Back to Details

sparkfinderoven-claude-security-compliance-suite

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

🔒 Security & Compliance Skills Suite

🔒 安全与合规技能套件

Skill by ara.so — Security Skills collection.
This skill suite provides AI coding agents with specialized commands and workflows for security auditing, vulnerability management, compliance (GDPR/SOC2/ISO27001), and incident response. Derived from hesreallyhim/awesome-claude-code, it offers 10 specialized commands and 5 multi-step workflows with structured output.
ara.so开发的技能——安全技能合集。
该技能套件为AI编码Agent提供用于安全审计、漏洞管理、合规性(GDPR/SOC2/ISO27001)和事件响应的专用命令与工作流。它源自hesreallyhim/awesome-claude-code,提供10个专用命令和5个多步骤工作流,并支持结构化输出。

What This Project Does

项目功能

The Security & Compliance Skills Suite equips AI agents with:
  • OWASP Top-10 vulnerability scanning with CVSS scores
  • Dependency CVE detection with upgrade paths
  • Compliance auditing (GDPR, SOC2, ISO27001)
  • Threat modeling using STRIDE methodology
  • IAM security audits for least-privilege assessment
  • Secret detection for pre-commit hooks
  • Incident response playbooks with structured workflows
  • Penetration test reporting with executive summaries
All commands follow a consistent 5-step interaction pattern with visual progress tracking and prioritized action plans.
安全与合规技能套件为AI Agent配备以下能力:
  • 带CVSS评分的OWASP Top-10漏洞扫描
  • 带升级路径的依赖项CVE检测
  • 合规性审计(GDPR、SOC2、ISO27001)
  • 使用STRIDE方法论的威胁建模
  • 用于最小权限评估的IAM安全审计
  • 用于预提交钩子的密钥检测
  • 带结构化工作流的事件响应手册
  • 含执行摘要的渗透测试报告
所有命令遵循统一的5步交互模式,支持可视化进度跟踪和优先级行动计划。

Installation

安装方法

Method 1: Clone to Claude Skills Directory

方法1:克隆到Claude技能目录

bash
undefined
bash
undefined

Clone the repository

克隆仓库

git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git

Copy to Claude skills directory

复制到Claude技能目录

mkdir -p ~/.claude/skills cp -r r01-hesreallyhim-awesome-claude-code-security ~/.claude/skills/security-compliance-suite/
undefined
mkdir -p ~/.claude/skills cp -r r01-hesreallyhim-awesome-claude-code-security ~/.claude/skills/security-compliance-suite/
undefined

Method 2: Manual Setup

方法2:手动设置

bash
undefined
bash
undefined

Create skill directory

创建技能目录

mkdir -p ~/.claude/skills/security-compliance-suite
mkdir -p ~/.claude/skills/security-compliance-suite

Download and extract

下载并解压

cd ~/.claude/skills/security-compliance-suite
cd ~/.claude/skills/security-compliance-suite

Add skill files manually

手动添加技能文件

undefined
undefined

Activate in Claude Code

在Claude Code中激活

In a Claude Code session:
bash
/read ~/.claude/skills/security-compliance-suite/SKILL.md
Or reference in your project's 
.claude/config.json
:
json
{
  "skills": [
    "~/.claude/skills/security-compliance-suite"
  ]
}
在Claude Code会话中执行:
bash
/read ~/.claude/skills/security-compliance-suite/SKILL.md
或在项目的
.claude/config.json
中引用:
json
{
  "skills": [
    "~/.claude/skills/security-compliance-suite"
  ]
}

Core Commands

核心命令

/owasp-scan
- OWASP Top-10 Vulnerability Scan

/owasp-scan
- OWASP Top-10漏洞扫描

Scans code for OWASP Top-10 vulnerabilities with exploit descriptions, CVSS scores, and remediation steps.
Usage:
bash
/owasp-scan <target_path>
/owasp-scan src/api --verbose
/owasp-scan . --format json
Example Output Structure:
╔══════════════════════════════════════════════════╗
║  OWASP Scan  —  src/api/                        ║
╠══════════════════════════════════════════════════╣
║  Injection checks        ✓   23 files            ║
║  Auth checks             ✓   12 files            ║
║  XSS checks              ✓   45 files            ║
║  CSRF checks             ✓   8 files             ║
╚══════════════════════════════════════════════════╝

FINDINGS  (sort: severity desc)
┌──────┬────────────────────────────────────┬──────┬──────────┐
│ Sev  │ Finding                            │ CVSS │ File     │
├──────┼────────────────────────────────────┼──────┼──────────┤
│  🔴  │ SQL injection via string concat    │ 9.8  │ db.js:45 │
│  🔴  │ JWT algorithm confusion            │ 9.1  │ auth.js  │
│  🟠  │ Missing CSRF token validation      │ 6.5  │ form.js  │
└──────┴────────────────────────────────────┴──────┴──────────┘
Code Pattern for SQL Injection Detection:
javascript
// VULNERABLE - String concatenation
const query = "SELECT * FROM users WHERE id = " + userId;

// SECURE - Parameterized query
const query = "SELECT * FROM users WHERE id = ?";
db.execute(query, [userId]);
扫描代码中的OWASP Top-10漏洞,提供漏洞利用描述、CVSS评分和修复步骤。
用法:
bash
/owasp-scan <target_path>
/owasp-scan src/api --verbose
/owasp-scan . --format json
示例输出结构:
╔══════════════════════════════════════════════════╗
║  OWASP Scan  —  src/api/                        ║
╠══════════════════════════════════════════════════╣
║  Injection checks        ✓   23 files            ║
║  Auth checks             ✓   12 files            ║
║  XSS checks              ✓   45 files            ║
║  CSRF checks             ✓   8 files             ║
╚══════════════════════════════════════════════════╝

