Code Audit Skill

专业代码安全审计技能 | Professional Code Security Audit 支持模式: quick / standard / deep

When to Use This Skill

This skill should be used when:

• User requests code audit, security audit, or vulnerability scanning
• User asks to check code security or find security issues
• User mentions /audit or /code-audit
• User wants to review code for vulnerabilities before deployment
• User needs penetration testing preparation or security assessment

Trigger phrases:

• "审计这个项目" / "Audit this project"
• "检查代码安全" / "Check code security"
• "找出安全漏洞" / "Find security vulnerabilities"
• "/audit", "/code-audit"

---

Quick Reference

Scan Modes

Mode	Use Case	Scope
Quick	CI/CD, small projects	High-risk vulns, secrets, dependency CVEs
Standard	Regular audits	OWASP Top 10, auth, crypto
Deep	Critical projects, pentests	Full coverage, attack chains, business logic

Core Workflow

1. Reconnaissance   → Identify tech stack, map attack surface
2. Vulnerability Hunt → Search patterns, trace data flow
3. Verification    → Confirm exploitability, filter false positives
4. Docker Verify   → [NEW] Dynamic verification in sandbox (optional)
5. Report          → Document findings with PoC and fixes

Docker部署验证

对于深度审计，可使用Docker沙箱进行动态验证:

# 生成验证环境
code-audit --generate-docker-env

# 启动并验证
docker-compose up -d
docker exec -it sandbox python /workspace/poc/verify_all.py

详见: references/core/docker_verification.md

---

Execution Controller（执行控制器 — 必经路径）

⚠️ 以下步骤是审计执行的必经路径，不是参考建议。 每步有必须产出的输出，后续步骤依赖前序输出。不产出 = 用户可见缺失。

Step 1: 模式判定

根据用户指令确定审计模式：

用户指令关键词	模式
"快速扫描" "quick" "CI检查"	quick
"审计" "扫描" "安全检查"（无特殊说明）	standard
"深度审计" "deep" "渗透测试准备" "全面审计"	deep
无法判定	问用户，不得自行假设

反降级规则: 用户指定的模式不可自行降级。项目规模大不是降级理由，而是启用 Multi-Agent 的理由。降级需用户明确确认。

必须输出:

[MODE] {quick|standard|deep}

Step 2: 文档加载

按模式加载必要文档（用 Read 工具实际读取，不是"知道有这个文件"）：

模式	必须 Read 的文档
quick	当前 SKILL.md 已加载，无需额外文档
standard	+ references/checklists/coverage_matrix.md + 对应语言 checklist
deep	+ agent.md（完整读取，不可跳过） + coverage_matrix.md + 对应语言 checklist

deep 模式下 agent.md 是必读文档 — Step 4 的执行计划模板包含只有 agent.md 中才有的字段（维度权重、Agent 切分模板、门控条件、执行状态机）。

必须输出:

[LOADED] {实际 Read 的文档列表，含行数}

Step 3: 侦察（Reconnaissance）

对目标项目执行攻击面测绘。

必须输出:

[RECON]
项目规模: {X files, Y directories}
技术栈: {language, framework, version}
项目类型: {CMS | 金融 | SaaS | 数据平台 | 身份认证 | IoT | 通用Web}
入口点: {Controller/Router/Handler 数量}
关键模块: {列表}

Step 4: 执行计划 → STOP

基于 Step 1-3 的输出生成执行计划。输出后暂停，等待用户确认才能继续。

quick/standard 模板:

[PLAN]
模式: {mode}
技术栈: {from Step 3}
扫描维度: {计划覆盖的 D1-D10 维度}
已加载文档: {from Step 2}

deep 模板（全部字段必填 — 标注了信息来源文档）:

[PLAN]
模式: deep
项目规模: {from Step 3}
技术栈: {from Step 3}
维度权重: {from agent.md 状态机 → 项目类型维度权重，如 CMS: D5(++), D1(+), D3(+), D6(+)}
Agent 方案: {from agent.md Agent 模板 → 每个 Agent 负责的维度和 max_turns}
Agent 数量: {from agent.md 规模建议 → 小型(<10K) 2-3, 中型(10K-100K) 3-5, 大型(>100K) 5-9}
D9 覆盖策略: {若项目有后台管理/多角色/多租户 → D9 必查，D3 Agent 须同时覆盖 D9a(IDOR+权限一致性+Mass Assignment)}
轮次规划: R1 广度扫描 → R1 评估 → R2 增量补漏(按需)
门控条件: PHASE_1_RECON → ROUND_N_RUNNING → ROUND_N_EVALUATION → REPORT
预估总 turns: {Agent数 × max_turns}
已加载文档: {from Step 2}

⚠️ STOP — 输出执行计划后暂停。等待用户确认后才能开始审计。

Step 5: 执行

用户确认后，按执行计划和已加载文档执行：

• quick: 高危模式匹配扫描，直接输出
• standard: 按 Phase 1→5 顺序执行
• deep: 严格按 agent.md 执行状态机
  • 启动 Multi-Agent 并行（按 Step 4 确认的 Agent 方案）
  • 遵守每个 State 的门控条件
  • 轮次评估使用 agent.md 三问法则

Step 6: 报告门控

生成报告前验证：

前置条件	quick	standard	deep
高危模式扫描完成	✅	✅	✅
D1-D10 覆盖率标记（✅已覆盖/⚠️浅覆盖/❌未覆盖）	—	✅	✅
所有 Agent 完成或超时标注	—	—	✅
轮次评估三问通过	—	—	✅

不满足前置条件 → 不得生成最终报告。

---

Anti-Hallucination Rules (MUST FOLLOW)

⚠️ Every finding MUST be based on actual code read via tools

✗ Do NOT guess file paths based on "typical project structure"
✗ Do NOT fabricate code snippets from memory
✗ Do NOT report vulnerabilities in files you haven't read

✓ MUST use Read/Glob to verify file exists before reporting
✓ MUST quote actual code from Read tool output
✓ MUST match project's actual tech stack

Core principle: Better to miss a vulnerability than report a false positive.

---

Anti-Confirmation-Bias Rules (MUST FOLLOW)

⚠️ Audit MUST be methodology-driven, NOT case-driven

✗ Do NOT say "基于之前的审计经验，我将重点关注..."
✗ Do NOT prioritize certain vuln types based on "known CVEs"
✗ Do NOT skip checklist items because they seem "less likely"

✓ MUST enumerate ALL sensitive operations, then verify EACH one
✓ MUST complete the full checklist for EACH vulnerability type
✓ MUST treat all potential vulnerabilities with equal rigor

Core principle: Discover ALL potential vulnerabilities, not just familiar patterns.

---

Two-Layer Checklist (两层检查清单)

Layer 1: coverage_matrix.md — Phase 2A后加载，验证10个安全维度覆盖率 Layer 2: 语言语义提示 — 仅对未覆盖维度按需加载对应段落

文件	用途
references/checklists/coverage_matrix.md	覆盖率矩阵 (D1-D10)
references/checklists/universal.md	通用架构/逻辑级语义提示
references/checklists/java.md	Java 语义提示 (10维度)
references/checklists/python.md	Python 语义提示
references/checklists/php.md	PHP 语义提示
references/checklists/javascript.md	JavaScript/Node.js 语义提示
references/checklists/go.md	Go 语义提示
references/checklists/dotnet.md	.NET/C# 语义提示
references/checklists/ruby.md	Ruby 语义提示
references/checklists/c_cpp.md	C/C++ 语义提示
references/checklists/rust.md	Rust 语义提示

核心原则: Checklist 不驱动审计，而是验证覆盖。LLM 先自由审计(Phase 2A)，再用矩阵查漏(Phase 2B)。

---

Module Reference

Core Modules (Load First)

Module	Path	Purpose
Capability Baseline	references/core/capability_baseline.md	防止能力丢失的回归测试框架
Anti-Hallucination	references/core/anti_hallucination.md	Prevent false positives
Audit Methodology	references/core/comprehensive_audit_methodology.md	Systematic framework, coverage tracking
Taint Analysis	references/core/taint_analysis.md	Data flow tracking, LSP-enhanced tracking, Slot type classification
PoC Generation	references/core/poc_generation.md	Verification templates
External Tools	references/core/external_tools_guide.md	Semgrep/Bandit integration

Language Modules (Load by Tech Stack)

Language	Module	Key Vulnerabilities
Java	references/languages/java.md	SQL injection, XXE, deserialization
Python	references/languages/python.md	Pickle, SSTI, command injection
Go	references/languages/go.md	Race conditions, SSRF
PHP	references/languages/php.md	File inclusion, deserialization
JavaScript	references/languages/javascript.md	Prototype pollution, XSS

Security Domain Modules (Load as Needed)

Domain	Module	When to Load
API Security	references/security/api_security.md	REST/GraphQL APIs
LLM Security	references/security/llm_security.md	AI/ML applications
Serverless	references/security/serverless.md	AWS Lambda, Azure Functions
Cryptography	references/security/cryptography.md	Encryption, TLS, JWT
Race Conditions	references/security/race_conditions.md	Concurrent operations

---

Tool Priority Strategy

Priority 1: External Professional Tools (if available)
├─ semgrep scan --config auto          # Multi-language SAST
├─ bandit -r ./src                      # Python security
├─ gosec ./...                          # Go security
└─ gitleaks detect                      # Secret scanning

Priority 2: Built-in Analysis (always available)
├─ LSP semantic analysis                # goToDefinition, findReferences, incomingCalls
├─ Read + Grep pattern matching         # Core analysis
└─ Module knowledge base                # 55+ vuln patterns

Priority 3: Verification
├─ PoC templates from references/core/poc_generation.md
└─ Confidence scoring from references/core/verification_methodology.md

---

Detailed Documentation

For complete audit methodology, vulnerability patterns, and detection rules, see:

• Full Workflow: agent.md - Complete audit process and detection commands
• Vulnerability Details: references/ - Language/framework-specific patterns
• Tool Integration: references/core/external_tools_guide.md
• Report Templates: references/core/taint_analysis.md

---

Version

• Current: 1.0
• Updated: 2026-02-13

v1.0 (Initial Public Release)

• 9语言143项强制检测清单 (references/checklists/)
• 双轨并行审计框架: Sink-driven + Control-driven + Config-driven
• Docker部署验证框架 (references/core/docker_verification.md)
• WooYun 88,636案例库集成
• 安全控制矩阵框架