medusa-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Medusa Security Skill

Medusa安全扫描Skill

Identity

功能定位

AI-first security scanner integration skill. Leverages Medusa's 76 scanners and 3,000+ detection patterns for comprehensive security analysis including AI/ML-specific vulnerability detection.

AI优先的安全扫描集成Skill。利用Medusa的76款扫描器和3000+检测规则，开展全面的安全分析，包括AI/ML专属漏洞检测。

Capabilities

核心能力

Full Scan — All 76 scanners, comprehensive security analysis
AI-Only Scan — Prompt injection, MCP security, agent security, RAG security
Quick Scan — Git-changed files only for rapid development feedback
Targeted Scan — Specific scanner categories (mcp, secrets, prompt-injection, etc.)
SARIF Output Parsing — Standard SARIF v2.1.0 structured findings
JSON Output Parsing — Medusa-native JSON format
OWASP Mapping — Maps findings to OWASP Agentic AI (ASI01-10) and OWASP Top 10 (A01-10)
Remediation Guidance — Links findings to agent-studio skills and agents
CI/CD Integration — Fail-on thresholds, SARIF upload for GitHub Code Scanning

全量扫描 — 启用全部76款扫描器，进行全面安全分析
仅AI扫描 — 检测提示注入、MCP安全、Agent安全、RAG安全相关漏洞
快速扫描 — 仅扫描Git变更文件，为开发提供快速反馈
定向扫描 — 针对特定扫描器类别（mcp、密钥、提示注入等）进行扫描
SARIF输出解析 — 支持标准SARIF v2.1.0结构化结果
JSON输出解析 — 支持Medusa原生JSON格式
OWASP映射 — 将检测结果映射至OWASP Agentic AI（ASI01-10）和OWASP Top 10（A01-10）
修复指导 — 将检测结果关联至agent-studio的Skill和Agent
CI/CD集成 — 支持失败阈值配置、上传SARIF至GitHub Code Scanning

Prerequisites

前置要求

Python 3.10+
pip install medusa-security

Check installation:

python -m medusa --version

Python 3.10+
pip install medusa-security

验证安装：

python -m medusa --version

Workflow: Full Security Scan

工作流：全量安全扫描

bash

undefined

bash

undefined

Step 1: Verify installation

步骤1：验证安装

python -m medusa --version

Step 2: Run scan

步骤2：执行扫描

medusa scan . --format sarif --fail-on high

Step 3: Parse output (use scripts/main.cjs)

步骤3：解析输出（使用scripts/main.cjs）

node .claude/skills/medusa-security/scripts/main.cjs --mode full --target .

Step 4: Review findings by severity

步骤4：按严重程度查看结果

CRITICAL → immediate fix required

CRITICAL → 立即修复

HIGH → fix before release

HIGH → 发布前修复

MEDIUM → fix in next sprint

MEDIUM → 下一个迭代修复

LOW → track and address

LOW → 跟踪并处理

undefined

undefined

Workflow: AI-Only Scan

工作流：仅AI扫描

bash

medusa scan . --format sarif --ai-only

Scans only: prompt injection (800+ patterns), MCP security (400+ patterns), agent security (500+ patterns), RAG security (300+ patterns).

bash

medusa scan . --format sarif --ai-only

仅扫描以下内容：提示注入（800+规则）、MCP安全（400+规则）、Agent安全（500+规则）、RAG安全（300+规则）。

Workflow: Quick Scan (Development)

工作流：快速扫描（开发阶段）

bash

medusa scan . --format sarif --quick

Only scans git-changed files. Use during development for rapid feedback.