FINDINGS  (sort: severity desc)
┌──────┬────────────────────────────────────┬──────┬──────────┐
│ Sev  │ Finding                            │ CVSS │ File     │
├──────┼────────────────────────────────────┼──────┼──────────┤
│  🔴  │ SQL injection via string concat    │ 9.8  │ db.js:45 │
│  🔴  │ JWT algorithm confusion            │ 9.1  │ auth.js  │
│  🟠  │ Missing CSRF token validation      │ 6.5  │ form.js  │
└──────┴────────────────────────────────────┴──────┴──────────┘
SQL注入检测代码模式:
javascript
// 存在漏洞 - 字符串拼接
const query = "SELECT * FROM users WHERE id = " + userId;

// 安全写法 - 参数化查询
const query = "SELECT * FROM users WHERE id = ?";
db.execute(query, [userId]);

/dep-cve
- Dependency CVE Report

/dep-cve
- 依赖项CVE报告

Scans project dependencies for known CVEs with exploitability scores and upgrade paths.
Usage:
bash
/dep-cve
/dep-cve --scope full --output md
/dep-cve --severity high,critical
Example Implementation Pattern:
javascript
// package.json analysis
const auditDependencies = async (packageJsonPath) => {
  const pkg = require(packageJsonPath);
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  
  const vulnerabilities = [];
  for (const [name, version] of Object.entries(deps)) {
    const cves = await queryNVD(name, version);
    vulnerabilities.push(...cves);
  }
  
  return vulnerabilities.sort((a, b) => b.cvss - a.cvss);
};
Expected Output:
CVE REPORT  —  234 dependencies scanned
┌─────────────┬─────────┬──────┬────────────────────────┐
│ Package     │ CVE     │ CVSS │ Fix                    │
├─────────────┼─────────┼──────┼────────────────────────┤
│ express     │ CVE-... │ 9.8  │ Upgrade to 4.18.2+     │
│ lodash      │ CVE-... │ 7.4  │ Upgrade to 4.17.21     │
│ axios       │ CVE-... │ 6.5  │ Upgrade to 1.6.0       │
└─────────────┴─────────┴──────┴────────────────────────┘

ACTION PLAN:
□ Critical: Upgrade express (15 min)
□ High: Upgrade lodash (10 min)
□ Medium: Review axios usage (30 min)
扫描项目依赖项中的已知CVE,提供可利用性评分和升级路径。
用法:
bash
/dep-cve
/dep-cve --scope full --output md
/dep-cve --severity high,critical
示例实现模式:
javascript
// package.json分析
const auditDependencies = async (packageJsonPath) => {
  const pkg = require(packageJsonPath);
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  
  const vulnerabilities = [];
  for (const [name, version] of Object.entries(deps)) {
    const cves = await queryNVD(name, version);
    vulnerabilities.push(...cves);
  }
  
  return vulnerabilities.sort((a, b) => b.cvss - a.cvss);
};
预期输出:
CVE REPORT  —  234 dependencies scanned
┌─────────────┬─────────┬──────┬────────────────────────┐
│ Package     │ CVE     │ CVSS │ Fix                    │
├─────────────┼─────────┼──────┼────────────────────────┤
│ express     │ CVE-... │ 9.8  │ Upgrade to 4.18.2+     │
│ lodash      │ CVE-... │ 7.4  │ Upgrade to 4.17.21     │
│ axios       │ CVE-... │ 6.5  │ Upgrade to 1.6.0       │
└─────────────┴─────────┴──────┴────────────────────────┘

ACTION PLAN:
□ Critical: Upgrade express (15 min)
□ High: Upgrade lodash (10 min)
□ Medium: Review axios usage (30 min)

/gdpr-audit
- GDPR Compliance Audit

/gdpr-audit
- GDPR合规审计

Maps data flows, identifies consent gaps, and generates DPA checklists.
Usage:
bash
/gdpr-audit
/gdpr-audit --scope full
/gdpr-audit --output report.md
Code Example - Data Flow Detection:
python
undefined
梳理数据流、识别同意缺口并生成DPA检查表。
用法:
bash
/gdpr-audit
/gdpr-audit --scope full
/gdpr-audit --output report.md
数据流检测代码示例:
python
undefined

Detect personal data processing

检测个人数据处理

import ast
class GDPRAnalyzer(ast.NodeVisitor): PII_FIELDS = ['email', 'phone', 'address', 'ssn', 'name']
def __init__(self):
    self.data_flows = []

def visit_Assign(self, node):
    # Check for PII in assignments
    if isinstance(node.value, ast.Call):
        if any(pii in ast.dump(node) for pii in self.PII_FIELDS):
            self.data_flows.append({
                'line': node.lineno,
                'type': 'data_collection',
                'lawful_basis': 'NEEDS_REVIEW'
            })
    self.generic_visit(node)
import ast
class GDPRAnalyzer(ast.NodeVisitor): PII_FIELDS = ['email', 'phone', 'address', 'ssn', 'name']
def __init__(self):
    self.data_flows = []

def visit_Assign(self, node):
    # 检查赋值语句中的PII
    if isinstance(node.value, ast.Call):
        if any(pii in ast.dump(node) for pii in self.PII_FIELDS):
            self.data_flows.append({
                'line': node.lineno,
                'type': 'data_collection',
                'lawful_basis': 'NEEDS_REVIEW'
            })
    self.generic_visit(node)

Usage

使用示例

with open('user_service.py') as f: tree = ast.parse(f.read()) analyzer = GDPRAnalyzer() analyzer.visit(tree)

**Audit Checklist Output:**
GDPR DATA FLOW MAP ┌──────────────────┬────────────────┬──────────────────┐ │ Data Type │ Lawful Basis │ Retention │ ├──────────────────┼────────────────┼──────────────────┤ │ Email │ ✓ Consent │ ✓ 2 years │ │ Phone │ ✗ NEEDS REVIEW │ ✗ Indefinite │ │ IP Address │ ⚠ Legitimate │ ✓ 90 days │ └──────────────────┴────────────────┴──────────────────┘
GAPS FOUND: □ Phone number: No consent mechanism □ IP logging: Review retention policy □ Cookie banner: Missing granular controls
undefined
with open('user_service.py') as f: tree = ast.parse(f.read()) analyzer = GDPRAnalyzer() analyzer.visit(tree)

