ReddRadar
Agent skill
security-audit
OWASP Top 10 and STRIDE security auditing with supply chain analysis. Triggers on "security audit", "security scan", "cso".
Install this agent skill to your Project
npx add-skill https://github.com/catlog22/Claude-Code-Workflow/tree/main/.claude/skills/security-audit
SKILL.md
Security Audit
4-phase security audit covering supply chain risks, OWASP Top 10 code review, STRIDE threat modeling, and trend-tracked reporting. Produces structured JSON findings in .workflow/.security/.
Architecture Overview
+-------------------------------------------------------------------+
| Phase 1: Supply Chain Scan |
| -> Dependency audit, secrets detection, CI/CD review, LLM risks |
| -> Output: supply-chain-report.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 2: OWASP Review |
| -> OWASP Top 10 2021 code-level analysis via ccw cli |
| -> Output: owasp-findings.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 3: Threat Modeling (STRIDE) |
| -> 6 threat categories mapped to architecture components |
| -> Output: threat-model.json |
+-----------------------------------+-------------------------------+
|
+-----------------------------------v-------------------------------+
| Phase 4: Report & Tracking |
| -> Score calculation, trend comparison, dated report |
| -> Output: .workflow/.security/audit-report-{date}.json |
+-------------------------------------------------------------------+
Key Design Principles
- Infrastructure-first: Phase 1 catches low-hanging fruit (leaked secrets, vulnerable deps) before deeper analysis
- Standards-based: OWASP Top 10 2021 and STRIDE provide systematic coverage
- Scoring gates: Daily quick-scan must score 8/10; comprehensive audit minimum 2/10 for initial baseline
- Trend tracking: Each audit compares against prior results in
.workflow/.security/
Execution Flow
Quick-Scan Mode (daily)
Run Phase 1 only. Must score >= 8/10 to pass.
Comprehensive Mode (full audit)
Run all 4 phases sequentially. Initial baseline minimum 2/10.
Phase Sequence
- Phase 1: Supply Chain Scan -- phases/01-supply-chain-scan.md
- Dependency audit (npm audit / pip-audit / safety check)
- Secrets detection (API keys, tokens, passwords in source)
- CI/CD config review (injection risks in workflow YAML)
- LLM/AI prompt injection check
- Phase 2: OWASP Review -- phases/02-owasp-review.md
- Systematic OWASP Top 10 2021 code review
- Uses
ccw cli --tool gemini --mode analysis --rule analysis-assess-security-risks
- Phase 3: Threat Modeling -- phases/03-threat-modeling.md
- STRIDE threat model mapped to architecture components
- Trust boundary identification and attack surface assessment
- Phase 4: Report & Tracking -- phases/04-report-tracking.md
- Score calculation with severity weights
- Trend comparison with previous audits
- Date-stamped report to
.workflow/.security/
Scoring Overview
See specs/scoring-gates.md for full specification.
| Severity | Weight | Example |
|---|---|---|
| Critical | 10 | RCE, SQL injection, leaked credentials |
| High | 7 | Broken auth, SSRF, privilege escalation |
| Medium | 4 | XSS, CSRF, verbose error messages |
| Low | 1 | Missing headers, informational disclosures |
Gates: Daily quick-scan >= 8/10, Comprehensive initial >= 2/10.
Directory Setup
mkdir -p .workflow/.security
WORK_DIR=".workflow/.security"
Output Structure
.workflow/.security/
audit-report-{YYYY-MM-DD}.json # Dated audit report
supply-chain-report.json # Latest supply chain scan
owasp-findings.json # Latest OWASP findings
threat-model.json # Latest STRIDE threat model
Reference Documents
| Document | Purpose |
|---|---|
| phases/01-supply-chain-scan.md | Dependency, secrets, CI/CD, LLM risk scan |
| phases/02-owasp-review.md | OWASP Top 10 2021 code review |
| phases/03-threat-modeling.md | STRIDE threat modeling |
| phases/04-report-tracking.md | Report generation and trend tracking |
| specs/scoring-gates.md | Scoring system and quality gates |
| specs/owasp-checklist.md | OWASP Top 10 detection patterns |
Completion Status Protocol
This skill follows the Completion Status Protocol defined in _shared/SKILL-DESIGN-SPEC.md sections 13-14.
Possible termination statuses:
- DONE: All phases completed, score calculated, report generated
- DONE_WITH_CONCERNS: Audit completed but findings exceed acceptable thresholds
- BLOCKED: Required tools unavailable (e.g., npm/pip not installed), permission denied
- NEEDS_CONTEXT: Ambiguous project scope, unclear trust boundaries
Escalation follows the Three-Strike Rule (section 14) per step.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
catlog22/Claude-Code-Workflow
investigate
Chain-loaded investigation. 5-phase Iron Law methodology with root cause gate.
catlog22/Claude-Code-Workflow
workflow-plan
Chain-loaded workflow planning. 6-phase with mode routing and conflict detection.
catlog22/Claude-Code-Workflow
review-cycle
Chain-loaded review cycle. 3-mode routing for session, module, or fix review.
catlog22/Claude-Code-Workflow
workflow-tdd-plan
Chain-loaded TDD planning. 7-phase with Red-Green-Refactor task generation.
catlog22/Claude-Code-Workflow
spec-generator
Chain-loaded spec generation. 8-phase with quality gate loop and auto-fix.
catlog22/Claude-Code-Workflow
brainstorm
Chain-loaded brainstorming. 4-phase dual-mode with auto multi-role and single-role paths.
Didn't find tool you were looking for?