Security Audit Skill
Security Audit Skill
How to Use This Skill
- Review the patterns and examples below
- Apply the relevant patterns to your implementation
- Follow the best practices outlined in this skill
Production-ready security auditing skill implementing OWASP Top 10 coverage with integrated SAST tooling. Provides systematic vulnerability assessment with actionable remediation guidance.
When to Use This Skill
Use security-audit when:
- Conducting code security reviews before release
- Preparing for penetration testing engagements
- Implementing security gates in CI/CD pipelines
- Auditing third-party code or dependencies
- Responding to security incident findings
- Achieving compliance requirements (SOC 2, PCI-DSS, HIPAA)
Don't use security-audit when:
- Just scanning for secrets (use
secrets-detectionskill) - Only checking dependency vulnerabilities (use
dependency-securityskill) - Quick syntax checks without security focus
- Performance optimization reviews
OWASP Top 10 Coverage (2021)
| # | Category | Semgrep Rules | Detection Rate |
|---|---|---|---|
| A01 | Broken Access Control | 45+ rules | 92% |
| A02 | Cryptographic Failures | 30+ rules | 88% |
| A03 | Injection | 60+ rules | 95% |
| A04 | Insecure Design | 25+ rules | 75% |
| A05 | Security Misconfiguration | 40+ rules | 85% |
| A06 | Vulnerable Components | 20+ rules | 80% |
| A07 | Auth Failures | 35+ rules | 90% |
| A08 | Data Integrity Failures | 15+ rules | 78% |
| A09 | Logging Failures | 18+ rules | 82% |
| A10 | SSRF | 12+ rules | 85% |
Instructions
Phase 1: Environment Setup
Objective: Configure SAST tools for target codebase.
-
Verify tool installation:
# Check Semgrep
semgrep --version
# Check Bandit (Python)
bandit --version
# Check ESLint security plugin (JavaScript/TypeScript)
npm list eslint-plugin-security -
Initialize Semgrep configuration:
# Create .semgrep.yml if not exists
semgrep --config=auto --generate-config -
Set severity thresholds:
- CRITICAL: Block deployment, immediate fix required
- HIGH: Block PR merge, fix within 24 hours
- MEDIUM: Warning, fix within sprint
- LOW: Informational, add to backlog
Phase 2: Static Analysis Execution
Objective: Run comprehensive SAST scans.
-
Run Semgrep with OWASP ruleset:
semgrep scan \
--config="p/owasp-top-ten" \
--config="p/security-audit" \
--json \
--output=security-audit-results.json \
. -
Run language-specific scanners:
Python:
bandit -r . -f json -o bandit-results.jsonJavaScript/TypeScript:
eslint --ext .js,.ts,.jsx,.tsx \
--plugin security \
--format json \
--output-file eslint-security.json \
src/Rust:
cargo audit --json > cargo-audit.json
cargo clippy -- -D warnings 2>&1 | tee clippy-results.txt -
Aggregate results:
- Merge findings from all tools
- Deduplicate identical issues
- Normalize severity levels
Phase 3: Vulnerability Analysis
Objective: Classify and prioritize findings.
-
Review critical findings:
- SQL Injection
- Command Injection
- Path Traversal
- Authentication Bypass
- Hardcoded Credentials
-
Assess exploitability:
- Network accessible? (public API, web interface)
- Authentication required?
- User input involved?
- Data sensitivity level?
-
Calculate risk score:
Risk = Likelihood × Impact
Likelihood: 1 (low) - 5 (certain)
Impact: 1 (minimal) - 5 (catastrophic)
Critical: Risk >= 20
High: Risk >= 12
Medium: Risk >= 6
Low: Risk < 6
Phase 4: Remediation Planning
Objective: Generate actionable fix recommendations.
-
For each finding:
- Document vulnerable code location
- Explain the vulnerability
- Provide secure code example
- Estimate remediation effort
-
Create remediation tickets:
- One ticket per unique vulnerability type
- Group related instances
- Assign severity-based priority
-
Generate security report:
# Security Audit Report
## Executive Summary
- Total Findings: X
- Critical: X | High: X | Medium: X | Low: X
## Findings Detail
### [CRITICAL] SQL Injection in user_service.py
- **Location:** src/services/user_service.py:45
- **Description:** User input directly concatenated into SQL query
- **Remediation:** Use parameterized queries
- **Effort:** 2 hours
## Secure Code Examples
[...]
