code-security-audit
Installation
SKILL.md
Code Security Audit Capabilities
OWASP 4-source integrated code security audit system for universal codebase analysis.
Knowledge Sources
- OWASP ASVS 5.0.0: 345 verification requirements across 17 security domains (L1/L2/L3)
- OWASP API Security Top 10 2023: 10 API-specific risk categories with code-level indicators
- OWASP CheatSheet Series: 109 practical secure coding cheat sheets for remediation guidance
- OWASP WSTG (Web Security Testing Guide): 12 testing categories with 120+ test scenarios
Source Roles
| Source | Role | Usage |
|---|---|---|
| ASVS 5.0.0 | Verification requirements baseline | Defines what to check — structured requirements per domain |
| API Security Top 10 2023 | Risk taxonomy | Defines what to look for — API-specific threat patterns |
| CheatSheet Series | Implementation guidance | Defines how to fix — secure coding patterns and practices |
| WSTG | Test methodology | Defines how to verify — concrete test scenarios per vulnerability |
Domains
- Input Handling (V1, V2, V5): Encoding, sanitization, injection prevention, validation, file handling
- Authentication & Session (V6, V7, V9, V10): Auth mechanisms, session management, token handling, OAuth/OIDC
- Authorization (V8): Object-level, function-level, property-level access control
- Cryptography (V11, V12): Storage encryption, key management, TLS configuration
- API Security (V4, V17): REST/GraphQL/WebSocket/WebRTC security, rate limiting, resource consumption
- Data Protection (V14): Sensitive data exposure, privacy controls, client-side data
- Configuration (V13, V16): Security headers, CORS, error handling, logging, deployment hardening
- Secure Coding (V3, V15): Web frontend security, architecture patterns, defensive coding, concurrency safety
Input Contract
| Field | Required | Description |
|---|---|---|
| Codebase path | Yes | The current workspace or repository the agent is operating in. Defaults to the active codebase; users may narrow scope to specific directories or files (e.g., src/auth/, api/controllers/) |
| Audit level | No | ASVS verification level (default: L2). See level definitions below |
| Focus areas | No | Security domains to prioritize. See focus area catalog below |
| Tech context | No | Language, framework, or architecture notes for targeted analysis |
Audit Levels (OWASP ASVS 5.0.0)
| Level | Target Application | Requirements | Description |
|---|---|---|---|
| L1 | All applications | ~86 | Essential baseline — covers critical vulnerabilities that are typically exploitable and must be addressed in every application (e.g., SQL injection, OS command injection, basic auth checks) |
| L2 | Applications handling sensitive data (PII, financial, health) | ~230 | Standard security — includes L1 plus defense-in-depth controls such as SSRF protection, template injection prevention, secure session management, and proper cryptographic usage |
| L3 | Mission-critical systems (banking, healthcare, military, infrastructure) | ~345 | Comprehensive defense — includes L1+L2 plus advanced controls such as formula injection prevention, full input canonicalization, and exhaustive cryptographic verification |
Focus Area Catalog
| Focus Area | Domains | Example Checks |
|---|---|---|
| authentication | V6, V7, V9, V10 | Password storage, MFA, OAuth/OIDC flow, credential rotation |
| authorization | V8 | Object-level (BOLA), function-level, property-level access control |
| injection | V1, V2 | SQLi, XSS, command injection, LDAP/XPath injection, template injection, XXE |
| cryptography | V11, V12 | Weak algorithms, key management, TLS configuration, secret storage |
| api-security | V4, V17 | Rate limiting, resource consumption, REST/GraphQL/WebSocket security |
| session | V7, V9, V10 | Token handling, session fixation, cookie attributes, JWT validation, CSRF |
| file-handling | V5 | Path traversal, unrestricted upload, file type validation, storage security |
| data-protection | V14 | Sensitive data exposure, privacy controls, client-side data leakage |
| configuration | V13, V16 | Security headers, CORS, error handling, logging, deployment hardening |
| secure-coding | V3, V15 | Frontend security, concurrency safety, architecture patterns, defensive coding |
