Audits code for security vulnerabilities, performance issues, accessibility, complexity metrics, and infrastructure security. Use when reviewing code quality, performing security audits, checking OWASP compliance, analyzing complexity, auditing IaC, or finding dead code.
Comprehensive code auditing for security vulnerabilities, performance issues, accessibility, complexity metrics, and infrastructure security. Use when reviewing code quality, performing security audits, checking OWASP compliance, analyzing complexity, auditing IaC, or finding dead code.
/plugin marketplace add mgd34msu/goodvibes-plugin/plugin install goodvibes@goodvibes-marketThis skill inherits all available tools. When active, it can use any tool Claude has access to.
references/complexity-thresholds.mdreferences/iac-security.mdreferences/performance-patterns.mdreferences/security-patterns.mdreferences/wcag-checklist.mdscripts/security_scan.pyComprehensive code auditing for security, performance, accessibility, complexity, and maintainability.
Security audit:
Perform a security audit on this codebase, checking for OWASP Top 10 vulnerabilities.
Complexity analysis:
Analyze cyclomatic and cognitive complexity across the codebase.
Performance review:
Analyze this code for performance issues like N+1 queries, memory leaks, and blocking calls.
| # | Vulnerability | What to Look For |
|---|---|---|
| A01 | Broken Access Control | Missing auth checks, IDOR, privilege escalation |
| A02 | Cryptographic Failures | Weak algorithms, hardcoded secrets, plain text storage |
| A03 | Injection | SQL, NoSQL, OS command, LDAP injection points |
| A04 | Insecure Design | Missing rate limits, business logic flaws |
| A05 | Security Misconfiguration | Debug enabled, default credentials, verbose errors |
| A06 | Vulnerable Components | Outdated dependencies with CVEs |
| A07 | Auth Failures | Weak passwords, missing MFA, session issues |
| A08 | Data Integrity Failures | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | Missing audit logs, log injection, PII in logs |
| A10 | SSRF | Unvalidated URLs, internal network access |
See references/security-patterns.md for language-specific vulnerability patterns.
Patterns to scan for:
# API Keys
(?i)(api[_-]?key|apikey)['":\s]*[=:]\s*['"]?[a-zA-Z0-9_-]{20,}
# AWS
AKIA[0-9A-Z]{16}
(?i)aws[_-]?secret[_-]?access[_-]?key
# Private Keys
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
# Connection Strings
(?i)(mongodb|postgres|mysql|redis):\/\/[^\s'"]+
// VULNERABLE - SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// SAFE - Parameterized
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
Measures independent paths through code:
| Score | Risk Level | Action |
|---|---|---|
| 1-10 | Low | Acceptable |
| 11-20 | Moderate | Consider refactoring |
| 21-50 | High | Refactor recommended |
| 50+ | Very High | Refactor required |
# JavaScript/TypeScript
npx escomplex src/ --format json
# Python
radon cc src/ -a -j
# Multi-language
lizard src/ --CCN 15
Measures mental effort to understand code:
Increment for:
See references/complexity-thresholds.md for language-specific thresholds.
## Complexity Analysis: {module}
### Summary
| Metric | Value | Threshold | Status |
|--------|-------|-----------|--------|
| Avg Cyclomatic | 12.3 | 15 | OK |
| Max Cyclomatic | 45 | 25 | FAIL |
| Avg Cognitive | 8.2 | 15 | OK |
### High-Risk Functions
| Function | File | Cyclomatic | Cognitive |
|----------|------|------------|-----------|
| processOrder | orders.ts:45 | 45 | 52 |
| validateForm | forms.ts:23 | 28 | 31 |
// N+1 PROBLEM
const users = await User.findAll();
for (const user of users) {
const orders = await Order.findAll({ where: { userId: user.id } });
}
// SOLUTION: Eager loading
const users = await User.findAll({
include: [{ model: Order }]
});
| ORM | N+1 Pattern | Fix |
|---|---|---|
| Sequelize | Loop with findAll | include: [] |
| Prisma | Loop with findMany | include: {} |
| Django | Loop with filter | select_related() |
// LEAK: Growing array never cleared
const cache = [];
app.get('/data', (req, res) => {
cache.push(processData(req)); // Never removed!