bash

medusa scan . --format sarif --quick

仅扫描Git变更文件，适用于开发阶段快速获取反馈。

Workflow: Targeted Scan

工作流：定向扫描

bash

undefined

bash

undefined

MCP security only

仅扫描MCP安全

medusa scan . --format sarif --scanners mcp-server,mcp-config

Secrets only

仅扫描密钥

medusa scan . --format sarif --scanners secrets,gitleaks,env

AI context files only

仅扫描AI上下文文件

medusa scan . --format sarif --scanners ai-context

undefined

medusa scan . --format sarif --scanners ai-context

undefined

Output Processing

输出处理

The skill uses helper scripts located at

.claude/skills/medusa-security/scripts/

Script	Purpose
`sarif-parser.cjs`	Parses SARIF v2.1.0 output
`json-parser.cjs`	Parses Medusa JSON output
`finding-formatter.cjs`	Formats findings with OWASP mapping
`main.cjs`	Orchestrates the full pipeline
`cli-wrapper.cjs`	Wraps Medusa CLI invocation
`security-review.cjs`	Deterministic report writer (no Glob recursion)

本Skill使用位于

.claude/skills/medusa-security/scripts/

的辅助脚本：

脚本名称	用途
`sarif-parser.cjs`	解析SARIF v2.1.0输出格式
`json-parser.cjs`	解析Medusa原生JSON输出格式
`finding-formatter.cjs`	为检测结果添加OWASP映射信息并格式化
`main.cjs`	编排完整的扫描处理流程
`cli-wrapper.cjs`	封装Medusa CLI调用逻辑
`security-review.cjs`	生成确定性报告（避免Glob递归超时）

Using the Pipeline

流程使用示例

bash

undefined

bash

undefined

Full scan with structured output

全量扫描并生成结构化输出

node .claude/skills/medusa-security/scripts/main.cjs --mode full --target .

AI-only scan

仅AI扫描

node .claude/skills/medusa-security/scripts/main.cjs --mode ai-only --target .

Quick scan (git-changed files)

快速扫描（仅Git变更文件）

node .claude/skills/medusa-security/scripts/main.cjs --mode quick --target .

undefined

node .claude/skills/medusa-security/scripts/main.cjs --mode quick --target .

undefined

Deterministic Security Review (Recommended in Claude sessions)

确定性安全评审（推荐在Claude会话中使用）

Use this when you need the final security review report and want to avoid recursive

Glob

timeouts:

bash

node .claude/skills/medusa-security/scripts/security-review.cjs

This writes:

/.claude/context/reports/security-review-medusa-scan-2026-02-17.md

and performs fixed-path checks on:

```
.claude/hooks/
```
```
.claude/lib/
```
```
.claude/skills/medusa-security/scripts/
```
```
.claude/CLAUDE.md
```

当你需要最终安全评审报告并希望避免递归

Glob

超时问题时，使用以下命令：

bash

node .claude/skills/medusa-security/scripts/security-review.cjs

该命令会生成报告文件：

/.claude/context/reports/security-review-medusa-scan-2026-02-17.md

并对以下路径进行固定路径检查：

```
.claude/hooks/
```
```
.claude/lib/
```
```
.claude/skills/medusa-security/scripts/
```
```
.claude/CLAUDE.md
```

Important Runtime Guardrail

重要运行时注意事项

Avoid recursive glob patterns like
```
.claude/skills/medusa-security/**/*
```
in long sessions.
Prefer direct file reads and deterministic script entry points.

在长会话中避免使用类似
```
.claude/skills/medusa-security/**/*
```
的递归glob模式。
优先使用直接文件读取和确定性脚本入口。

OWASP Mapping

OWASP映射

Findings are automatically mapped to:

OWASP Agentic AI Top 10 (ASI01-10): Goal Hijacking, Tool Misuse, Context Poisoning, etc.
OWASP Top 10 (A01-10): Broken Access Control, Injection, Cryptographic Failures, etc.

检测结果会自动映射至：

OWASP Agentic AI Top 10（ASI01-10）：目标劫持、工具滥用、上下文污染等。
OWASP Top 10（A01-10）：访问控制失效、注入攻击、加密机制失败等。

Severity Triage

严重程度分级处理

Severity	Action	Timeline
CRITICAL	Immediate fix	Before any merge
HIGH	Fix before release	Same sprint
MEDIUM	Fix in next sprint	Next cycle
LOW	Track and address	Backlog

严重程度	处理措施	时间要求
CRITICAL	立即修复	合并代码前完成
HIGH	发布前修复	同一迭代内完成
MEDIUM	下一个迭代修复	下一周期内完成
LOW	跟踪并处理	放入待办清单

Agent Integration

Agent集成

Agent	Usage
`security-architect`	Primary consumer. Use for comprehensive security reviews.
`penetration-tester`	Use for targeted vulnerability scanning with authorization.
`code-reviewer`	Use AI-only scan as part of code review workflow.

