security-audit-codebase
Acerca de
Esta habilidad realiza auditorías de seguridad automatizadas en bases de código para detectar secretos expuestos, dependencias vulnerables y problemas del Top 10 de OWASP como fallos de inyección. Está diseñada para usarse antes del despliegue, durante revisiones periódicas o al prepararse para auditorías de cumplimiento. La herramienta opera con permisos de Lectura, Escritura, Edición, Bash, Grep y Glob para escanear e identificar riesgos de seguridad de manera sistemática.
Instalación rápida
Claude Code
Recomendadonpx skills add pjt222/agent-almanac -a claude-code/plugin add https://github.com/pjt222/agent-almanacgit clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/security-audit-codebaseCopia y pega este comando en Claude Code para instalar esta habilidad
Documentación
Security Audit Codebase
Run systematic security review of codebase. Find vulnerabilities + exposed secrets.
When Use
- Before publishing or deploying project
- Periodic security review of existing projects
- After adding auth, API integration, user input handling
- Before open-sourcing private repo
- Prepping for security compliance audit
Inputs
- Required: Codebase to audit
- Optional: Specific focus area (secrets, deps, injection, auth)
- Optional: Compliance framework (OWASP, ISO 27001, SOC 2)
- Optional: Previous audit findings for comparison
Steps
Step 1: Scan for Exposed Secrets
Search for patterns that indicate hardcoded secrets.
# API keys and tokens
grep -rn "sk-\|ghp_\|gho_\|github_pat_\|hf_\|AKIA" --include="*.{md,js,ts,py,R,json,yml,yaml}" .
# Generic secret patterns
grep -rn "password\s*=\s*['\"]" --include="*.{js,ts,py,R,json}" .
grep -rn "api[_-]key\s*[=:]\s*['\"]" --include="*.{js,ts,py,R,json}" .
grep -rn "secret\s*[=:]\s*['\"]" --include="*.{js,ts,py,R,json}" .
# Connection strings
grep -rn "postgresql://\|mysql://\|mongodb://" .
# Private keys
grep -rn "BEGIN.*PRIVATE KEY" .
Got: No real secrets found — only placeholders like YOUR_TOKEN_HERE or [email protected].
If fail: Real secrets found? Remove immediately, rotate exposed credential, clean git history with git filter-branch or git-filter-repo. Treat any exposed secret as compromised.
Step 2: Check .gitignore Coverage
Verify sensitive files excluded.
# Check that these are git-ignored
git check-ignore .env .Renviron credentials.json node_modules/
# Look for tracked sensitive files
git ls-files | grep -i "\.env\|\.renviron\|credentials\|secret"
Got: All sensitive files (.env, .Renviron, credentials.json) listed in .gitignore, git ls-files returns no tracked sensitive files.
If fail: Sensitive files tracked? Run git rm --cached <file> to untrack, add to .gitignore, commit. File stays on disk but no longer version-controlled.
Step 3: Audit Dependencies
Node.js.
npm audit
npx audit-ci --moderate
Python.
pip-audit
safety check
R.
# Check for known vulnerabilities in packages
# No built-in tool, but verify package sources
renv::status()
Got: No high or critical vulnerabilities in deps. Moderate + low documented for review.
If fail: Critical vulnerabilities found? Update affected packages immediately with npm audit fix or pip install --upgrade. Updates introduce breaking changes? Document vulnerability, create remediation plan.
Step 4: Check for Injection Vulnerabilities
SQL Injection.
# Look for string concatenation in queries
grep -rn "paste.*SELECT\|paste.*INSERT\|paste.*UPDATE\|paste.*DELETE" --include="*.R" .
grep -rn "query.*\+.*\|query.*\$\{" --include="*.{js,ts}" .
All database queries should use parameterized queries, not string concatenation.
Command Injection.
# Look for shell execution with user input
grep -rn "system\(.*paste\|exec(\|spawn(" --include="*.{R,js,ts,py}" .
XSS (Cross-Site Scripting).
# Look for unescaped user content in HTML
grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html" --include="*.{js,ts,jsx,tsx,vue}" .
Got: No SQL, command, or XSS injection vectors found. All queries use parameterized statements, shell commands avoid user-controlled input, HTML output properly escaped.
If fail: Injection vulnerabilities found? Replace string concat in queries with parameterized queries, sanitize or escape user input before shell exec, use framework-safe rendering instead of innerHTML or dangerouslySetInnerHTML.
Step 5: Review Authentication and Authorization
Checklist.
- Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
- Session tokens random + sufficiently long
- Auth tokens have expiration
- API endpoints check authorization
- CORS configured restrictively
- CSRF protection enabled for state-changing operations
Got: All checklist items pass: passwords use strong hashing, tokens random with expiration, endpoints enforce authorization, CORS restrictive, CSRF protection active.
If fail: Prioritize fixes by severity: weak password hashing + missing authorization = critical, CORS + CSRF = high. Document all findings with severity.
