From web-audit-tools
Comprehensive DevSecOps security audit that launches multiple specialized agents in parallel. Covers secrets, SAST, SCA, container security, and IaC scanning based on OWASP DevSecOps Guideline.
npx claudepluginhub naporin0624/seo-claude-plugins --plugin web-audit-tools# DevSecOps Security Audit You are conducting a comprehensive security audit based on the OWASP DevSecOps Guideline. Deploy specialized security agents in parallel to maximize coverage and efficiency. ## Target Audit path: `$ARGUMENTS` (default: current directory) ## Phase 1: Pre-commit Security (Secrets Detection) Launch the gitleaks-agent to scan for hardcoded secrets: ## Phase 2: Build Security - SAST Launch the semgrep-agent for static application security testing: ## Phase 3: Build Security - SCA & Container Launch trivy-agent for dependency and container scanning: Laun...
/devsecops-auditComprehensive DevSecOps security audit that launches multiple specialized agents in parallel. Covers secrets, SAST, SCA, container security, and IaC scanning based on OWASP DevSecOps Guideline.
You are conducting a comprehensive security audit based on the OWASP DevSecOps Guideline. Deploy specialized security agents in parallel to maximize coverage and efficiency.
Audit path: $ARGUMENTS (default: current directory)
Launch the gitleaks-agent to scan for hardcoded secrets:
Task: gitleaks-agent
Prompt: Scan the codebase at "$ARGUMENTS" for hardcoded secrets, API keys, credentials, and sensitive data. Use the secret-scanner skill and report all findings with severity and remediation guidance.
Launch the semgrep-agent for static application security testing:
Task: semgrep-agent
Prompt: Perform static application security testing (SAST) on the codebase at "$ARGUMENTS". Use the sast-runner skill with security-audit config. Focus on OWASP Top 10 vulnerabilities: injection flaws, XSS, insecure deserialization, and security anti-patterns.
Launch trivy-agent for dependency and container scanning:
Task: trivy-agent
Prompt: Scan dependencies and container images at "$ARGUMENTS" for known vulnerabilities. Use sca-runner for dependency scanning and container-scanner for any Dockerfiles found. Report CVEs with CVSS scores and fix availability.
Launch hadolint-agent for Dockerfile security:
Task: hadolint-agent
Prompt: Lint all Dockerfiles found at "$ARGUMENTS" for security best practices. Use container-scanner lint command. Check for running as root, unpinned versions, and security misconfigurations.
Launch tfsec-agent for infrastructure as code security:
Task: tfsec-agent
Prompt: Scan Infrastructure as Code at "$ARGUMENTS" for security misconfigurations. Use iac-scanner to check Terraform, Kubernetes manifests, and CloudFormation templates. Focus on public resources, missing encryption, and overly permissive IAM.
After all agents complete, create a consolidated report:
# DevSecOps Security Audit Report
**Target**: [path]
**Date**: [timestamp]
**Duration**: [time]
## Executive Summary
| Phase | Tool | Critical | High | Medium | Low |
|-------|------|----------|------|--------|-----|
| Secrets | Gitleaks | X | X | X | X |
| SAST | Semgrep | X | X | X | X |
| SCA | Trivy | X | X | X | X |
| Container | Hadolint | X | X | X | X |
| IaC | tfsec | X | X | X | X |
| **Total** | | **X** | **X** | **X** | **X** |
## Critical Findings (Immediate Action Required)
### 1. [Finding Title]
- **Source**: [Agent/Tool]
- **Severity**: Critical
- **Location**: [file:line]
- **Description**: [details]
- **Remediation**: [fix]
## High Severity Findings
[List high severity findings...]
## Remediation Priority
1. [ ] [Critical finding 1]
2. [ ] [Critical finding 2]
3. [ ] [High finding 1]
...
## Tool Coverage
- [ ] Gitleaks - Secret Detection
- [ ] Semgrep - SAST
- [ ] Trivy - SCA/Container
- [ ] Hadolint - Dockerfile
- [ ] tfsec/Checkov - IaC
## Next Steps
1. Address critical findings immediately
2. Create tickets for high severity issues
3. Schedule remediation for medium/low findings
4. Re-run audit after fixes