audit-security
Audit Security
Overview
Perform a structured security audit against the OWASP Top 10, scanning the codebase for injection vulnerabilities, broken authentication, sensitive data exposure, security misconfiguration, and broken access control. Combine automated pattern scanning with manual review of business logic and architecture decisions.
Workflow
-
Read project context — Check
.chalk/docs/engineering/for:- Architecture docs (to understand auth patterns, data flow, trust boundaries)
- Previous security audits (to track remediation progress)
- API documentation (to identify endpoints requiring auth)
- Infrastructure docs (to understand deployment security)
-
Determine audit scope — From
$ARGUMENTSand conversation:- If a specific component or concern is named, focus there
- If no scope is given, audit the entire codebase
- Identify the tech stack to tailor the scan patterns (Node.js, Python, Go, etc.)
- Note the application type: web API, SPA, mobile backend, CLI tool
More from generaljerel/chalk-skills
python-clean-architecture
Clean architecture patterns for Python services — service layer, repository pattern, domain models, dependency injection, error hierarchy, and testing strategy
24create-handoff
Generate a handoff document after implementation work is complete — summarizes changes, risks, and review focus areas for the review pipeline. Use when done coding and ready to hand off for review.
16create-review
Bootstrap a local AI review pipeline and generate a paste-ready review prompt for any reviewer agent. Use after creating a handoff or when ready to get an AI code review.
15fix-findings
Fix findings from the active review session — reads reviewer findings files, applies fixes by priority, and updates the resolution log. Use after pasting reviewer output into findings files.
15fix-review
When the user asks to fix, address, or work on PR review comments — fetch review comments from a GitHub pull request and apply fixes to the local codebase. Requires gh CLI.
15review-changes
End-to-end review pipeline — creates a handoff, generates a review (self-review or paste-ready for another provider), then offers to fix findings. Use when you want to review your changes before pushing.
13