Agent名称	用途说明
`security-architect`	主要使用者，用于全面安全评审。
`penetration-tester`	用于授权后的定向漏洞扫描。
`code-reviewer`	将仅AI扫描作为代码评审流程的一部分。

CI/CD Integration

CI/CD集成

yaml

undefined

yaml

undefined

GitHub Actions example

GitHub Actions示例

name: Security Scan run: | pip install medusa-security medusa scan . --format sarif --fail-on high -o reports/
name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: sarif_file: reports/medusa-results.sarif

undefined

name: Security Scan run: | pip install medusa-security medusa scan . --format sarif --fail-on high -o reports/
name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: sarif_file: reports/medusa-results.sarif

undefined

Memory Protocol

记忆协议

After scanning:

Record new vulnerability patterns in
```
patterns.json
```
Log significant findings in
```
issues.md
```
Track scan history for trend analysis
Use
```
recordGotcha()
```
for recurring false positives

javascript

const manager = require('.claude/lib/memory/memory-manager.cjs');

manager.recordGotcha({
  text: 'False positive: medusa flags X pattern in Y context',
  area: 'security-scanning',
});

manager.recordPattern({
  text: 'Prompt injection found in CLAUDE.md context files',
  area: 'ai-security',
});

扫描完成后：

在
```
patterns.json
```
中记录新的漏洞规则
在
```
issues.md
```
中记录重要检测结果
跟踪扫描历史以进行趋势分析
使用
```
recordGotcha()
```
记录重复出现的误报

javascript

const manager = require('.claude/lib/memory/memory-manager.cjs');

manager.recordGotcha({
  text: 'False positive: medusa flags X pattern in Y context',
  area: 'security-scanning',
});

manager.recordPattern({
  text: 'Prompt injection found in CLAUDE.md context files',
  area: 'ai-security',
});

medusa-security

Original

Translation

Medusa Security Skill

Medusa安全扫描Skill

Identity

功能定位

Capabilities

核心能力

Prerequisites

前置要求

Workflow: Full Security Scan

工作流：全量安全扫描

Step 1: Verify installation

步骤1：验证安装

Step 2: Run scan

步骤2：执行扫描

Step 3: Parse output (use scripts/main.cjs)

步骤3：解析输出（使用scripts/main.cjs）

Step 4: Review findings by severity

步骤4：按严重程度查看结果

CRITICAL → immediate fix required

CRITICAL → 立即修复

HIGH → fix before release

HIGH → 发布前修复

MEDIUM → fix in next sprint

MEDIUM → 下一个迭代修复

LOW → track and address

LOW → 跟踪并处理

Workflow: AI-Only Scan

工作流：仅AI扫描

Workflow: Quick Scan (Development)

工作流：快速扫描（开发阶段）

Workflow: Targeted Scan

工作流：定向扫描

MCP security only

仅扫描MCP安全

Secrets only

仅扫描密钥

AI context files only

仅扫描AI上下文文件

Output Processing

输出处理

Using the Pipeline

流程使用示例

Full scan with structured output

全量扫描并生成结构化输出

AI-only scan

仅AI扫描

Quick scan (git-changed files)

快速扫描（仅Git变更文件）

Deterministic Security Review (Recommended in Claude sessions)

确定性安全评审（推荐在Claude会话中使用）

Important Runtime Guardrail

重要运行时注意事项

OWASP Mapping

OWASP映射

Severity Triage

严重程度分级处理

Agent Integration

Agent集成

CI/CD Integration

CI/CD集成

GitHub Actions example

GitHub Actions示例

Memory Protocol

记忆协议

Related Skills

相关Skill