security-audit
Security Audit
4-phase security audit covering supply chain risks, OWASP Top 10 code review, STRIDE threat modeling, and trend-tracked reporting. Produces structured JSON findings in .workflow/.security/.
Architecture Overview
+-------------------------------------------------------------------+
| Phase 1: Supply Chain Scan |
| -> Dependency audit, secrets detection, CI/CD review, LLM risks |
| -> Output: supply-chain-report.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 2: OWASP Review |
| -> OWASP Top 10 2021 code-level analysis via ccw cli |
| -> Output: owasp-findings.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 3: Threat Modeling (STRIDE) |
| -> 6 threat categories mapped to architecture components |
| -> Output: threat-model.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 4: Report & Tracking |
| -> Score calculation, trend comparison, dated report |
| -> Output: .workflow/.security/audit-report-{date}.json |
+-------------------------------------------------------------------+
Key Design Principles
- Infrastructure-first: Phase 1 catches low-hanging fruit (leaked secrets, vulnerable deps) before deeper analysis
- Standards-based: OWASP Top 10 2021 and STRIDE provide systematic coverage
- Scoring gates: Daily quick-scan must score 8/10; comprehensive audit minimum 2/10 for initial baseline
- Trend tracking: Each audit compares against prior results in
.workflow/.security/
Execution Flow
Quick-Scan Mode (daily)
Run Phase 1 only. Must score >= 8/10 to pass.
Comprehensive Mode (full audit)
Run all 4 phases sequentially. Initial baseline minimum 2/10.
Phase Sequence
- Phase 1: Supply Chain Scan -- phases/01-supply-chain-scan.md
- Dependency audit (npm audit / pip-audit / safety check)
- Secrets detection (API keys, tokens, passwords in source)
- CI/CD config review (injection risks in workflow YAML)
- LLM/AI prompt injection check
- Phase 2: OWASP Review -- phases/02-owasp-review.md
- Systematic OWASP Top 10 2021 code review
- Uses
ccw cli --tool gemini --mode analysis --rule analysis-assess-security-risks
- Phase 3: Threat Modeling -- phases/03-threat-modeling.md
- STRIDE threat model mapped to architecture components
- Trust boundary identification and attack surface assessment
- Phase 4: Report & Tracking -- phases/04-report-tracking.md
- Score calculation with severity weights
- Trend comparison with previous audits
- Date-stamped report to
.workflow/.security/
Scoring Overview
See specs/scoring-gates.md for full specification.
| Severity | Weight | Example |
|---|---|---|
| Critical | 10 | RCE, SQL injection, leaked credentials |
| High | 7 | Broken auth, SSRF, privilege escalation |
| Medium | 4 | XSS, CSRF, verbose error messages |
| Low | 1 | Missing headers, informational disclosures |
Gates: Daily quick-scan >= 8/10, Comprehensive initial >= 2/10.
Directory Setup
mkdir -p .workflow/.security
WORK_DIR=".workflow/.security"
Output Structure
.workflow/.security/
audit-report-{YYYY-MM-DD}.json # Dated audit report
supply-chain-report.json # Latest supply chain scan
owasp-findings.json # Latest OWASP findings
threat-model.json # Latest STRIDE threat model
Reference Documents
| Document | Purpose |
|---|---|
| phases/01-supply-chain-scan.md | Dependency, secrets, CI/CD, LLM risk scan |
| phases/02-owasp-review.md | OWASP Top 10 2021 code review |
| phases/03-threat-modeling.md | STRIDE threat modeling |
| phases/04-report-tracking.md | Report generation and trend tracking |
| specs/scoring-gates.md | Scoring system and quality gates |
| specs/owasp-checklist.md | OWASP Top 10 detection patterns |
Completion Status Protocol
This skill follows the Completion Status Protocol defined in _shared/SKILL-DESIGN-SPEC.md sections 13-14.
Possible termination statuses:
- DONE: All phases completed, score calculated, report generated
- DONE_WITH_CONCERNS: Audit completed but findings exceed acceptable thresholds
- BLOCKED: Required tools unavailable (e.g., npm/pip not installed), permission denied
- NEEDS_CONTEXT: Ambiguous project scope, unclear trust boundaries
Escalation follows the Three-Strike Rule (section 14) per step.
More from catlog22/claude-code-workflow
skill-generator
Meta-skill for creating new Claude Code skills with configurable execution modes. Supports sequential (fixed order) and autonomous (stateless) phase patterns. Use for skill scaffolding, skill creation, or building new workflows. Triggers on "create skill", "new skill", "skill generator".
127review-code
Multi-dimensional code review with structured reports. Analyzes correctness, readability, performance, security, testing, and architecture. Triggers on "review code", "code review", "审查代码", "代码审查".
102skill-tuning
Universal skill diagnosis and optimization tool. Detect and fix skill execution issues including context explosion, long-tail forgetting, data flow disruption, and agent coordination failures. Supports Gemini CLI for deep analysis. Triggers on "skill tuning", "tune skill", "skill diagnosis", "optimize skill", "skill debug".
71compact
Compact current session memory into structured text for session recovery. Supports custom descriptions and tagging.
71issue-manage
Interactive issue management with menu-driven CRUD operations. Use when managing issues, viewing issue status, editing issue fields, performing bulk operations, or viewing issue history. Triggers on "manage issue", "list issues", "edit issue", "delete issue", "bulk update", "issue dashboard", "issue history", "completed issues".
71ccw-help
CCW command help system. Search, browse, recommend commands, skills, teams. Triggers "ccw-help", "ccw-issue".
70