MCP HubMCP Hub
Back to Skills

security-audit-codebase

pjt222
Updated 2 days ago
4 views
17
2
17
View on GitHub
Developmentapi

About

This skill performs automated security audits on codebases to detect exposed secrets, vulnerable dependencies, and OWASP Top 10 issues like injection flaws. It's designed for use before deployment, during periodic reviews, or when preparing for compliance audits. The tool operates with Read, Write, Edit, Bash, Grep, and Glob permissions to systematically scan and identify security risks.

Quick Install

Claude Code

Recommended
Primary
npx skills add pjt222/agent-almanac -a claude-code
Plugin CommandAlternative
/plugin add https://github.com/pjt222/agent-almanac
Git CloneAlternative
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/security-audit-codebase

Copy and paste this command in Claude Code to install this skill

Documentation

Security Audit Codebase

Run systematic security review of codebase. Find vulnerabilities + exposed secrets.

When Use

  • Before publishing or deploying project
  • Periodic security review of existing projects
  • After adding auth, API integration, user input handling
  • Before open-sourcing private repo
  • Prepping for security compliance audit

Inputs

  • Required: Codebase to audit
  • Optional: Specific focus area (secrets, deps, injection, auth)
  • Optional: Compliance framework (OWASP, ISO 27001, SOC 2)
  • Optional: Previous audit findings for comparison

Steps

Step 1: Scan for Exposed Secrets

Search for patterns that indicate hardcoded secrets.

# API keys and tokens
grep -rn "sk-\|ghp_\|gho_\|github_pat_\|hf_\|AKIA" --include="*.{md,js,ts,py,R,json,yml,yaml}" .

# Generic secret patterns
grep -rn "password\s*=\s*['\"]" --include="*.{js,ts,py,R,json}" .
grep -rn "api[_-]key\s*[=:]\s*['\"]" --include="*.{js,ts,py,R,json}" .
grep -rn "secret\s*[=:]\s*['\"]" --include="*.{js,ts,py,R,json}" .

# Connection strings
grep -rn "postgresql://\|mysql://\|mongodb://" .

# Private keys
grep -rn "BEGIN.*PRIVATE KEY" .

Got: No real secrets found — only placeholders like YOUR_TOKEN_HERE or [email protected].

If fail: Real secrets found? Remove immediately, rotate exposed credential, clean git history with git filter-branch or git-filter-repo. Treat any exposed secret as compromised.

Step 2: Check .gitignore Coverage

Verify sensitive files excluded.

# Check that these are git-ignored
git check-ignore .env .Renviron credentials.json node_modules/

# Look for tracked sensitive files
git ls-files | grep -i "\.env\|\.renviron\|credentials\|secret"

Got: All sensitive files (.env, .Renviron, credentials.json) listed in .gitignore, git ls-files returns no tracked sensitive files.

If fail: Sensitive files tracked? Run git rm --cached <file> to untrack, add to .gitignore, commit. File stays on disk but no longer version-controlled.

Step 3: Audit Dependencies

Node.js.

npm audit
npx audit-ci --moderate

Python.

pip-audit
safety check

R.

# Check for known vulnerabilities in packages
# No built-in tool, but verify package sources
renv::status()

Got: No high or critical vulnerabilities in deps. Moderate + low documented for review.

If fail: Critical vulnerabilities found? Update affected packages immediately with npm audit fix or pip install --upgrade. Updates introduce breaking changes? Document vulnerability, create remediation plan.

Step 4: Check for Injection Vulnerabilities

SQL Injection.

# Look for string concatenation in queries
grep -rn "paste.*SELECT\|paste.*INSERT\|paste.*UPDATE\|paste.*DELETE" --include="*.R" .
grep -rn "query.*\+.*\|query.*\$\{" --include="*.{js,ts}" .

All database queries should use parameterized queries, not string concatenation.

Command Injection.

# Look for shell execution with user input
grep -rn "system\(.*paste\|exec(\|spawn(" --include="*.{R,js,ts,py}" .

XSS (Cross-Site Scripting).

# Look for unescaped user content in HTML
grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html" --include="*.{js,ts,jsx,tsx,vue}" .

Got: No SQL, command, or XSS injection vectors found. All queries use parameterized statements, shell commands avoid user-controlled input, HTML output properly escaped.

If fail: Injection vulnerabilities found? Replace string concat in queries with parameterized queries, sanitize or escape user input before shell exec, use framework-safe rendering instead of innerHTML or dangerouslySetInnerHTML.

Step 5: Review Authentication and Authorization

Checklist.

  • Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
  • Session tokens random + sufficiently long
  • Auth tokens have expiration
  • API endpoints check authorization
  • CORS configured restrictively
  • CSRF protection enabled for state-changing operations

Got: All checklist items pass: passwords use strong hashing, tokens random with expiration, endpoints enforce authorization, CORS restrictive, CSRF protection active.

