zeroize-audit

# zeroize-audit — Claude Skill ## When to Use - Auditing cryptographic implementations (keys, seeds, nonces, secrets) - Reviewing authentication systems (passwords, tokens, session data) - Analyzing code that handles PII or sensitive credentials - Verifying secure cleanup in security-critical codebases - Investigating memory safety of sensitive data handling ## When NOT to Use - General code review without security focus - Performance optimization (unless related to secure wiping) - Refactoring tasks not related to sensitive data - Code without identifiable secrets or sensitive values --- ## Purpose Detect missing zeroization of sensitive data in source code and identify zeroization that is removed or weakened by compiler optimizations (e.g., dead-store elimination), with mandatory LLVM IR/asm evidence. Capabilities include: - Assembly-level analysis for register spills and stack retention - Data-flow tracking for secret copies - Heap allocator security warnings - Semantic IR analysis for loop unrolling and SSA form - Control-flow graph analysis for path coverage verification - Runtime validation test generation ## Scope - Read-only against the target codebase (does not modify audited code; writes analysis artifacts to a temporary working directory). - Produces a structured report (JSON). - Requires valid build context (`compile_commands.json`) and compilable translation units. - "Optimized away" findings only allowed with compiler evidence (IR/asm diff). --- ## Inputs...