**审计检查表输出:**
GDPR DATA FLOW MAP ┌──────────────────┬────────────────┬──────────────────┐ │ Data Type │ Lawful Basis │ Retention │ ├──────────────────┼────────────────┼──────────────────┤ │ Email │ ✓ Consent │ ✓ 2 years │ │ Phone │ ✗ NEEDS REVIEW │ ✗ Indefinite │ │ IP Address │ ⚠ Legitimate │ ✓ 90 days │ └──────────────────┴────────────────┴──────────────────┘
GAPS FOUND: □ Phone number: No consent mechanism □ IP logging: Review retention policy □ Cookie banner: Missing granular controls
undefined

/soc2-readiness
- SOC2 Compliance Assessment

/soc2-readiness
- SOC2合规性评估

Performs gap analysis across all 5 SOC2 Trust Service Criteria.
Usage:
bash
/soc2-readiness
/soc2-readiness --criteria availability,confidentiality
Assessment Framework:
yaml
undefined
对所有5项SOC2信任服务准则进行缺口分析。
用法:
bash
/soc2-readiness
/soc2-readiness --criteria availability,confidentiality
评估框架:
yaml
undefined

SOC2 Control Matrix

SOC2控制矩阵

trust_service_criteria:
  • id: CC6.1 criterion: Security control: Logical access controls evidence_required:
    • IAM policies
    • MFA enforcement
    • Access logs
  • id: CC7.2 criterion: Availability control: System monitoring evidence_required:
    • Uptime metrics
    • Incident response logs
    • Backup verification

**Output Format:**
SOC2 TYPE II READINESS — 5 criteria assessed
SECURITY (Common Criteria) CC6.1 Logical Access ⚠ MFA not enforced (gap: 23%) CC6.6 Encryption ✓ TLS 1.3, AES-256 CC6.7 Key Management ✗ Manual key rotation
AVAILABILITY A1.1 System Monitoring ✓ 24/7 alerting A1.2 Backup & Recovery ⚠ RPO exceeds policy
READINESS SCORE: 67% (needs 85%+ for audit)
PRIORITY ACTIONS:
  1. Enforce MFA org-wide (2 weeks)
  2. Automate key rotation (1 week)
  3. Improve backup RPO (3 days)
undefined
trust_service_criteria:
  • id: CC6.1 criterion: Security control: Logical access controls evidence_required:
    • IAM policies
    • MFA enforcement
    • Access logs
  • id: CC7.2 criterion: Availability control: System monitoring evidence_required:
    • Uptime metrics
    • Incident response logs
    • Backup verification

**输出格式:**
SOC2 TYPE II READINESS — 5 criteria assessed
SECURITY (Common Criteria) CC6.1 Logical Access ⚠ MFA not enforced (gap: 23%) CC6.6 Encryption ✓ TLS 1.3, AES-256 CC6.7 Key Management ✗ Manual key rotation
AVAILABILITY A1.1 System Monitoring ✓ 24/7 alerting A1.2 Backup & Recovery ⚠ RPO exceeds policy
READINESS SCORE: 67% (needs 85%+ for audit)
PRIORITY ACTIONS:
  1. Enforce MFA org-wide (2 weeks)
  2. Automate key rotation (1 week)
  3. Improve backup RPO (3 days)
undefined

/threat-model
- STRIDE Threat Modeling

/threat-model
- STRIDE威胁建模

Generates STRIDE threat models for architecture diagrams with risk matrices.
Usage:
bash
/threat-model architecture.png
/threat-model --format mermaid --output threats.md
STRIDE Analysis Pattern:
python
undefined
为架构图生成STRIDE威胁模型和风险矩阵。
用法:
bash
/threat-model architecture.png
/threat-model --format mermaid --output threats.md
STRIDE分析模式:
python
undefined

STRIDE threat categories

STRIDE威胁类别

STRIDE = { 'Spoofing': ['authentication', 'identity'], 'Tampering': ['data_integrity', 'code_integrity'], 'Repudiation': ['logging', 'audit_trail'], 'Information_Disclosure': ['encryption', 'access_control'], 'Denial_of_Service': ['rate_limiting', 'resource_exhaustion'], 'Elevation_of_Privilege': ['authorization', 'input_validation'] }
def analyze_component(component, data_flows): threats = [] for category, indicators in STRIDE.items(): if not has_controls(component, indicators): threats.append({ 'category': category, 'severity': calculate_severity(component, data_flows), 'mitigation': suggest_controls(category) }) return threats

**Example Output:**
THREAT MODEL — Web API Architecture
COMPONENTS: [Client] → [API Gateway] → [Auth Service] → [Database]
STRIDE THREATS: ┌─────────────────────┬──────────┬──────────────────────────┐ │ Threat │ Risk │ Mitigation │ ├─────────────────────┼──────────┼──────────────────────────┤ │ Spoofing: API keys │ 🔴 High │ Implement JWT + refresh │ │ Tampering: API req │ 🟠 Med │ Add HMAC signatures │ │ Info Disclosure │ 🔴 High │ Encrypt data at rest │ │ DoS: Rate limiting │ 🟡 Low │ Add WAF rules │ └─────────────────────┴──────────┴──────────────────────────┘
RISK MATRIX: Impact → Low Med High L ┌──────┬──────┬──────┐ i │ 🟢 │ 🟡 │ 🟠 │ k ├──────┼──────┼──────┤ e │ 🟡 │ 🟠 │ 🔴 │ ← API Spoofing l ├──────┼──────┼──────┤ i │ 🟠 │ 🔴 │ 🔴 │ h └──────┴──────┴──────┘ o o d
undefined
STRIDE = { 'Spoofing': ['authentication', 'identity'], 'Tampering': ['data_integrity', 'code_integrity'], 'Repudiation': ['logging', 'audit_trail'], 'Information_Disclosure': ['encryption', 'access_control'], 'Denial_of_Service': ['rate_limiting', 'resource_exhaustion'], 'Elevation_of_Privilege': ['authorization', 'input_validation'] }
def analyze_component(component, data_flows): threats = [] for category, indicators in STRIDE.items(): if not has_controls(component, indicators): threats.append({ 'category': category, 'severity': calculate_severity(component, data_flows), 'mitigation': suggest_controls(category) }) return threats

