Skip to main content
ClaudeWave
Skill215 repo starsupdated 3mo ago

security-health-inline

Inline orchestration workflow for security vulnerability detection and remediation with Beads integration. Provides step-by-step phases for security-scanner detection, priority-based fixing with vulnerability-fixer, and verification cycles.

View sourceRepository: claude-code-orchestrator-kit
Install in Claude Code
Copy
git clone --depth 1 https://github.com/maslennikov-ig/claude-code-orchestrator-kit /tmp/security-health-inline && cp -r /tmp/security-health-inline/.claude/skills/security-health-inline ~/.claude/skills/security-health-inline
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Security Health Check (Inline Orchestration)

You ARE the orchestrator. Execute this workflow directly without spawning a separate orchestrator agent.

## Workflow Overview

```
Beads Init → Detection → Create Issues → Fix by Priority → Close Issues → Verify → Beads Complete
```

**Max iterations**: 3
**Priorities**: critical → high → medium → low
**Beads integration**: Automatic issue tracking

---

## Phase 1: Pre-flight & Beads Init

1. **Setup directories**:
   ```bash
   mkdir -p .tmp/current/{plans,changes,backups}
   ```

2. **Validate environment**:
   - Check `package.json` exists
   - Check `type-check` and `build` scripts exist

3. **Create Beads wisp**:
   ```bash
   bd mol wisp exploration --vars "question=Security vulnerability scan"
   ```

   **IMPORTANT**: Save the wisp ID (e.g., `mc2-xxx`) for later use.

4. **Initialize TodoWrite**:
   ```json
   [
     {"content": "Security scan", "status": "in_progress", "activeForm": "Scanning for vulnerabilities"},
     {"content": "Create Beads issues", "status": "pending", "activeForm": "Creating issues"},
     {"content": "Fix critical vulnerabilities", "status": "pending", "activeForm": "Fixing critical vulnerabilities"},
     {"content": "Fix high priority vulnerabilities", "status": "pending", "activeForm": "Fixing high vulnerabilities"},
     {"content": "Fix medium priority vulnerabilities", "status": "pending", "activeForm": "Fixing medium vulnerabilities"},
     {"content": "Fix low priority vulnerabilities", "status": "pending", "activeForm": "Fixing low vulnerabilities"},
     {"content": "Verification scan", "status": "pending", "activeForm": "Verifying fixes"},
     {"content": "Complete Beads wisp", "status": "pending", "activeForm": "Completing wisp"}
   ]
   ```

---

## Phase 2: Detection

**Invoke security-scanner** via Task tool:

```
subagent_type: "security-scanner"
description: "Detect all vulnerabilities"
prompt: |
  Scan the entire codebase for security vulnerabilities:
  - SQL injection
  - XSS vulnerabilities
  - Authentication/authorization issues
  - RLS policy violations
  - Hardcoded secrets
  - Insecure dependencies
  - Categorize by priority (critical/high/medium/low)

  Generate: security-scan-report.md

  Return summary with vulnerability counts per priority.
```

**After security-scanner returns**:
1. Read `security-scan-report.md`
2. Parse vulnerability counts by priority
3. If zero vulnerabilities → skip to Phase 7 (Final Summary)
4. Update TodoWrite: mark detection complete

---

## Phase 3: Create Beads Issues

**For each vulnerability found**, create a Beads issue:

```bash
# Critical (P0) - Security critical gets highest priority
bd create "SECURITY: {vuln_title}" -t bug -p 0 -d "{description}" \
  --deps discovered-from:{wisp_id}

# High (P1)
bd create "SECURITY: {vuln_title}" -t bug -p 1 -d "{description}" \
  --deps discovered-from:{wisp_id}

# Medium (P2)
bd create "SECURITY: {vuln_title}" -t bug -p 2 -d "{description}" \
  --deps discovered-from:{wisp_id}

# Low (P3)
bd create "SECURITY: {vuln_title}" -t bug -p 3 -d "{description}" \
  --deps discovered-from:{wisp_id}
```

**Add security label**:
```bash
bd update {issue_id} --add-label security
```

**Track issue IDs** in a mapping for later closure.

Update TodoWrite: mark "Create Beads issues" complete.

---

## Phase 4: Quality Gate (Pre-fix)

Run inline validation:

```bash
pnpm type-check
pnpm build
```

- If both pass → proceed to fixing
- If fail → report to user, exit

---

## Phase 5: Fixing Loop

**For each priority** (critical → high → medium → low):

1. **Check if vulnerabilities exist** for this priority
   - If zero → skip to next priority

2. **Update TodoWrite**: mark current priority in_progress

3. **Claim issues in Beads**:
   ```bash
   bd update {issue_id} --status in_progress
   ```

4. **Invoke vulnerability-fixer** via Task tool:
   ```
   subagent_type: "vulnerability-fixer"
   description: "Fix {priority} vulnerabilities"
   prompt: |
     Read security-scan-report.md and fix all {priority} priority vulnerabilities.

     For each vulnerability:
     1. Backup file before editing
     2. Implement fix
     3. Log change to .tmp/current/changes/security-changes.json

     Generate/update: security-fixes-implemented.md

     Return: count of fixed vulnerabilities, count of failed fixes, list of fixed vuln IDs.
   ```

5. **Quality Gate** (inline):
   ```bash
   pnpm type-check
   pnpm build
   ```

   - If FAIL → report error, suggest rollback, exit
   - If PASS → continue

6. **Close fixed issues in Beads**:
   ```bash
   bd close {issue_id_1} {issue_id_2} ... --reason "Security fix applied"
   ```

7. **Update TodoWrite**: mark priority complete

8. **Repeat** for next priority

---

## Phase 6: Verification

After all priorities fixed:

1. **Update TodoWrite**: mark verification in_progress

2. **Invoke security-scanner** (verification mode):
   ```
   subagent_type: "security-scanner"
   description: "Verification scan"
   prompt: |
     Re-scan codebase after fixes.
     Compare with previous security-scan-report.md.

     Report:
     - Vulnerabilities fixed (count)
     - Vulnerabilities remaining (count)
     - New vulnerabilities introduced (count)
   ```

3. **Decision**:
   - If vulnerabilities_remaining == 0 → Phase 7
   - If iteration < 3 AND vulnerabilities_remaining > 0 → Go to Phase 2
   - If iteration >= 3 → Phase 7 with remaining vulnerabilities

---

## Phase 7: Final Summary & Beads Complete

1. **Complete Beads wisp**:
   ```bash
   # If all fixed
   bd mol squash {wisp_id}

   # If nothing found
   bd mol burn {wisp_id}
   ```

2. **Create issues for remaining vulnerabilities** (if any):
   ```bash
   bd create "SECURITY REMAINING: {vuln_title}" -t bug -p {priority} \
More from this repository
beads-initSlash Command

Initialize Beads issue tracking in your project with interactive configuration setup.

health-bugsSkill

Inline orchestration workflow for automated bug detection and fixing with Beads integration. Provides step-by-step phases for bug-hunter detection, history enrichment for priority bugs, priority-based fixing with bug-fixer, and verification cycles.

health-cleanupSlash Command

Dead code detection and cleanup workflow (inline orchestration)

health-depsSlash Command

Dependency audit and update workflow (inline orchestration)

health-reuseSlash Command

Code duplication detection and consolidation workflow (inline orchestration)

health-securitySlash Command

Security vulnerability detection and remediation workflow (inline orchestration)

onboardSlash Command

Connect any project to Gastown multi-agent orchestration

process-logsSkill

Process error logs from admin panel - fetch new errors, analyze, create tasks, fix, and mark resolved