Examples
Example 1: Python Web Application Audit
Context: FastAPI backend with SQLAlchemy ORM
Input:
semgrep scan --config="p/python" --config="p/owasp-top-ten" backend/
Findings:
{
"results": [
{
"check_id": "python.sqlalchemy.security.audit.raw-query",
"path": "backend/services/user.py",
"line": 45,
"message": "Raw SQL query with string formatting detected",
"severity": "ERROR"
}
]
}
Remediation:
# VULNERABLE (before)
query = f"SELECT * FROM users WHERE email = '{email}'"
result = db.execute(query)
# SECURE (after)
from sqlalchemy import text
query = text("SELECT * FROM users WHERE email = :email")
result = db.execute(query, {"email": email})
Example 2: React/TypeScript Frontend Audit
Context: React 18 application with API integration
Input:
eslint --ext .ts,.tsx --plugin security src/
Findings:
src/components/UserProfile.tsx:23
security/detect-object-injection
Detected object injection vulnerability via bracket notation
src/api/client.ts:67
security/detect-unsafe-regex
Detected potentially unsafe regular expression
Remediation:
// VULNERABLE (before)
const value = user[userInput];
// SECURE (after)
const allowedKeys = ['name', 'email', 'avatar'] as const;
type AllowedKey = typeof allowedKeys[number];
function isAllowedKey(key: string): key is AllowedKey {
return allowedKeys.includes(key as AllowedKey);
}
const value = isAllowedKey(userInput) ? user[userInput] : undefined;
Integration
Related Components
- Agent:
security-specialist- Orchestrates comprehensive security reviews - Skill:
secrets-detection- Specialized credential scanning - Skill:
dependency-security- Vulnerability scanning for dependencies - Command:
/security-sast- Quick SAST scan execution
CI/CD Integration
# GitHub Actions example
security-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: p/owasp-top-ten
- name: Run Bandit
run: |
pip install bandit
bandit -r . -f json -o bandit.json
- name: Upload Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
Quality Gates
- Block on Critical: Any critical finding blocks deployment
- Block on High Count: More than 3 high findings blocks PR
- Track Trends: Dashboard for vulnerability count over time
SAST Tool Configuration
Semgrep Configuration (.semgrep.yml)
rules:
- id: custom-sql-injection
patterns:
- pattern: |
$QUERY = f"... $VAR ..."
- pattern-not: |
$QUERY = f"... {$CONST} ..."
message: "Potential SQL injection via f-string"
severity: ERROR
languages: [python]
metadata:
owasp: "A03:2021"
cwe: "CWE-89"
Bandit Configuration (.bandit)
[bandit]
exclude_dirs = tests,venv,.venv
skips = B101,B601
targets = src/
ESLint Security Plugin (.eslintrc.js)
module.exports = {
plugins: ['security'],
extends: ['plugin:security/recommended'],
rules: {
'security/detect-object-injection': 'error',
'security/detect-non-literal-regexp': 'warn',
'security/detect-unsafe-regex': 'error',
'security/detect-buffer-noassert': 'error',
'security/detect-child-process': 'warn',
'security/detect-disable-mustache-escape': 'error',
'security/detect-eval-with-expression': 'error',
'security/detect-no-csrf-before-method-override': 'error',
'security/detect-possible-timing-attacks': 'warn',
'security/detect-pseudoRandomBytes': 'error',
},
};
Troubleshooting
| Issue | Solution |
|---|---|
| Semgrep timeout | Increase timeout: --timeout 300 |
| High false positive rate | Add .semgrepignore exclusions |
| Missing Python findings | Ensure virtual env activated |
| ESLint plugin not found | npm install eslint-plugin-security |
| Rust audit fails | Run cargo generate-lockfile first |
Performance Guidelines
- Scan Time: < 5 minutes for typical project (100K LOC)
- Memory Usage: < 2GB for full OWASP scan
- Incremental Scans: Use
--baselinefor PR changes only - Caching: Enable Semgrep caching with
--metrics on
References
Success Output
When successful, this skill MUST output:
✅ SKILL COMPLETE: security-audit
Completed:
- [x] SAST tools configured (Semgrep, Bandit, ESLint security plugin)
- [x] OWASP Top 10 scans executed
- [x] Findings classified by severity (Critical, High, Medium, Low)
