vc:security
vc:security performs a structured STRIDE and OWASP Top 10 vulnerability scan on specified code files, categorizing findings by severity and generating a ranked report. When invoked with the --fix flag, it iteratively applies remediation using the vc:autoresearch pattern. Use this skill before releases, after implementing authentication or payment features, during periodic security reviews, or for compliance preparation such as SOC 2 or GDPR readiness.
git clone --depth 1 https://github.com/withkynam/vibecode-pro-max-kit /tmp/vc-security && cp -r /tmp/vc-security/.claude/skills/vc-security ~/.claude/skills/vc-securitySKILL.md
# vc:security — Security Audit Runs a structured STRIDE + OWASP security audit on a given scope. Produces a severity-ranked findings report. With `--fix`, applies fixes iteratively using the vc:autoresearch guard pattern. ## When to Use - Before a release or major deployment - After adding auth, payment, or data-handling features - Periodic security review (monthly/quarterly) - Compliance check (SOC 2, GDPR, PCI-DSS prep) ## When NOT to Use - Purely cosmetic changes (CSS, copy edits) - No user-facing code or data handling involved --- ## Modes | Mode | Invocation | Behavior | |------|-----------|----------| | Audit only | `/vc:security <scope>` | Scan → categorize → report | | Audit + Fix | `/vc:security <scope> --fix` | Scan → categorize → fix iteratively | | Bounded fix | `/vc:security <scope> --fix --iterations N` | Limit fix iterations to N | --- ## Audit Methodology ### 1. Scope Resolution Expand the provided glob or `full` keyword into a file list. Read all in-scope files before analysis. ### 2. STRIDE Analysis Evaluate each threat category systematically: - **S**poofing — identity/authentication weaknesses - **T**ampering — input validation, integrity controls - **R**epudiation — audit logging gaps - **I**nformation Disclosure — data leakage, secret exposure - **D**enial of Service — rate limits, resource exhaustion - **E**levation of Privilege — broken access control, RBAC gaps ### 3. OWASP Top 10 Check Map findings to OWASP categories (A01–A10). See `references/stride-owasp-checklist.md` for per-category checks. ### 4. Dependency Audit Run the appropriate package audit tool for the detected stack: - Node.js: `pnpm audit` - Python: `pip-audit` - Go: `govulncheck` - Ruby: `bundle audit` ### 5. Secret Detection Scan for hardcoded API keys, passwords, tokens, and private keys using regex patterns. See `references/stride-owasp-checklist.md` → Secret Patterns. ### 6. Finding Categorization Assign each finding a severity level (see Severity Definitions below). --- ## Output Format ``` ## Security Audit Report ### Summary - Files scanned: N - Findings: X critical, Y high, Z medium, W low, V info ### Findings | # | Severity | Category | File:Line | Description | Fix Recommendation | |---|----------|----------|-----------|-------------|-------------------| | 1 | Critical | Injection | api/users.ts:45 | SQL string concatenation | Use parameterized queries | | 2 | High | Auth | auth/login.ts:12 | No rate limiting | Add express-rate-limit | ``` --- ## Fix Mode (--fix) When `--fix` is provided, apply fixes iteratively after the audit: 1. Sort all findings by severity (Critical → High → Medium → Low) 2. For each finding: a. Apply one targeted fix b. Run guard (tests or lint) to verify no regression c. Commit: `security(fix-N): <short description>` d. Advance to next finding 3. Stop early if guard fails — report the failure instead of proceeding 4. Uses `vc:autoresearch` guard pattern for regression prevention > Tip: Use `--iterations N` to cap total fix iterations when scope is large. --- ## Severity Definitions | Severity | Description | Fix Priority | |----------|-------------|-------------| | Critical | Exploitable now, data breach or RCE risk | Immediate — block release | | High | Exploitable with moderate effort, significant impact | This sprint | | Medium | Limited exploitability or impact | Next sprint | | Low | Theoretical risk, defense-in-depth improvement | Backlog | | Info | Best practice suggestion, no direct risk | Optional | --- ## Integration with Other Skills - Run after `vc:predict` when the security persona flags concerns - Feed Critical/High findings into `vc:autoresearch --fix` for automated remediation - Use `vc:scenario` with `--focus authorization` for deeper auth flow testing - Pair with `generate-plan` / `plan-agent` to schedule Medium/Low findings as sprint tasks --- ## Example Invocations ```bash # Audit API layer only /vc:security src/api/**/*.ts # Audit entire src/ and auto-fix, max 15 iterations /vc:security src/ --fix --iterations 15 # Full codebase audit (no fix) /vc:security full ``` --- See `references/stride-owasp-checklist.md` for the detailed per-category checklist and secret detection regex patterns.
Comprehensive code review with scout-based edge case detection. Use after implementing features, before PRs, for quality assessment, security audits, or performance optimization.
Simplifies and refines code for clarity, consistency, and maintainability while preserving all functionality. Focuses on recently modified code unless instructed otherwise.
Use this agent when you need to investigate issues, analyze system behavior, diagnose performance problems, examine database structures, collect and analyze logs from servers or CI/CD pipelines, run tests for debugging purposes, or optimize system performance. This includes troubleshooting errors, identifying bottlenecks, analyzing failed deployments, investigating test failures, and creating diagnostic reports. Examples:\n\n<example>\nContext: The user needs to investigate why an API endpoint is returning 500 errors.\nuser: "The /api/users endpoint is throwing 500 errors"\nassistant: "I''ll use the debugger agent to investigate this issue"\n<commentary>\nSince this involves investigating an issue, use the Task tool to launch the debugger agent.\n</commentary>\n</example>\n\n<example>\nContext: The user wants to analyze why the CI/CD pipeline is failing.\nuser: "The GitHub Actions workflow keeps failing on the test step"\nassistant: "Let me use the debugger agent to analyze the CI/CD pipeline logs and identify the issue"\n<commentary>\nThis requires analyzing CI/CD logs and test failures, so use the debugger agent.\n</commentary>\n</example>\n\n<example>\nContext: The user notices performance degradation in the application.\nuser: "The application response times have increased by 300% since yesterday"\nassistant: "I''ll launch the debugger agent to analyze system behavior and identify performance bottlenecks"\n<commentary>\nPerformance analysis and bottleneck identification requires the debugger agent.\n</commentary>\n</example>
EXECUTE MODE - Implementing EXACTLY what was planned. Full tool access. Can only be invoked after explicit user confirmation. Use after plan is approved.
FAST MODE - Execute compressed RIPER-5 workflow (RESEARCH + INNOVATE + PLAN) in one session, then pause for EXECUTE confirmation. Use when you want quick end-to-end solution.
Stage, commit, and push code changes with conventional commits. Use when user says "commit", "push", or finishes a feature/fix.
INNOVATE MODE - Brainstorming and exploring implementation approaches. Discusses possibilities without making decisions. Use after research is complete.
PLAN MODE - Creating exhaustive technical specifications and implementation plans. Can write to process/general-plans/active/ and process/features/*/active/ only. Use after approach is decided.