ワンクリックで
security
Run security audits, vulnerability scans, and license checks for the VAK project.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Run security audits, vulnerability scans, and license checks for the VAK project.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Instructions for building the VAK project including Rust, WASM skills, and Python bindings.
WASM skill providing basic arithmetic operations for VAK agents.
WASM skill providing cryptographic hashing operations for VAK agents.
WASM skill providing JSON validation and manipulation for VAK agents.
WASM skill providing pattern matching operations for VAK agents.
Instructions for releasing and publishing the VAK project to crates.io and PyPI.
| name | security |
| description | Run security audits, vulnerability scans, and license checks for the VAK project. |
This skill provides instructions for performing security audits on the VAK codebase.
| ID | Feature | Status | Implementation |
|---|---|---|---|
| SEC-001 | Supply Chain Hardening | ✅ Complete | .github/workflows/security.yml |
| SEC-002 | License Compliance | ✅ Complete | deny.toml, CI workflow |
| SEC-003 | Unsafe Rust Audit | ✅ Complete | #![deny(unsafe_code)] + docs |
| SEC-004 | Prompt Injection Protection | ✅ Complete | src/reasoner/prompt_injection.rs |
| SEC-005 | Rate Limiting | ✅ Complete | src/kernel/rate_limiter.rs |
cargo-audit (cargo install cargo-audit --locked)cargo-deny (cargo install cargo-deny --locked)cargo-geiger (cargo install cargo-geiger --locked)cargo-sbom (cargo install cargo-sbom)clippy (rustup component add clippy)Security checks run automatically via .github/workflows/security.yml:
To scan dependencies for known vulnerabilities:
cargo audit
With strict mode (deny warnings):
cargo audit --deny warnings
Generate JSON report:
cargo audit --json > security-audit-report.json
To check license compliance and banned crates:
cargo deny check
The project uses deny.toml with the following allowed licenses:
The project uses #![deny(unsafe_code)] by default. To audit for unsafe usage in dependencies:
cargo geiger --all-features --all-targets
Current Status:
// SAFETY: commentsTo run security-focused Clippy lints:
cargo clippy --all-targets --all-features -- \
-D clippy::unwrap_used \
-D clippy::expect_used \
-D clippy::panic \
-W clippy::cognitive_complexity \
-W clippy::too_many_arguments
To generate a Software Bill of Materials:
cargo sbom > sbom.json
The project includes built-in prompt injection detection:
use vak::reasoner::PromptInjectionDetector;
let detector = PromptInjectionDetector::new(DetectorConfig::default());
let result = detector.analyze(input_text);
match result.action {
RecommendedAction::Allow => { /* proceed */ }
RecommendedAction::Block => { /* reject input */ }
_ => { /* log and review */ }
}
Detection categories:
Per-resource rate limiting is implemented in src/kernel/rate_limiter.rs:
cargo audit --deny RUSTSEC-2023-0001
cargo deny check licenses
cargo deny check bans
#!/bin/bash
set -e
echo "Running vulnerability scan..."
cargo audit --deny warnings
echo "Running license check..."
cargo deny check
echo "Running unsafe audit..."
cargo geiger --all-features || true
echo "Running security lints..."
cargo clippy --all-targets --all-features -- -D warnings
echo "All security checks passed!"
unsafe blocks must have a // SAFETY: comment explaining why it is safe.unwrap(), expect(), or panic!(). Use Result instead..github/workflows/security.yml - CI security workflowdeny.toml - cargo-deny configurationsrc/reasoner/prompt_injection.rs - Prompt injection detectorsrc/kernel/rate_limiter.rs - Rate limiting implementationsrc/policy/enforcer.rs - Policy enforcement with fail-closed