| name | sc-orchestrator |
| description | Master orchestration skill that coordinates the entire 4-phase security scanning pipeline |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Security Check Orchestrator
Purpose
The orchestrator is the central coordination skill for the security-check pipeline. It manages the execution of all scanning phases, dispatches vulnerability detection skills, tracks progress, aggregates results, and ensures the pipeline runs to completion even when individual skills encounter errors.
Activation
This skill activates when the user issues any of the following commands:
- "run security check"
- "scan for vulnerabilities"
- "security audit"
- "full security scan"
For diff/incremental mode, see sc-diff-report.
Pre-Check (Phase 0)
Before starting a scan:
- Check if
security-report/ directory exists
- If it exists, prompt the user:
- Rescan all: Delete existing reports and run full scan
- Scan changed files only: Use diff mode (delegates to
sc-diff-report)
- If it does not exist, create
security-report/ directory
- Log scan start time
Phase 1: Reconnaissance
Execute these skills sequentially:
1a. Architecture Mapping (sc-recon)
- Invoke the
sc-recon skill
- Output:
security-report/architecture.md
- Extract from output:
detected_languages: list of programming languages found
detected_frameworks: list of frameworks found
application_type: web app, API, CLI, library, etc.
entry_points: HTTP routes, CLI commands, etc.
1b. Dependency Audit (sc-dependency-audit)
- Invoke the
sc-dependency-audit skill
- Output:
security-report/dependency-audit.md
- Extract: known CVEs, risky dependencies, supply chain concerns
Phase 2: Vulnerability Hunting
Based on detected_languages from Phase 1, activate the appropriate skills.
Language-Specific Skills (activate based on detection)
| Detected Language | Skill to Activate |
|---|
| Go | sc-lang-go |
| TypeScript, JavaScript | sc-lang-typescript |
| Python | sc-lang-python |
| PHP | sc-lang-php |
| Rust | sc-lang-rust |
| Java, Kotlin | sc-lang-java |
| C#, F#, VB.NET | sc-lang-csharp |
Universal Vulnerability Skills (always activate)
Launch ALL of the following skills as parallel subagents. Each skill runs independently and writes its results to security-report/{skill-name}-results.md.
Injection Attacks:
- sc-sqli — SQL Injection
- sc-nosqli — NoSQL Injection
- sc-graphql — GraphQL Injection & Abuse
- sc-xss — Cross-Site Scripting
- sc-ssti — Server-Side Template Injection
- sc-xxe — XML External Entity
- sc-ldap — LDAP Injection
- sc-cmdi — Command Injection
- sc-header-injection — HTTP Header Injection
Code Execution:
- sc-rce — Remote Code Execution
- sc-deserialization — Insecure Deserialization
Access Control:
- sc-auth — Authentication Flaws
- sc-authz — Authorization Flaws (IDOR)
- sc-privilege-escalation — Privilege Escalation
- sc-session — Session Management Flaws
Data Exposure:
- sc-secrets — Hardcoded Secrets & Credentials
- sc-data-exposure — Sensitive Data Exposure
- sc-crypto — Cryptography Misuse
Server-Side:
- sc-ssrf — Server-Side Request Forgery
- sc-path-traversal — Path Traversal & LFI/RFI
- sc-file-upload — Insecure File Upload
- sc-open-redirect — Open Redirect
Client-Side:
- sc-csrf — Cross-Site Request Forgery
- sc-cors — CORS Misconfiguration
- sc-clickjacking — Clickjacking
- sc-websocket — WebSocket Security
Logic & Design:
- sc-business-logic — Business Logic Flaws
- sc-race-condition — Race Conditions / TOCTOU
- sc-mass-assignment — Mass Assignment
API Security:
- sc-api-security — REST/GraphQL/gRPC Security
- sc-rate-limiting — Rate Limiting & DoS Vectors
- sc-jwt — JWT Implementation Flaws
Infrastructure (activate if relevant files detected):
- sc-iac — IaC Security (if Terraform/K8s manifests found)
- sc-docker — Docker Security (if Dockerfile/docker-compose found)
- sc-ci-cd — CI/CD Security (if .github/workflows or .gitlab-ci.yml found)
Subagent Execution Rules
- Each subagent runs two internal phases: Discovery then Verification
- Each subagent writes results to
security-report/{skill-name}-results.md
- If a skill finds no issues, it writes a short file:
"No issues found by {skill-name}."
- If a skill encounters an error, log the error and continue with remaining skills
- Maximum parallel subagents: limited by the host AI assistant's capability
- Track completion: mark each skill as done when its result file is written
Phase 3: Verification
After all Phase 2 skills complete:
- Invoke the
sc-verifier skill
- Input: all
security-report/*-results.md files
- The verifier performs:
- Reachability analysis
- Sanitization verification
- Framework protection check
- Context analysis (test code, dead code, examples)
- Duplicate detection and merging
- Confidence scoring (0-100 per finding)
- Output:
security-report/verified-findings.md
Phase 4: Reporting
After verification completes:
- Invoke the
sc-report skill
- Input:
security-report/verified-findings.md
- The report generator produces:
- Executive summary with risk score
- Scan statistics
- Findings grouped by severity (Critical → High → Medium → Low → Info)
- CVSS v3.1-style severity for each finding
- Remediation roadmap (4 phases)
- Output:
security-report/SECURITY-REPORT.md
Error Handling
- If
sc-recon fails: abort scan, report error to user
- If
sc-dependency-audit fails: continue without dependency data, note in report
- If any Phase 2 skill fails: log error, continue with remaining skills
- If
sc-verifier fails: skip verification, use raw findings in report (note: unverified)
- If
sc-report fails: output raw verified-findings.md as the report
Progress Reporting
During execution, report progress to the user at these milestones:
- "Phase 1: Reconnaissance started..."
- "Phase 1: Complete. Detected {N} languages, {M} entry points."
- "Phase 2: Launching {N} vulnerability skills..."
- "Phase 2: {completed}/{total} skills finished. {findings} potential findings so far."
- "Phase 3: Verifying {N} findings..."
- "Phase 3: Complete. {N} verified findings ({M} false positives eliminated)."
- "Phase 4: Generating final report..."
- "Scan complete. Report: security-report/SECURITY-REPORT.md"
Output Structure
security-report/
├── architecture.md # Phase 1: Codebase architecture map
├── dependency-audit.md # Phase 1: Dependency analysis
├── sc-sqli-results.md # Phase 2: Per-skill results
├── sc-xss-results.md # ...
├── sc-rce-results.md # ...
├── ... # (one file per skill)
├── verified-findings.md # Phase 3: Verified findings
└── SECURITY-REPORT.md # Phase 4: Final report