VibeRune

Claude Code

Agent: security-auditor Skills: security-testing

/security:audit - Comprehensive Security Audit

Perform a full security audit covering OWASP Top 10 and compliance.

Usage

/security:audit [path]
/security:audit                      # Full audit of codebase
/security:audit --owasp              # OWASP Top 10 focus
/security:audit --compliance soc2    # Include SOC2 compliance

Execution Steps

1. Pre-Audit Setup

# Check available tools
echo "=== Security Tool Inventory ==="
which semgrep trivy gitleaks npm 2>/dev/null || echo "Some tools missing"

# Count files to scan
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.py" \) | wc -l

2. OWASP Top 10 Assessment

A01: Broken Access Control

  • Review auth middleware
  • Check route protection
  • Verify role-based access

A02: Cryptographic Failures

# grep's --include does not expand {js,ts,py} braces, so each extension needs its own --include
grep -rE '(md5|sha1|DES|RC4|Math\.random)' --include="*.js" --include="*.ts" --include="*.py" .

A03: Injection

# SQL Injection (single quotes keep \$ and \{ intact for grep; inside double quotes the
# shell turns \$ into a bare $, which grep -E reads as an end-of-line anchor)
grep -rE '(execute|query|raw).*(\+|\$\{)' --include="*.js" --include="*.ts" --include="*.py" .

# NoSQL Injection
grep -rE '\$where|\$regex' --include="*.js" --include="*.ts" .

# Command Injection
grep -rE '(exec|spawn|system|eval)\s*\(' --include="*.js" --include="*.ts" --include="*.py" .

A04: Insecure Design

  • Review authentication flow
  • Check session management
  • Validate input handling patterns

A05: Security Misconfiguration

# Check for debug mode
grep -rE 'DEBUG\s*=\s*[Tt]rue|NODE_ENV.*development' --include="*.env" --include=".env*" --include="*.json" --include="*.yaml" .

# Check CORS configuration
grep -rE 'cors|Access-Control' --include="*.js" --include="*.ts" .

A06: Vulnerable Components

npm audit --json 2>/dev/null
trivy fs --scanners vuln . 2>/dev/null

A07: Auth Failures

  • Review password policies
  • Check MFA implementation
  • Verify session timeout

A08: Data Integrity Failures

  • Review serialization
  • Check for insecure deserialization
  • Validate CI/CD pipeline security

A09: Logging Failures

# Check for sensitive data in logs (the alternatives are grouped so that a bare
# "secret" or "token" outside a log call does not match)
grep -rE 'console\.(log|info|debug).*(password|secret|token)' --include="*.js" --include="*.ts" .

A10: SSRF

# Check URL handling
grep -rE '(fetch|axios|request|http\.get)\s*\(' --include="*.js" --include="*.ts" .

3. Secret Scanning

# Comprehensive secret patterns. gitleaks exits non-zero when it finds leaks, so the
# grep fallback is keyed on gitleaks being absent, not on its exit status.
if command -v gitleaks >/dev/null 2>&1; then
  gitleaks detect --source . --report-format json --report-path gitleaks-report.json
else
  grep -rE '(AKIA|sk-|ghp_|gho_|github_pat|xox[baprs]-|hooks\.slack\.com)' \
    --include="*.js" --include="*.ts" --include="*.py" --include="*.json" --include="*.yaml" --include=".env*" .
fi

4. Configuration Review

  • Environment variables
  • API configurations
  • Database connection strings
  • Third-party integrations
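
The following script is an added example and not part of the VibeRune command or its security-auditor agent. It strings steps 1 to 4 together as a small offline audit runner: it builds a constructed sample tree (all file names and contents are made up for the demonstration), runs the grep checks above with one --include per extension and with vendored directories excluded, redacts any matched secret before it reaches the report, and prints the findings table in the output template's layout. It assumes POSIX sh, GNU grep and sed -E; the severity mapping (secrets critical, injection sinks high, weak crypto, debug config and sensitive logging medium) is an assumption of this example, not a rule the command states.

```shell
#!/bin/sh
# Added example, not part of the VibeRune command: a minimal offline audit runner that
# drives the grep-based checks from the execution steps. Assumes POSIX sh, GNU grep
# (-r, --include, --exclude-dir) and sed -E. Every file below is constructed here.

# Build a constructed sample tree so the script runs without a real repository.
# A real audit would point the functions at the repository root instead.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src" "$dir/node_modules/dep" "$dir/config"
  cat > "$dir/src/auth.js" <<'EOF'
const crypto = require('crypto');
const h = crypto.createHash('md5').update(pw).digest('hex');   // weak hash (A02)
db.query("SELECT * FROM users WHERE id = " + req.params.id);   // string-built SQL (A03)
console.log("login ok, token=" + token);                        // secret written to logs (A09)
const tokens = header.split(' ');                               // 'token' with no log call: must not match
EOF
  cat > "$dir/src/util.py" <<'EOF'
import hashlib, os
digest = hashlib.sha256(data).hexdigest()   # fine: not in the weak-algorithm list
os.system("ls " + user_dir)                 # shell sink built from input (A03)
EOF
  cat > "$dir/node_modules/dep/index.js" <<'EOF'
var x = md5(y); // third-party code: excluded here, belongs to the dependency scan (A06)
EOF
  cat > "$dir/config/settings.env" <<'EOF'
DEBUG=True
AWS_KEY=AKIAFAKEFAKEFAKEFAKE
EOF
  printf '%s\n' "$dir"
}

# run_check ROOT PATTERN "ext1 ext2 ...": grep one ERE over the tree.
# grep's --include does not expand {js,ts} braces, so one --include per extension is
# generated; vendored and VCS directories are skipped so findings are in first-party code.
run_check() {
  root=$1; pattern=$2; exts=$3
  set --
  for ext in $exts; do
    set -- "$@" --include="*.$ext"
  done
  grep -rEn --exclude-dir=node_modules --exclude-dir=vendor --exclude-dir=.git \
    "$@" -e "$pattern" "$root" 2>/dev/null
}

# Number of matching lines for a check (0 when grep finds nothing).
count_check() { run_check "$@" | wc -l | tr -d ' '; }

# Secret scan using the command's prefix list. The matched value is cut down to its
# prefix before it reaches the report, so the report itself cannot leak the credential.
scan_secrets() {
  run_check "$1" '(AKIA|sk-|ghp_|gho_|github_pat|xox[baprs]-|hooks\.slack\.com)' \
      'js ts py json yaml env' \
    | sed -E -e 's/(AKIA|sk-|ghp_|gho_|github_pat|xox[baprs]-)[A-Za-z0-9_-]*/\1[REDACTED]/g' \
             -e 's#hooks\.slack\.com/[^[:space:]"]*#hooks.slack.com/[REDACTED]#g'
}

# severity_counts ROOT: echoes "CRITICAL HIGH MEDIUM". The mapping is an assumption of
# this example (secrets critical; injection sinks high; weak crypto, debug config and
# sensitive logging medium), not a rule stated by the command.
severity_counts() {
  root=$1
  secrets=$(scan_secrets "$root" | wc -l | tr -d ' ')
  sqli=$(count_check "$root" '(execute|query|raw).*(\+|\$\{)' 'js ts py')
  cmdi=$(count_check "$root" '(exec|spawn|system|eval)[[:space:]]*\(' 'js ts py')
  crypto=$(count_check "$root" '(md5|sha1|DES|RC4|Math\.random)' 'js ts py')
  debug=$(count_check "$root" 'DEBUG[[:space:]]*=[[:space:]]*[Tt]rue|NODE_ENV.*development' 'env json yaml')
  logs=$(count_check "$root" 'console\.(log|info|debug).*(password|secret|token)' 'js ts')
  printf '%s %s %s\n' "$secrets" $((sqli + cmdi)) $((crypto + debug + logs))
}

# print_summary ROOT: the findings table in the report template's layout.
print_summary() {
  set -- $(severity_counts "$1")
  printf '| Severity | Count | Status |\n|----------|-------|--------|\n'
  printf '| Critical | %s | Requires immediate action |\n' "$1"
  printf '| High | %s | Address within 7 days |\n' "$2"
  printf '| Medium | %s | Address within 30 days |\n' "$3"
}

# Demo entry point: build the sample tree, print the table and the redacted secret hits.
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_sample_tree)
  print_summary "$demo"
  scan_secrets "$demo"
  rm -rf "$demo"
fi
```

Saved as, say, audit_runner.sh (a name assumed here), `sh audit_runner.sh --demo` prints a table with one critical, two high and three medium findings, followed by the secret hit shown as AKIA[REDACTED]. Against a real tree, call count_check and scan_secrets with the repository root instead of the sample directory; the node_modules copy of the md5 call is deliberately not counted, since third-party code is the A06 dependency scan's job.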

Agent Configuration

agent: security-auditor
skills:
  - security-testing
confirmation: none  # Audit is read-only

Output Template

## Security Audit Report

### Executive Summary
- **Audit Date**: {timestamp}
- **Scope**: {path}
- **Risk Level**: [Critical|High|Medium|Low]

### Findings Summary
| Severity | Count | Status |
|----------|-------|--------|
| Critical | X | Requires immediate action |
| High | X | Address within 7 days |
| Medium | X | Address within 30 days |
| Low | X | Address in next release |

### OWASP Top 10 Assessment
| Category | Status | Findings |
|----------|--------|----------|
| A01 Broken Access Control | ✓/⚠/✗ | [details] |
| A02 Cryptographic Failures | ✓/⚠/✗ | [details] |
| ... | ... | ... |

### Detailed Findings
[Full finding details with evidence and remediation]

### Remediation Roadmap
1. [Immediate: Critical fixes]
2. [Short-term: High priority]
3. [Medium-term: Improvements]

### Compliance Notes
[SOC2/GDPR relevant findings if applicable]

Timeline Recommendations

| Severity | SLA |
|----------|-----|
| Critical | 24-48 hours |
| High | 7 days |
| Medium | 30 days |
| Low | Next release cycle |
