npx claudepluginhub yi-john-huang/sdd-mcpThis skill uses the workspace's default tool permissions.
Perform comprehensive security audits aligned with OWASP Top 10 and security best practices. Identify vulnerabilities before they reach production.
Audits codebases for OWASP Top 10 vulnerabilities including broken access control, cryptographic failures, injections, insecure design, and misconfigurations using targeted grep and bash checks.
Audits codebases for vulnerabilities, OWASP Top 10 issues, and security anti-patterns. Checks Claude Code file denial settings first and invokes security subagent.
Scans codebases for OWASP Top 10 vulnerabilities via static analysis: secret exposure, injection flaws, auth/authz gaps, supply-chain risks, misconfigurations, logging failures. Use before deployments, PR merges, auth/payment changes.
Share bugs, ideas, or general feedback.
Perform comprehensive security audits aligned with OWASP Top 10 and security best practices. Identify vulnerabilities before they reach production.
Security is not a feature—it's a requirement. Every code change should be reviewed through a security lens.
Check for:
Pattern: Ensure every endpoint has explicit authorization checks.
Check for:
Pattern: Use strong algorithms (bcrypt for passwords, AES-256 for data).
Check for:
Pattern: Never interpolate user input into queries or commands.
Check for:
Check for:
Required Headers: CSP, X-Frame-Options, X-Content-Type-Options, HSTS
npm auditCheck for:
Session Config: secure=true, httpOnly=true, sameSite='strict'
Check for:
Check for:
Required Events: Auth attempts, auth failures, admin actions, data access anomalies
Check for:
Pattern: Use URL allowlists for server-side requests.
/sdd-security-check src/api/ # Check API layer
/sdd-security-check src/auth/ # Focus on authentication
/sdd-security-check HEAD~5..HEAD # Check recent changes
Run these checks:
# Dependency vulnerabilities
npm audit
# Secret detection
npx gitleaks detect
# SAST scan if configured
npx semgrep --config=p/security-audit
For each file, check:
# Security Audit Report: {scope}
## Summary
- 🔴 Critical: {count}
- 🟠 High: {count}
- 🟡 Medium: {count}
- 🟢 Low: {count}
## Critical Findings
### SEC-001: {Finding Title}
**Location**: {file:line}
**Risk**: Critical
**OWASP**: {category}
**Issue**: {description}
**Recommendation**: {fix}
## Remediation Priority
1. Critical findings - Fix immediately
2. High findings - Fix before deployment
3. Medium findings - Fix this sprint
4. Low findings - Track and schedule
Before any deployment:
When checking implementation against spec: