From sd0x-dev-flow
Conducts OWASP Top 10 security audits and dependency vulnerability checks via Codex MCP. Analyzes git changes and security files like auth/password. Outputs findings report and gates merges.
npx claudepluginhub sd0xdev/sd0x-dev-flow --plugin sd0x-dev-flow

This skill is limited to using the following tools:
- Keywords: security review, OWASP, vulnerability, dep-audit, npm audit, dependency security
Performs OWASP Top 10 security reviews using Codex MCP, supporting iterative review loops with preserved context for code audits.
| Command | Purpose | When |
|---|---|---|
/codex-security | OWASP Top 10 audit | Security-sensitive code |
/dep-audit | Dependency security audit | Periodic / PR |
/codex-security

Determine scope → Collect changes → Codex OWASP review → Findings + Gate → Loop if Must fix
Parse --scope from arguments, default to src/.
Priority order (the first source that yields changes is used):
1. Uncommitted changes against HEAD: git diff HEAD -- <scope> | head -1500
2. Otherwise the last five commits: git diff HEAD~5..HEAD -- <scope> | head -1500
3. Otherwise security-sensitive files by name: Glob("**/*{auth,login,password,token,secret,key,credential}*")

First review: mcp__codex__codex with OWASP prompt. See references/codex-prompt-security.md.
Config: sandbox: 'read-only', approval-policy: 'never'
Save the returned threadId.
Loop review: mcp__codex__codex-reply with re-review template. See references/codex-prompt-security.md.
Organize results into findings summary table + detailed findings + gate.
| Code | Category | Check Focus |
|---|---|---|
| A01 | Broken Access Ctrl | IDOR, permission bypass, CORS |
| A02 | Crypto Failures | Sensitive data encryption, weak crypto |
| A03 | Injection | SQL/NoSQL/Cmd Injection |
| A04 | Insecure Design | Rate Limiting, business logic |
| A05 | Misconfiguration | Debug mode, default passwords |
| A06 | Vulnerable Comp | Known vulnerable dependencies |
| A07 | Auth Failures | Brute force, session, weak passwords |
| A08 | Integrity Failures | Deserialization, CI/CD |
| A09 | Logging Failures | Sensitive data in logs, auditing |
| A10 | SSRF | URL validation, internal network access |
⚠️ @CLAUDE.md auto-loop: fix → re-review → ... → ✅ PASS ⚠️
⛔ Must fix → fix P0 issues → /codex-security --continue <threadId> → repeat until ✅ Mergeable.
Max 3 rounds. Still failing → report blocker.
references/codex-prompt-security.md
references/examples.md

Input: /codex-security --scope src/controller/
Action: OWASP Top 10 check → output issues + Gate
Input: /dep-audit --level high
Action: npm audit → filter high/critical → output report