Step 6: Check Configuration Security
# Debug mode in production configs
grep -rn "debug\s*[=:]\s*[Tt]rue\|DEBUG\s*=\s*1" --include="*.{json,yml,yaml,toml,cfg}" .
# Permissive CORS
grep -rn "Access-Control-Allow-Origin.*\*\|cors.*origin.*\*" --include="*.{js,ts}" .
# HTTP instead of HTTPS
grep -rn "http://" --include="*.{js,ts,py,R}" . | grep -v "localhost\|127.0.0.1\|http://"
Got: Debug mode disabled in prod configs, CORS does not use wildcard origins in prod, all external URLs use HTTPS.
If fail: Debug mode enabled in prod configs? Disable immediately. Replace wildcard CORS origins with explicit allowed domains. Update http:// URLs to https:// where endpoint supports.
Step 7: Document Findings
Create audit report.
# Security Audit Report
**Date**: YYYY-MM-DD
**Auditor**: [Name]
**Scope**: [Repository/Project]
**Status**: [PASS/FAIL/CONDITIONAL]
## Findings Summary
| Category | Status | Details |
|----------|--------|---------|
| Exposed secrets | PASS | No secrets found |
| .gitignore | PASS | Sensitive files excluded |
| Dependencies | WARN | 2 moderate vulnerabilities |
| Injection | PASS | Parameterized queries used |
| Auth/AuthZ | N/A | No authentication in scope |
| Configuration | PASS | Debug mode disabled |
## Detailed Findings
### Finding 1: [Title]
- **Severity**: Low / Medium / High / Critical
- **Location**: `path/to/file:line`
- **Description**: What was found
- **Recommendation**: How to fix
- **Status**: Open / Resolved
## Recommendations
1. Update dependencies to fix moderate vulnerabilities
2. [Additional recommendations]
Got: Complete SECURITY_AUDIT_REPORT.md saved in project root with findings categorized by severity, each with specific location, description, recommendation.
If fail: Too many findings to document individually? Group by category, prioritize critical/high findings. Generate report regardless of outcome to establish baseline.
Checks
- No hardcoded secrets in source
- .gitignore covers all sensitive files
- No high/critical dep vulnerabilities
- No injection vulnerabilities
- Auth properly implemented (if applicable)
- Audit report complete, findings addressed
Pitfalls
- Only check current files: Secrets in git history still exposed. Check with
git log -p --all -S 'secret_pattern'. - Ignore dev deps: Dev deps can introduce supply chain risks.
- False sense of security from
.gitignore:.gitignoreonly prevents future tracking. Already-committed files needgit rm --cached. - Overlook config files:
docker-compose.yml, CI configs, deploy scripts often contain secrets. - Not rotating compromised credentials: Finding + removing secret not enough. Credential must be revoked + regenerated.
See Also
configure-git-repository- proper .gitignore setupwrite-claude-md- documenting security requirementssetup-gxp-r-project- security in regulated environments
Repositorio GitHub
Habilidades relacionadas
qmd
Desarrolloqmd es una herramienta CLI de búsqueda e indexación local que permite a los desarrolladores indexar y buscar en archivos locales mediante búsqueda híbrida que combina BM25, embeddings vectoriales y reranking. Es compatible tanto con uso desde la línea de comandos como con modo MCP (Model Context Protocol) para integración con Claude. La herramienta utiliza Ollama para los embeddings y almacena los índices localmente, lo que la hace ideal para buscar documentación o bases de código directamente desde la terminal.
subagent-driven-development
DesarrolloEsta habilidad ejecuta planes de implementación asignando un nuevo subagente para cada tarea independiente, con revisión de código entre tareas. Permite una iteración rápida mientras mantiene controles de calidad a través de este proceso de revisión. Úsala cuando trabajes en tareas mayormente independientes dentro de la misma sesión para garantizar un progreso continuo con verificaciones de calidad integradas.
mcporter
DesarrolloLa habilidad mcporter permite a los desarrolladores gestionar y llamar servidores del Protocolo de Contexto de Modelo (MCP) directamente desde Claude. Proporciona comandos para listar servidores disponibles, llamar a sus herramientas con argumentos, y manejar la autenticación y el ciclo de vida del daemon. Utiliza esta habilidad para integrar y probar la funcionalidad de servidores MCP en tu flujo de trabajo de desarrollo.
adk-deployment-specialist
DesarrolloEsta habilidad despliega y orquesta agentes Vertex AI ADK utilizando el protocolo A2A, gestionando el descubrimiento de AgentCard, el envío de tareas y soportando herramientas como el Sandbox de Ejecución de Código y el Banco de Memoria. Permite construir sistemas multiagente con patrones de orquestación secuencial, paralela o en bucle en Python, Java o Go. Úsela cuando se le solicite desplegar agentes ADK u orquestar flujos de trabajo de agentes en Google Cloud.