**示例输出:**
THREAT MODEL — Web API Architecture
COMPONENTS: [Client] → [API Gateway] → [Auth Service] → [Database]
STRIDE THREATS: ┌─────────────────────┬──────────┬──────────────────────────┐ │ Threat │ Risk │ Mitigation │ ├─────────────────────┼──────────┼──────────────────────────┤ │ Spoofing: API keys │ 🔴 High │ Implement JWT + refresh │ │ Tampering: API req │ 🟠 Med │ Add HMAC signatures │ │ Info Disclosure │ 🔴 High │ Encrypt data at rest │ │ DoS: Rate limiting │ 🟡 Low │ Add WAF rules │ └─────────────────────┴──────────┴──────────────────────────┘
RISK MATRIX: Impact → Low Med High L ┌──────┬──────┬──────┐ i │ 🟢 │ 🟡 │ 🟠 │ k ├──────┼──────┼──────┤ e │ 🟡 │ 🟠 │ 🔴 │ ← API Spoofing l ├──────┼──────┼──────┤ i │ 🟠 │ 🔴 │ 🔴 │ h └──────┴──────┴──────┘ o o d
undefined

/secret-detect
- Pre-commit Secret Detection

/secret-detect
- 预提交密钥检测

Configures pre-commit hooks to detect secrets with entropy scanning.
Usage:
bash
/secret-detect --install
/secret-detect --scan .
/secret-detect --config .secrets.yaml
Hook Configuration:
yaml
undefined
配置预提交钩子以通过熵扫描检测密钥。
用法:
bash
/secret-detect --install
/secret-detect --scan .
/secret-detect --config .secrets.yaml
钩子配置:
yaml
undefined

.pre-commit-config.yaml

.pre-commit-config.yaml

repos:
  • repo: local hooks:
    • id: detect-secrets name: Detect secrets entry: detect-secrets-hook language: system files: .* exclude: | (?x)^( package-lock.json| .secrets.baseline )$
repos:
  • repo: local hooks:
    • id: detect-secrets name: Detect secrets entry: detect-secrets-hook language: system files: .* exclude: | (?x)^( package-lock.json| .secrets.baseline )$

.secrets.yaml

.secrets.yaml

plugins:
  • name: ArtifactoryDetector
  • name: AWSKeyDetector
  • name: Base64HighEntropyString limit: 4.5
  • name: PrivateKeyDetector
filters:
  • path: tests/fixtures/
  • path: docs/examples/

**Entropy Detection Implementation:**
```python
import math
from collections import Counter

def calculate_entropy(string):
    """Calculate Shannon entropy to detect high-entropy secrets"""
    if not string:
        return 0
    
    entropy = 0
    for count in Counter(string).values():
        probability = count / len(string)
        entropy -= probability * math.log2(probability)
    
    return entropy

def scan_for_secrets(content, entropy_threshold=4.5):
    """Scan content for potential secrets"""
    findings = []
    
    # Regex patterns for known secret types
    patterns = {
        'AWS_KEY': r'AKIA[0-9A-Z]{16}',
        'PRIVATE_KEY': r'-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----',
        'JWT': r'eyJ[A-Za-z0-9-_=]+\.eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_.+/=]*',
        'GITHUB_TOKEN': r'gh[ps]_[A-Za-z0-9]{36}'
    }
    
    for secret_type, pattern in patterns.items():
        matches = re.finditer(pattern, content)
        for match in matches:
            findings.append({
                'type': secret_type,
                'value': match.group()[:8] + '...',
                'line': content[:match.start()].count('\n') + 1
            })
    
    # High-entropy string detection
    for word in content.split():
        if len(word) > 20 and calculate_entropy(word) > entropy_threshold:
            findings.append({
                'type': 'HIGH_ENTROPY',
                'entropy': calculate_entropy(word),
                'line': 'N/A'
            })
    
    return findings
Example Scan Output:
SECRET DETECTION  —  Pre-commit hook scan

SECRETS FOUND:
┌────────────────┬──────────────┬──────────────────────┐
│ Type           │ Location     │ Value                │
├────────────────┼──────────────┼──────────────────────┤
│ AWS_KEY        │ config.js:12 │ AKIA4ODZ...          │
│ PRIVATE_KEY    │ auth.py:45   │ -----BEGIN RSA...    │
│ HIGH_ENTROPY   │ utils.js:89  │ entropy: 5.2         │
└────────────────┴──────────────┴──────────────────────┘

REMEDIATION:
□ Move secrets to environment variables
□ Add affected files to .gitignore
□ Rotate exposed credentials
□ Update .secrets.baseline
plugins:
  • name: ArtifactoryDetector
  • name: AWSKeyDetector
  • name: Base64HighEntropyString limit: 4.5
  • name: PrivateKeyDetector
filters:
  • path: tests/fixtures/
  • path: docs/examples/

**熵检测实现:**
```python
import math
from collections import Counter

def calculate_entropy(string):
    """计算香农熵以检测高熵密钥"""
    if not string:
        return 0
    
    entropy = 0
    for count in Counter(string).values():
        probability = count / len(string)
        entropy -= probability * math.log2(probability)
    
    return entropy

def scan_for_secrets(content, entropy_threshold=4.5):
    """扫描内容中的潜在密钥"""
    findings = []
    
    # 已知密钥类型的正则表达式
    patterns = {
        'AWS_KEY': r'AKIA[0-9A-Z]{16}',
        'PRIVATE_KEY': r'-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----',
        'JWT': r'eyJ[A-Za-z0-9-_=]+\.eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_.+/=]*',
        'GITHUB_TOKEN': r'gh[ps]_[A-Za-z0-9]{36}'
    }
    
    for secret_type, pattern in patterns.items():
        matches = re.finditer(pattern, content)
        for match in matches:
            findings.append({
                'type': secret_type,
                'value': match.group()[:8] + '...',
                'line': content[:match.start()].count('\n') + 1
            })
    
