From jaan-to
Generates targeted security fixes with regression tests from detect-dev SARIF findings. Use when remediating vulnerabilities after a security audit.
npx claudepluginhub parhumm/jaan-to --plugin jaan-to
How this skill is triggered — by the user, by Claude, or both
Slash command
/jaan-to:sec-audit-remediate [detect-dev-output] [backend-scaffold | frontend-scaffold]
This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
> Generate targeted security fixes from detect-dev SARIF findings with regression tests.
Generate targeted security fixes from detect-dev SARIF findings with regression tests.
- $JAAN_LEARN_DIR/jaan-to-sec-audit-remediate.learn.md - Past lessons (loaded in Pre-Execution)
- $JAAN_TEMPLATES_DIR/jaan-to-sec-audit-remediate.template.md - Output template
- $JAAN_CONTEXT_DIR/tech.md - Tech stack (optional, auto-imported if exists)
  #current-stack, #frameworks, #constraints, #patterns
- ${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md - Language resolution protocol
- ${CLAUDE_PLUGIN_ROOT}/docs/research/73-dev-sarif-security-remediation-automation.md - SARIF 2.1.0 parsing, CWE-to-fix mapping, remediation patterns
- ${CLAUDE_PLUGIN_ROOT}/docs/research/72-dev-secure-backend-scaffold-hardening.md - jose JWT, httpOnly cookies, CSRF, rate limiting, OWASP Top 10
Output path: $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
DAG position: detect-dev + backend-scaffold + frontend-scaffold --> sec-audit-remediate --> devops-infra-scaffold (security in CI)
Arguments: $ARGUMENTS
Parse arguments to identify:
- $JAAN_OUTPUTS_DIR/detect/dev/security.md or a .sarif file)
- backend-scaffold or frontend-scaffold (determines which code to cross-reference for fixes)
If no arguments provided, search for detect-dev outputs:
- $JAAN_OUTPUTS_DIR/detect/dev/security*.md
- $JAAN_OUTPUTS_DIR/detect/dev/summary*.md
MANDATORY — Read and execute ALL steps in: ${CLAUDE_PLUGIN_ROOT}/docs/extending/pre-execution-protocol.md
Skill name: sec-audit-remediate
Execute: Step 0 (Init Guard) → A (Load Lessons) → B (Resolve Template) → C (Offer Template Seeding)
Also read tech context if available:
- $JAAN_CONTEXT_DIR/tech.md - Know the tech stack for relevant fixes
Read and apply language protocol: ${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md
Override field for this skill: language_sec-audit-remediate
Language exception: Generated code output (fix files, test files, code blocks, schemas) is NOT affected by this setting and remains in the project's programming language.
ultrathink
Use extended reasoning for:
Read the detect-dev output file(s) provided in $ARGUMENTS.
For each finding, extract:
Sort all findings by severity (Critical first, then High, Medium, Low):
FINDINGS PARSED
---------------
Critical: {n} | High: {n} | Medium: {n} | Low: {n}
ID         Severity  CWE     File                      Description
E-DEV-001  Critical  CWE-89  src/api/users.ts:42       SQL injection in query
E-DEV-003  High      CWE-79  src/views/profile.tsx:18  XSS in user content
...
Group findings by CWE category and assign fix strategy:
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "CWE-to-Fix Category Mapping" for CWE categories, fix strategies, complexity, and auto-fix eligibility.
If scaffold output is provided (backend-scaffold or frontend-scaffold):
If no scaffold reference, work directly with finding file paths.
For each finding, determine:
| Field | Description |
|---|---|
| Finding ID | From detect-dev output |
| Fix Type | Code replacement / New middleware / Config change / Dependency update |
| Fix File | Path to the fix file to generate |
| Test File | Path to the regression test to generate |
| Dependencies | New packages needed (e.g., dompurify, csurf) |
| Breaking Changes | Whether the fix changes API behavior |
| Complexity | Low / Medium / High |
Apply the severity/confidence triage matrix:
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "Triage Matrix" for severity/confidence decision grid.
Present the remediation plan and ask:
REMEDIATION PLAN
----------------
Total findings: {n}
Auto-fix eligible: {n} (Critical/High + Confirmed/Firm confidence)
Manual review needed: {n} (Medium confidence or complex fixes)
Skipped: {n} (Low confidence or informational)
FINDINGS TO REMEDIATE:
[x] E-DEV-001 Critical CWE-89 SQL injection -> parameterized query [auto-fix]
[x] E-DEV-003 High CWE-79 XSS vulnerability -> DOMPurify sanitize [auto-fix]
[x] E-DEV-007 High CWE-352 Missing CSRF -> csrf middleware [auto-fix]
[x] E-DEV-012 High CWE-327 Weak hash (MD5) -> SHA-256 replacement [auto-fix]
[ ] E-DEV-015 Medium CWE-862 Missing auth check -> RBAC guard [needs design]
[ ] E-DEV-018 Low CWE-798 Hardcoded API key -> env variable [manual]
New dependencies needed: dompurify, @types/dompurify, csurf
Estimated fix files: {n}
Estimated test files: {n}
"Which findings should I remediate? [all-auto / select / all]"
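The parse, sort and triage steps above, as an added example that is not part of the jaan-to plugin's own code. It assumes each SARIF 2.1.0 result carries `properties.severity`, `properties.confidence` and `properties.cwe` (an assumed convention, not a documented detect-dev schema), and that anything not covered by the plan's auto-fix or skipped rules goes to manual review; the sample findings are constructed.

```javascript
// Builds one constructed SARIF result. properties.severity/confidence/cwe are an
// assumed convention for this example, not a documented detect-dev schema.
const mk = (ruleId, severity, confidence, cwe, uri, startLine, text) => ({
  ruleId, message: { text }, properties: { severity, confidence, cwe },
  locations: [{ physicalLocation: { artifactLocation: { uri }, region: { startLine } } }],
});

const sampleSarif = { version: "2.1.0", runs: [{ tool: { driver: { name: "detect-dev" } }, results: [
  mk("E-DEV-018", "Low", "Firm", "CWE-798", "src/config.ts", 7, "Hardcoded API key"),
  mk("E-DEV-003", "High", "Firm", "CWE-79", "src/views/profile.tsx", 18, "XSS in user content"),
  mk("E-DEV-015", "Medium", "Medium", "CWE-862", "src/api/admin.ts", 30, "Missing auth check"),
  mk("E-DEV-001", "Critical", "Confirmed", "CWE-89", "src/api/users.ts", 42, "SQL injection in query"),
  mk("E-DEV-020", "High", "Low", "CWE-327", "src/lib/hash.ts", 5, "Weak hash (MD5)"),
  { ruleId: "E-DEV-021", message: { text: "No location or properties" } }, // malformed on purpose
] }] };

const SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown"];

// Flatten every run's results into per-finding fields, sorted Critical first.
function parseFindings(sarif) {
  return (sarif.runs ?? []).flatMap((run) => (run.results ?? []).map((r) => {
    const loc = r.locations?.[0]?.physicalLocation;
    const p = r.properties ?? {};
    return {
      id: r.ruleId ?? "unknown",
      severity: SEVERITY_ORDER.includes(p.severity) ? p.severity : "Unknown",
      confidence: p.confidence ?? null,
      cwe: p.cwe ?? null,
      file: loc ? `${loc.artifactLocation?.uri}:${loc.region?.startLine ?? "?"}` : null,
      description: r.message?.text ?? "",
    };
  })).sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
}

// Critical/High with Confirmed/Firm confidence is auto-fix; Low confidence is skipped;
// everything else, including findings with missing fields, goes to manual review.
function triage(f) {
  if (f.confidence === "Low") return "skipped";
  const severe = f.severity === "Critical" || f.severity === "High";
  const sure = f.confidence === "Confirmed" || f.confidence === "Firm";
  return severe && sure ? "auto-fix" : "manual";
}

function buildPlan(sarif) {
  const plan = { "auto-fix": [], manual: [], skipped: [] };
  for (const f of parseFindings(sarif)) plan[triage(f)].push(f.id);
  return plan;
}
console.log(buildPlan(sampleSarif));
```

A malformed result (no `properties`, no location) lands in manual review rather than being dropped, so a parsing gap never silently removes a finding from the plan.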
Present complete remediation summary:
REMEDIATION SUMMARY
-------------------
Findings to fix: {n}
Fix files to generate: {n}
Test files to generate: {n}
New dependencies: {list}
Breaking changes: {yes/no, details}
OUTPUT STRUCTURE:
$JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
  {id}-{slug}.md              <- Remediation report
  {id}-{slug}-readme.md       <- Integration instructions
  fixes/
    auth-middleware.ts        <- Fix: missing auth
    rate-limiter.ts           <- Fix: rate limiting
    csrf-protection.ts        <- Fix: CSRF
    sanitize-input.ts         <- Fix: XSS/injection
    ...
  tests/
    auth-security.test.ts     <- Test: auth fixes
    rate-limit.test.ts        <- Test: rate limiting
    csrf.test.ts              <- Test: CSRF
    xss-prevention.test.ts    <- Test: XSS
    ...
"Proceed with generating {n} fix files and {n} test files? [y/n]"
Do NOT proceed to Phase 2 without explicit approval.
source "${CLAUDE_PLUGIN_ROOT}/scripts/lib/id-generator.sh"
SUBDOMAIN_DIR="$JAAN_OUTPUTS_DIR/sec/remediate"
mkdir -p "$SUBDOMAIN_DIR"
NEXT_ID=$(generate_next_id "$SUBDOMAIN_DIR")
OUTPUT_FOLDER="${SUBDOMAIN_DIR}/${NEXT_ID}-${slug}"
MAIN_FILE="${OUTPUT_FOLDER}/${NEXT_ID}-${slug}.md"
mkdir -p "$OUTPUT_FOLDER/fixes"
mkdir -p "$OUTPUT_FOLDER/tests"
Output Configuration
- ID: {NEXT_ID}
- Folder: $JAAN_OUTPUTS_DIR/sec/remediate/{NEXT_ID}-{slug}/
- Main file: {NEXT_ID}-{slug}.md
- Fixes dir: fixes/
- Tests dir: tests/
For each finding selected for remediation, generate a targeted fix file in fixes/.
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "Per-CWE Fix Generation Patterns" for CWE-specific fix generation instructions (CWE-79 through CWE-862).
Name fix files descriptively based on the vulnerability type:
- {vulnerability-type}.ts (e.g., sql-injection-fix.ts, csrf-protection.ts, xss-sanitizer.ts)
Each fix file includes:
For each Critical and High finding that was fixed, generate a regression test in tests/.
For each fix, generate tests covering:
Reference: ${CLAUDE_PLUGIN_ROOT}/docs/research/73-dev-sarif-security-remediation-automation.md section "Regression Test Generation for Security Fixes".
- {vulnerability-type}.test.ts (e.g., sql-injection.test.ts, xss-prevention.test.ts)
Each test file includes:
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "CWE-Specific Test Patterns" for per-CWE test payloads and verification patterns.
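What a fix paired with its regression check can look like for the CWE-89 finding (SQL injection -> parameterized query), as an added example that is not taken from the plugin's reference patterns. The function names, the `users` table and the `{ text, values }` query shape with PostgreSQL-style `$1` placeholders are assumptions made for illustration; the inputs are constructed.

```javascript
// Before: the pattern the finding flags. User input is concatenated into the SQL text.
function findUserVulnerable(email) {
  return { text: "SELECT id, email FROM users WHERE email = '" + email + "'", values: [] };
}

// After: the SQL text is a constant; input travels only as a bound parameter.
function findUserFixed(email) {
  if (typeof email !== "string" || email.length > 254) {
    throw new TypeError("invalid email");
  }
  return { text: "SELECT id, email FROM users WHERE email = $1", values: [email] };
}

// Regression property: the query text must not change with the input.
// If any input can alter the text, the query structure is attacker-influenced.
function queryTextIsInputIndependent(buildQuery, inputs) {
  const texts = new Set(inputs.map((input) => buildQuery(input).text));
  return texts.size === 1;
}

// Constructed inputs: one benign value and two containing SQL metacharacters.
const regressionInputs = ["alice@example.com", "x' OR '1'='1", "a'; --"];

function runRegression() {
  return {
    vulnerableIsSafe: queryTextIsInputIndependent(findUserVulnerable, regressionInputs),
    fixedIsSafe: queryTextIsInputIndependent(findUserFixed, regressionInputs),
    // The bound value must reach the driver byte-for-byte, not escaped or truncated.
    valuesPreserved: regressionInputs.every((i) => findUserFixed(i).values[0] === i),
  };
}

console.log(runRegression());
```

The check needs no database, so it can run in CI on every commit and fails as soon as someone reintroduces string concatenation into the query builder.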
Write the main report file: {id}-{slug}.md
Use template from: $JAAN_TEMPLATES_DIR/jaan-to-sec-audit-remediate.template.md
Fill template variables:
- {{title}} - "Security Remediation Report" + project name
- {{date}} - Current date (YYYY-MM-DD)
- {{executive_summary}} - BLUF of findings fixed, risk reduction estimate
- {{findings_table}} - All findings with status (fixed/pending/skipped)
- {{fixes_generated}} - List of fix files with descriptions
- {{tests_generated}} - List of test files with descriptions
- {{new_dependencies}} - Dependencies to install
- {{risk_reduction}} - Estimated risk reduction percentage
- {{remaining_findings}} - Findings not addressed and why
Write the readme file: {id}-{slug}-readme.md
Include:
Before writing, verify:
Coverage:
Fix Quality:
Test Quality:
Report Quality:
Output Structure:
If any check fails, revise before preview.
Show file listing with sizes:
OUTPUT FILES
------------
$JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
  {id}-{slug}.md              (remediation report)
  {id}-{slug}-readme.md       (integration instructions)
  fixes/
    {fix-file-1}.ts           (CWE-89: SQL injection fix)
    {fix-file-2}.ts           (CWE-79: XSS sanitization)
    ...
  tests/
    {test-file-1}.test.ts     (SQL injection regression)
    {test-file-2}.test.ts     (XSS prevention regression)
    ...
Total: {n} files
"Write all {n} files to $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/? [y/n]"
If approved:
Create output folder and subdirectories
Write all fix files to fixes/
Write all test files to tests/
Write remediation report
Write integration instructions
Update subdomain index:
source "${CLAUDE_PLUGIN_ROOT}/scripts/lib/index-updater.sh"
add_to_index \
"$SUBDOMAIN_DIR/README.md" \
"$NEXT_ID" \
"${NEXT_ID}-${slug}" \
"{Title}" \
"{Executive summary text}"
Output written to: $JAAN_OUTPUTS_DIR/sec/remediate/{NEXT_ID}-{slug}/
Index updated: $JAAN_OUTPUTS_DIR/sec/remediate/README.md
Fix files: {n} | Test files: {n} | Report: 1 | Readme: 1
"Any feedback on the security remediation? [y/n]"
If yes:
"[1] Fix now [2] Learn for future [3] Both"
/jaan-to:learn-add sec-audit-remediate "{feedback}"