audit-full


Full-Codebase Audit

Single-pass whole-project analysis leveraging Opus 4.6's extended context window. Loads entire codebases (~50K LOC) into context for cross-file vulnerability detection, architecture review, and dependency analysis.

Quick Start

```bash
/audit-full                          # Full audit (all modes)
/audit-full security                 # Security-focused audit
/audit-full architecture             # Architecture review
/audit-full dependencies             # Dependency audit
```

Opus 4.6: Uses `complexity: max` for extended thinking across entire codebases. 1M context (beta, Tier 4+) enables cross-file reasoning that chunked approaches miss.

STEP 0: Verify User Intent with AskUserQuestion

BEFORE creating tasks, clarify audit scope:

```python
AskUserQuestion(
  questions=[
    {
      "question": "What type of audit do you want to run?",
      "header": "Audit mode",
      "options": [
        {"label": "Full audit (Recommended)", "description": "Security + architecture + dependencies in one pass"},
        {"label": "Security audit", "description": "Cross-file vulnerability analysis, data flow tracing, OWASP mapping"},
        {"label": "Architecture review", "description": "Pattern consistency, coupling analysis, dependency violations"},
        {"label": "Dependency audit", "description": "License compliance, CVE checking, version currency"}
      ],
      "multiSelect": false
    },
    {
      "question": "What should be audited?",
      "header": "Scope",
      "options": [
        {"label": "Entire codebase", "description": "Load all source files into context"},
        {"label": "Specific directory", "description": "Focus on a subdirectory (e.g., src/api/)"},
        {"label": "Changed files only", "description": "Audit only files changed vs main branch"}
      ],
      "multiSelect": false
    }
  ]
)
```

Based on answers, adjust workflow:
  • Full audit: All 3 domains, maximum context usage
  • Security only: Focus token budget on source + config files
  • Architecture only: Focus on module boundaries, imports, interfaces
  • Dependency only: Focus on lock files, manifests, import maps
  • Changed files only: Use `git diff --name-only main...HEAD` to scope

CRITICAL: Task Management is MANDATORY

```python
TaskCreate(
  subject="Full-codebase audit",
  description="Single-pass audit using extended context",
  activeForm="Running full-codebase audit"
)
```

Phase subtasks

```python
TaskCreate(subject="Estimate token budget and plan loading", activeForm="Estimating token budget")
TaskCreate(subject="Load codebase into context", activeForm="Loading codebase")
TaskCreate(subject="Run audit analysis", activeForm="Analyzing codebase")
TaskCreate(subject="Generate audit report", activeForm="Generating report")
```

---

STEP 1: Estimate Token Budget

Before loading files, estimate whether the codebase fits in context.

Run Token Estimation

```bash
# Use the estimation script
bash ${CLAUDE_PLUGIN_ROOT}/src/skills/audit-full/scripts/estimate-tokens.sh /path/to/project
```

Manual Estimation Rules

| File Type | Tokens per Line (approx) |
|---|---|
| TypeScript/JavaScript | ~8 tokens/line |
| Python | ~7 tokens/line |
| JSON/YAML config | ~5 tokens/line |
| Markdown docs | ~6 tokens/line |
| CSS/SCSS | ~6 tokens/line |

Budget Allocation

| Context Size | Available for Code | Fits LOC (approx) |
|---|---|---|
| 200K (standard) | ~150K tokens | ~20K LOC |
| 1M (beta) | ~800K tokens | ~100K LOC |

Auto-Exclusion List

Always exclude from loading:
  • `node_modules/`, `vendor/`, `.venv/`, `__pycache__/`
  • `dist/`, `build/`, `.next/`, `out/`
  • `*.min.js`, `*.map`, `*.lock` (read lock files separately for deps audit)
  • Binary files, images, fonts
  • Test fixtures and snapshots (unless auditing tests)
  • Generated files (protobuf, graphql codegen)
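
The estimation rules, budget table and exclusion list above can be applied mechanically. The following Python script is an added example, not the skill's bundled `estimate-tokens.sh`: it counts lines per file that survives the exclusion list, applies the per-type token ratios, and reports whether the total fits the 200K and 1M budgets. The sample tree, the 6-token default for file types the table does not list, and the extra `.git` exclusion are assumptions.

```python
"""Token-budget estimate for a single-pass audit.

Added example, not the skill's bundled estimate-tokens.sh. It applies the
Manual Estimation Rules, the Budget Allocation table and the Auto-Exclusion
List to a {path: line_count} map, so it runs offline on the constructed
sample below; scan_tree() builds that map from a real directory.
"""
import fnmatch
import os
from pathlib import PurePosixPath

# Approximate tokens per line by file type (Manual Estimation Rules table)
TOKENS_PER_LINE = {
    ".ts": 8, ".tsx": 8, ".js": 8, ".jsx": 8,
    ".py": 7,
    ".json": 5, ".yaml": 5, ".yml": 5,
    ".md": 6,
    ".css": 6, ".scss": 6,
}
DEFAULT_TOKENS_PER_LINE = 6  # assumption for types the table does not list

# Auto-Exclusion List: directories never loaded, file globs skipped (.git is an added assumption)
EXCLUDED_DIRS = {"node_modules", "vendor", ".venv", "__pycache__",
                 "dist", "build", ".next", "out", ".git"}
EXCLUDED_GLOBS = ("*.min.js", "*.map", "*.lock")

# Tokens available for code per context size (Budget Allocation table)
BUDGETS = {"200K": 150_000, "1M": 800_000}

# Constructed sample tree: relative path -> line count (not a real project)
SAMPLE_TREE = {
    "src/index.ts": 120,
    "src/api/routes.ts": 400,
    "package.json": 40,
    "README.md": 50,
    "node_modules/lodash/index.js": 5000,   # excluded directory
    "dist/bundle.min.js": 1,                # excluded directory and glob
    "yarn.lock": 3000,                      # lock file: read separately for the deps audit
}


def is_excluded(rel_path: str) -> bool:
    """True when a parent directory is on the exclusion list or the file name
    matches an excluded glob."""
    parts = PurePosixPath(rel_path).parts
    if any(p in EXCLUDED_DIRS for p in parts[:-1]):
        return True
    return any(fnmatch.fnmatch(parts[-1], g) for g in EXCLUDED_GLOBS)


def estimate_tokens(line_counts: dict) -> dict:
    """Estimate tokens for the files that survive exclusion and check each budget."""
    per_file = {}
    for rel_path, lines in line_counts.items():
        if is_excluded(rel_path):
            continue
        ratio = TOKENS_PER_LINE.get(PurePosixPath(rel_path).suffix, DEFAULT_TOKENS_PER_LINE)
        per_file[rel_path] = lines * ratio
    total = sum(per_file.values())
    return {
        "files": per_file,
        "total_tokens": total,
        "fits": {name: total <= budget for name, budget in BUDGETS.items()},
    }


def scan_tree(root: str) -> dict:
    """Walk a real directory tree and count lines per readable text file.
    Binary files fail UTF-8 decoding and are skipped, matching the rule above."""
    counts = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]  # prune early
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "r", encoding="utf-8") as fh:
                    counts[rel] = sum(1 for _ in fh)
            except (UnicodeDecodeError, OSError):
                continue
    return counts


if __name__ == "__main__":
    import sys
    tree = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    result = estimate_tokens(tree)
    print(f"{len(result['files'])} files, ~{result['total_tokens']:,} tokens")
    for name, ok in result["fits"].items():
        print(f"  {name} context: {'fits' if ok else 'exceeds budget'}")
```

Run it with a project path to scan a real tree, or without arguments to see the constructed sample. The per-file figures it returns are also the input the loading step needs when deciding what to defer if the budget is tight.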

If Codebase Exceeds Budget

  1. Priority loading: Entry points first, then imported modules
  2. Directory scoping: Ask user to narrow to specific directories
  3. Fallback: Recommend `/ork:verify` for chunked multi-agent approach

```python
# Fallback suggestion
AskUserQuestion(
  questions=[{
    "question": "Codebase exceeds context window. How to proceed?",
    "header": "Too large",
    "options": [
      {"label": "Narrow scope", "description": "Audit specific directories only"},
      {"label": "Use /ork:verify instead", "description": "Chunked multi-agent approach (works with any context size)"},
      {"label": "Priority loading", "description": "Load entry points + critical paths only"}
    ],
    "multiSelect": false
  }]
)
```

---

STEP 2: Load Codebase into Context

Loading Strategy

  1. Glob all source files matching inclusion patterns
  2. Sort by priority: entry points → core modules → utilities → config
  3. Read files in parallel using multiple Read tool calls per message
  4. Track loaded tokens to stay within budget

Inclusion Patterns (by language)

```bash
# TypeScript/JavaScript
**/*.ts **/*.tsx **/*.js **/*.jsx **/package.json **/tsconfig.json

# Python
**/*.py **/pyproject.toml **/setup.cfg **/requirements.txt

# Config
**/.env.example **/docker-compose.yml **/Dockerfile **/*.yaml **/*.yml   # (non-lock)
```

Reading Pattern

Read files in batches of 10-15 per message for efficiency:

```python
# Batch 1: Entry points and config
Read("src/index.ts")
Read("src/app.ts")
Read("package.json")
Read("tsconfig.json")
# ... up to 15 files

# Batch 2: Core modules
Read("src/api/routes.ts")
Read("src/db/connection.ts")
# ... next batch
```
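
Steps 1-4 of the loading strategy and the batched reading pattern above, as an added example that is not the skill's own loader: given per-file token estimates from STEP 1, it sorts files into the four priority tiers, packs them into batches of at most 15 Read calls, and defers files that would exceed the budget instead of silently overflowing it. The tier heuristics (entry-point names, utility directories, config file names) and the sample files are assumptions.

```python
"""Loading plan for STEP 2: priority order, batching and budget tracking.

Added example, not the skill's own loader. Input is a {path: estimated_tokens}
map (what STEP 1 produces); output is the ordered Read batches to issue, with
files that no longer fit the budget deferred. The tier heuristics, batch size
and sample files are assumptions.
"""
from pathlib import PurePosixPath

# Priority tiers in load order: entry points -> core modules -> utilities -> config
ENTRY_NAMES = {"index", "main", "app", "server", "cli"}
UTILITY_DIRS = {"utils", "util", "helpers", "lib", "shared"}
CONFIG_NAMES = {"package.json", "tsconfig.json", "pyproject.toml", "setup.cfg",
                "requirements.txt", "Dockerfile", "docker-compose.yml", ".env.example"}
MAX_BATCH = 15  # files per message, per the reading pattern above

# Constructed sample: path -> estimated tokens (not a real project)
SAMPLE_TOKENS = {
    "src/index.ts": 960,
    "src/api/routes.ts": 3200,
    "src/db/connection.ts": 800,
    "src/utils/strings.ts": 400,
    "package.json": 200,
    "tsconfig.json": 100,
    "src/services/user.ts": 2400,
}


def tier(path: str) -> int:
    """Return 0 for entry points, 1 for core modules, 2 for utilities, 3 for config."""
    p = PurePosixPath(path)
    if p.name in CONFIG_NAMES:
        return 3
    if p.stem in ENTRY_NAMES:
        return 0
    if any(part in UTILITY_DIRS for part in p.parts[:-1]):
        return 2
    return 1


def plan_batches(tokens_by_path: dict, budget: int, batch_size: int = MAX_BATCH) -> dict:
    """Sort files by tier (ties broken by path), then pack them into Read batches
    while a running token total stays within `budget`. Files that would overflow
    are deferred rather than dropped, so the report can list what was not seen."""
    ordered = sorted(tokens_by_path, key=lambda p: (tier(p), p))
    batches, current, loaded, deferred = [], [], 0, []
    for path in ordered:
        cost = tokens_by_path[path]
        if loaded + cost > budget:
            deferred.append(path)
            continue
        loaded += cost
        current.append(path)
        if len(current) == batch_size:
            batches.append(current)
            current = []
    if current:
        batches.append(current)
    return {"batches": batches, "loaded_tokens": loaded, "deferred": deferred}


def read_calls(batch: list) -> list:
    """Render one batch as the Read tool calls to issue in a single message."""
    return [f'Read("{path}")' for path in batch]


if __name__ == "__main__":
    plan = plan_batches(SAMPLE_TOKENS, budget=150_000, batch_size=4)
    for n, batch in enumerate(plan["batches"], 1):
        print(f"# Batch {n}")
        print("\n".join(read_calls(batch)))
    print(f"loaded ~{plan['loaded_tokens']:,} tokens; deferred: {plan['deferred']}")
```

This follows the Loading Strategy order literally, so config lands in the last batch; if the first batch should carry `package.json` and `tsconfig.json` as in the reading pattern, move those names to tier 0. The `deferred` list is what the report's "Files loaded" figure and the fallback question should be driven by.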


---

STEP 3: Audit Analysis

With codebase loaded, perform the selected audit mode(s).

Security Audit

See `references/security-audit-guide.md` for the full checklist.

Key cross-file analysis patterns:
  1. Data flow tracing: Track user input from entry point → processing → storage
  2. Auth boundary verification: Ensure all protected routes check auth
  3. Secret detection: Scan for hardcoded credentials, API keys, tokens
  4. Injection surfaces: SQL, command, template injection across file boundaries
  5. OWASP Top 10 mapping: Classify findings by OWASP category
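
Patterns 2, 3 and 5 as an added example, not code from the security-audit-guide: it runs over an in-memory snapshot of loaded files, flags route registrations whose handler chain has no auth middleware and lines that look like embedded credentials, and tags each finding with a severity and an OWASP Top 10 (2021) category so it drops straight into the report table. The Express-style route syntax, the `requireAuth` middleware name, the public-path allowlist, the secret patterns and the sample files are assumptions to adjust per project.

```python
"""Cross-file security checks: auth boundary verification and secret detection.

Added example, not the skill's own checklist code. It runs over a constructed
in-memory snapshot of source files (what sits in context after STEP 2) and
emits findings already tagged with severity and OWASP Top 10 (2021) category.
The route syntax, the `requireAuth` name, the public path allowlist and the
secret patterns are assumptions to tune per project.
"""
import re

# Constructed sample files (not a real project)
SAMPLE_FILES = {
    "src/middleware/auth.ts": "export function requireAuth(req, res, next) { /* ... */ }\n",
    "src/api/users.ts": (
        "import { requireAuth } from '../middleware/auth';\n"
        "router.get('/api/users', requireAuth, listUsers);\n"
        "router.delete('/api/users/:id', requireAuth, deleteUser);\n"
    ),
    "src/api/admin.ts": (
        "router.get('/api/admin/stats', getStats);\n"   # no auth middleware: finding
        "router.get('/health', healthCheck);\n"         # public by policy: no finding
    ),
    "src/config.ts": (
        "export const STRIPE_KEY = process.env.STRIPE_KEY;\n"          # env lookup: fine
        "const legacyToken = 'sk_live_EXAMPLEONLY0000000000000';\n"   # hardcoded: finding
    ),
}

AUTH_MIDDLEWARE = {"requireAuth"}
PUBLIC_PATHS = {"/", "/health", "/login"}   # assumption: allowed without auth
ROUTE_RE = re.compile(
    r"""router\.(get|post|put|patch|delete)\(\s*['"]([^'"]+)['"]\s*,\s*([^)]*)\)""")

SECRET_PATTERNS = {  # constructed shapes, not an exhaustive ruleset
    "stripe-style live key": re.compile(r"sk_live_[A-Za-z0-9]{16,}"),
    "AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "credential literal": re.compile(
        r"""(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*['"][^'"]{8,}['"]"""),
}


def find_unprotected_routes(files: dict) -> list:
    """Flag route registrations whose handler chain contains no auth middleware."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ROUTE_RE.search(line)
            if not m:
                continue
            method, route, handlers = m.group(1), m.group(2), m.group(3)
            chain = {h.strip() for h in handlers.split(",")}
            if route in PUBLIC_PATHS or chain & AUTH_MIDDLEWARE:
                continue
            findings.append({
                "file": path, "line": lineno, "path": route, "method": method.upper(),
                # state-changing methods without auth are the most serious
                "severity": "CRITICAL" if method != "get" else "HIGH",
                "owasp": "A01:2021 Broken Access Control",
                "remediation": f"add {sorted(AUTH_MIDDLEWARE)[0]} before the handler",
            })
    return findings


def find_hardcoded_secrets(files: dict) -> list:
    """Flag lines that look like embedded credentials; one finding per line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            hits = [name for name, rx in SECRET_PATTERNS.items() if rx.search(line)]
            if hits:
                findings.append({
                    "file": path, "line": lineno, "patterns": hits,
                    "severity": "CRITICAL",
                    "owasp": "A07:2021 Identification and Authentication Failures (CWE-798)",
                    "remediation": "move to a secret store or environment variable and rotate",
                })
    return findings


if __name__ == "__main__":
    for f in find_unprotected_routes(SAMPLE_FILES) + find_hardcoded_secrets(SAMPLE_FILES):
        print(f"{f['severity']:8} {f['file']}:{f['line']}  {f['owasp']}")
```

The route check is where whole-codebase context pays off: the middleware is defined in one file and applied (or forgotten) in others, so a per-file scan cannot tell a deliberately public route from a missing guard, which is why the allowlist is explicit here.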

Architecture Review

See `references/architecture-review-guide.md` for the full guide.

Key analysis patterns:
  1. Dependency direction: Verify imports flow inward (clean architecture)
  2. Circular dependencies: Detect import cycles across modules
  3. Layer violations: Business logic in controllers, DB in routes, etc.
  4. Pattern consistency: Same problem solved differently across codebase
  5. Coupling analysis: Count cross-module imports, identify tight coupling
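
Patterns 1, 2 and 5 as an added example, not code from the architecture-review-guide: it builds an import graph from relative ES imports in an in-memory snapshot, finds import cycles with a depth-first search, reports edges that point from an inner layer back out to an outer one, and counts fan-in per module as a coupling signal. The four-layer order `api → services → repos → db`, the `.ts` resolution rule and the sample files are assumptions.

```python
"""Import-graph checks for the architecture review.

Added example, not the skill's own guide code. It builds a module graph from
ES-style relative imports in a constructed in-memory snapshot, then reports
import cycles, layer-direction violations and fan-in (a coupling signal).
The four-layer order, the `.ts` resolution rule and the sample files are
assumptions; package imports are ignored here on purpose.
"""
import posixpath
import re
from collections import defaultdict

# Constructed sample (not a real project)
SAMPLE_FILES = {
    "src/api/routes.ts": "import { UserService } from '../services/user';\n",
    "src/services/user.ts": (
        "import { UserRepo } from '../repos/user';\n"
        "import { audit } from './audit';\n"
    ),
    "src/services/audit.ts": "import { UserService } from './user';\n",   # cycle: user <-> audit
    "src/repos/user.ts": (
        "import { db } from '../db/connection';\n"
        "import { formatUser } from '../api/routes';\n"   # repo importing the api layer: violation
    ),
    "src/db/connection.ts": "",
}

# Allowed dependency direction, outermost first: a layer may import only later layers
LAYERS = ["api", "services", "repos", "db"]
IMPORT_RE = re.compile(r"""from\s+['"](\.[^'"]+)['"]""")


def resolve(importer: str, spec: str, files: dict):
    """Resolve a relative import to a path present in `files` (.ts / index.ts assumed)."""
    base = posixpath.normpath(posixpath.join(posixpath.dirname(importer), spec))
    for candidate in (base + ".ts", base + "/index.ts"):
        if candidate in files:
            return candidate
    return None


def build_graph(files: dict) -> dict:
    """Map each module to the list of modules it imports (resolved, in source order)."""
    graph = {path: [] for path in files}
    for path, text in files.items():
        for spec in IMPORT_RE.findall(text):
            target = resolve(path, spec, files)
            if target is not None:
                graph[path].append(target)
    return graph


def find_cycles(graph: dict) -> list:
    """Depth-first search that records each back edge as a cycle path."""
    cycles, done, stack = [], set(), []

    def visit(node):
        stack.append(node)
        for nxt in graph.get(node, []):
            if nxt in stack:
                cycles.append(stack[stack.index(nxt):] + [nxt])
            elif nxt not in done:
                visit(nxt)
        stack.pop()
        done.add(node)

    for node in sorted(graph):
        if node not in done:
            visit(node)
    return cycles


def layer_of(path: str):
    """Layer name is the directory directly under src/ (assumed layout)."""
    parts = path.split("/")
    return parts[1] if len(parts) > 2 and parts[1] in LAYERS else None


def find_layer_violations(graph: dict) -> list:
    """Edges that point from an inner layer back out to an outer layer."""
    violations = []
    for src, targets in graph.items():
        for dst in targets:
            a, b = layer_of(src), layer_of(dst)
            if a and b and LAYERS.index(b) < LAYERS.index(a):
                violations.append((src, dst))
    return violations


def fan_in(graph: dict) -> dict:
    """Number of distinct importers per module; high values mark coupling hot spots."""
    counts = defaultdict(int)
    for src, targets in graph.items():
        for dst in set(targets):
            counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    g = build_graph(SAMPLE_FILES)
    print("cycles:", find_cycles(g))
    print("layer violations:", find_layer_violations(g))
    print("fan-in:", fan_in(g))
```

Each cycle is reported as the path that closes it, which is what a reviewer needs to decide which edge to break; the sample yields one cycle inside the services layer and one that crosses three layers through the `repos → api` violation.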

Dependency Audit

See `references/dependency-audit-guide.md` for the full guide.

Key analysis patterns:
  1. Known CVEs: Check versions against known vulnerabilities
  2. License compliance: Identify copyleft licenses in proprietary code
  3. Version currency: Flag significantly outdated dependencies
  4. Transitive risk: Identify deep dependency chains
  5. Unused dependencies: Detect installed but never imported packages
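
Patterns 2 and 5 as an added example, not code from the dependency-audit-guide: it compares what a package.json declares against what the sources actually import (handling scoped packages, subpath imports, `node:` builtins and local modules), and flags declared packages whose licence is GPL-family or unknown. CVE and version-currency checks need advisory and registry data and are deliberately left out. The manifest, the sources, the package names and the licence map are all constructed.

```python
"""Dependency audit checks that work offline: unused and undeclared packages,
plus copyleft licence flagging.

Added example, not the skill's own guide code. It compares the packages a
constructed package.json declares against the packages the constructed sources
actually import, and checks declared packages against a licence map. CVE and
version-currency checks need advisory and registry data and are not shown.
"""
import json
import re

SAMPLE_PACKAGE_JSON = json.dumps({   # constructed manifest
    "name": "sample-app",
    "dependencies": {
        "express": "^4.18.2",
        "lodash": "^4.17.21",
        "@acme/validate": "^1.0.0",
        "moment": "^2.29.4",
        "report-gen": "^3.1.0",
    },
    "devDependencies": {"typescript": "^5.0.0"},
})

SAMPLE_SOURCES = {   # constructed source snapshot
    "src/index.ts": (
        "import express from 'express';\n"
        "import { get } from 'lodash/fp';\n"          # subpath import of lodash
        "import { schema } from '@acme/validate';\n"  # scoped package
        "import fs from 'node:fs';\n"                 # runtime builtin, not a dependency
        "import { helper } from './util';\n"          # local module
        "const pad = require('left-pad');\n"          # used but never declared
    ),
}

SAMPLE_LICENSES = {   # constructed; in practice read from each package's metadata
    "express": "MIT", "lodash": "MIT", "@acme/validate": "Apache-2.0",
    "moment": "MIT", "report-gen": "AGPL-3.0-only", "typescript": "Apache-2.0",
}

IMPORT_RE = re.compile(r"""(?:\bfrom\s*|\bimport\s*|\brequire\(\s*)['"]([^'"]+)['"]""")
COPYLEFT_RE = re.compile(r"\b(A?GPL|LGPL)\b")   # GPL family; weak copyleft such as MPL needs its own review
BUILTINS = {"fs", "path", "os", "crypto", "http", "https", "url", "child_process"}


def package_name(spec: str):
    """Map an import specifier to its package, or None for local/builtin imports."""
    if spec.startswith(".") or spec.startswith("/") or spec.startswith("node:"):
        return None
    parts = spec.split("/")
    name = "/".join(parts[:2]) if spec.startswith("@") else parts[0]
    return None if name in BUILTINS else name


def imported_packages(sources: dict) -> set:
    """Every third-party package referenced by any import or require in the snapshot."""
    return {
        pkg for text in sources.values()
        for pkg in map(package_name, IMPORT_RE.findall(text)) if pkg
    }


def unused_dependencies(package_json: str, sources: dict) -> list:
    """Declared in `dependencies` but imported nowhere (dev tooling is exempt)."""
    declared = set(json.loads(package_json).get("dependencies", {}))
    return sorted(declared - imported_packages(sources))


def undeclared_imports(package_json: str, sources: dict) -> list:
    """Imported somewhere but missing from both dependency sections."""
    manifest = json.loads(package_json)
    declared = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    return sorted(imported_packages(sources) - declared)


def copyleft_dependencies(package_json: str, licenses: dict) -> list:
    """(package, licence) for declared packages whose licence is GPL-family or unknown."""
    manifest = json.loads(package_json)
    declared = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    return sorted(
        (name, licenses.get(name, "UNKNOWN")) for name in declared
        if name not in licenses or COPYLEFT_RE.search(licenses[name])
    )


if __name__ == "__main__":
    print("unused:", unused_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES))
    print("undeclared:", undeclared_imports(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES))
    print("copyleft/unknown:", copyleft_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LICENSES))
```

Unused packages still ship in the lock file and still carry CVE exposure, so removing them shrinks the attack surface for free; undeclared imports work only because of hoisting and break under a stricter installer, which is why both directions are checked.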


STEP 4: Generate Report

Use the report template from `assets/audit-report-template.md`.

Report Structure

```markdown
# Audit Report: {project-name}

Date: {date} | Mode: {mode} | Files loaded: {count} | LOC: {loc}

## Executive Summary

{1-3 sentences: overall health, critical findings count}

## Findings

| # | Severity | Category | File(s) | Finding | Remediation |
|---|----------|----------|---------|---------|-------------|
| 1 | CRITICAL | Security | src/auth.ts:42 | ... | ... |

## Severity Breakdown

- CRITICAL: {n} (must fix before deploy)
- HIGH: {n} (fix within sprint)
- MEDIUM: {n} (fix within quarter)
- LOW: {n} (track and address)

## Architecture Diagram

{ASCII diagram of module dependencies}

## Recommendations

{Prioritized action items}
```

Severity Classification

See `assets/severity-matrix.md` for classification criteria.

Completion Checklist

Before finalizing the report, verify with `checklists/audit-completion.md`.

When NOT to Use

| Situation | Use Instead |
|---|---|
| Small targeted check (1-5 files) | Direct Read + analysis |
| CI/CD automated scanning | `security-scanning` skill |
| Multi-agent graded verification | `/ork:verify` |
| Exploring unfamiliar codebase | `/ork:explore` |
| Context window < 200K tokens | `/ork:verify` (chunked approach) |

Related Skills

  • security-scanning
    — Automated scanner integration (npm audit, Semgrep, etc.)
  • defense-in-depth
    — 8-layer security architecture patterns
  • owasp-top-10
    — OWASP vulnerability classification
  • clean-architecture
    — Architectural pattern reference
  • quality-gates
    — Quality assessment criteria
  • verify
    — Chunked multi-agent verification (fallback for large codebases)

References

  • Security Audit Guide — Cross-file vulnerability patterns
  • Architecture Review Guide — Pattern and coupling analysis
  • Dependency Audit Guide — CVE, license, currency checks
  • Token Estimation — File type ratios and budget planning
  • Audit Report Template — Structured output format
  • Severity Matrix — Finding classification criteria
  • Audit Completion Checklist — Pre-report verification
  • Token Estimation Script — Automated LOC → token estimation