원클릭으로
security
Run security audits, vulnerability scans, and license checks for the VAK project.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Run security audits, vulnerability scans, and license checks for the VAK project.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Instructions for building the VAK project including Rust, WASM skills, and Python bindings.
WASM skill providing basic arithmetic operations for VAK agents.
WASM skill providing cryptographic hashing operations for VAK agents.
WASM skill providing JSON validation and manipulation for VAK agents.
WASM skill providing pattern matching operations for VAK agents.
Instructions for releasing and publishing the VAK project to crates.io and PyPI.
| name | security |
| description | Run security audits, vulnerability scans, and license checks for the VAK project. |
This skill provides instructions for performing security audits on the VAK codebase.
| ID | Feature | Status | Implementation |
|---|---|---|---|
| SEC-001 | Supply Chain Hardening | ✅ Complete | .github/workflows/security.yml |
| SEC-002 | License Compliance | ✅ Complete | deny.toml, CI workflow |
| SEC-003 | Unsafe Rust Audit | ✅ Complete | #![deny(unsafe_code)] + docs |
| SEC-004 | Prompt Injection Protection | ✅ Complete | src/reasoner/prompt_injection.rs |
| SEC-005 | Rate Limiting | ✅ Complete | src/kernel/rate_limiter.rs |
cargo-audit (cargo install cargo-audit --locked)cargo-deny (cargo install cargo-deny --locked)cargo-geiger (cargo install cargo-geiger --locked)cargo-sbom (cargo install cargo-sbom)clippy (rustup component add clippy)Security checks run automatically via .github/workflows/security.yml:
To scan dependencies for known vulnerabilities:
cargo audit
With strict mode (deny warnings):
cargo audit --deny warnings
Generate JSON report:
cargo audit --json > security-audit-report.json
To check license compliance and banned crates:
cargo deny check
The project uses deny.toml with the following allowed licenses:
The project uses #![deny(unsafe_code)] by default. To audit for unsafe usage in dependencies:
cargo geiger --all-features --all-targets
Current Status:
// SAFETY: commentsTo run security-focused Clippy lints:
cargo clippy --all-targets --all-features -- \
-D clippy::unwrap_used \
-D clippy::expect_used \
-D clippy::panic \
-W clippy::cognitive_complexity \
-W clippy::too_many_arguments
To generate a Software Bill of Materials:
cargo sbom > sbom.json
The project includes built-in prompt injection detection:
use vak::reasoner::PromptInjectionDetector;
let detector = PromptInjectionDetector::new(DetectorConfig::default());
let result = detector.analyze(input_text);
match result.action {
RecommendedAction::Allow => { /* proceed */ }
RecommendedAction::Block => { /* reject input */ }
_ => { /* log and review */ }
}
Detection categories:
Per-resource rate limiting is implemented in src/kernel/rate_limiter.rs:
cargo audit --deny RUSTSEC-2023-0001
cargo deny check licenses
cargo deny check bans
#!/bin/bash
set -e
echo "Running vulnerability scan..."
cargo audit --deny warnings
echo "Running license check..."
cargo deny check
echo "Running unsafe audit..."
cargo geiger --all-features || true
echo "Running security lints..."
cargo clippy --all-targets --all-features -- -D warnings
echo "All security checks passed!"
unsafe blocks must have a // SAFETY: comment explaining why it is safe.unwrap(), expect(), or panic!(). Use Result instead..github/workflows/security.yml - CI security workflowdeny.toml - cargo-deny configurationsrc/reasoner/prompt_injection.rs - Prompt injection detectorsrc/kernel/rate_limiter.rs - Rate limiting implementationsrc/policy/enforcer.rs - Policy enforcement with fail-closed