securitylisted
Install: claude install-skill davidmatousek/tachi
# /security — SAST/SCA Security Scan
**Purpose**: Analyze code files and dependency manifests changed on the feature branch for OWASP Top 10 vulnerabilities and known CVE patterns. Write permanent audit artifacts. Block on CRITICAL/HIGH findings until acknowledged or fixed.
**When invoked from /aod.build**: Called as the Security Scan step (Step 7) via the Skill tool. `--no-security` flag in `/aod.build` bypasses this skill entirely.
**When invoked standalone**: Run directly as `/security` from any project directory. `security-scan.md` is written to `specs/{NNN}-*/` if inside an AOD project, or to the current working directory otherwise.
---
## Step 0: Parse Arguments
If invoked standalone, parse optional flags from arguments:
1. **`--no-security`**: If present (standalone invocation context), output "Security scan skipped (--no-security)" and exit cleanly. This flag is normally handled by `/aod.build` Step 0 before invoking this skill; if present here in standalone mode, honor it.
2. **Feature number extraction**: Detect current feature number from branch name (`git branch --show-current` → extract leading digits) or from `specs/*/` directory listing. Used for output path resolution.
3. **Output path resolution**:
   - If inside an AOD project (`specs/{NNN}-*/` exists): write `security-scan.md` to `specs/{NNN}-*/security-scan.md`
   - Otherwise: write `security-scan.md` to the current working directory
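The three Step 0 sub-steps above, as an added example in POSIX shell (not the skill's own code): the flag check, the feature-number extraction with its `specs/*/` fallback, and the output path resolution. The function names and the optional branch argument to `detect_feature_number` are my own choices; the `specs/{NNN}-*/` layout is the one the skill describes.

```shell
#!/bin/sh
# Added example, not the skill's own code: Step 0 of /security as POSIX
# shell functions. Assumes the specs/{NNN}-*/ layout the skill describes;
# function names and the optional branch argument are my own choices.

# Step 0.1: return 0 (skip the scan) when --no-security is among the args.
security_skip_requested() {
    for arg in "$@"; do
        [ "$arg" = "--no-security" ] && return 0
    done
    return 1
}

# Leading digits of a branch name such as "042-add-login" -> "042".
# Prints nothing and returns 1 when the name does not start with digits.
feature_from_branch() {
    digits=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')
    [ -n "$digits" ] || return 1
    printf '%s\n' "$digits"
}

# Step 0.2: feature number from the current branch, falling back to the
# first specs/NNN-*/ directory when the branch carries no number.
# $1 = project root, $2 = branch name (defaults to the checked-out branch).
detect_feature_number() {
    root="${1:-.}"
    branch="${2:-$(git -C "$root" branch --show-current 2>/dev/null || true)}"
    if feature_from_branch "$branch"; then return 0; fi
    for d in "$root"/specs/[0-9]*-*/; do
        [ -d "$d" ] || continue
        feature_from_branch "$(basename "$d")" && return 0
    done
    return 1
}

# Step 0.3: security-scan.md goes to specs/{NNN}-*/ inside an AOD project,
# otherwise to the working directory ($1 = project root, $2 = feature number).
resolve_output_path() {
    root="${1:-.}"
    for d in "$root"/specs/"$2"-*/; do
        [ -d "$d" ] && { printf '%s\n' "${d%/}/security-scan.md"; return 0; }
    done
    printf '%s\n' "$root/security-scan.md"
}
```

A caller that honours the flag would print "Security scan skipped (--no-security)" and exit 0 when `security_skip_requested "$@"` succeeds, and otherwise chain `detect_feature_number` into `resolve_output_path`.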
---
## Step 1: File Detection
Detect all files changed on the fea