| name | security-audit |
| description | On-demand security audit checklist based on OWASP Top 10. Use when: pre-push security review, auditing new features for vulnerabilities, checking authentication/authorization flows, reviewing API security, validating input sanitization, dependency vulnerability scanning. |
Security Audit Skill
When to Use
- Before any git push (mandatory)
- After implementing authentication or authorization features
- When adding new API endpoints
- When handling user input or file uploads
- When adding new dependencies
- When the Manager flags a security review
Audit Process
Phase 1: Static Analysis
Review the code without running it.
A1. Broken Access Control
A2. Cryptographic Failures
A3. Injection
A4. Insecure Design
A5. Security Misconfiguration
A6. Vulnerable Components
A7. Authentication Failures
A8. Data Integrity Failures
A9. Logging & Monitoring
A10. SSRF
Phase 2: Dynamic Checks (if applicable)
Report Template
# Security Audit Report
**Date**: [Date]
**Scope**: [What was audited]
**Auditor**: Security Agent
## Verdict: PASS / FAIL / CONDITIONAL PASS
## Critical (Block Push)
| # | Category | Location | Finding | Impact |
|---|----------|----------|---------|--------|
| 1 | A3-Injection | file:line | [finding] | [impact] |
## High (Fix Before Next Push)
| # | Category | Location | Finding | Impact |
|---|----------|----------|---------|--------|
## Medium (Fix This Sprint)
| # | Category | Location | Finding | Impact |
|---|----------|----------|---------|--------|
## Low (Track & Fix)
| # | Category | Location | Finding | Impact |
|---|----------|----------|---------|--------|
## Passed Checks
- [x] [List all checks that passed]
## Recommendations
- [Any architectural security suggestions]