ClaudeWave
Skill · 282 repo stars · updated 3mo ago

audit

The audit skill performs comprehensive security and code quality assessments across multiple technology stacks including JavaScript, Go, Rust, and Python. It identifies OWASP Top 10 vulnerabilities, outdated dependencies with known CVEs, exposed secrets and credentials, code quality issues, and compliance problems through static analysis and pattern matching. Use this skill before deployment, during security reviews, or when verifying compliance requirements like GDPR or SOC2.

Install in Claude Code
git clone --depth 1 https://github.com/MadAppGang/claude-code /tmp/audit && cp -r /tmp/audit/plugins/dev/skills/audit ~/.claude/skills/audit
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Audit Skill

## Overview

The audit skill provides comprehensive on-demand security and code quality audits for your codebase. It identifies vulnerabilities, security issues, code smells, outdated dependencies, exposed secrets, and compliance problems across all supported technology stacks.

**When to Use**:
- Security audits and vulnerability scans
- Pre-deployment security checks
- Compliance verification (GDPR, HIPAA, SOC2)
- Code quality assessment
- Dependency vulnerability scanning
- Secret exposure detection
- Third-party license compliance

**Technology Coverage**:
- React/TypeScript/JavaScript projects
- Go applications
- Rust projects
- Python codebases
- Full-stack applications
- Monorepos and microservices

## Audit Categories

### 1. Security Vulnerabilities (OWASP Top 10)

**What Gets Checked**:
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Authentication and session management flaws
- Security misconfigurations
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Cross-site request forgery (CSRF)
- Using components with known vulnerabilities
- Insufficient logging and monitoring

The categories above follow the 2017 and earlier OWASP lists. The 2021 edition folds XXE into Security Misconfiguration and XSS into Injection, no longer lists CSRF as a standalone category (dropped in 2017), and adds Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery, so map findings to the edition your compliance requirement actually names.

**Detection Methods**:
- Static code analysis
- Pattern matching for common vulnerabilities
- Framework-specific security checks
- API endpoint security validation
- Input validation analysis
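As an added illustration of the "static code analysis" and "pattern matching" steps above (this is example code, not the audit skill's own implementation), the following Python script walks a module's AST and reports any `execute`/`executemany`/`executescript` call whose query is assembled from runtime values. The method-name set, the finding fields and the sample source are assumptions made for the example.

```python
"""Added illustration, not the audit skill's own code: an AST-based check
for SQL queries assembled from runtime values in Python source. It reports
every ``execute``/``executemany``/``executescript`` call whose first
argument is an f-string with placeholders, a ``%`` format, a ``.format()``
call, or a ``+`` concatenation that involves a non-literal operand."""
import ast

EXEC_METHODS = {"execute", "executemany", "executescript"}


def _is_static(node: ast.AST) -> bool:
    """A string literal, or literals joined with ``+`` (safe to execute as-is)."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_static(node.left) and _is_static(node.right)
    return False


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression splices runtime values into a string."""
    if isinstance(node, ast.JoinedStr):                      # f"... {email} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True                                          # "... %s" % email
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return not _is_static(node)                          # "..." + email + "'"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "... {}".format(email)
    return False


def find_sql_injection(source: str, filename: str = "<string>") -> list:
    """Return report-style findings, one per dynamic query, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in EXEC_METHODS and node.args and _is_dynamic_string(node.args[0]):
            findings.append({
                "file": filename,
                "line": node.lineno,
                "severity": "CRITICAL",
                "category": "Security - SQL Injection",
                "issue": "SQL query assembled from runtime values; use a parameterized query",
            })
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample for a stand-alone run: three unsafe and two safe queries.
SAMPLE = '''
def vulnerable(cur, email):
    cur.execute(f"SELECT * FROM users WHERE email = '{email}'")
    cur.execute("SELECT * FROM users WHERE email = '" + email + "'")
    cur.execute("SELECT * FROM users WHERE email = '%s'" % email)

def safe(cur, email):
    cur.execute("SELECT * FROM users WHERE email = %s", (email,))
    cur.execute("SELECT * FROM users WHERE email = ?", (email,))
'''

if __name__ == "__main__":
    for finding in find_sql_injection(SAMPLE, "queries.py"):
        print(f"[{finding['severity']}] {finding['file']}:{finding['line']} {finding['issue']}")
```

The check is deliberately syntactic: a query passed in as a plain variable (`cur.execute(query)`) is not flagged, because whether that variable was built safely needs data-flow analysis that a pattern match cannot provide. That is the same limitation a regex-based scan has, and it is why the skill pairs pattern matching with framework-specific review.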

### 2. Dependency Vulnerabilities

**What Gets Checked**:
- Outdated packages with known CVEs
- Unmaintained dependencies
- License compatibility issues
- Transitive dependency risks
- Version conflicts

**Package Managers Supported**:
- npm/yarn/pnpm (JavaScript/TypeScript)
- go.mod (Go)
- Cargo.toml (Rust)
- requirements.txt/pyproject.toml (Python)
- Gemfile (Ruby)

**Tools Used**:
- `npm audit` / `yarn audit` / `pnpm audit`
- `go mod verify` (an integrity check of downloaded modules against `go.sum`, not a CVE lookup) + a vulnerability database query such as `govulncheck`
- `cargo audit`
- `pip-audit` / `safety`

### 3. Exposed Secrets and Credentials

**What Gets Detected**:
- Hardcoded API keys and tokens
- Database credentials
- Private keys and certificates
- OAuth tokens and secrets
- AWS/GCP/Azure credentials
- JWT secrets
- Encryption keys

**Detection Patterns**:
- Regex patterns for common secret formats
- Environment variable misuse
- Configuration file analysis
- Git history scanning (if requested)
- Common secret naming patterns

**False Positive Reduction**:
- Ignore test fixtures and mocks
- Respect `.gitignore` patterns (an ignored local `.env` is not reported; a secret that was ever committed still sits in history, which is what the git history scan is for)
- Check for proper environment variable usage
- Validate against `.env.example` templates
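To make the detection patterns and the false-positive rules above concrete, here is an added example scanner (not the audit skill's own detector). It combines a few format-specific regexes with a Shannon-entropy gate for generic `name = "literal"` assignments, skips fixture, mock and `.example` paths, and treats a line that reads the environment as correct usage rather than a finding. The regexes, length bounds, skip list, entropy floor and sample files are all assumptions made for this example.

```python
"""Added illustration, not the audit skill's own detector: a secret scanner
that applies format-specific regexes plus a Shannon-entropy gate, and the
false-positive rules from the list above (skip test fixtures and mocks,
skip ``.env.example`` templates, ignore lines that read the environment).
The patterns and length bounds are illustrative assumptions, not a vetted
rule set."""
import math
import re
from pathlib import PurePosixPath

PATTERNS = {
    # Public key-format prefixes: AWS access key IDs, Stripe secret keys,
    # GitHub personal access tokens, PEM private-key headers.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic: a secret-looking name assigned a quoted literal of 16+ chars.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}
ENV_READ = re.compile(r"\b(?:os\.environ|os\.getenv|process\.env)\b")  # the recommended fix, not a finding
SKIP_PATH_PARTS = {"test", "tests", "__tests__", "fixtures", "mocks", "node_modules"}
ENTROPY_FLOOR = 3.5  # bits/char; a repeated-character placeholder such as "xxxxxxxx" scores 0


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above prose."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def should_skip(path: str) -> bool:
    """Fixture/mock/vendor directories and *.example templates are not findings."""
    p = PurePosixPath(path)
    return p.name.endswith(".example") or any(part in SKIP_PATH_PARTS for part in p.parts)


def scan_text(path: str, text: str) -> list:
    findings = []
    if should_skip(path):
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_READ.search(line):
            continue
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            candidate = m.group(1) if m.groups() else m.group(0)
            # Format-specific hits stand on their own; the generic rule needs entropy support.
            if kind == "generic_assignment" and shannon_entropy(candidate) < ENTROPY_FLOOR:
                break
            findings.append({"file": path, "line": lineno, "type": kind, "severity": "CRITICAL",
                             "match": candidate[:4] + "..."})  # never echo the full secret into a report
            break  # one finding per line
    return findings


def scan_repo(files: dict) -> list:
    """files: {path: contents}; in a real run this would walk the working tree."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample tree (all key values are made up, not real credentials).
SAMPLE_FILES = {
    "src/config/api.py": (
        'STRIPE_KEY = "sk_live_Z9kQ2mP7vL4xR8nT1bW6"\n'
        'AWS_KEY = "AKIAQ7X2M4N9P1R5T8V3"\n'
    ),
    "src/config/settings.py": (
        'DB_PASSWORD = "q7Gh2xL9pR4sWv1zT8mK"\n'      # high entropy: reported
        'ADMIN_PASSWORD = "xxxxxxxxxxxxxxxxxxxx"\n'   # placeholder: entropy 0, skipped
        'API_TOKEN = os.environ["API_TOKEN"]\n'      # correct usage: skipped
    ),
    "tests/fixtures/keys.py": 'STRIPE_KEY = "sk_live_Z9kQ2mP7vL4xR8nT1bW6"\n',  # fixture: skipped
    ".env.example": "STRIPE_SECRET_KEY=sk_live_Z9kQ2mP7vL4xR8nT1bW6\n",      # template: skipped
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"[{f['severity']}] {f['file']}:{f['line']} {f['type']} ({f['match']})")
```

Two design points carry over to any real scanner: the report truncates the matched value, because an audit report that quotes a live key in full is itself a secret exposure, and a path-based skip of fixtures is a trade-off, since a real credential pasted into a test file is still a leak and only the git history scan would catch it after the fact.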

### 4. Code Quality Issues

**What Gets Analyzed**:
- Code complexity (cyclomatic complexity)
- Code duplication
- Dead code and unused exports
- Large functions and files
- Naming convention violations
- Magic numbers and hardcoded values
- Lack of error handling
- Poor separation of concerns

**Metrics Calculated**:
- Cyclomatic complexity per function
- Duplication percentage
- Lines of code (LOC) per file/function
- Comment-to-code ratio
- Test-to-code ratio
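The first metric in that list is the one most people have never computed by hand, so here is an added example (not the audit skill's own metric code) that scores cyclomatic complexity per function for Python source with the standard `ast` module. The counting convention, threshold and sample source are assumptions made for the example.

```python
"""Added illustration, not the audit skill's own metric code: per-function
cyclomatic complexity for Python source using the standard ``ast`` module.
Counting convention assumed here (the classic McCabe scheme): each function
starts at 1 and gains 1 for every decision point: if/elif, for/while,
except handler, conditional expression, each boolean operator, each ``if``
filter in a comprehension and each ``match`` case."""
import ast


class _ComplexityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.results = {}   # function name -> complexity
        self._stack = []    # [name, running score] for enclosing functions

    def _decision(self, node, weight=1):
        if self._stack:                 # module-level branches are not attributed
            self._stack[-1][1] += weight
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        self._stack.append([node.name, 1])
        self.generic_visit(node)        # nested defs are scored separately
        name, score = self._stack.pop()
        self.results[name] = score

    visit_AsyncFunctionDef = visit_FunctionDef

    # One decision point each.
    visit_If = visit_For = visit_AsyncFor = visit_While = _decision
    visit_IfExp = visit_ExceptHandler = visit_match_case = _decision

    def visit_BoolOp(self, node):         # a and b or c  ->  two extra paths
        self._decision(node, len(node.values) - 1)

    def visit_comprehension(self, node):  # [x for x in xs if p(x) if q(x)]
        self._decision(node, len(node.ifs))


def cyclomatic_complexity(source: str) -> dict:
    visitor = _ComplexityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.results


def over_threshold(source: str, limit: int = 10) -> list:
    """Functions whose complexity exceeds ``limit``, highest first."""
    scores = cyclomatic_complexity(source)
    return sorted(((n, c) for n, c in scores.items() if c > limit), key=lambda x: -x[1])


# Constructed sample with the expected score per decision point in comments.
SAMPLE = '''
def trivial(x):
    return x

def classify(n, flags):
    if n < 0 and not flags:                # if +1, and +1
        return "neg"
    elif n == 0:                           # elif +1
        return "zero"
    for f in flags:                        # for +1
        if f:                              # if +1
            break
    return "pos" if n > 0 else "other"     # ternary +1

def risky(items):
    try:
        return [i for i in items if i]     # comprehension filter +1
    except (ValueError, TypeError):        # handler +1
        return []
'''

if __name__ == "__main__":
    for name, score in cyclomatic_complexity(SAMPLE).items():
        print(f"{name}: {score}")
    print("over limit 5:", over_threshold(SAMPLE, limit=5))
```

Results are keyed by bare function name, so two same-named functions in different classes would collide; a production scanner would key on a qualified name and file path. The threshold matters more for security than it looks: high-complexity authorization or input-validation code is where missed branches (and therefore missed checks) tend to hide.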

## Running Audits

### Full Audit

Run all audit categories:

```
Please run a full security and quality audit of this codebase
```

The audit will:
1. Scan all source files for vulnerabilities
2. Check dependencies for known CVEs
3. Search for exposed secrets
4. Analyze code quality metrics
5. Generate comprehensive report

### Category-Specific Audits

**Security Only**:
```
Run a security audit focusing on OWASP top 10 vulnerabilities
```

**Dependencies Only**:
```
Audit all dependencies for vulnerabilities and outdated packages
```

**Secrets Only**:
```
Scan for exposed secrets and credentials
```

**Code Quality Only**:
```
Analyze code quality and identify code smells
```

### Targeted Audits

**Specific Directory**:
```
Audit the /src/auth directory for security issues
```

**Specific Files**:
```
Audit UserController.ts and AuthService.ts for vulnerabilities
```

**Pre-Deployment**:
```
Run pre-deployment audit checklist
```

## Audit Report Format

### Severity Levels

Reports classify findings by severity:

- **CRITICAL**: Immediate security risk, exploitable vulnerability
- **HIGH**: Significant security or quality issue
- **MEDIUM**: Moderate issue that should be addressed
- **LOW**: Minor issue or code smell
- **INFO**: Informational finding, best practice suggestion

### Report Structure

```markdown
# Security and Quality Audit Report

**Generated**: 2026-01-28 14:32:00
**Scope**: Full codebase audit
**Files Scanned**: 247
**Duration**: 8.3 seconds

## Executive Summary

- CRITICAL: 2 findings
- HIGH: 5 findings
- MEDIUM: 12 findings
- LOW: 23 findings
- INFO: 8 findings

**Risk Score**: 7.2/10 (HIGH)

## Critical Findings

### [CRITICAL-001] SQL Injection Vulnerability
**File**: src/database/queries.ts:42
**Severity**: CRITICAL
**Category**: Security - SQL Injection

**Issue**: User input concatenated directly into SQL query without sanitization.

**Code**:
```typescript
const query = `SELECT * FROM users WHERE email = '${email}'`;
```

**Impact**: Attacker can execute arbitrary SQL commands.

**Recommendation**: Use parameterized queries (or an ORM that binds parameters); escaping the input is not a substitute.

**Fix**:
```typescript
const query = db.prepare('SELECT * FROM users WHERE email = ?').bind(email);
```

---

### [CRITICAL-002] Exposed API Key
**File**: src/config/api.ts:15
**Severity**: CRITICAL
**Category**: Security - Exposed Secret

**Issue**: Hardcoded API key found in source code.

**Code**:
```typescript
const STRIPE_SECRET_KEY = "sk_live_abc123xyz789";
```

**Impact**: Unauthorized access to Stripe account.

**Recommendation**: Move the key to an environment variable or secrets manager, and rotate it: a key that has been committed stays valid (and in git history) until it is revoked.

**Fix**:
```typescript
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
```

## High Priority Findings

### [HIGH-001] Outdated Dependency with Known CVE
**File**: package.json:23
**Severity**: HIGH
**Category**: Dependencies

**Issue**: lodash@4.17.15 has known vulnerability (CVE-2021-23337)

**CVE Details**:
- CVE-2021-23337: Command injection in template
- Published: 2021-02-15
- CVSS Score: 7.2

**Recommendation**: Upgrade to lodash@4.17.21 or hi