skill-security-auditor

# Security Auditor Guide ## Overview This guide covers security auditing workflows for source code, dependencies, and configurations. For detailed vulnerability patterns and detection rules, see references/vulnerability-patterns.md. For secrets detection patterns, see references/secrets-patterns.md. ## Quick Start Run the bundled scan script against a project directory: ```bash python scripts/scan_project.py /path/to/project ``` This performs a lightweight scan for common issues: hardcoded secrets, dangerous function calls, and insecure patterns. For deeper analysis, follow the workflows below. ### Testing the scripts ```bash python scripts/scan_project.py /path/to/some/project --format text python scripts/scan_secrets.py /path/to/some/project --format text ``` ## Audit Workflow ### 1. Reconnaissance Before auditing, understand the project: ```bash # Identify languages, frameworks, and entry points find . -type f -name "*.py" -o -name "*.js" -o -name "*.ts" -o -name "*.go" -o -name "*.java" | head -20 cat package.json pyproject.toml requirements.txt go.mod pom.xml 2>/dev/null ``` Key questions: - What frameworks are used? (Express, Django, Flask, Spring, etc.) - Where are the entry points? (routes, controllers, API handlers) - How is authentication handled? - What external services are called? - Is user input accepted? Where? ### 2. Secrets Detection Scan for hardcoded credentials, API keys, and tokens. See references/secrets-patterns.md for the full pattern li...