});
// LEAK: Event listeners not removed
element.addEventListener('click', handler);
// Missing: removeEventListener
# Analyze bundle size
npx webpack-bundle-analyzer stats.json
# Check import costs
npx import-cost src/
# Find large dependencies
npx bundle-phobia-cli lodash
# type-coverage tool
npx type-coverage --detail
# Output:
# 85.23% (1234/1448)
# Uncovered locations:
# src/utils.ts:23:5 - any
# src/api.ts:45:12 - unknown
Coverage targets:
| Project Type | Target | Minimum |
|---|---|---|
| New project | 95%+ | 90% |
| Legacy migration | 80%+ | 70% |
| Strict mode | 100% | 95% |
Common issues:
any usageany in callbacks# Validate OpenAPI spec
npx @redocly/cli lint openapi.yaml
# Generate types from spec
npx openapi-typescript openapi.yaml -o types.ts
# Test API against spec
npx dredd openapi.yaml http://localhost:3000
Contract validation checklist:
# Compare OpenAPI versions
npx oasdiff breaking old-api.yaml new-api.yaml
# Breaking changes detected:
# - Removed endpoint: DELETE /users/{id}
# - Required parameter added: GET /orders
# - Response property removed: User.email
Index usage analysis:
-- PostgreSQL: Find missing indexes
SELECT schemaname, tablename, indexname, idx_scan
FROM pg_stat_user_indexes
WHERE idx_scan = 0;
-- Find slow queries
SELECT query, calls, mean_time
FROM pg_stat_statements
ORDER BY mean_time DESC LIMIT 10;
Normalization issues:
| Issue | Symptom | Fix |
|---|---|---|
| 1NF violation | Multi-value columns | Split to separate table |
| 2NF violation | Partial key dependency | Create junction table |
| 3NF violation | Transitive dependency | Move to related table |
Schema audit checklist:
Audit Infrastructure as Code for security issues.
# tfsec - security scanner
tfsec .
# checkov - policy-as-code
checkov -d .
# terrascan
terrascan scan -i terraform
Common Terraform issues:
| Issue | Example | Fix |
|---|---|---|
| Public S3 buckets | acl = "public-read" | acl = "private" |
| Open security groups | cidr_blocks = ["0.0.0.0/0"] | Restrict to needed IPs |
| Unencrypted resources | Missing encryption config | Enable encryption |
| Hardcoded secrets | password = "secret" | Use variables/secrets manager |
# cfn-lint
cfn-lint template.yaml
# cfn_nag
cfn_nag_scan --input-path template.yaml
See references/iac-security.md for comprehensive IaC patterns.
Perceivable:
Operable:
Understandable:
# axe-core
npx @axe-core/cli https://localhost:3000
# pa11y
npx pa11y https://localhost:3000
# Lighthouse
npx lighthouse https://localhost:3000 --only-categories=accessibility
# JavaScript/TypeScript
npx ts-prune
npx unimported
# Python
vulture src/
# Unused dependencies
npx depcheck
Detect API breaking changes:
# TypeScript API changes
npx api-extractor run --local
# OpenAPI changes
npx oasdiff breaking old.yaml new.yaml
# Package exports
npx publint
Breaking change types:
| Type | Severity | Example |
|---|---|---|
| Removed export | High | Deleted public function |
| Changed signature | High | Added required parameter |
| Type narrowing | Medium | String to enum |
| Behavior change | Medium | Different return value |
# Code Quality Audit Report
**Project:** {name}
**Date:** {date}
## Executive Summary
- Critical Issues: {count}
- High Severity: {count}
- Medium Severity: {count}
## Security Findings
### CRITICAL: SQL Injection in UserController
**File:** src/controllers/user.js:45
**Impact:** Full database compromise
**Fix:** Use parameterized queries
## Complexity Findings
...
## Performance Findings
...
Before commits, validate code quality:
{
"hooks": {
"PreToolUse": [{
"matcher": "Bash",
"command": "check-quality-gates.sh",
"condition": "contains(input, 'git commit')"
}]
}
}
Gate script example:
#!/bin/bash
# check-quality-gates.sh
# Check complexity
complexity=$(npx escomplex src/ --format json | jq '.aggregate.cyclomatic')
if [ "$complexity" -gt 25 ]; then
echo "BLOCK: Cyclomatic complexity too high: $complexity"
exit 1
fi
# Check for secrets
if grep -rE "(api[_-]?key|password)\s*=\s*['\"][^'\"]+['\"]" src/; then
echo "BLOCK: Potential secrets detected"
exit 1
fi
# Check TypeScript errors
if ! npx tsc --noEmit; then
echo "BLOCK: TypeScript errors found"
exit 1
fi
echo "Quality gates passed"
exit 0
Hook response pattern:
interface QualityGateResponse {
passed: boolean;
blockers: Array<{
type: 'security' | 'complexity' | 'type-error';
message: string;
file?: string;
line?: number;
}>;
warnings: string[];
}
After code changes, trigger relevant audits:
name: Code Quality
on: [push, pull_request]
jobs:
quality:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Security Scan
run: |
npm audit --audit-level=high
npx eslint src/ --ext .ts,.js
- name: Complexity Check
run: |
npx escomplex src/ --format json > complexity.json
node -e "
const c = require('./complexity.json');
if (c.aggregate.cyclomatic > 20) {
console.error('Complexity too high');
process.exit(1);
}
"
- name: Type Coverage
run: |
npx type-coverage --at-least 85
- name: IaC Security
if: hashFiles('terraform/**') != ''
run: |
tfsec terraform/
#!/bin/bash
# .git/hooks/pre-commit
# Run linting
npm run lint || exit 1
# Check for secrets
git diff --cached --name-only | xargs grep -l -E "(password|api_key|secret)" && {
echo "Warning: Possible secrets in staged files"
exit 1
}
# Type check
npm run type-check || exit 1
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.