Preconditions
- Codebase is accessible and readable
- Agent has file search and read capabilities
- If codebase structure cannot be determined, the agent reports limitations in the audit output
Core Capabilities
- Codebase Reconnaissance: Identifies technology stack, frameworks, entry points, and security-relevant file areas
- Domain-Scoped Analysis: Systematically audits code across all 8 security domains
- ASVS Requirement Verification: Checks code against applicable ASVS 5.0.0 requirements at the specified level
- Vulnerability Pattern Detection: Identifies known vulnerable code patterns from the integrated knowledge base
- Cross-Source Correlation: Maps findings to ASVS requirements, API Top 10 risks, CheatSheet guidance, and WSTG test IDs
- Severity Classification: Rates findings as Critical/High/Medium/Low with evidence and confidence
- Remediation Guidance: Provides concrete fix patterns sourced from CheatSheet Series
- Structured Report Generation: Produces a comprehensive Markdown audit report
Audit Workflow
1. Reconnaissance → Identify stack, structure, entry points
2. Scope Definition → Select applicable ASVS domains and level
3. Domain Analysis → Audit each security domain systematically
4. Finding Synthesis → Deduplicate, correlate across sources, assign severity
5. Remediation Map → Attach fix patterns per finding
6. Report Generation → Produce structured Markdown report
Output Contract
The audit produces a Markdown report containing:
- Executive Summary: Overall risk posture, critical findings count, audit scope
- Findings Table: Each finding with severity, ASVS ID, CWE, evidence, and remediation
- Domain Reports: Per-domain detailed analysis with code references
- Remediation Roadmap: Prioritized fix recommendations
- Audit Metadata: Scope, level, limitations, methodology notes
Severity Levels
| Level | Criteria |
|---|---|
| Critical | Exploitable vulnerability with direct security impact (RCE, SQLi, auth bypass, data breach) |
| High | Significant security weakness requiring prompt remediation (broken access control, weak crypto, SSRF) |
| Medium | Security concern with conditional exploitability (missing headers, verbose errors, weak validation) |
| Low | Defense-in-depth improvement or best practice deviation (logging gaps, minor config issues) |
| Info | Observation or recommendation with no direct security impact |
Technical References
- audit_process.md: Complete step-by-step audit methodology and reconnaissance procedures
- security_domains.md: All 17 ASVS domains with code-audit-relevant requirements and cross-source mappings
- vulnerability_patterns.md: Concrete code-level vulnerability patterns organized by category
- remediation_patterns.md: Secure coding fix patterns from CheatSheet Series
- report_format.md: Detailed Markdown report structure and finding schema
Related skills
More from buyoung/skills
agents-md-generator
Analyze repository structure and generate or update standardized AGENTS.md files that serve as contributor guides for AI agents. Supports both single-repo and monorepo structures. Measures LOC to determine character limits and produces structured documents covering overview, folder structure, patterns, conventions, and working agreements. Update mode refreshes only the standard sections while preserving user-defined custom sections. Use when setting up a new repository, onboarding AI agents to an existing codebase, updating an existing AGENTS.md, or when the user mentions AGENTS.md.
27biz-opportunity-scout
Identify and validate profitable business opportunities by analyzing market size (TAM/SAM/SOM), unit economics, competitive landscape, and PMF indicators. Generates comprehensive HTML reports with opportunity scorecards.
20typst-creator
Generate Typst source code for documents, reports, papers, and presentations, covering markup, math, scripting, and layout syntax.
19skill-maker
Generates AI agent skill packages with SKILL.md, optional bundled resources (scripts/, references/, assets/), and README.md integration.
18jetbrains-vmoptions
>
18kysely-converter
Capable of converting raw SQL queries into type-safe Kysely TypeScript code. Knows how to handle various SQL dialects and complex query structures.
14