About
Apply OWASP security patterns including authentication, input validation, cryptography, and security headers across multiple languages.
name: security-ops description: "Security audit orchestrator - parallel dependency scanning, SAST pattern detection, auth/config review. Dispatches 3 audit agents simultaneously, consolidates into OWASP-mapped severity report. Triggers on: security review, security audit, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding, vulnerability scan, dependency audit." license: MIT allowed-tools: "Read Edit Write Bash Glob Grep Agent TaskCreate TaskUpdate" metadata: author: claude-mods related-skills: auth-ops, testing-ops, debug-ops, monitoring-ops
Security Operations
Orchestrator for security auditing. Detects project stack inline, dispatches three parallel audit agents (dependency, SAST, auth/config review), consolidates into a severity-ranked OWASP-mapped report.
Architecture
User requests security audit or mentions security concern
|
+---> T1: Detect (inline, fast)
| +---> Identify languages/frameworks in project
| +---> Check installed audit tools
| +---> Determine scope (changed files vs full codebase)
| +---> Present: detection summary + recommended audit
|
+---> T2: Audit (3 parallel agents, background)
| +---> Agent 1: Dependency Audit
| | +---> Run pip-audit, npm audit, govulncheck, cargo audit, trivy
| | +---> Report: CVE IDs, severity, affected + fix versions
| |
| +---> Agent 2: Code Pattern Scan (SAST)
| | +---> Hardcoded secrets, injection, XSS, eval, shell, weak crypto
| | +---> Report: file:line, pattern, severity, fix suggestion
| |
| +---> Agent 3: Auth & Config Review
| | +---> Session, CSRF, CORS, CSP, JWT, OAuth, rate limiting, env vars
| | +---> Report: finding, severity, OWASP category, remediation
| |
| +---> Consolidate: deduplicate, rank by severity, map to OWASP Top 10
|
+---> T3: Remediate (dispatch to language expert, foreground + confirm)
+---> Expert proposes specific fixes
+---> Preflight: what changes, security impact, risk of breaking
+---> User confirms
+---> Apply fixes
Safety Tiers
| Operation | Tier | Execution | |-----------|------|-----------| | Detect languages/frameworks | T1 | Inline | | Check installed audit tools | T1 | Inline | | Determine scope (changed vs all) | T1 | Inline | | Dependency vulnerability scan | T2 | Agent 1 (bg) | | Code pattern scan (SAST) | T2 | Agent 2 (bg) | | Auth & config review | T2 | Agent 3 (bg) | | Consolidate findings | T2 | Inline (after agents return) | | Fix vulnerability in code | T3 | Expert agent + confirm | | Update vulnerable dependency | T3 | Expert agent + confirm | | Add security headers | T3 | Expert agent + confirm |
T1: Detect - Run Inline
| Check | Command / Method |
|-------|-----------------|
| Python project | Check for requirements.txt, pyproject.toml, Pipfile |
| Node.js project | Check for package.json, package-lock.json |
| Go project | Check for go.mod |
| Rust project | Check for Cargo.toml |
| Docker | Check for Dockerfile, docker-compose.yml |
| pip-audit available | which pip-audit 2>/dev/null |
| npm audit available | which npm 2>/dev/null |
| govulncheck available | which govulncheck 2>/dev/null |
| cargo-audit available | which cargo-audit 2>/dev/null |
| trivy available | which trivy 2>/dev/null |
| Scope: changed files | git diff --name-only HEAD |
| Scope: full codebase | fd -e py -e js -e ts -e go -e rs |
T2: Audit - Dispatch 3 Parallel Agents
All audit agents use model="sonnet", run_in_background=True. All are read-only - instruct them explicitly to never edit files.
Agent 1: Dependency Audit
You are a security dependency auditor. Your job is to find vulnerable dependencies.
## Domain Knowledge
First, read this script for audit commands:
- Read: skills/security-ops/scripts/dependency-audit.sh
## Scope
- Languages detected: {languages from T1}
- Audit tools available: {tools from T1}
## Instructions
1. Run the appropriate audit tool for each detected language:
- Python: `pip-audit` or `safety check`
- Node.js: `npm audit --audit-level=moderate`
- Go: `govulncheck ./...`
- Rust: `cargo audit`
- Docker: `trivy config Dockerfile`
2. For each vulnerability found, report:
- Package name and version
- CVE ID (if available)
- Severity (Critical/High/Medium/Low)
- Fixed version (if available)
- Brief description
3. If an audit tool is not installed, note which tool is missing and what command installs it
IMPORTANT: Do NOT edit any files. This is a read-only audit.
## Output Format
Report findings as a severity-ranked table.
Agent 2: Code Pattern Scan (SAST)
You are a security code scanner. Your job is to find vulnerability patterns in sou