If fail: Prioritize fixes by severity: weak password hashing + missing authorization = critical, CORS + CSRF = high. Document all findings with severity.

Step 6: Check Configuration Security

# Debug mode in production configs
grep -rn "debug\s*[=:]\s*[Tt]rue\|DEBUG\s*=\s*1" --include="*.{json,yml,yaml,toml,cfg}" .

# Permissive CORS
grep -rn "Access-Control-Allow-Origin.*\*\|cors.*origin.*\*" --include="*.{js,ts}" .

# HTTP instead of HTTPS
grep -rn "http://" --include="*.{js,ts,py,R}" . | grep -v "localhost\|127.0.0.1\|http://"

Got: Debug mode disabled in prod configs, CORS does not use wildcard origins in prod, all external URLs use HTTPS.

If fail: Debug mode enabled in prod configs? Disable immediately. Replace wildcard CORS origins with explicit allowed domains. Update http:// URLs to https:// where endpoint supports.

Step 7: Document Findings

Create audit report.

# Security Audit Report

**Date**: YYYY-MM-DD
**Auditor**: [Name]
**Scope**: [Repository/Project]
**Status**: [PASS/FAIL/CONDITIONAL]

## Findings Summary

| Category | Status | Details |
|----------|--------|---------|
| Exposed secrets | PASS | No secrets found |
| .gitignore | PASS | Sensitive files excluded |
| Dependencies | WARN | 2 moderate vulnerabilities |
| Injection | PASS | Parameterized queries used |
| Auth/AuthZ | N/A | No authentication in scope |
| Configuration | PASS | Debug mode disabled |

## Detailed Findings

### Finding 1: [Title]
- **Severity**: Low / Medium / High / Critical
- **Location**: `path/to/file:line`
- **Description**: What was found
- **Recommendation**: How to fix
- **Status**: Open / Resolved

## Recommendations
1. Update dependencies to fix moderate vulnerabilities
2. [Additional recommendations]

Got: Complete SECURITY_AUDIT_REPORT.md saved in project root with findings categorized by severity, each with specific location, description, recommendation.

If fail: Too many findings to document individually? Group by category, prioritize critical/high findings. Generate report regardless of outcome to establish baseline.

Checks

  • No hardcoded secrets in source
  • .gitignore covers all sensitive files
  • No high/critical dep vulnerabilities
  • No injection vulnerabilities
  • Auth properly implemented (if applicable)
  • Audit report complete, findings addressed

Pitfalls

  • Only check current files: Secrets in git history still exposed. Check with git log -p --all -S 'secret_pattern'.
  • Ignore dev deps: Dev deps can introduce supply chain risks.
  • False sense of security from .gitignore: .gitignore only prevents future tracking. Already-committed files need git rm --cached.
  • Overlook config files: docker-compose.yml, CI configs, deploy scripts often contain secrets.
  • Not rotating compromised credentials: Finding + removing secret not enough. Credential must be revoked + regenerated.

See Also

  • configure-git-repository - proper .gitignore setup
  • write-claude-md - documenting security requirements
  • setup-gxp-r-project - security in regulated environments

GitHub Repository

pjt222/agent-almanac
Path: i18n/caveman/skills/security-audit-codebase
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

Related Skills

qmd

Development

qmd is a local search and indexing CLI tool that enables developers to index and search through local files using hybrid search combining BM25, vector embeddings, and reranking. It supports both command-line usage and MCP (Model Context Protocol) mode for integration with Claude. The tool uses Ollama for embeddings and stores indexes locally, making it ideal for searching documentation or codebases directly from the terminal.

View skill

subagent-driven-development

Development

This skill executes implementation plans by dispatching a fresh subagent for each independent task, with code review between tasks. It enables fast iteration while maintaining quality gates through this review process. Use it when working on mostly independent tasks within the same session to ensure continuous progress with built-in quality checks.

View skill

mcporter

Development

The mcporter skill enables developers to manage and call Model Context Protocol (MCP) servers directly from Claude. It provides commands to list available servers, call their tools with arguments, and handle authentication and daemon lifecycle. Use this skill for integrating and testing MCP server functionality in your development workflow.

View skill

adk-deployment-specialist

Development

This skill deploys and orchestrates Vertex AI ADK agents using A2A protocol, managing AgentCard discovery, task submission, and supporting tools like Code Execution Sandbox and Memory Bank. It enables building multi-agent systems with sequential, parallel, or loop orchestration patterns in Python, Java, or Go. Use it when asked to deploy ADK agents or orchestrate agent workflows on Google Cloud.

View skill