drive-security
Install: claude install-skill 0xdeafcafe/skills
# drive-security - security audit on touched files
drive-security looks at the PR's diff and asks: did this change open a
door that was closed? Did it leave a secret in the repo? Did it ship a
dependency with a known CVE? Did it skip an authorization check on a
route that needs one?
It runs the project's vulnerability tooling, walks each touched file
through a focused checklist, and produces a severity-ranked report.
Mechanical fixes get a recommendation, not an auto-fix.
## Phase 0 - Scope
Scope from `gh pr diff --name-only` (the files a PR touches), `git diff --name-only HEAD` (uncommitted changes in the working tree, staged or not), or an explicit user list. Dependency scans always cover the whole project: a lockfile edit changes what every file in the repo links against, so file-level scoping does not apply to them.
## Phase 1 - Detect the toolchain
| Tool | When to use it |
| --- | --- |
| **npm/yarn/pnpm audit** | `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` present |
| **pip-audit** | `requirements*.txt`, `pyproject.toml`, `Pipfile` present |
| **safety check** (`safety scan` in Safety 3.x) | Same as pip-audit; complementary database |
| **cargo audit** | `Cargo.lock` present |
| **govulncheck** | `go.mod` present |
| **gitleaks** | Available globally; scans the entire repo for secrets |
| **trufflehog** | Available globally; alternative secret scanner |
| **semgrep** | Available globally; runs rule packs over the touched files |
| **bundler-audit** | `Gemfile.lock` present |
Check which are installed. Test the actual binaries, not their hosts: `cargo` being present says nothing about `cargo-audit`, `bundle-audit` is a separate gem from `bundler`, and the JS audit lives in whichever package manager owns the lockfile, so `yarn` and `pnpm` need checking alongside `npm`:
```bash
for tool in npm yarn pnpm pip-audit safety cargo-audit govulncheck gitleaks trufflehog semgrep bundle-audit; do
  # report both states so a missing scanner shows up in the run log
  command -v "$tool" >/dev/null 2>&1 && echo "available: $tool" || echo "missing: $tool"
done
```
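Phase 0 and Phase 1 together amount to two small decisions: which files are in scope, and which scanners the project's manifest and lock files call for. The following is an added example in the spirit of those two phases, not the skill's own code; the function names `scope_files` and `detect_scanners` are assumptions, and the lockfile-to-tool mapping is the one in the table above.

```bash
#!/usr/bin/env bash
# Added example, not drive-security's own implementation.

# Phase 0: the audit scope. An explicit list wins; otherwise the PR diff if
# `gh` is installed and we are inside a PR checkout; otherwise the working
# tree's uncommitted changes against HEAD.
scope_files() {
  if [ "$#" -gt 0 ]; then
    printf '%s\n' "$@"
  elif command -v gh >/dev/null 2>&1 && gh pr diff --name-only >/dev/null 2>&1; then
    gh pr diff --name-only
  else
    git diff --name-only HEAD
  fi
}

# Phase 1: map the manifest/lock files in a project root to the scanners to
# run. Prints one tool per line. Lockfile-scoped tools appear only when their
# file exists; repo-wide secret and SAST scanners are always listed, because
# they do not depend on the language of the project.
detect_scanners() {
  local root="${1:-.}"
  local tool

  # JS: the audit subcommand belongs to whichever package manager owns the
  # lockfile, so pick exactly one of the three.
  if   [ -f "$root/pnpm-lock.yaml" ];    then echo "pnpm audit"
  elif [ -f "$root/yarn.lock" ];         then echo "yarn audit"
  elif [ -f "$root/package-lock.json" ]; then echo "npm audit"
  fi

  # Python: run both pip-audit and safety, since their databases differ.
  if ls "$root"/requirements*.txt >/dev/null 2>&1 \
     || [ -f "$root/pyproject.toml" ] || [ -f "$root/Pipfile" ]; then
    echo "pip-audit"
    echo "safety check"
  fi

  [ -f "$root/Cargo.lock" ]   && echo "cargo audit"
  [ -f "$root/go.mod" ]       && echo "govulncheck"
  [ -f "$root/Gemfile.lock" ] && echo "bundler-audit"

  # Repo-wide tools run regardless of language.
  for tool in gitleaks trufflehog semgrep; do
    echo "$tool"
  done
}

# Usage: list the scope, then the scanners for the current directory.
# scope_files
# detect_scanners .
```

Both functions only print decisions; the availability check above is still needed before running anything the detector names, and `detect_scanners` keys on the lockfile rather than on `package.json`, so a project with no lockfile gets no JS audit (by design: an audit without a lockfile resolves versions fresh and does not describe what the repo actually ships).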
Use whate