    # 高熵字符串检测
    for word in content.split():
        if len(word) > 20 and calculate_entropy(word) > entropy_threshold:
            findings.append({
                'type': 'HIGH_ENTROPY',
                'entropy': calculate_entropy(word),
                'line': 'N/A'
            })
    
    return findings
示例扫描输出:
SECRET DETECTION  —  Pre-commit hook scan

SECRETS FOUND:
┌────────────────┬──────────────┬──────────────────────┐
│ Type           │ Location     │ Value                │
├────────────────┼──────────────┼──────────────────────┤
│ AWS_KEY        │ config.js:12 │ AKIA4ODZ...          │
│ PRIVATE_KEY    │ auth.py:45   │ -----BEGIN RSA...    │
│ HIGH_ENTROPY   │ utils.js:89  │ entropy: 5.2         │
└────────────────┴──────────────┴──────────────────────┘

REMEDIATION:
□ Move secrets to environment variables
□ Add affected files to .gitignore
□ Rotate exposed credentials
□ Update .secrets.baseline

/iam-audit
- IAM Least Privilege Audit

/iam-audit
- IAM最小权限审计

Audits IAM roles for over-permissioned access, stale users, and MFA gaps.
Usage:
bash
/iam-audit
/iam-audit --provider aws
/iam-audit --output report.json
Audit Logic Example:
python
undefined
审计IAM角色的过度权限访问、过期用户和MFA缺口。
用法:
bash
/iam-audit
/iam-audit --provider aws
/iam-audit --output report.json
审计逻辑示例:
python
undefined

AWS IAM audit example

AWS IAM审计示例

import boto3 from datetime import datetime, timedelta
def audit_iam_users(): iam = boto3.client('iam') findings = []
users = iam.list_users()['Users']

for user in users:
    username = user['UserName']
    
    # Check MFA
    mfa_devices = iam.list_mfa_devices(UserName=username)
    if not mfa_devices['MFADevices']:
        findings.append({
            'user': username,
            'issue': 'NO_MFA',
            'severity': 'HIGH'
        })
    
    # Check last access
    last_used = iam.get_user(UserName=username).get('PasswordLastUsed')
    if last_used:
        days_inactive = (datetime.now(last_used.tzinfo) - last_used).days
        if days_inactive > 90:
            findings.append({
                'user': username,
                'issue': 'STALE_ACCESS',
                'days_inactive': days_inactive,
                'severity': 'MEDIUM'
            })
    
    # Check attached policies
    policies = iam.list_attached_user_policies(UserName=username)
    for policy in policies['AttachedPolicies']:
        if policy['PolicyName'] in ['AdministratorAccess', 'PowerUserAccess']:
            findings.append({
                'user': username,
                'issue': 'OVERPRIVILEGED',
                'policy': policy['PolicyName'],
                'severity': 'HIGH'
            })

return findings

**Output Format:**
IAM AUDIT — AWS Account (account-id: 123456789012)
FINDINGS: ┌──────────────────┬─────────────────┬──────────┬──────────────┐ │ User/Role │ Issue │ Severity │ Remediation │ ├──────────────────┼─────────────────┼──────────┼──────────────┤ │ admin-user │ NO_MFA │ 🔴 High │ Enable MFA │ │ deploy-role │ OVERPRIVILEGED │ 🔴 High │ Scope policy │ │ old-contractor │ STALE (180d) │ 🟠 Med │ Deactivate │ │ dev-service │ UNUSED_KEY │ 🟡 Low │ Rotate key │ └──────────────────┴─────────────────┴──────────┴──────────────┘
STATISTICS: Total users: 47 Without MFA: 12 (26%) Stale (90d+): 8 (17%) Admin access: 5 (11%)
PRIORITY ACTIONS:
  1. Enforce MFA policy (1 day)
  2. Remove stale users (2 hours)
  3. Replace admin roles with scoped policies (1 week)
undefined
import boto3 from datetime import datetime, timedelta
def audit_iam_users(): iam = boto3.client('iam') findings = []
users = iam.list_users()['Users']

for user in users:
    username = user['UserName']
    
    # 检查MFA
    mfa_devices = iam.list_mfa_devices(UserName=username)
    if not mfa_devices['MFADevices']:
        findings.append({
            'user': username,
            'issue': 'NO_MFA',
            'severity': 'HIGH'
        })
    
    # 检查最后访问时间
    last_used = iam.get_user(UserName=username).get('PasswordLastUsed')
    if last_used:
        days_inactive = (datetime.now(last_used.tzinfo) - last_used).days
        if days_inactive > 90:
            findings.append({
                'user': username,
                'issue': 'STALE_ACCESS',
                'days_inactive': days_inactive,
                'severity': 'MEDIUM'
            })
    
    # 检查附加策略
    policies = iam.list_attached_user_policies(UserName=username)
    for policy in policies['AttachedPolicies']:
        if policy['PolicyName'] in ['AdministratorAccess', 'PowerUserAccess']:
            findings.append({
                'user': username,
                'issue': 'OVERPRIVILEGED',
                'policy': policy['PolicyName'],
                'severity': 'HIGH'
            })

return findings

**输出格式:**
IAM AUDIT — AWS Account (account-id: 123456789012)
FINDINGS: ┌──────────────────┬─────────────────┬──────────┬──────────────┐ │ User/Role │ Issue │ Severity │ Remediation │ ├──────────────────┼─────────────────┼──────────┼──────────────┤ │ admin-user │ NO_MFA │ 🔴 High │ Enable MFA │ │ deploy-role │ OVERPRIVILEGED │ 🔴 High │ Scope policy │ │ old-contractor │ STALE (180d) │ 🟠 Med │ Deactivate │ │ dev-service │ UNUSED_KEY │ 🟡 Low │ Rotate key │ └──────────────────┴─────────────────┴──────────┴──────────────┘
STATISTICS: Total users: 47 Without MFA: 12 (26%) Stale (90d+): 8 (17%) Admin access: 5 (11%)
PRIORITY ACTIONS:
  1. Enforce MFA policy (1 day)
  2. Remove stale users (2 hours)
  3. Replace admin roles with scoped policies (1 week)
undefined

