml

undefined

将安全检查添加到GitHub Actions：

yaml

undefined

.github/workflows/security.yml

name: Security Audit

on: [push, pull_request]

jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 - run: npx @netxeo/security-skill --yes - run: | # Use AI CLI to run audit # (requires AI with CLI support like aider or continue.dev) echo "/security-audit" | npx continue

undefined

name: Security Audit

on: [push, pull_request]

jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 - run: npx @netxeo/security-skill --yes - run: | # 使用AI CLI运行审计 # (需要支持CLI的AI工具，如aider或continue.dev) echo "/security-audit" | npx continue

undefined

Pre-commit Hook

提交前钩子

bash

undefined

bash

undefined

.husky/pre-commit

#!/bin/sh npx @netxeo/security-skill --yes echo "/security-scan" | npx aider --yes-always

undefined

#!/bin/sh npx @netxeo/security-skill --yes echo "/security-scan" | npx aider --yes-always

undefined

Custom Security Categories

自定义安全分类

Extend with your own categories:

bash

undefined

扩展自定义分类：

bash

undefined

Create custom category

创建自定义分类

cat > .skills/security/26-internal-compliance.md << 'EOF'

name: internal-compliance category: Custom priority: high

cat > .skills/security/26-internal-compliance.md << 'EOF'

name: internal-compliance category: Custom priority: high

Internal Compliance Rules

内部合规规则

PCI DSS Requirements

PCI DSS要求

Credit card numbers must be masked in logs
Payment forms must use tokenization
No credit card data in URLs or GET requests

日志中必须屏蔽信用卡号
支付表单必须使用令牌化
信用卡数据不得出现在URL或GET请求中

SOC 2 Requirements

SOC 2要求

All database queries must be logged
User actions must be auditable
Access controls must be reviewed quarterly EOF

所有数据库查询必须记录日志
用户操作必须可审计
访问控制必须每季度审核一次 EOF

AI will now check these rules during scans

AI现在会在扫描时检查这些规则

undefined

undefined

Integration with Other Tools

与其他工具集成

skill-file-security complements (doesn't replace):

ESLint/Prettier: Code style and basic checks
SonarQube: Static analysis for code quality
Snyk/Dependabot: Dependency vulnerability scanning
OWASP ZAP: Dynamic application security testing

skill-file-security focuses on semantic security analysis that understands business logic and context — things static analyzers miss.

skill-file-security是对以下工具的补充（而非替代）：

ESLint/Prettier: 代码风格和基础检查
SonarQube: 代码质量静态分析
Snyk/Dependabot: 依赖漏洞扫描
OWASP ZAP: 动态应用安全测试

skill-file-security专注于语义安全分析，能够理解业务逻辑和上下文——这些是静态分析工具无法覆盖的内容。