From ai-sdlc-harness
Composes per-repo static security reports combining SAST, dependency CVE scanning, and secret detection. Returns exit code 0 (no medium-or-higher finding), 1 (at least one medium-or-higher finding), or 2 (required tool missing; precondition unmet).
npx claudepluginhub mostashraf/ai-sdlc-harness --plugin ai-sdlc-harness
How this skill is triggered — by the user, by Claude, or both:
Slash command: /ai-sdlc-harness:security-report
The summary Claude sees in its skill listing — used to decide when to auto-load this skill:
Created by: dev-workflow-plan.md [M-18] [IMPL-18-02]
Guides technical evaluation of code review feedback: read fully, restate for understanding, verify against codebase, respond with reasoning or pushback before implementing.
Per-repo composition of static security findings from SAST (bandit / semgrep / gosec / spotbugs / dotnet-analysers), dependency CVE scanners (safety / npm audit / govulncheck / mvn dependency-check), and secret scanners (trufflehog when installed).
Invoked by: commands/security-review.md (P5.5), once per repo lane.
Precondition: language-config.md for the repo declares the language and toolchain.
Authoritative references: provider-resolver, summary-render, timestamp, workflow-paths
Inputs:
- language-config.md for the repo.
- severity-map.md (per-tool map; reduces every tool's severity vocabulary to the canonical high | medium | low).
Output: static-security-report-<repo>.md with three sections: Findings, Severity Counts, Tools Used.
Exit codes: 0 (no finding ≥ medium), 1 (≥ 1 medium-or-higher finding), 2 (tool not installed; precondition unmet).
Tool matrix:
| Language | SAST | Dependency / CVE | Secret scan (optional) |
|---|---|---|---|
| python | bandit -r <repo> | safety check --json | trufflehog filesystem <repo> |
| javascript / typescript | semgrep --config=auto <repo> | npm audit --json | trufflehog |
| go | gosec -fmt=json -quiet ./... | govulncheck -json ./... | trufflehog |
| java | spotbugs -textui <repo>/target/*.jar | mvn dependency-check:aggregate | trufflehog |
| csharp | semgrep --config=auto <repo> | dotnet list package --vulnerable --include-transitive | trufflehog |
Languages not in the table fall back to semgrep --config=auto <repo> (language-agnostic) for SAST and emit dependency: not-scanned (no per-language adapter) for CVE.
Per-tool severity map lives in severity-map.md (sibling file). Canonical levels: high | medium | low. Tools that report a richer scale (e.g. CVSS 0-10) collapse to one of:
- high
- medium
- low
Outputs:
| Destination | Content |
|---|---|
| <workflow_dir>/static-security-report-<repo>.md | Per-repo report (Findings + Severity Counts + Tools Used) |
| Exit code | 0 / 1 / 2 per CC-01.5 |
.error.md entry in the report's Tools Used section.
Failure handling:
| Failure | Detection | Response |
|---|---|---|
| Required tool not installed | which <tool> returns nothing | Exit 2 with [CC-09] required tool <name> not installed for <language>; install or override in language-config.md. |
| Tool produces malformed output | JSON parse fails | Record entry in Tools Used as (parse failed: <cause>); continue with other tools; do not block. |
| Subprocess timeout | subprocess.run timeout=600 | Lane fails BLOCKED; surface verbatim. |
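The composition, severity collapse, exit-code derivation and the two tolerant failure paths above (missing tool, malformed output), as an added example written for this page. It is not the ai-sdlc-harness implementation: the bandit and npm audit adapters, the CVSS thresholds (>= 7.0 high, >= 4.0 medium, else low) and the per-tool severity maps are assumptions standing in for severity-map.md, and the tool outputs embedded below are constructed, not captured from real runs, so the block runs offline.

```python
"""Added example (not ai-sdlc-harness code): compose a per-repo static
security report from tool output, collapse severities to high|medium|low,
and derive the 0/1/2 exit code. Sample tool outputs are constructed."""
import json
import shutil
import subprocess
from dataclasses import dataclass

CANONICAL = ("high", "medium", "low")

# Assumed per-tool severity maps; the real severity-map.md may differ.
BANDIT_MAP = {"HIGH": "high", "MEDIUM": "medium", "LOW": "low"}
NPM_MAP = {"critical": "high", "high": "high", "moderate": "medium",
           "low": "low", "info": "low"}


def cvss_to_level(score: float) -> str:
    """Collapse a CVSS 0-10 score to a canonical level. Thresholds are
    assumed (>= 7.0 high, >= 4.0 medium, else low); the page gives none."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    tool: str
    severity: str
    location: str
    message: str


def parse_bandit(raw: str) -> list:
    """bandit -f json: findings live under 'results'."""
    return [Finding("bandit",
                    BANDIT_MAP.get(str(r.get("issue_severity", "")).upper(), "low"),
                    f"{r['filename']}:{r['line_number']}",
                    f"{r['test_id']} {r['issue_text']}")
            for r in json.loads(raw)["results"]]


def parse_npm_audit(raw: str) -> list:
    """npm audit --json (npm 7+): one entry per package under 'vulnerabilities'.
    'via' holds advisory dicts (direct) or package names (transitive); prefer
    the advisory CVSS score when present, else the severity word."""
    out = []
    for pkg, vuln in json.loads(raw)["vulnerabilities"].items():
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        scores = [a["cvss"]["score"] for a in advisories
                  if isinstance(a.get("cvss"), dict) and a["cvss"].get("score")]
        if scores:
            sev = cvss_to_level(max(scores))
        else:
            sev = NPM_MAP.get(str(vuln.get("severity", "")).lower(), "low")
        title = advisories[0].get("title", "see advisory") if advisories else "transitive"
        out.append(Finding("npm audit", sev, pkg, title))
    return out


PARSERS = {"bandit": parse_bandit, "npm audit": parse_npm_audit}


def run_tool(argv: list, timeout: int = 600):
    """Return raw stdout, or None when the binary is absent (the exit-2 case).
    A timeout raises subprocess.TimeoutExpired, which the lane surfaces verbatim."""
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).stdout


def compose(outputs: dict) -> tuple:
    """outputs: tool name -> raw stdout (None = tool not installed).
    Returns (report_markdown, severity_counts, exit_code)."""
    findings, tools_used, missing = [], [], []
    for tool, raw in outputs.items():
        if raw is None:
            missing.append(tool)
            tools_used.append(f"{tool}: not installed")
            continue
        try:
            parsed = PARSERS[tool](raw)
        except (ValueError, KeyError, TypeError) as exc:  # malformed output: record, continue
            tools_used.append(f"{tool}: (parse failed: {type(exc).__name__})")
            continue
        findings.extend(parsed)
        tools_used.append(f"{tool}: ok ({len(parsed)} findings)")
    counts = {lvl: sum(1 for f in findings if f.severity == lvl) for lvl in CANONICAL}
    if missing:
        code = 2  # precondition unmet; assumed to take precedence over findings
    elif counts["high"] + counts["medium"] > 0:
        code = 1
    else:
        code = 0
    report = ["## Findings"]
    report += [f"- [{f.severity}] {f.tool} {f.location}: {f.message}" for f in findings] or ["- none"]
    report += ["", "## Severity Counts"] + [f"- {lvl}: {n}" for lvl, n in counts.items()]
    report += ["", "## Tools Used"] + [f"- {t}" for t in tools_used]
    return "\n".join(report), counts, code


# Constructed sample outputs (not captured from real tool runs).
BANDIT_SAMPLE = json.dumps({"results": [
    {"filename": "app/db.py", "line_number": 12, "test_id": "B608", "issue_severity": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/run.py", "line_number": 40, "test_id": "B602", "issue_severity": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."}]})
NPM_SAMPLE = json.dumps({"vulnerabilities": {
    "lodash": {"severity": "high", "via": [{"title": "Prototype Pollution", "cvss": {"score": 7.4}}]},
    "minimist": {"severity": "low", "via": [{"title": "Prototype Pollution", "cvss": {"score": 3.7}}]},
    "express": {"severity": "high", "via": ["lodash"]}}})

if __name__ == "__main__":
    text, _, exit_code = compose({"bandit": BANDIT_SAMPLE, "npm audit": NPM_SAMPLE})
    print(text)
    print(f"exit code: {exit_code}")
```

Parse failures are recorded in Tools Used and never block the report, matching the failure table, while a missing binary forces exit 2 even when other tools ran cleanly; the subprocess timeout is left to propagate so the lane can fail BLOCKED with the verbatim error.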
Related:
- commands/security-review.md — orchestrator entry point that invokes this skill per repo.
- metrics-collector — counts findings into _metrics-log.csv columns security_findings_high|medium|low (M-18 IMPL-18-05 schema bump 1.0.0 → 1.1.0).