/incident-playbook
- Security Incident Response

/incident-playbook
- 安全事件响应

Generates incident response playbooks: triage → contain → eradicate → recover → lessons learned.
Usage:
bash
/incident-playbook --type data-breach
/incident-playbook --type ransomware
/incident-playbook --custom
Playbook Template:
yaml
undefined
生成事件响应手册:分类→遏制→根除→恢复→经验总结。
用法:
bash
/incident-playbook --type data-breach
/incident-playbook --type ransomware
/incident-playbook --custom
手册模板:
yaml
undefined

Data Breach Response Playbook

Data Breach Response Playbook

incident_type: data_breach severity: HIGH owner: CISO
phases: 1_triage: duration: 0-2 hours steps: - id: T1 action: Confirm breach scope checklist: - Identify affected systems - Estimate data volume - Determine data sensitivity
  - id: T2
    action: Assemble response team
    roles:
      - Incident Commander (CISO)
      - Technical Lead (SecOps)
      - Legal Counsel
      - Communications Lead
2_containment: duration: 2-8 hours steps: - id: C1 action: Isolate affected systems commands: - aws ec2 modify-instance-attribute --instance-id $INSTANCE_ID --no-source-dest-check - iptables -A INPUT -j DROP
  - id: C2
    action: Preserve forensic evidence
    commands:
      - dd if=/dev/sda of=/mnt/forensics/disk.img bs=4M
      - tar czf logs-$(date +%Y%m%d).tar.gz /var/log/
3_eradication: duration: 8-24 hours steps: - id: E1 action: Remove threat actor access checklist: - Rotate all credentials - Revoke API keys - Patch vulnerabilities
4_recovery: duration: 24-72 hours steps: - id: R1 action: Restore from clean backups - id: R2 action: Monitor for re-infection
5_lessons_learned: duration: 1 week post-incident steps: - id: L1 action: Post-mortem report - id: L2 action: Update runbooks
notifications:
  • type: regulatory condition: PII affected deadline: 72 hours recipients:
    • Data Protection Authority
    • Affected individuals
  • type: internal condition: always recipients:
    • Executive team
    • Legal
    • Board of Directors

**Interactive Execution:**
INCIDENT RESPONSE — Data Breach
PHASE 1: TRIAGE (0-2 hours) [T1] Confirm breach scope ☐ Identify affected systems ☐ Estimate data volume: ___________ ☐ Determine sensitivity: [PII] [PHI] [PCI] [Other]
[T2] Assemble response team ✓ Incident Commander: Jane Doe (CISO) ✓ Technical Lead: John Smith (SecOps) ⏳ Legal Counsel: Contacting...
PHASE 2: CONTAINMENT (2-8 hours) [C1] Isolate affected systems Command: aws ec2 modify-instance-attribute --instance-id i-abc123 Execute? [y/N]: _
TIMELINE: 00:00 - Breach detected 00:15 - Response team assembled 00:45 - Systems isolated [Current: 01:23]
NEXT STEPS: → Complete containment checklist → Begin forensic analysis → Prepare regulatory notification
undefined
incident_type: data_breach severity: HIGH owner: CISO
phases: 1_triage: duration: 0-2 hours steps: - id: T1 action: Confirm breach scope checklist: - Identify affected systems - Estimate data volume - Determine data sensitivity
  - id: T2
    action: Assemble response team
    roles:
      - Incident Commander (CISO)
      - Technical Lead (SecOps)
      - Legal Counsel
      - Communications Lead
2_containment: duration: 2-8 hours steps: - id: C1 action: Isolate affected systems commands: - aws ec2 modify-instance-attribute --instance-id $INSTANCE_ID --no-source-dest-check - iptables -A INPUT -j DROP
  - id: C2
    action: Preserve forensic evidence
    commands:
      - dd if=/dev/sda of=/mnt/forensics/disk.img bs=4M
      - tar czf logs-$(date +%Y%m%d).tar.gz /var/log/
3_eradication: duration: 8-24 hours steps: - id: E1 action: Remove threat actor access checklist: - Rotate all credentials - Revoke API keys - Patch vulnerabilities
4_recovery: duration: 24-72 hours steps: - id: R1 action: Restore from clean backups - id: R2 action: Monitor for re-infection
5_lessons_learned: duration: 1 week post-incident steps: - id: L1 action: Post-mortem report - id: L2 action: Update runbooks
notifications:
  • type: regulatory condition: PII affected deadline: 72 hours recipients:
    • Data Protection Authority
    • Affected individuals
  • type: internal condition: always recipients:
    • Executive team
    • Legal
    • Board of Directors

**交互式执行示例:**
INCIDENT RESPONSE — Data Breach
PHASE 1: TRIAGE (0-2 hours) [T1] Confirm breach scope ☐ Identify affected systems ☐ Estimate data volume: ___________ ☐ Determine sensitivity: [PII] [PHI] [PCI] [Other]
[T2] Assemble response team ✓ Incident Commander: Jane Doe (CISO) ✓ Technical Lead: John Smith (SecOps) ⏳ Legal Counsel: Contacting...
PHASE 2: CONTAINMENT (2-8 hours) [C1] Isolate affected systems Command: aws ec2 modify-instance-attribute --instance-id i-abc123 Execute? [y/N]: _
TIMELINE: 00:00 - Breach detected 00:15 - Response team assembled 00:45 - Systems isolated [Current: 01:23]
NEXT STEPS: → Complete containment checklist → Begin forensic analysis → Prepare regulatory notification
undefined

Multi-Step Workflows

多步骤工作流

secure-sdlc
- Secure Software Development Lifecycle

secure-sdlc
- 安全软件开发生命周期

Implements shift-left security: threat model → static scan → dynamic scan → pen test → sign-off.
Usage:
bash
/workflows:secure-sdlc <project_path> --scope full
/workflows:secure-sdlc . --phase threat-model
Workflow Steps:
SECURE SDLC WORKFLOW

