Install: claude install-skill AirMile/claude-config
# OWASP Security Audit
Full OWASP Top 10:2025 scan: scope → 10 parallel scanners → aggregated report → 3 fix strategies → implement.
## Process
**Phase tracking** — first action of the skill: call `TaskCreate` with the phase items listed below (one task per phase, status `pending`), then use `TaskUpdate` to set each phase `in_progress` at start and `completed` at end. On context compaction the task list remains visible — no risk of forgotten phases.
1. PHASE 1: Scope
2. PHASE 2: Parallel Scan
3. PHASE 2b: Supply-chain & SAST tooling
4. PHASE 3: Aggregation & Report
5. PHASE 4: Fix Plans
6. PHASE 5: Selection & Implementation
## PHASE 1: Scope
> **Todo**: call `TaskCreate` with the 6 phase items (see above). Mark PHASE 1 → `in_progress` via `TaskUpdate`.
### Step 1: Detect tech stack
Scan project for languages, frameworks, and entry points:
- Glob for `package.json`, `requirements.txt`, `composer.json`, `go.mod`, `Cargo.toml`, `Gemfile`
- Identify framework (Express, Django, Laravel, Rails, Next.js, etc.)
- Map source directories (controllers, routes, API handlers, middleware)
### Step 2: Confirm scope
AskUserQuestion:
- header: "Scan Scope"
- question: "Which parts of the codebase do you want to scan?"
- options:
  - "Full codebase (Recommended)" — Scan everything except node_modules/vendor/dist
  - "Backend/API only" — Focus on server-side code
  - "Specific directory" — Enter a path
- multiSelect: false
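Steps 1 and 2 above as an added Python example (not code from the skill itself): it globs the manifest files Step 1 names, infers the framework from the dependencies they declare, maps candidate source directories, and prunes `node_modules`/`vendor`/`dist` exactly as the recommended scope option does. The hint tables, the `detect_stack`/`build_sample_project` names and the sample project are constructed assumptions.

```python
import json, os, re, tempfile
from pathlib import Path

# Constructed hint tables (not from the skill): manifest -> language, dependency -> framework,
# directories never scanned, and directory names that usually hold entry points/middleware.
MANIFESTS = {"package.json": "javascript", "requirements.txt": "python", "composer.json": "php",
             "go.mod": "go", "Cargo.toml": "rust", "Gemfile": "ruby"}
FRAMEWORK_HINTS = {"express": "Express", "next": "Next.js", "django": "Django",
                   "laravel/framework": "Laravel", "rails": "Rails"}
EXCLUDED_DIRS = {"node_modules", "vendor", "dist", ".git"}
SOURCE_DIR_NAMES = {"controllers", "routes", "api", "handlers", "middleware"}
SOURCE_EXT = {".js", ".ts", ".py", ".php", ".go", ".rs", ".rb"}

def _dependencies(path: Path) -> set:  # lowercase dependency names declared in one manifest
    text = path.read_text()
    if path.name in ("package.json", "composer.json"):
        data = json.loads(text)
        keys = ("dependencies", "devDependencies", "require")
        return {d.lower() for k in keys for d in data.get(k, {})}
    if path.name == "requirements.txt":  # "Django==4.2" -> "django"
        return {re.split(r"[=<>!~\[ ;]", ln.strip(), maxsplit=1)[0].lower()
                for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}
    return set()  # go.mod / Cargo.toml / Gemfile: language only, no framework inference here

def detect_stack(root: str) -> dict:
    """One walk over the tree, pruning excluded dirs in place; returns the scope summary."""
    languages, frameworks, source_dirs, files = set(), set(), set(), []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]  # never descend into these
        for fn in filenames:
            p = Path(dirpath, fn)
            if fn in MANIFESTS:
                languages.add(MANIFESTS[fn])
                frameworks |= {FRAMEWORK_HINTS[d] for d in _dependencies(p) if d in FRAMEWORK_HINTS}
            elif p.suffix in SOURCE_EXT:
                files.append(os.path.relpath(p, root))
                if p.parent.name.lower() in SOURCE_DIR_NAMES:
                    source_dirs.add(os.path.relpath(p.parent, root))
    return {"languages": sorted(languages), "frameworks": sorted(frameworks),
            "source_dirs": sorted(source_dirs), "files": sorted(files)}

def build_sample_project() -> str:
    """Constructed fixture: a tiny Express app plus vendored and built files that must be skipped."""
    root = tempfile.mkdtemp()
    layout = {"package.json": json.dumps({"dependencies": {"express": "^4.19.0"}}),
              "src/routes/users.js": "// route handler\n", "src/middleware/auth.js": "// auth\n",
              "node_modules/lodash/index.js": "// vendored\n", "dist/bundle.js": "// build output\n"}
    for rel, content in layout.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(content)
    return root
```

Running `detect_stack(build_sample_project())` reports only the two `src/` files and their directories; the vendored and built files never enter the scan scope.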
### Step 3: Build file list
Collect relevant source files (exclude dependencies, build outpu