sec-audit-remediate

Generate targeted security fixes from detect-dev SARIF findings with regression tests.

Context Files

  • $JAAN_LEARN_DIR/jaan-to:sec-audit-remediate.learn.md
    - Past lessons (loaded in Pre-Execution)
  • $JAAN_TEMPLATES_DIR/jaan-to:sec-audit-remediate.template.md
    - Output template
  • $JAAN_CONTEXT_DIR/tech.md
    - Tech stack (optional, auto-imported if exists)
    • Uses sections: #current-stack, #frameworks, #constraints, #patterns
  • ${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md
    - Language resolution protocol
  • ${CLAUDE_PLUGIN_ROOT}/docs/research/73-dev-sarif-security-remediation-automation.md
    - SARIF 2.1.0 parsing, CWE-to-fix mapping, remediation patterns
  • ${CLAUDE_PLUGIN_ROOT}/docs/research/72-dev-secure-backend-scaffold-hardening.md
    - jose JWT, httpOnly cookies, CSRF, rate limiting, OWASP Top 10
Output path: $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
DAG position: detect-dev + backend-scaffold + frontend-scaffold --> sec-audit-remediate --> devops-infra-scaffold (security in CI)

Input

Arguments: $ARGUMENTS
Parse arguments to identify:
  1. detect-dev output path -- Path to detect-dev SARIF/findings output (e.g., $JAAN_OUTPUTS_DIR/detect/dev/security.md or a .sarif file)
  2. scaffold type -- backend-scaffold or frontend-scaffold (determines which code to cross-reference for fixes)
If no arguments provided, search for detect-dev outputs:
  • Glob: $JAAN_OUTPUTS_DIR/detect/dev/security*.md
  • Glob: $JAAN_OUTPUTS_DIR/detect/dev/summary*.md
  • If not found, ask user for the path.

Pre-Execution Protocol

MANDATORY — Read and execute ALL steps in: ${CLAUDE_PLUGIN_ROOT}/docs/extending/pre-execution-protocol.md
Skill name: sec-audit-remediate
Execute: Step 0 (Init Guard) → A (Load Lessons) → B (Resolve Template) → C (Offer Template Seeding)
Also read tech context if available:
  • $JAAN_CONTEXT_DIR/tech.md
    - Know the tech stack for relevant fixes

Language Settings

Read and apply language protocol: ${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md
Override field for this skill: language_sec-audit-remediate
Language exception: Generated code output (fix files, test files, code blocks, schemas) is NOT affected by this setting and remains in the project's programming language.

PHASE 1: Analysis (Read-Only)

Thinking Mode

ultrathink
Use extended reasoning for:
  • Parsing SARIF findings and mapping to CWE categories
  • Determining root cause analysis for each finding
  • Planning fix strategies by vulnerability type
  • Assessing fix complexity and regression risk

Step 1: Parse Detect-Dev Output

Read the detect-dev output file(s) provided in $ARGUMENTS.

1.1: Extract Findings

For each finding, extract:
  • Rule ID / Finding ID (e.g., E-DEV-001)
  • Severity: Critical / High / Medium / Low / Info
  • Confidence: Confirmed / Firm / Tentative / Uncertain
  • CWE ID(s): e.g., CWE-79, CWE-89, CWE-352
  • File path and line range: Where the vulnerability exists
  • Description: What the vulnerability is
  • Evidence block: SARIF evidence or detect-dev evidence
  • OWASP Top 10 mapping: Which OWASP category it falls under

1.2: Sort by Severity

Sort all findings by severity (Critical first, then High, Medium, Low):
FINDINGS PARSED
---------------
Critical: {n}  |  High: {n}  |  Medium: {n}  |  Low: {n}

ID          Severity    CWE         File                    Description
E-DEV-001   Critical    CWE-89      src/api/users.ts:42     SQL injection in query
E-DEV-003   High        CWE-79      src/views/profile.tsx:18 XSS in user content
...
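
One way to carry out steps 1.1 and 1.2 on a `.sarif` input, as an added example (not code from the skill or from detect-dev). `ruleId`, `message.text`, `locations[].physicalLocation` and `tool.driver.rules` are SARIF 2.1.0 fields; reading severity and confidence from `severity` / `confidence` entries in each result's property bag is an assumption, since the page does not show detect-dev's schema, and the sample log is constructed.

```typescript
// Added example, not detect-dev's own code. Assumption: severity and confidence
// live in each result's property bag as `severity` and `confidence`.
type Severity = "Critical" | "High" | "Medium" | "Low" | "Info";
const SEVERITY_ORDER: Severity[] = ["Critical", "High", "Medium", "Low", "Info"];
interface Finding {
  id: string; severity: Severity; confidence: string;
  cwes: string[]; file: string; startLine: number; description: string;
}

// Unknown or missing values fall to the lowest level (Info / Uncertain),
// so a malformed result can never jump the remediation queue.
function toSeverity(value: unknown): Severity {
  const wanted = String(value).toLowerCase();
  const hit = SEVERITY_ORDER.filter((s) => s.toLowerCase() === wanted);
  return hit.length > 0 ? hit[0] : "Info";
}

// Accepts "CWE-89" as well as "external/cwe/cwe-089" style tags.
function extractCwes(tags: unknown[]): string[] {
  const ids: string[] = [];
  tags.forEach((tag) => {
    const m = /cwe-0*(\d+)/i.exec(String(tag));
    if (m && ids.indexOf("CWE-" + m[1]) === -1) ids.push("CWE-" + m[1]);
  });
  return ids;
}

function parseSarif(sarifText: string): Finding[] {
  const doc = JSON.parse(sarifText);
  if (doc.version !== "2.1.0" || !Array.isArray(doc.runs)) {
    throw new Error("not a SARIF 2.1.0 log");
  }
  const findings: Finding[] = [];
  doc.runs.forEach((run: any) => {
    const rules: any[] = run.tool?.driver?.rules ?? [];
    (run.results ?? []).forEach((res: any) => {
      // CWE tags may sit on the rule definition or on the result itself.
      const rule = rules.filter((r) => r.id === res.ruleId)[0];
      const loc = res.locations?.[0]?.physicalLocation;
      const tags = (rule?.properties?.tags ?? []).concat(res.properties?.tags ?? []);
      findings.push({
        id: String(res.ruleId ?? "unknown"),
        severity: toSeverity(res.properties?.severity),
        confidence: String(res.properties?.confidence ?? "Uncertain"),
        cwes: extractCwes(tags),
        file: String(loc?.artifactLocation?.uri ?? ""),
        startLine: Number(loc?.region?.startLine ?? 0),
        description: String(res.message?.text ?? ""),
      });
    });
  });
  // Critical first; Array.prototype.sort is stable, so ties keep input order.
  const rank = (f: Finding) => SEVERITY_ORDER.indexOf(f.severity);
  return findings.sort((a, b) => rank(a) - rank(b));
}

// Constructed sample input (E-DEV-900 is made up; the other rows mirror the table above).
const at = (uri: string, line: number) =>
  [{ physicalLocation: { artifactLocation: { uri }, region: { startLine: line } } }];
const SAMPLE_SARIF = JSON.stringify({
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "detect-dev", rules: [
      { id: "E-DEV-003", properties: { tags: ["security", "external/cwe/cwe-079"] } },
    ] } },
    results: [
      { ruleId: "E-DEV-003", message: { text: "XSS in user content" },
        properties: { severity: "High", confidence: "Firm" },
        locations: at("src/views/profile.tsx", 18) },
      { ruleId: "E-DEV-900", message: { text: "result without a property bag" } },
      { ruleId: "E-DEV-001", message: { text: "SQL injection in query" },
        properties: { severity: "critical", confidence: "Confirmed", tags: ["CWE-89"] },
        locations: at("src/api/users.ts", 42) },
    ],
  }],
});
```

`parseSarif(SAMPLE_SARIF)` returns the three findings in the order E-DEV-001, E-DEV-003, E-DEV-900; the last one has no property bag and is ranked Info rather than dropped, so it still receives a status later.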

1.3: Map Findings to CWE Fix Categories

Group findings by CWE category and assign fix strategy:
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md, section "CWE-to-Fix Category Mapping", for CWE categories, fix strategies, complexity, and auto-fix eligibility.

Step 2: Cross-Reference with Scaffold Code

If scaffold output is provided (backend-scaffold or frontend-scaffold):
  1. Read scaffold code files that correspond to finding locations
  2. Identify vulnerable code patterns in the scaffold output
  3. Map each finding to the specific scaffold file and code block that needs fixing
  4. Note any findings that are NOT in scaffold code (pre-existing vulnerabilities vs scaffold-introduced)
If no scaffold reference, work directly with finding file paths.

Step 3: Generate Remediation Plan

For each finding, determine:
Field             Description
Finding ID        From detect-dev output
Fix Type          Code replacement / New middleware / Config change / Dependency update
Fix File          Path to the fix file to generate
Test File         Path to the regression test to generate
Dependencies      New packages needed (e.g., dompurify, csurf)
Breaking Changes  Whether the fix changes API behavior
Complexity        Low / Medium / High

Triage Matrix

Apply the severity/confidence triage matrix:
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md, section "Triage Matrix", for the severity/confidence decision grid.

Step 4: Ask User Which Findings to Remediate

Present the remediation plan and ask:
REMEDIATION PLAN
----------------
Total findings: {n}
  Auto-fix eligible: {n} (Critical/High + Confirmed/Firm confidence)
  Manual review needed: {n} (Medium confidence or complex fixes)
  Skipped: {n} (Low confidence or informational)

FINDINGS TO REMEDIATE:

[x] E-DEV-001  Critical  CWE-89   SQL injection       -> parameterized query    [auto-fix]
[x] E-DEV-003  High      CWE-79   XSS vulnerability   -> DOMPurify sanitize     [auto-fix]
[x] E-DEV-007  High      CWE-352  Missing CSRF         -> csrf middleware        [auto-fix]
[x] E-DEV-012  High      CWE-327  Weak hash (MD5)     -> SHA-256 replacement    [auto-fix]
[ ] E-DEV-015  Medium    CWE-862  Missing auth check   -> RBAC guard            [needs design]
[ ] E-DEV-018  Low       CWE-798  Hardcoded API key   -> env variable           [manual]

New dependencies needed: dompurify, @types/dompurify, csurf
Estimated fix files: {n}
Estimated test files: {n}
"Which findings should I remediate? [all-auto / select / all]"
  • all-auto: Fix only auto-fix eligible findings (default)
  • select: Let user pick specific findings
  • all: Attempt all findings including manual-review ones

HARD STOP - Human Review Gate

Present complete remediation summary:
REMEDIATION SUMMARY
-------------------
Findings to fix: {n}
Fix files to generate: {n}
Test files to generate: {n}
New dependencies: {list}
Breaking changes: {yes/no, details}

OUTPUT STRUCTURE:
  $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
    {id}-{slug}.md                        <- Remediation report
    {id}-{slug}-readme.md                 <- Integration instructions
    fixes/
      auth-middleware.ts                   <- Fix: missing auth
      rate-limiter.ts                     <- Fix: rate limiting
      csrf-protection.ts                  <- Fix: CSRF
      sanitize-input.ts                   <- Fix: XSS/injection
      ...
    tests/
      auth-security.test.ts              <- Test: auth fixes
      rate-limit.test.ts                 <- Test: rate limiting
      csrf.test.ts                       <- Test: CSRF
      xss-prevention.test.ts             <- Test: XSS
      ...
"Proceed with generating {n} fix files and {n} test files? [y/n]"
Do NOT proceed to Phase 2 without explicit approval.

PHASE 2: Generation (Write Phase)

Step 5: Generate ID and Folder Structure

  1. Source ID generator utility:
```bash
source "${CLAUDE_PLUGIN_ROOT}/scripts/lib/id-generator.sh"
```
  2. Generate next ID and output paths:
```bash
SUBDOMAIN_DIR="$JAAN_OUTPUTS_DIR/sec/remediate"
mkdir -p "$SUBDOMAIN_DIR"

NEXT_ID=$(generate_next_id "$SUBDOMAIN_DIR")
OUTPUT_FOLDER="${SUBDOMAIN_DIR}/${NEXT_ID}-${slug}"
MAIN_FILE="${OUTPUT_FOLDER}/${NEXT_ID}-${slug}.md"
```
  3. Create subdirectories:
```bash
mkdir -p "$OUTPUT_FOLDER/fixes"
mkdir -p "$OUTPUT_FOLDER/tests"
```
  4. Preview for user:
Output Configuration
  • ID: {NEXT_ID}
  • Folder: $JAAN_OUTPUTS_DIR/sec/remediate/{NEXT_ID}-{slug}/
  • Main file: {NEXT_ID}-{slug}.md
  • Fixes dir: fixes/
  • Tests dir: tests/

Step 6: Generate Fix Files

For each finding selected for remediation, generate a targeted fix file in fixes/.

Fix Generation by CWE Category

Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md, section "Per-CWE Fix Generation Patterns", for CWE-specific fix generation instructions (CWE-79 through CWE-862).

Fix File Naming Convention

Name fix files descriptively based on the vulnerability type:
  • {vulnerability-type}.ts (e.g., sql-injection-fix.ts, csrf-protection.ts, xss-sanitizer.ts)
  • If multiple findings share the same CWE, generate one consolidated fix file

Fix File Structure

Each fix file includes:
  1. File header comment with finding ID(s) and CWE reference
  2. Imports (including any new dependencies)
  3. The fix code (replacement function, middleware, utility)
  4. Usage example as JSDoc comment
  5. Integration notes as comments

Step 7: Generate Regression Tests

For each Critical and High finding that was fixed, generate a regression test in tests/.

Test Generation Strategy

For each fix, generate tests covering:
  1. Attack-replay tests -- Reproduce the original attack vector and verify it is blocked
  2. Negative tests -- Verify malicious input is rejected or sanitized
  3. Positive tests -- Verify legitimate input still works after the fix
  4. Boundary tests -- Edge cases around input limits and encoding
Reference: ${CLAUDE_PLUGIN_ROOT}/docs/research/73-dev-sarif-security-remediation-automation.md, section "Regression Test Generation for Security Fixes".

Test File Naming Convention

  • {vulnerability-type}.test.ts (e.g., sql-injection.test.ts, xss-prevention.test.ts)
  • Match test file name to corresponding fix file name

Test File Structure

Each test file includes:
  1. Import from the fix file
  2. Describe block referencing finding ID and CWE
  3. Attack payload arrays (XSS payloads, SQL injection strings, SSRF URLs, etc.)
  4. "should block malicious input" tests with payload iteration
  5. "should allow legitimate input" tests with safe data
  6. Comment linking back to finding ID for traceability
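
A fix and its regression test laid out as the structure above describes, as an added example that is not generated by the skill. `escapeHtml`, `renderBio`, `renderBioBeforeFix` and the inline result collector are hypothetical names; a real test file would use the project's test runner and the DOMPurify-based fix, and the two files are shown in one block only so it runs stand-alone.

```typescript
// Added example, not output of the skill. escapeHtml is a dependency-free
// stand-in (assumption) for the DOMPurify-based fix the page suggests.

// ---- fixes/xss-sanitizer.ts  Fix for E-DEV-003 (CWE-79) ----
const HTML_ESCAPES: { [ch: string]: string } = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
const WRAP_OPEN = '<p class="bio">';
const WRAP_CLOSE = "</p>";
/** Usage: container.innerHTML = renderBio(user.bio) */
function renderBio(bio: string): string {
  return WRAP_OPEN + escapeHtml(bio) + WRAP_CLOSE;
}
// The pre-fix behaviour, kept only so the suite can replay the original bug.
function renderBioBeforeFix(bio: string): string {
  return WRAP_OPEN + bio + WRAP_CLOSE;
}

// ---- tests/xss-prevention.test.ts  Regression for E-DEV-003 (CWE-79) ----
interface CaseResult { group: string; input: string; passed: boolean; }

const ATTACK_PAYLOADS = [
  "<script>alert(1)</script>",
  "<img src=x onerror=alert(1)>",
  "\"><svg onload=alert(1)>",
  "</p><iframe src=javascript:alert(1)>",
];
const LEGITIMATE_INPUTS = ["Ada Lovelace", "Tom & Jerry", "2 < 3 and 5 > 4", "O'Brien"];
// Edge cases: empty, lone metacharacter, already-escaped text, long prefix.
const BOUNDARY_INPUTS = ["", "<", "&lt;script&gt;", new Array(10001).join("a") + "<script>"];

function unescapeHtml(s: string): string {
  const reverse: { [entity: string]: string } = {};
  Object.keys(HTML_ESCAPES).forEach((ch) => { reverse[HTML_ESCAPES[ch]] = ch; });
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => reverse[e]);
}

function runXssRegression(render: (bio: string) => string): CaseResult[] {
  const results: CaseResult[] = [];
  const inner = (s: string) => {
    const html = render(s);
    return html.slice(WRAP_OPEN.length, html.length - WRAP_CLOSE.length);
  };
  // No markup metacharacter may survive inside the wrapper element.
  const inert = (s: string) => !/[<>"']/.test(inner(s));
  // Decoding the output must give back exactly what the user typed.
  const preserved = (s: string) => unescapeHtml(inner(s)) === s;
  const record = (group: string, input: string, passed: boolean) => {
    results.push({ group, input: input.slice(0, 40), passed });
  };
  // "should block malicious input": attack replay over the payload array
  ATTACK_PAYLOADS.forEach((p) => record("block", p, inert(p)));
  // "should allow legitimate input": safe data stays readable
  LEGITIMATE_INPUTS.forEach((s) => record("allow", s, inert(s) && preserved(s)));
  BOUNDARY_INPUTS.forEach((s) => record("boundary", s, inert(s) && preserved(s)));
  return results;
}

function failures(results: CaseResult[], group: string): number {
  return results.filter((r) => r.group === group && !r.passed).length;
}
```

Running the suite against `renderBioBeforeFix` fails every attack-replay case, which is what shows the tests would catch a reverted fix. Entity escaping covers HTML text and quoted-attribute contexts only; values placed in URLs, inline scripts or styles need their own encoding.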

CWE-Specific Test Patterns

Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md, section "CWE-Specific Test Patterns", for per-CWE test payloads and verification patterns.

Step 8: Generate Remediation Report

Write the main report file: {id}-{slug}.md
Use template from: $JAAN_TEMPLATES_DIR/jaan-to:sec-audit-remediate.template.md
Fill template variables:
  • {{title}}
    - "Security Remediation Report" + project name
  • {{date}}
    - Current date (YYYY-MM-DD)
  • {{executive_summary}}
    - BLUF of findings fixed, risk reduction estimate
  • {{findings_table}}
    - All findings with status (fixed/pending/skipped)
  • {{fixes_generated}}
    - List of fix files with descriptions
  • {{tests_generated}}
    - List of test files with descriptions
  • {{new_dependencies}}
    - Dependencies to install
  • {{risk_reduction}}
    - Estimated risk reduction percentage
  • {{remaining_findings}}
    - Findings not addressed and why

Step 9: Generate Integration Instructions

Write the readme file: {id}-{slug}-readme.md
Include:
  1. Prerequisites -- Dependencies to install
  2. Fix Application Order -- Which fixes to apply first (auth before route-level)
  3. Per-Fix Instructions -- For each fix file:
    • What it does
    • Where to integrate it (which file/module)
    • Code snippet showing integration point
    • Before/after comparison
  4. Test Execution -- How to run the regression tests
  5. CI Integration -- How to add security tests to CI pipeline
  6. Verification Checklist -- Steps to verify each fix is working
  7. Rollback Plan -- How to revert each fix if issues arise

Step 10: Quality Check

Before writing, verify:
Coverage:
  • Every Critical finding has a fix file AND a test file
  • Every High finding has a fix file AND a test file
  • Medium findings have fix files (tests optional)
  • No finding is left without a status (fixed/pending/skipped with reason)
Fix Quality:
  • Fix files compile (valid TypeScript/JavaScript syntax)
  • No hardcoded credentials or secrets in fix files
  • Fixes use the project's tech stack (from tech.md if available)
  • Fixes follow the project's coding patterns (from scaffold if available)
  • Fix files include proper imports
Test Quality:
  • Tests include both positive (safe input) and negative (attack payload) cases
  • Test file names match fix file names
  • Tests reference finding IDs for traceability
  • Attack payloads cover OWASP test vectors
Report Quality:
  • Executive Summary present
  • All findings listed with status
  • Risk reduction estimate provided
  • Integration instructions are actionable
Output Structure:
  • ID generated using scripts/lib/id-generator.sh
  • Folder created: sec/remediate/{id}-{slug}/
  • Main file named: {id}-{slug}.md
  • Subdirectories: fixes/, tests/
  • Index updated
If any check fails, revise before preview.

Step 11: Preview and Write

Show file listing with sizes:
OUTPUT FILES
------------
$JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
  {id}-{slug}.md                    (remediation report)
  {id}-{slug}-readme.md             (integration instructions)
  fixes/
    {fix-file-1}.ts                 (CWE-89: SQL injection fix)
    {fix-file-2}.ts                 (CWE-79: XSS sanitization)
    ...
  tests/
    {test-file-1}.test.ts           (SQL injection regression)
    {test-file-2}.test.ts           (XSS prevention regression)
    ...

Total: {n} files
"Write all {n} files to $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/? [y/n]"
If approved:
  1. Create output folder and subdirectories
  2. Write all fix files to fixes/
  3. Write all test files to tests/
  4. Write remediation report
  5. Write integration instructions
  6. Update subdomain index:
```bash
source "${CLAUDE_PLUGIN_ROOT}/scripts/lib/index-updater.sh"
add_to_index \
  "$SUBDOMAIN_DIR/README.md" \
  "$NEXT_ID" \
  "${NEXT_ID}-${slug}" \
  "{Title}" \
  "{Executive summary text}"
```
  7. Confirm:
Output written to: $JAAN_OUTPUTS_DIR/sec/remediate/{NEXT_ID}-{slug}/
Index updated: $JAAN_OUTPUTS_DIR/sec/remediate/README.md
Fix files: {n} | Test files: {n} | Report: 1 | Readme: 1

Step 12: Capture Feedback

"Any feedback on the security remediation? [y/n]"
If yes:
"[1] Fix now [2] Learn for future [3] Both"
  • Option 1: Update output, re-preview, re-write
  • Option 2: Run /jaan-to:learn-add sec-audit-remediate "{feedback}"
  • Option 3: Do both

Skill Alignment

  • Two-phase workflow with HARD STOP for human approval
  • Single source of truth (no duplication)
  • Plugin-internal automation
  • Maintains human control over changes

Definition of Done

  • Detect-dev output parsed and findings extracted
  • Findings sorted by severity with CWE mapping
  • Remediation plan generated and user approved scope
  • Fix files generated for all selected findings
  • Regression tests generated for all Critical and High findings
  • Every Critical finding has both fix AND test
  • Remediation report written with executive summary
  • Integration instructions written with per-fix guidance
  • Output written to correct path with ID-based folder structure
  • Index updated
  • User approved final result