Phase 1: Requirements & Design
  ├─ [W1] Threat modeling (STRIDE)
  ├─ [W2] Security requirements gathering
  └─ [W3] Architecture security review

Phase 2: Development
  ├─ [W4] Pre-commit secret scanning
  ├─ [W5] SAST (static analysis)
  └─ [W6] Dependency CVE scanning

Phase 3: Testing
  ├─ [W7] DAST (dynamic analysis)
  ├─ [W8] API security testing
  └─ [W9] Penetration testing

Phase 4: Deployment
  ├─ [W10] Container security scanning
  ├─ [W11] IaC security review
  └─ [W12] Security sign-off

Phase 5: Operations
  ├─ [W13] Runtime security monitoring
  ├─ [W14] Vulnerability management
  └─ [W15] Incident response drills
实现左移安全:威胁建模→静态扫描→动态扫描→渗透测试→签字确认。
用法:
bash
/workflows:secure-sdlc <project_path> --scope full
/workflows:secure-sdlc . --phase threat-model
工作流步骤:
SECURE SDLC WORKFLOW

Phase 1: Requirements & Design
  ├─ [W1] Threat modeling (STRIDE)
  ├─ [W2] Security requirements gathering
  └─ [W3] Architecture security review

Phase 2: Development
  ├─ [W4] Pre-commit secret scanning
  ├─ [W5] SAST (static analysis)
  └─ [W6] Dependency CVE scanning

Phase 3: Testing
  ├─ [W7] DAST (dynamic analysis)
  ├─ [W8] API security testing
  └─ [W9] Penetration testing

Phase 4: Deployment
  ├─ [W10] Container security scanning
  ├─ [W11] IaC security review
  └─ [W12] Security sign-off

Phase 5: Operations
  ├─ [W13] Runtime security monitoring
  ├─ [W14] Vulnerability management
  └─ [W15] Incident response drills

breach-response
- Data Breach Response

breach-response
- 数据泄露响应

Data breach workflow: detect → assess → notify → remediate → post-mortem.
Usage:
bash
/workflows:breach-response --severity high
数据泄露工作流:检测→评估→通知→修复→事后分析。
用法:
bash
/workflows:breach-response --severity high

compliance-audit
- Full Compliance Audit

compliance-audit
- 全面合规审计

Comprehensive audit: scope → gap analysis → evidence collection → remediation plan.
Usage:
bash
/workflows:compliance-audit --framework soc2
/workflows:compliance-audit --framework gdpr,iso27001
综合审计:范围界定→缺口分析→证据收集→修复计划。
用法:
bash
/workflows:compliance-audit --framework soc2
/workflows:compliance-audit --framework gdpr,iso27001

zero-trust-design
- Zero Trust Architecture

zero-trust-design
- 零信任架构

Design zero-trust architecture: identity → network → workload → data layers.
Usage:
bash
/workflows:zero-trust-design --output architecture.md
设计零信任架构:身份→网络→工作负载→数据层。
用法:
bash
/workflows:zero-trust-design --output architecture.md

vendor-security
- Third-Party Security Assessment

vendor-security
- 第三方安全评估

Vendor security assessment: questionnaire → risk score → decision matrix.
Usage:
bash
/workflows:vendor-security --vendor "Acme SaaS Provider"
供应商安全评估:问卷调查→风险评分→决策矩阵。
用法:
bash
/workflows:vendor-security --vendor "Acme SaaS Provider"

Configuration

配置

Global Configuration

全局配置

Create 
~/.claude/skills/security-compliance-suite/config.yaml
:
yaml
undefined
创建
~/.claude/skills/security-compliance-suite/config.yaml
yaml
undefined

Security & Compliance Suite Configuration

Security & Compliance Suite Configuration

defaults: output_format: table # table | json | markdown severity_threshold: medium # low | medium | high | critical
integrations: nvd: api_key_env: NVD_API_KEY cache_ttl: 86400
github: token_env: GITHUB_TOKEN
aws: profile: default region: us-east-1
scanning: owasp: categories: - injection - broken_auth - sensitive_data - xxe - broken_access - security_misconfig - xss - insecure_deserialization - components_with_vulnerabilities - insufficient_logging
dependencies: package_managers: - npm - pip - maven - go severity_threshold: medium
compliance: gdpr: dpo_contact: ${DPO_EMAIL} retention_policy_days: 730
soc2: audit_period_months: 12 required_score: 85
reporting: template: standard include_remediation: true export_formats: - markdown - json - pdf
undefined
defaults: output_format: table # table | json | markdown severity_threshold: medium # low | medium | high | critical
integrations: nvd: api_key_env: NVD_API_KEY cache_ttl: 86400
github: token_env: GITHUB_TOKEN
aws: profile: default region: us-east-1
scanning: owasp: categories: - injection - broken_auth - sensitive_data - xxe - broken_access - security_misconfig - xss - insecure_deserialization - components_with_vulnerabilities - insufficient_logging
dependencies: package_managers: - npm - pip - maven - go severity_threshold: medium
compliance: gdpr: dpo_contact: ${DPO_EMAIL} retention_policy_days: 730
soc2: audit_period_months: 12 required_score: 85
reporting: template: standard include_remediation: true export_formats: - markdown - json - pdf
undefined

Project-Level Configuration

项目级配置

Create 
.security-config.yaml
in your project root:
yaml
undefined
在项目根目录创建
.security-config.yaml
yaml
undefined

