# scan
| name | scan |
| description | Run security scans against the codebase. |
Run security scans against the codebase.
```text
/security-scan [target] [--deps] [--code] [--secrets] [--all]
```

- `target`: Specific file or directory (default: entire project)
- `--deps`: Scan dependencies only
- `--code`: Scan code only
- `--secrets`: Scan for secrets only
- `--all`: Run all scans (default)

When this skill is invoked:
Autonomy:
Thoroughness:
Read `.claude/rules/security*.md` for the project's security standards, and `prd/00_technology.md` for the security tools in use.
Run the dependency scan:

```bash
# Tool depends on your stack (see prd/00_technology.md)
{dependency_scan_command}
```

Run static code analysis:

```bash
{security_scan_command} src/
```

Run secrets and PII detection (gitleaks). Note that gitleaks' default ruleset targets credentials only; PII patterns such as SSNs and card numbers come from the custom rules in `.gitleaks.toml`. Also note that `gitleaks detect` scans commit history, so a secret that was committed and later deleted still shows up until it is rotated and purged from history.

```bash
# Full repo scan
scripts/scan-secrets.sh --all
# Or directly:
gitleaks detect --config .gitleaks.toml --verbose
```
Categorize findings by severity (Critical, High, Medium, Low, Info).

Generate the report using this template:
## Security Scan Report
**Scan Date:** {date}
**Overall Score:** {score}/100
---
### Summary
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 1 |
| Medium | 2 |
| Low | 3 |
| Info | 5 |
---
### Dependency Vulnerabilities
#### High Severity
1. **CVE-2024-XXXX** in `package@1.2.3`
- Impact: Remote code execution
- Fix: Upgrade to 1.2.4+
- File: package.json:15
---
### Code Security Issues
#### Medium Severity
1. **SQL Injection Risk** (`src/{project}/db/queries:45`)
   - Pattern: `query = f"SELECT * FROM users WHERE id = {user_id}"`
   - Fix: `query = "SELECT * FROM users WHERE id = ?"` (bind `user_id` as a query parameter)
---
### Secrets Detected
#### High Severity
1. **Potential API Key** (`src/{project}/config:23`)
   - Pattern: `API_KEY = "sk-..."`
   - Fix: Move to environment variable and rotate the key; once committed it is in git history and must be treated as exposed
---
### PII Detected
#### High Severity
1. **US Social Security Number** (`src/{project}/utils:78`)
- Pattern: `ssn = "123-45-6789"`
- Fix: Remove hardcoded PII, use encrypted storage
2. **Credit Card Number** (`src/{project}/payments:34`)
- Pattern: `card = "4111-1111-1111-1111"`
- Fix: Use tokenized payment processing
---
### Recommendations
1. **Immediate**: Upgrade {package} to fix CVE-XXXX
2. **High Priority**: Move hardcoded secrets to .env
3. **Medium Priority**: Fix SQL injection in queries
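As an added worked example (not the skill's own code), the post-processing that the last two steps describe: parse a gitleaks JSON report, drop card-number hits that fail the Luhn check, count findings per severity, compute the 0-100 score and render the summary and recommendations sections of the template. The severity weights are an assumption, chosen so that the sample run on this page (1 High, 2 Medium) scores 78; the gitleaks report is a constructed sample using gitleaks v8 JSON field names, the `credit-card` and `us-ssn` rule ids stand for custom PII rules in `.gitleaks.toml`, and the dependency and code findings are constructed to match the sample run.

```python
"""Added example, not the skill's own code: post-process scan output into the
report's severity table and 0-100 score.

Assumptions: the severity weights (the page gives no formula; these reproduce
the 78/100 of the sample run for 1 High + 2 Medium); the gitleaks report is a
constructed sample using gitleaks v8 JSON field names; the `credit-card` and
`us-ssn` rule ids stand for custom PII rules in .gitleaks.toml.
"""
import json
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
WEIGHTS = {"Critical": 25, "High": 10, "Medium": 6, "Low": 2, "Info": 0}  # assumed

# Severity per gitleaks rule id; anything unknown is treated as High (assumed policy).
RULE_SEVERITY = {"generic-api-key": "High", "us-ssn": "High", "credit-card": "High"}

# Constructed gitleaks JSON report (not a real scan). The third hit matches the
# card regex but is not a valid PAN, which is the false positive Luhn filters out.
GITLEAKS_JSON = json.dumps([
    {"RuleID": "generic-api-key", "Description": "Generic API Key",
     "File": "src/app/config.py", "StartLine": 23, "Secret": "sk-live-0000000000000000"},
    {"RuleID": "credit-card", "Description": "Credit card number",
     "File": "src/app/payments.py", "StartLine": 34, "Secret": "4111-1111-1111-1111"},
    {"RuleID": "credit-card", "Description": "Credit card number",
     "File": "src/app/fixtures.py", "StartLine": 9, "Secret": "1234-5678-9012-3456"},
])


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`, ignoring separators."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def load_gitleaks(report_json: str) -> list[dict]:
    """Turn a gitleaks JSON report into findings, dropping card hits that fail Luhn."""
    findings = []
    for hit in json.loads(report_json):
        if hit["RuleID"] == "credit-card" and not luhn_ok(hit["Secret"]):
            continue
        findings.append({
            "source": "secrets",
            "severity": RULE_SEVERITY.get(hit["RuleID"], "High"),
            "title": hit["Description"],
            "location": f"{hit['File']}:{hit['StartLine']}",
        })
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count of findings per severity, in the table's order."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def score(findings: list[dict]) -> int:
    """100 minus the weighted finding count, floored at 0."""
    return max(0, 100 - sum(WEIGHTS[f["severity"]] for f in findings))


def render(findings: list[dict]) -> str:
    """The summary and recommendations sections of the report template."""
    counts = summarize(findings)
    lines = [f"**Overall Score:** {score(findings)}/100", "", "### Summary", "",
             "| Severity | Count |", "|----------|-------|"]
    lines += [f"| {s} | {counts[s]} |" for s in SEVERITIES]
    lines += ["", "### Recommendations"]
    by_severity = sorted(findings, key=lambda f: SEVERITIES.index(f["severity"]))
    lines += [f"{n}. **{f['severity']}**: {f['title']} (`{f['location']}`)"
              for n, f in enumerate(by_severity, 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Dependency and code findings, constructed to match the sample run on this page.
    other = [
        {"source": "deps", "severity": "High", "title": "CVE-2024-1234 in requests@2.25.0",
         "location": "requirements.txt:1"},
        {"source": "deps", "severity": "Medium", "title": "CVE-2024-5678 in yaml@5.3.0",
         "location": "requirements.txt:2"},
        {"source": "code", "severity": "Medium", "title": "Potential SQL injection",
         "location": "src/db/queries:45"},
    ]
    print(render(other + load_gitleaks(GITLEAKS_JSON)))
```

The Luhn filter is the part worth copying: a bare card-number regex in `.gitleaks.toml` fires on any 16-digit group (build numbers, fixture ids), and gitleaks itself cannot validate checksums, so the filter belongs in the step that consumes its report.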
From .claude/rules-available/security-owasp.md:
| Category | Check |
|---|---|
| A01 - Broken Access Control | Auth on all protected routes |
| A02 - Cryptographic Failures | Modern algorithms, no hardcoded secrets |
| A03 - Injection | Parameterized queries, input validation |
| A04 - Insecure Design | Security headers, rate limiting |
| A05 - Security Misconfiguration | No debug in prod, secure defaults |
| A06 - Vulnerable Components | Up-to-date dependencies |
| A07 - Auth Failures | Strong passwords, MFA, session management |
| A08 - Integrity Failures | Safe deserialization, signed packages |
| A09 - Logging Failures | Security event logging |
| A10 - SSRF | URL validation, IP filtering |
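As an added worked example (not the skill's or the rule file's own code), the A03 check from the table above, run end to end: the f-string query flagged in the sample report next to its parameterized replacement, both fed the same hostile input against an in-memory SQLite database, plus a crude static check for the same pattern of the kind the code-analysis step would flag. The table, rows and source snippet are constructed for the demo.

```python
"""Added example, not the skill's own code: the A03 (Injection) check from the
OWASP table, run against an in-memory SQLite database. It pairs the f-string
query flagged in the sample report with its parameterised replacement, feeds
both the same hostile input, and adds a crude static check for the pattern.
Table, rows and the source snippet are constructed for the demo.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    # The flagged pattern: untrusted text becomes part of the SQL itself.
    query = f"SELECT id, name FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    # The fix: a placeholder. The value is bound separately and can never change
    # the statement's structure, whatever it contains.
    query = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


# Static side of the same check: an f-string that both contains a SQL verb and
# interpolates a value. Deliberately crude; the real scan step uses a proper tool.
FSTRING_SQL = re.compile(
    r"""f["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*\{""", re.IGNORECASE)

# Constructed source snippet mirroring the report's before/after lines.
SAMPLE_SOURCE = '''def get(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    safe = "SELECT * FROM users WHERE id = ?"
    return query, safe
'''


def flag_fstring_sql(source: str, path: str = "<src>") -> list[str]:
    """Return `path:line` for each line that matches the f-string SQL pattern."""
    return [f"{path}:{n}" for n, line in enumerate(source.splitlines(), 1)
            if FSTRING_SQL.search(line)]


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row leaks
    print("fixed:", lookup_fixed(conn, payload))              # nothing matches
    print("fixed, legitimate id:", lookup_fixed(conn, "2"))   # [(2, 'bob')]
    print("static check:", flag_fstring_sql(SAMPLE_SOURCE, "src/db/queries.py"))
```

The bound version returns no rows for the payload because the whole string `1 OR 1=1` is compared against the integer column as a value, not parsed as SQL; the legitimate id still matches because SQLite applies the column's numeric affinity to the bound text before comparing.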
```text
$ /scan
🔒 Running security scans...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📦 Dependency Scan
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Found 2 vulnerabilities:
🔴 High: CVE-2024-1234 in requests@2.25.0
🟡 Medium: CVE-2024-5678 in yaml@5.3.0
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔍 Code Analysis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Found 1 issue:
🟡 Medium: Potential SQL injection (src/db/queries:45)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔑 Secrets & PII Detection (gitleaks)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ No secrets or PII detected
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Security Score: 78/100
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Recommendations:
1. Upgrade requests to 2.28.0+
2. Upgrade yaml to 6.0.0+
3. Fix SQL injection in src/db/queries:45
```