一键导入
arib-check-security
Check | Application security audit — OWASP Top 10 + supply chain
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Check | Application security audit — OWASP Top 10 + supply chain
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | arib-check-security |
| argument-hint | [<path-or-glob>] |
| description | Check | Application security audit — OWASP Top 10 + supply chain |
Application-security audit. Combines two concerns the proposal originally
split across arib-check-deps (supply chain) and the security-auditor
agent (code patterns):
This is section 1 of /arib-deep-audit. It also runs standalone for
spot checks before merging security-sensitive code.
/arib-deep-audit./arib-check-security # whole codebase
/arib-check-security src/auth/ # subdir
/arib-check-security src/api/users.ts # single file
Call Task(security-auditor) with the target path. The agent reads
compliance/frameworks/owasp.md and applies every code-checkable rule
across A01–A10.
Why dispatch instead of running inline? The security-auditor agent
has scoped context for OWASP patterns and produces a structured report
faster. Per architecture/AGENT_ARCHITECTURE.md, this is parallel-safe
with other read-only agents (e.g., performance, accessibility,
reality-auditor).
Expected agent output: a finding list per OWASP item, with file:line citations and severity (BLOCK / WARN / INFO).
/arib-check-deps
Returns the supply-chain audit: outdated packages with CVEs, license issues, transitive vulnerabilities. Both can run concurrently in a single Task batch.
Look at io/hook-logs/ for any recent BLOCKs from the secret-detection
or OWASP A03 hooks. Recent blocks indicate the model has been trying to
write things that the hook stopped — sometimes a false positive, often
a real attempt-to-skirt that should surface in the security report.
Combine the three sources (security-auditor output + arib-check-deps output + hook-log signals) into a unified report:
# Security Audit — <target> — <date>
## Summary
- OWASP findings: N (BLOCK: x, WARN: y)
- Supply-chain findings: N (BLOCK: x, WARN: y)
- Hook signals (24h): N (informational)
## OWASP Top 10
### A01 — Broken Access Control
(... findings with file:line and severity ...)
### A02 — Cryptographic Failures
(...)
## Supply chain
(... arib-check-deps output ...)
## Hook signals
(... summarized recent BLOCK events ...)
| Severity | Trigger |
|---|---|
| BLOCK | Any OWASP finding marked BLOCK in compliance/frameworks/owasp.md (e.g., string-concat SQL with user input, eval() on user input, hardcoded credential, MD5 for passwords, missing auth on private route, critical CVE in a dependency). |
| WARN | Missing rate limit on login, CORS * on authenticated API, low-severity CVE, dependency more than 2 majors behind, license question. |
| PASS | All clean. |
The skill writes a report at io/ledger/security-<date>-<short-hash>.md
with the format above. When called as section 1 of /arib-deep-audit,
the deep-audit skill folds this report into the unified audit ledger and
contributes the security verdict to the overall PASS/WARN/BLOCK roll-up.
security-auditor agent times out: report partial findings; mark
the section as INCONCLUSIVE; do not return PASS.compliance/frameworks/owasp.md missing: abort with a clear
error. Do not invent OWASP rules..claude/agents/security-auditor.md — does the heavy lifting on
code-pattern detection..claude/skills/arib-check-deps/SKILL.md — supply-chain audit.compliance/frameworks/owasp.md — the rule list this skill enforces.compliance/frameworks/iso27001.md, soc2.md, gdpr.md — overlapping
controls; this skill produces evidence for those frameworks too..claude/skills/arib-deep-audit/SKILL.md — the wave-end gate that
calls this skill as section 1..claude/hooks/pre-tool-use.sh — write-time OWASP A03 enforcement
(eval, new Function, exec template literal)..claude/hooks/pre-commit.sh — commit-time PII-in-log-line
enforcement.Memory | Code-graph subsystem — a native lightweight IMPORT graph (which file imports which, god-node candidates) built with ripgrep/grep, so a large monorepo can be navigated by structure instead of re-grepping every session. build/refresh/query. Honest scope: structural import graph, NOT semantic (no call-graph/type resolution); no Graphify dependency. Loads ON DEMAND only (zero always-on tokens). ADR-034.
Dev | Over-engineering review — reads a diff/module and returns a delete-list of bloat (single-use abstractions, premature generalization, speculative config, dead options) WITHOUT stripping legitimate structure. Advisory: returns recommendations, never auto-deletes. The on-demand companion to the ponytail-lite tripwire hook. Authored natively (no Ponytail dependency). ADR-033.
Wave | Pre-wave requirement lock — Act 1 derives the requirements from the codebase + memory (an honest grill, not guesswork), Act 2 hands the locked plan to an independent model (Codex) to tear apart until sign-off. Produces waves/<id>/PLAN.md + PLAN-REVIEW-LOG.md. Auto-chained idempotently from /arib-wave-start. If Act 2 can't run (no Codex), the wave proceeds but HOLDS MERGE for a human. Absorbs grill-me-codex (ADR-032).
Wave | Start a multi-session delivery wave — branch, plan, parallel architect+planner
Engine | Command the engineering team to deliver a known goal — dispatches the engineer-manager to decompose → dispatch specialists (parallel where safe) → integrate → reconcile (verification-agent) → merge gate. Scales its own reach: runs inline for a bounded goal, escalates to a parallel Workflow for a broad one, and paces under /loop for a multi-turn campaign — only when it needs to. Use when a goal needs a coordinated TEAM, not one specialist. Sibling of /arib-engine: the engine DISCOVERS its own backlog; /arib-build EXECUTES a goal you hand it.
Stack | NestJS architecture & patterns reference — modules/providers/DI, DTO+validation, guards/interceptors/pipes/filters, config, async lifecycle, testing, and the security + performance pitfalls that bite at scale. Use when building or reviewing a NestJS backend. Composes with security-auditor (OWASP), database-guardian (TypeORM/Prisma migrations), and performance (N+1). Authored natively (the ECC graft was unsourceable; this is CCM's own, MIT).