security-audit
OWASP Top 10 and STRIDE security auditing with supply chain analysis. Triggers on "security audit", "security scan", "cso".
| Field | Value |
|---|---|
| name | security-audit |
| description | OWASP Top 10 and STRIDE security auditing with supply chain analysis. Triggers on "security audit", "security scan", "cso". |
| allowed-tools | Read, Write, Bash, Glob, Grep |
4-phase security audit covering supply chain risks, OWASP Top 10 code review, STRIDE threat modeling, and trend-tracked reporting. Produces structured JSON findings in .workflow/.security/.
```
+-------------------------------------------------------------------+
| Phase 1: Supply Chain Scan                                        |
|  -> Dependency audit, secrets detection, CI/CD review, LLM risks  |
|  -> Output: supply-chain-report.json                              |
+-----------------------------------+-------------------------------+
                                    |
+-----------------------------------v-------------------------------+
| Phase 2: OWASP Review                                             |
|  -> OWASP Top 10 2021 code-level analysis via ccw cli             |
|  -> Output: owasp-findings.json                                   |
+-----------------------------------+-------------------------------+
                                    |
+-----------------------------------v-------------------------------+
| Phase 3: Threat Modeling (STRIDE)                                 |
|  -> 6 threat categories mapped to architecture components         |
|  -> Output: threat-model.json                                     |
+-----------------------------------+-------------------------------+
                                    |
+-----------------------------------v-------------------------------+
| Phase 4: Report & Tracking                                        |
|  -> Score calculation, trend comparison, dated report             |
|  -> Output: .workflow/.security/audit-report-{date}.json          |
+-------------------------------------------------------------------+
```
| Mode | Scope | Gate |
|---|---|---|
| Quick scan | Run Phase 1 only | Must score >= 8/10 to pass |
| Comprehensive | Run all 4 phases sequentially | Initial baseline minimum 2/10 |

Working directory: `.workflow/.security/`

Analysis command (invoked via ccw cli): `ccw cli --tool gemini --mode analysis --rule analysis-assess-security-risks`

See specs/scoring-gates.md for the full specification. Severity weights used in scoring:
| Severity | Weight | Example |
|---|---|---|
| Critical | 10 | RCE, SQL injection, leaked credentials |
| High | 7 | Broken auth, SSRF, privilege escalation |
| Medium | 4 | XSS, CSRF, verbose error messages |
| Low | 1 | Missing headers, informational disclosures |
Gates: Daily quick-scan >= 8/10, Comprehensive initial >= 2/10.
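As an added example (not the skill's own code), the following Python sketch carries out the Phase 4 step over the phase output files named on this page: it weights findings with the severity table, applies the gate for the chosen mode, compares against the most recent dated report for the trend, and writes `audit-report-{date}.json`. The findings JSON shape and the score formula itself are assumptions, since the page defers the formula to specs/scoring-gates.md; the sample findings in `demo()` are constructed.

```python
import json
import tempfile
from datetime import date
from pathlib import Path

WEIGHTS = {"Critical": 10, "High": 7, "Medium": 4, "Low": 1}   # severity table on this page
GATES = {"quick": 8, "comprehensive": 2}                      # gate thresholds on this page
PHASE_FILES = ["supply-chain-report.json", "owasp-findings.json", "threat-model.json"]

def score_findings(findings):
    """Assumed formula (the page defers it to specs/scoring-gates.md): 10 minus summed weights, floored at 0."""
    return max(0, 10 - sum(WEIGHTS.get(f.get("severity"), 1) for f in findings))

def load_findings(work_dir, files):
    """Assumed phase-output shape: {"findings": [{"severity": "...", "title": "..."}]}; missing files are skipped."""
    findings = []
    for name in files:
        path = Path(work_dir) / name
        if path.exists():
            findings.extend(json.loads(path.read_text()).get("findings", []))
    return findings

def previous_score(work_dir):
    """Trend input: the score recorded in the most recent dated audit-report-*.json, or None."""
    reports = sorted(Path(work_dir).glob("audit-report-*.json"))
    return json.loads(reports[-1].read_text())["score"] if reports else None

def build_report(work_dir, mode="comprehensive", today=None):
    """Phase 4: score the phase outputs, apply the mode's gate, record the trend, write the dated report."""
    today = today or date.today().isoformat()
    findings = load_findings(work_dir, PHASE_FILES[:1] if mode == "quick" else PHASE_FILES)
    score, prev = score_findings(findings), previous_score(work_dir)
    report = {"date": today, "mode": mode, "score": score, "gate": GATES[mode],
              "passed": score >= GATES[mode], "trend": None if prev is None else score - prev,
              "counts": {s: sum(f.get("severity") == s for f in findings) for s in WEIGHTS}}
    Path(work_dir, f"audit-report-{today}.json").write_text(json.dumps(report, indent=2))
    return report

def demo():
    """Constructed sample run in a temp dir: a quick scan, then a comprehensive run the next day."""
    work = tempfile.mkdtemp()
    Path(work, "supply-chain-report.json").write_text(json.dumps(
        {"findings": [{"severity": "Low", "title": "constructed: outdated dev dependency"}]}))
    Path(work, "owasp-findings.json").write_text(json.dumps(
        {"findings": [{"severity": "Medium", "title": "constructed: reflected XSS in search"}]}))
    return build_report(work, "quick", "2024-01-01"), build_report(work, "comprehensive", "2024-01-02")
```

In the constructed run the quick scan sees only the Low finding and scores 9 (passes the 8/10 gate); the next day's comprehensive run adds the Medium finding, scores 5, passes the 2/10 baseline and records a trend of -4 against the previous report.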
```bash
mkdir -p .workflow/.security
WORK_DIR=".workflow/.security"
```

```
.workflow/.security/
  audit-report-{YYYY-MM-DD}.json   # Dated audit report
  supply-chain-report.json         # Latest supply chain scan
  owasp-findings.json              # Latest OWASP findings
  threat-model.json                # Latest STRIDE threat model
```
| Document | Purpose |
|---|---|
| phases/01-supply-chain-scan.md | Dependency, secrets, CI/CD, LLM risk scan |
| phases/02-owasp-review.md | OWASP Top 10 2021 code review |
| phases/03-threat-modeling.md | STRIDE threat modeling |
| phases/04-report-tracking.md | Report generation and trend tracking |
| specs/scoring-gates.md | Scoring system and quality gates |
| specs/owasp-checklist.md | OWASP Top 10 detection patterns |
This skill follows the Completion Status Protocol defined in _shared/SKILL-DESIGN-SPEC.md sections 13-14.
Possible termination statuses:
Escalation follows the Three-Strike Rule (section 14) per step.