Project-specific security configuration

Project-specific security configuration

project: name: My Application criticality: high # low | medium | high | critical
scan_exclusions: paths: - node_modules/ - vendor/ - .git/ - tests/fixtures/
files: - ".min.js" - ".test.js"
compliance: frameworks: - soc2 - gdpr
data_classification: pii_fields: - email - phone_number - ssn retention_days: 365
threat_model: assets: - name: User Database classification: confidential threats: - sql_injection - unauthorized_access
- name: API Gateway
  classification: internal
  threats:
    - ddos
    - injection
contacts: security_team: security@example.com dpo: dpo@example.com incident_response: incidents@example.com
undefined
project: name: My Application criticality: high # low | medium | high | critical
scan_exclusions: paths: - node_modules/ - vendor/ - .git/ - tests/fixtures/
files: - ".min.js" - ".test.js"
compliance: frameworks: - soc2 - gdpr
data_classification: pii_fields: - email - phone_number - ssn retention_days: 365
threat_model: assets: - name: User Database classification: confidential threats: - sql_injection - unauthorized_access
- name: API Gateway
  classification: internal
  threats:
    - ddos
    - injection
contacts: security_team: security@example.com dpo: dpo@example.com incident_response: incidents@example.com
undefined

Environment Variables

环境变量

Set these environment variables for external integrations:
bash
undefined
设置以下环境变量用于外部集成:
bash
undefined

NVD (National Vulnerability Database)

NVD (National Vulnerability Database)

export NVD_API_KEY=your_nvd_api_key_here
export NVD_API_KEY=your_nvd_api_key_here

GitHub (for dependency scanning)

GitHub (for dependency scanning)

export GITHUB_TOKEN=your_github_token_here
export GITHUB_TOKEN=your_github_token_here

AWS (for IAM audits)

AWS (for IAM audits)

export AWS_PROFILE=your_aws_profile export AWS_REGION=us-east-1
export AWS_PROFILE=your_aws_profile export AWS_REGION=us-east-1

Slack (for incident notifications)

Slack (for incident notifications)

export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL

Email (for compliance notifications)

Email (for compliance notifications)

export SMTP_HOST=smtp.example.com export SMTP_PORT=587 export SMTP_USER=alerts@example.com export SMTP_PASSWORD=your_smtp_password
undefined
export SMTP_HOST=smtp.example.com export SMTP_PORT=587 export SMTP_USER=alerts@example.com export SMTP_PASSWORD=your_smtp_password
undefined

Common Patterns

常见模式

Pattern 1: Daily Security Scan

模式1:每日安全扫描

bash
#!/bin/bash
bash
#!/bin/bash

daily-security-scan.sh

daily-security-scan.sh

Run OWASP scan

Run OWASP scan

/owasp-scan src/ --output reports/owasp-$(date +%Y%m%d).md
/owasp-scan src/ --output reports/owasp-$(date +%Y%m%d).md

Check dependencies

Check dependencies

/dep-cve --severity high,critical --output reports/cve-$(date +%Y%m%d).json
/dep-cve --severity high,critical --output reports/cve-$(date +%Y%m%d).json

Secret detection

Secret detection

/secret-detect --scan . --exclude node_modules/
/secret-detect --scan . --exclude node_modules/

Send summary

Send summary

if [ $? -eq 0 ]; then echo "✓ Security scan completed successfully" else echo "⚠ Security issues found - review reports/" exit 1 fi
undefined
if [ $? -eq 0 ]; then echo "✓ Security scan completed successfully" else echo "⚠ Security issues found - review reports/" exit 1 fi
undefined

Pattern 2: Pre-Deployment Security Gate

模式2:预部署安全网关

bash
#!/bin/bash
bash
#!/bin/bash

pre-deploy-checks.sh

pre-deploy-checks.sh

set -e
echo "Running pre-deployment security checks..."
set -e
echo "Running pre-deployment security checks..."

Static analysis

Static analysis

/owasp-scan src/
/owasp-scan src/

Dependency check

Dependency check

/dep-cve --severity critical
/dep-cve --severity critical

Container scan (if using Docker)

Container scan (if using Docker)

docker scan myapp:latest
docker scan myapp:latest

IAM validation

IAM validation

/iam-audit --output iam-report.json
echo "✓ All security gates passed"
undefined
/iam-audit --output iam-report.json
echo "✓ All security gates passed"
undefined

Pattern 3: Compliance Evidence Collection

模式3:合规证据收集

bash
#!/bin/bash
bash
#!/bin/bash

collect-compliance-evidence.sh

collect-compliance-evidence.sh

AUDIT_DATE=$(date +%Y%m%d) EVIDENCE_DIR="compliance-evidence-${AUDIT_DATE}"
mkdir -p "${EVIDENCE_DIR}"
AUDIT_DATE=$(date +%Y%m%d) EVIDENCE_DIR="compliance-evidence-${AUDIT_DATE}"
mkdir -p "${EVIDENCE_DIR}"

SOC2 controls

SOC2 controls

/soc2-readiness --output "${EVIDENCE_DIR}/soc2-readiness.md"
/soc2-readiness --output "${EVIDENCE_DIR}/soc2-readiness.md"

GDPR data flows

GDPR data flows

/gdpr-audit --output "${EVIDENCE_DIR}/gdpr-audit.md"
/gdpr-audit --output "${EVIDENCE_DIR}/gdpr-audit.md"

IAM policies

IAM policies

/iam-audit --output "${EVIDENCE_DIR}/iam-audit.json"
/iam-audit --output "${EVIDENCE_DIR}/iam-audit.json"

Security logs

Security logs

cp /var/log/security.log "${EVIDENCE_DIR}/"
cp /var/log/security.log "${EVIDENCE_DIR}/"

Create archive

Create archive

tar czf "${EVIDENCE_DIR}.tar.gz" "${EVIDENCE_DIR}/"
echo "✓ Evidence collected: ${EVIDENCE_DIR}.tar.gz"
undefined
tar czf "${EVIDENCE_DIR}.tar.gz" "${EVIDENCE_DIR}/"
echo "✓ Evidence collected: ${EVIDENCE_DIR}.tar.gz"
undefined

Pattern 4: Automated Incident Detection

模式4:自动化事件检测

python
undefined
python
undefined

incident_detector.py

incident_detector.py

import subprocess import json
def check_security_posture(): """Run security checks and detect incidents"""
findings = {
    'critical': [],
    'high': [],
    'medium': []
}

# Run OWASP scan
import subprocess import json
def check_security_posture(): """Run security checks and detect incidents"""
findings = {
    'critical': [],
    'high': [],
    'medium': []
}

# Run OWASP scan