# /security:fix - Apply Security Fixes

Agent: security-auditor | Skills: security-testing
Apply recommended security fixes with user approval.
## Usage

```bash
/security:fix [finding-id]
/security:fix              # Interactive fix selection
/security:fix SEC-001      # Fix specific finding
/security:fix --dry-run    # Preview fixes without applying
```

## ⚠️ CRITICAL SAFETY REQUIREMENTS
NEVER auto-fix without explicit user confirmation.
Before applying ANY fix:
- Display the vulnerability details
- Show the proposed fix
- Explain potential side effects
- ASK USER: "Apply this security fix? (yes/no)"
- Only proceed if user confirms
## Execution Steps

### 1. Load Findings

```bash
# Read from most recent security scan/audit report
# Parse findings with severity and remediation
```

### 2. Present Fix Options
## Security Fix: SEC-001

**Severity**: Critical
**Category**: Hardcoded Secret
**Location**: src/config/api.ts:15

**Current Code**:
```typescript
const API_KEY = "sk-live-abc123..."; // REDACTED
```

**Proposed Fix**:
```typescript
const API_KEY = process.env.API_KEY;
```

**Side Effects**:
- Requires API_KEY in environment variables
- May break local development without .env file

Apply this fix? (yes/no):
### 3. Apply Fix (After Confirmation)

```bash
# Use Edit tool to apply the change
# Verify syntax after edit
# Run tests if available
```

### 4. Verify Fix

```bash
# Re-scan the fixed file
# Confirm vulnerability no longer detected
```
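The four steps above as one worked example. This is added here and is not code from the `/security:fix` command or from Claude Code: findings are loaded from a constructed report, the proposal is rendered, nothing is edited until an injected `confirm` callback answers yes, and the file is re-scanned before the edit is kept. The report, the file contents and the names (`Finding`, `scanForSecrets`, `applyFixes`) are assumptions made for this example; `--dry-run` is modelled by the `dryRun` option.

```typescript
// Added example, not code from the /security:fix command or from Claude Code:
// the four execution steps as one confirmation-gated pipeline. The report, the
// file contents and the names (Finding, scanForSecrets, applyFixes, ...) are
// constructed for this example.

type Severity = "Critical" | "High" | "Medium" | "Low";

interface Finding {
  id: string;            // e.g. SEC-001
  severity: Severity;
  category: string;
  file: string;
  line: number;          // 1-based line the scanner flagged
  current: string;       // the offending line, exactly as found
  proposed: string;      // the replacement line
  sideEffects: string[];
}

// Step 1, load findings: a constructed report standing in for the JSON a
// real scan/audit would have written. It mirrors SEC-001 above.
const SAMPLE_REPORT: Finding[] = [{
  id: "SEC-001", severity: "Critical", category: "Hardcoded Secret",
  file: "src/config/api.ts", line: 2,
  current: 'const API_KEY = "sk-live-abc123";',
  proposed: "const API_KEY = process.env.API_KEY;",
  sideEffects: [
    "Requires API_KEY in environment variables",
    "May break local development without .env file",
  ],
}];

// Constructed repository contents, keyed by path.
const SAMPLE_FILES: Record<string, string> = {
  "src/config/api.ts": [
    'import { client } from "./client";',
    'const API_KEY = "sk-live-abc123";',
    "export const api = client(API_KEY);",
  ].join("\n"),
};

// Step 4's re-scan. Deliberately tiny: string literals that look like a live
// key. A real run would use the scanner's own rules.
const SECRET_RE = /["'`]sk-live-[A-Za-z0-9]+["'`]/;
function scanForSecrets(source: string): number[] {
  const hits: number[] = [];
  source.split("\n").forEach((text, i) => {
    if (SECRET_RE.test(text)) hits.push(i + 1);
  });
  return hits;
}

// Step 2: the proposal the user sees before anything is touched.
function renderProposal(f: Finding): string {
  return [
    `## Security Fix: ${f.id}`,
    `**Severity**: ${f.severity}`,
    `**Category**: ${f.category}`,
    `**Location**: ${f.file}:${f.line}`,
    "**Current Code**:", f.current,
    "**Proposed Fix**:", f.proposed,
    "**Side Effects**:", ...f.sideEffects.map((s) => `- ${s}`),
    "Apply this fix? (yes/no):",
  ].join("\n");
}

type Status = "preview" | "declined" | "skipped" | "applied" | "unverified";

// Steps 3 and 4. `confirm` is injected: in the real command it is the
// interactive yes/no prompt, so the tool can never answer it for the user.
// `files` is mutated only on a confirmed, verified fix.
function applyFixes(
  findings: Finding[],
  files: Record<string, string>,
  confirm: (prompt: string) => boolean,
  opts: { dryRun?: boolean } = {},
): { id: string; status: Status }[] {
  return findings.map((f) => {
    const prompt = renderProposal(f);
    if (opts.dryRun) return { id: f.id, status: "preview" as Status };
    if (!confirm(prompt)) return { id: f.id, status: "declined" as Status };

    const lines = files[f.file].split("\n");
    // The file may have changed since the scan: only edit an exact match.
    if (lines[f.line - 1] !== f.current) return { id: f.id, status: "skipped" as Status };
    lines[f.line - 1] = f.proposed;
    const patched = lines.join("\n");

    // Verify before keeping the edit: the finding must be gone from that line.
    if (scanForSecrets(patched).indexOf(f.line) !== -1) {
      return { id: f.id, status: "unverified" as Status };
    }
    files[f.file] = patched;
    return { id: f.id, status: "applied" as Status };
  });
}
```

In the real command `confirm` is the interactive prompt; stubbing it is also what makes the "never auto-fix without confirmation" rule testable, since a declined prompt must leave the file byte-for-byte unchanged. The exact-match check before editing is the caveat worth keeping: a report from an earlier scan must not be applied blindly to a file that has moved on.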
## Agent Configuration

```yaml
agent: security-auditor
skills:
  - security-testing
confirmation: required  # ALWAYS require confirmation
```

## Fix Categories
### Secret Removal

```typescript
// Before
const SECRET = "hardcoded-value";
// After
const SECRET = process.env.SECRET;
```

Additional Steps:
- Add the variable to .env.example
- Update deployment documentation
- Fail fast when the variable is unset: `process.env.SECRET` is simply `undefined` when missing, so validate it at startup rather than at the first request that needs it
- Rotate the exposed secret: removing it from the working tree does not remove it from git history, logs or build artifacts, so treat it as compromised
### SQL Injection Fix

```typescript
// Before
db.query(`SELECT * FROM users WHERE id = ${userId}`);
// After
db.query('SELECT * FROM users WHERE id = $1', [userId]);
```
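An added example, not from the page, of keeping the interpolation syntax of the "Before" form while producing the parameterized "After" form: a tagged template turns each `${...}` into a numbered placeholder and never splices the value into the SQL text. `sql`, `Query`, `unsafeQuery`, `orderBy` and `listUsers` are this example's own names; the `$1` placeholder style is node-postgres's, and the queries are constructed. It also covers the case a parameter cannot handle, a user-chosen column name, which needs an allowlist.

```typescript
// Added example, not code from the page: a tagged template that keeps
// interpolation syntax but emits the parameterized "$1" form shown above.
// `sql`, `Query`, `unsafeQuery`, `orderBy` and `listUsers` are this
// example's own names; the queries are constructed for illustration.

interface Query { text: string; values: unknown[]; }

// Every `${...}` becomes a numbered placeholder; the value goes into `values`
// and is never concatenated into the SQL text, so it can only ever be data.
function sql(strings: TemplateStringsArray, ...values: unknown[]): Query {
  let text = "";
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) text += `$${i + 1}`;
  });
  return { text, values };
}

// The "Before" form from the page, kept only to show what the attacker controls.
function unsafeQuery(userId: string): string {
  return `SELECT * FROM users WHERE id = ${userId}`;
}

// Placeholders cannot carry identifiers (table or column names), so a
// user-chosen sort column still needs an allowlist rather than a parameter.
const SORTABLE = ["id", "email", "created_at"];
function orderBy(column: string): string {
  if (SORTABLE.indexOf(column) === -1) throw new Error(`refusing to sort by: ${column}`);
  return column;
}

// Data goes through placeholders, the identifier through the allowlist.
function listUsers(orgId: number, status: string, sortColumn: string): Query {
  const q = sql`SELECT * FROM users WHERE org_id = ${orgId} AND status = ${status}`;
  return { text: `${q.text} ORDER BY ${orderBy(sortColumn)}`, values: q.values };
}
```

With `userId = "1 OR 1=1"`, `unsafeQuery` yields `SELECT * FROM users WHERE id = 1 OR 1=1`, while `sql` yields the text `SELECT * FROM users WHERE id = $1` with the payload sitting inert in `values`.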
### XSS Fix

```typescript
// Before
element.innerHTML = userInput;
// After
element.textContent = userInput;
// Or use DOMPurify for HTML content
element.innerHTML = DOMPurify.sanitize(userInput);
```

`textContent` is the default: it renders the input as text and never parses it as markup. Use `innerHTML` only when the content genuinely must contain HTML, and then only after sanitizing.

### Dependency Update
```bash
# Preview
npm audit fix --dry-run
# Apply (with user confirmation)
npm audit fix
# Force major updates (requires explicit approval)
npm audit fix --force
```

`--force` may install breaking semver-major versions, so review the `package-lock.json` diff and run the test suite before committing the result.

## Output Template
## Security Fix Applied
### Fix Details
- **Finding ID**: SEC-001
- **Severity**: Critical
- **File**: src/config/api.ts
- **Line**: 15
### Changes Made
- Removed hardcoded API key
- Added environment variable reference
### Verification
- [x] Fix applied successfully
- [x] Syntax valid
- [x] Re-scan confirms fix
### Follow-up Required
1. Add API_KEY to .env.example
2. Update deployment docs
3. **IMPORTANT: Rotate the exposed secret immediately**
### Next Steps
- Run `/security:scan` to verify no new issues
- Update any affected documentation

## Severity-Based Workflow
| Severity | User Interaction |
|---|---|
| Critical | Must confirm each fix individually |
| High | Must confirm each fix individually |
| Medium | Can batch confirm after review |
| Low | Can batch confirm after review |
## Rollback

If a fix causes issues:

```bash
# Discard the working-tree changes to the edited file
git checkout -- <file>      # or: git restore <file>
# Or, if the pre-fix state was stashed before applying, bring it back
git stash pop
```

Note that `git checkout -- <file>` throws away every uncommitted change to that file, not only the one the fix made, so commit or stash unrelated edits before running `/security:fix`.