
security-audit

Comprehensive polyglot security audit across 60+ frameworks. Runs a SARIF scanner bundle, fans out 11 parallel deep-dive categories (incl. supply-chain and MCP/agentic), and emits an OWASP-methodology-tagged report. Invoke when the user says 'run security audit', 'security audit', 'audit security', or passes args like 'mode: delta' / 'scope: services/api' / 'categories: crypto,mitm,secrets' / 'output: docs/security-audit-output'. Typical run 15-60 min (full) or 2-5 min (delta). MANDATORY ARTIFACT CONTRACT: every run MUST write (1) .claude-audit/current/ as your FIRST tool action via mkdir -p; (2) per-phase phase-NN-*.json AND a phase-NN.done marker for each completed phase 0-7 (8 if mode=full) BEFORE moving to the next phase; (3) findings.sarif (SARIF 2.1.0) where EVERY results[] row carries properties.security-severity (CVSS-style numeric) AND properties.cwe (e.g. 'CWE-798' — required for downstream tooling, lookup in lib/cwe-map.json) AND optionally properties.category (one of: auth, idor, token_scope, mitm
velimattiv/claude-security-audit · ★ 0 · AI & Automation · score 72
Install: claude install-skill velimattiv/claude-security-audit
# Mandatory contract before you do anything else

This skill produces **two kinds of output** on every run. Both are required:

1. **Machine-readable blackboard artifacts** under `.claude-audit/current/`:
   - `phase-00-profile.json` … `phase-08-baseline.json` (per-phase artifacts)
   - `phase-NN.done` saga markers (one per completed phase)
   - `findings.sarif` (SARIF 2.1.0)
   - `findings.cyclonedx.json` (SBOM skeleton)
2. **A human-readable Markdown report** plus deliverable copies under the resolved **output directory** (default `docs/security-audit-output/`): `security-audit-report.md`, `findings.sarif`, `findings.cyclonedx.json`, and the pruned `security-audit-baseline.json`. The skill asks you where to write these on first run (honors an `output:` arg and a persisted choice; defaults non-interactively). See [lib/output-routing.md](lib/output-routing.md).

**Producing only the report is INVALID.** A run that writes the human report but skips the blackboard artifacts breaks downstream value: delta mode fails (no baseline), GitHub Security tab integration fails (no SARIF), CI gating on CRITICAL counts fails (no structured findings). **If you find yourself reasoning "I'll just produce the final report" — STOP. The artifacts come first.**

# First action — read workflow.md and run its preflight

The blackboard creation + `$SKILL_DIR` resolution + version check are defined as a single multi-line Bash command in [workflow.md](workflow.md) under "First action —
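A CI job that gates on this contract needs a way to tell a valid run from one that only wrote the report. The checker below is an added example, not code from the velimattiv/claude-security-audit project: it verifies that every phase has its `phase-NN-*.json` artifact and `phase-NN.done` marker (phases 0-7, or 0-8 when `mode=full`), and that `findings.sarif` is SARIF 2.1.0 with a numeric `properties.security-severity` and a `properties.cwe` of the form `CWE-<n>` on every result. The blackboard directory and SARIF file it checks are constructed inside the script, with one result deliberately missing its CWE and the phase 7 artifacts deliberately omitted, so that both checks fire.

```python
"""Validate the security-audit blackboard artifact contract.

Added example, not the project's own code. Paths and property names follow
the contract text above; the sample blackboard and SARIF are constructed here.
"""
import json
import os
import re
import tempfile

CWE_RE = re.compile(r"^CWE-\d+$")


def check_phases(blackboard, mode="delta"):
    """Return problems with per-phase artifacts: phases 0-7, plus 8 when mode=full."""
    problems = []
    last_phase = 8 if mode == "full" else 7
    entries = os.listdir(blackboard)
    for n in range(last_phase + 1):
        tag = f"{n:02d}"
        if f"phase-{tag}.done" not in entries:
            problems.append(f"missing phase-{tag}.done marker")
        if not any(e.startswith(f"phase-{tag}-") and e.endswith(".json") for e in entries):
            problems.append(f"missing phase-{tag}-*.json artifact")
    return problems


def check_sarif(path):
    """Return problems with findings.sarif: SARIF version and required result properties."""
    problems = []
    with open(path) as fh:
        doc = json.load(fh)
    if doc.get("version") != "2.1.0":
        problems.append(f"version is {doc.get('version')!r}, expected '2.1.0'")
    for ri, run in enumerate(doc.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            props = result.get("properties") or {}
            sev = props.get("security-severity")
            try:
                float(sev)  # CVSS-style numeric; GitHub accepts it as a string such as "9.8"
            except (TypeError, ValueError):
                problems.append(f"run {ri} result {i}: security-severity {sev!r} is not numeric")
            cwe = props.get("cwe")
            if not isinstance(cwe, str) or not CWE_RE.match(cwe):
                problems.append(f"run {ri} result {i}: cwe {cwe!r} is not of the form CWE-<n>")
    return problems


def demo():
    """Build a constructed blackboard in a temp dir and return (phase_problems, sarif_problems)."""
    blackboard = tempfile.mkdtemp(prefix="claude-audit-")
    for n in range(7):  # phases 0-6 only: phase 7 is left out on purpose
        with open(os.path.join(blackboard, f"phase-{n:02d}-step.json"), "w") as fh:
            json.dump({"phase": n, "note": "constructed artifact"}, fh)
        open(os.path.join(blackboard, f"phase-{n:02d}.done"), "w").close()
    sarif = {  # constructed SARIF: first result complete, second missing cwe and numeric severity
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "constructed-scanner"}},
            "results": [
                {"ruleId": "hardcoded-credential", "message": {"text": "constructed finding"},
                 "properties": {"security-severity": "9.8", "cwe": "CWE-798", "category": "secrets"}},
                {"ruleId": "incomplete-finding", "message": {"text": "constructed finding"},
                 "properties": {"security-severity": "high"}},
            ],
        }],
    }
    sarif_path = os.path.join(blackboard, "findings.sarif")
    with open(sarif_path, "w") as fh:
        json.dump(sarif, fh)
    return check_phases(blackboard), check_sarif(sarif_path)


if __name__ == "__main__":
    phase_problems, sarif_problems = demo()
    for p in phase_problems + sarif_problems:
        print("CONTRACT VIOLATION:", p)
```

In a pipeline, point `check_phases` at `.claude-audit/current/` with the `mode` the run was invoked with and fail the job on any non-empty result; a report with no `findings.sarif` beside it is exactly the invalid run the contract text warns about.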