- [x] Exploitability assessed for each finding
- [x] Remediation guidance provided with code examples
- [x] Security audit report generated
Outputs:
- results/semgrep-results.json (OWASP Top 10 findings)
- results/bandit-results.json (Python-specific vulnerabilities)
- results/eslint-security.json (JavaScript/TypeScript findings)
- docs/security-audit-report.md (executive summary, findings, remediation)
- docs/remediation-tickets.md (prioritized ticket list with fix estimates)
Statistics:
- Total findings: X
- Critical: X | High: X | Medium: X | Low: X
- OWASP Top 10 coverage: 95%+
- Remediation effort: X hours total
Completion Checklist
Before marking this skill as complete, verify:
- SAST tools installed and verified (Semgrep, Bandit, ESLint security)
- Semgrep OWASP ruleset applied (
p/owasp-top-ten) - Language-specific scanners executed (Bandit for Python, ESLint for JS/TS)
- Findings aggregated and deduplicated
- Severity normalized across tools (Critical/High/Medium/Low)
- Exploitability assessed (network accessible, auth required, user input)
- Risk score calculated (Likelihood × Impact)
- Remediation guidance includes secure code examples
- False positives filtered or documented
- Security report generated with executive summary
- Remediation tickets created with effort estimates
Failure Indicators
This skill has FAILED if:
- ❌ SAST tool not installed (semgrep command not found)
- ❌ Scan timeout without results (increase timeout:
--timeout 300) - ❌ No findings aggregation (tools run but results not merged)
- ❌ Severity not normalized (raw tool output used without classification)
- ❌ No remediation guidance (findings reported without fix examples)
- ❌ High false positive rate >30% (ruleset needs tuning)
- ❌ Critical findings not prioritized (buried in report)
When NOT to Use
Do NOT use this skill when:
- Only scanning for secrets (use
secrets-detectionskill instead) - Only checking dependency vulnerabilities (use
dependency-securityskill) - Quick syntax check without security focus (use linters directly)
- Performance optimization review (use
performance-profileragent) - Need penetration testing (use
penetration-testingagent) - No code to scan (pre-development phase)
- Code frozen for release (too late for fixes; run earlier in SDLC)
Use alternative skills:
- secrets-detection - Specialized credential scanning (GitLeaks, TruffleHog)
- dependency-security - Vulnerability scanning for dependencies (npm audit, Snyk)
- penetration-testing - Black-box security testing of running application
- code-review-patterns - General code quality (not security-focused)
Anti-Patterns (Avoid)
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Running only once before release | Vulnerabilities introduced late | Integrate into CI/CD, run on every PR |
| Ignoring false positives | Tool fatigue, real issues missed | Add .semgrepignore, tune rules |
| No remediation prioritization | Team overwhelmed | Focus on Critical + High first |
| Blocking deployment on Low findings | Slows velocity | Block on Critical/High only |
| Using outdated rulesets | Miss new vulnerability classes | Update Semgrep rules monthly |
| No developer training | Same issues repeat | Provide secure coding examples in tickets |
| Manual report generation | Time-consuming, error-prone | Automate report from JSON output |
Principles
This skill embodies:
- #5 Eliminate Ambiguity - Severity classification removes subjective risk assessment
- #6 Clear, Understandable, Explainable - Remediation with code examples makes fixes clear
- #8 No Assumptions - Verify all code paths, don't assume security by design
- #10 Complete Execution - Automated scan → analysis → report → tickets, no manual steps
- Security First - OWASP Top 10 coverage ensures industry-standard baseline
Full Standard: CODITECT-STANDARD-AUTOMATION.md
Status: Production-ready OWASP Coverage: Top 10 2021 (95%+ detection for injection flaws) Integration: CI/CD pipelines, security-specialist agent