
security-auditor

Runs available security scanners, parses results, and writes a consolidated security findings report. Use when you need to check a project for vulnerabilities, exposed secrets, insecure dependencies, or other security issues. Triggers: "security audit", "run security scan", "find vulnerabilities", "check for secrets", "scan dependencies", "run security-auditor".
ivuorinen/skills · ★ 0 · Data & Documents · score 68
Install: claude install-skill ivuorinen/skills
# Security Auditor

## Overview

Automated, tool-driven security audit. Detects which security scanning tools are installed on the current machine, runs each one against the project, normalizes the output, and writes a consolidated findings report. No tool is assumed to be present — every tool is probed before use. All findings are graded Critical → Advisory and written to `docs/audit/security-findings.md`.

## When to Use

- Before a release to verify the project has no known vulnerabilities
- After adding new dependencies
- When asked to "run a security scan", "find vulnerabilities", "check for secrets", or "audit security"
- As part of a CI gate or pre-push check

**When NOT to use:** For general code quality issues, use `nitpicker`. For architecture boundary violations, use `arch-auditor`. For hostile code review, use `adversarial-reviewer`.

## Tool Detection

Before running any scan, probe for each tool with `which <tool>` or equivalent. Only run tools that are found. Skip missing tools without attempting to execute them, and list them in the report header under Tool Coverage as "Not available".

| Tool | Command | What it finds |
|------|---------|---------------|
| semgrep | `which semgrep` | SAST: code-level security bugs |
| opengrep | `which opengrep` | SAST: code-level security bugs (semgrep fork) |
| grype | `which grype` | Dependency vulnerabilities (CVEs) |
| trivy | `which trivy` | Dependencies, misconfigurations, secrets |
| gitleaks | `which gitleaks` | Secr
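The tool-detection step above, as an added POSIX shell example (this is not the skill's own code): every scanner from the table is probed with `command -v` (the POSIX equivalent of `which`), a scanner is invoked only when the probe succeeds, and the "Tool Coverage" header rows are rendered with "Available" or "Not available". The function names, the table layout and the fact that the wrapper passes arguments straight through to the scanner are assumptions of this example; the real scanner flags would come from the skill's runner.

```shell
#!/bin/sh
# Added example, not the skill's own code: probe scanners before use and
# render the "Tool Coverage" header rows for the findings report.

# Scanner names from the skill's tool table.
SCANNERS="semgrep opengrep grype trivy gitleaks"

# probe_tool NAME -> exit 0 if NAME is on PATH, 1 otherwise.
# `command -v` is the POSIX equivalent of `which` and never executes NAME.
probe_tool() {
    command -v "$1" >/dev/null 2>&1
}

# tool_coverage_table [NAME...] -> prints a markdown table with one row per
# tool, marked "Available" or "Not available" (assumed layout for the header).
tool_coverage_table() {
    printf '| Tool | Status |\n|------|--------|\n'
    for tool in "$@"; do
        if probe_tool "$tool"; then
            printf '| %s | Available |\n' "$tool"
        else
            printf '| %s | Not available |\n' "$tool"
        fi
    done
}

# run_if_available NAME [ARG...] -> runs NAME with ARGs only when it is
# installed; a missing tool is skipped (exit 0) rather than attempted.
# When the tool runs, its own exit status is returned unchanged.
run_if_available() {
    tool="$1"
    shift
    if probe_tool "$tool"; then
        "$tool" "$@"
    else
        echo "skip: $tool not installed" >&2
        return 0
    fi
}

# Stand-alone use: print the coverage rows for the scanners in the table.
# shellcheck disable=SC2086
tool_coverage_table $SCANNERS
```

Because `probe_tool` uses `command -v`, it reports a scanner as available only if the shell could actually execute it; a scanner that is installed but not on `PATH` is correctly listed as "Not available", which is what the report header should say.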