ワンクリックで
arc-security
Local SAST/SCA/secrets/DAST automation with data-value re-ranking and Arc handoffs.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Local SAST/SCA/secrets/DAST automation with data-value re-ranking and Arc handoffs.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
| name | arc:security |
| description | Local SAST/SCA/secrets/DAST automation with data-value re-ranking and Arc handoffs. |
arc:security runs local-first security automation for application repositories. It installs and orchestrates CLI scanners, produces human-readable reports, re-ranks findings by obtainable data impact, and routes remediation or durable project records through existing Arc skills.
Read:
references/security-tooling.md for tool choice and scanner limitsreferences/data-value-ranking.md for re-ranking beyond CVSS../arc:audit/references/appsec-playbook.md for recon-first methodology shared with arc:auditdocs/arc-routing-matrix.md.arc:clarify first if target environment, scan scope, authorization, or destructive-test boundaries are unclear.arc:audit with mode appsec when the user wants methodology-first read-only security review (asset table, data map, finding cards) without running active scanners—or before scanning when inventory is missing.arc:task-doc-progress-conventions as R-task after multi-finding scan results: merge re-ranked list into the Handoff Package (项目定位/口径/角色/findings) so subtasks stay detailed; do not jump from raw SARIF to code.arc:build when the task is to add security tooling, scripts, checks, or project configuration—or when implementing a planned security subtask.arc:fix when a concrete vulnerability, failing scanner result, or exploit path must be repaired under an existing subtask or as a single small fix.arc:frontend for frontend-specific XSS, CSP, auth UI, route guard, token handling, or browser verification work.arc:docs only when Lark is active for security reports, risk rows, remediation tasks, approval gates, artifacts, or .lark.json.lifecycle[]..ai-code-index/search.sh first for broad repository context when available..ai-code-index/struct-search.sh for risky code shapes such as raw SQL, shell execution, file upload, SSRF fetches, JWT parsing, or auth bypasses..lark.json exists, MUST read it before security handoff and route durable reports through arc:docs.Begin by stating clearly:
"I am using arc:security to run local-first security automation and produce readable evidence-backed reports."
NO SECURITY CLAIM WITHOUT EVIDENCE.
NO MULTI-FINDING REMEDIATION PLAN WITHOUT CURRENT LOCAL TASK DOCS.
NO ACTIVE DAST AGAINST A TARGET WITHOUT AUTHORIZATION.
NO CLOUD SCAN OR PAID SERVICE WITHOUT USER CONFIRMATION.
NO LARK SECURITY UPDATE OUTSIDE arc:docs.
NO FINAL SEVERITY FROM SCANNER SCORE ALONE—RE-RANK BY DATA YIELD AND REACHABILITY.
references/data-value-ranking.md before remediation planning.arc:task-doc-progress-conventions before generating multi-finding remediation plans or code-changing security work; task docs must be generated from the latest project state and updated immediately when findings, reachability, affected files, scope, assumptions, or status change.arc:docs..lark.json is absent and the user did not explicitly trigger or confirm Lark.go.mod, package.json, lockfiles, Dockerfile, and OpenAPI files.arc:audit mode appsec Phase 1–2, then return.scripts/install-security-tools.sh when requested or necessary.scripts/security-scan.py with the project path and optional --target-url / --openapi arguments. Prefer quick before full on large trees.security-report.md, security-report.html, security-summary.json, and raw tool outputs under .arc/security/<timestamp>/.references/security-tooling.md (AuthZ, payment, upload, SSRF, ops secrets).R-scan, attach re-ranked output to the Handoff Package (or create a minimal package with 定位/口径 stubs marked 待确认), then run arc:task-doc-progress-conventions as R-task before code changes. Follow ../arc:task-doc-progress-conventions/references/security-audit-task-pipeline.md.arc:fix or arc:build; route methodology-only expansion to arc:audit; optional post-fix re-scan stays in this skill with narrow path scope; route active Lark project records to arc:docs.arc:task-doc-progress-conventions..lark.json is active or the user explicitly asks for remote publication.SAST for source scanning, SCA for dependency and container risk, DAST for running services, and OpenAPI Fuzz for API robustness.SBOM, SARIF, CWE, CVSS, and OWASP Top 10 metadata when tools provide it.OWASP ASVS thinking for authn, AuthZ, session, API, file upload, and business-logic checks.Install local CLI tools:
Arc/arc:security/scripts/install-security-tools.sh --core
Run a local repository scan:
Arc/arc:security/scripts/security-scan.py /path/to/project --install-missing
Run full app scanning against an authorized local target:
Arc/arc:security/scripts/security-scan.py /path/to/project \
--target-url http://localhost:8080 \
--openapi /path/to/project/openapi.yaml \
--mode full \
--install-missing
The scan script writes reports to .arc/security/<timestamp>/ by default:
security-report.mdsecurity-report.htmlsecurity-summary.jsonraw/ scanner outputslogs/ command stdout/stderrtask_base or risk records are stale.arc:audit (mode appsec) for read-only methodology and data-map first review; use arc:fix for confirmed vulnerabilities; use arc:docs only when Lark is active.| parameter | type | required | description |
|---|---|---|---|
project_path | string | yes | Target repository root |
target_url | string | no | Authorized running app URL for DAST tools |
openapi | string | no | OpenAPI file or URL for API fuzzing |
mode | enum | no | quick for local repository checks, full for local checks plus API/DAST |
install_missing | boolean | no | Whether to install missing local CLI tools before scanning |
output_dir | string | no | Directory for reports and raw artifacts |
prior_assets | string | no | Optional path to appsec asset/data-map notes from arc:audit |
Security Handoff
- Report paths
- Tool coverage and skipped checks
- Severity summary (tool) + re-ranked priority (data yield)
- Confirmed findings and evidence
- Manual authz/business-logic gaps
- Recommended next role: R-task (task docs) / R-fix / R-verify / arc:audit expansion
- Handoff Package fields for task skill when multi-finding: 项目定位, 项目口径, 功能角色, re-ranked findings
- Lark / .lark.json / task_base handoff, if applicable
Use .ai-code-index for local search, symbols, profiles, files, stats, refresh, and diagnostics.
Read-only project/AppSec audit: assets, data map, vuln review; Lark risks via arc:docs.
Current-state task docs; security/audit handoff to detailed subtasks with roles and caliber.
Apply backend architecture, DIP, usecase result boundaries, zap logging, Go constants, and helper limits.
Add low-cost fmt/time or log.Printf timing probes to Go Gin SSR request paths.
Apply Chinese comment conventions; avoid noisy parameter/return boilerplate on obvious usecase contracts.