一键导入
security-audit
Comprehensive security and PII audit for public repo. Must be run before every commit.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Comprehensive security and PII audit for public repo. Must be run before every commit.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | security-audit |
| description | Comprehensive security and PII audit for public repo. Must be run before every commit. |
| allowed-tools | Bash, Read, Grep, Glob |
Run a comprehensive security and PII scan across all tracked and staged files in this repository. This is a public repo — nothing sensitive should ever be committed.
Search all tracked files for:
/Users/, /home/)@ pattern in non-URL context)XXX-XX-XXXX and 9-digit variants)Search all tracked files for:
AWS_SECRET, AWS_ACCESS_KEY, aws_secret_access_key)GOOGLE_APPLICATION_CREDENTIALS, service account keys)AZURE_, client secrets)GH_TOKEN, GITHUB_TOKEN, ghp_, gho_)BEGIN.*PRIVATE KEY, BEGIN.*RSA, ssh-rsa, ssh-ed25519 key content)password\s*=, secret\s*=, token\s*=)Search all tracked files for:
127.0.0.1 and 0.0.0.0)Verify no sensitive file types are staged:
.env, .env.* files*.pem, *.key, *.p12, *.pfx filescredentials.json, service-account*.json*.tfstate, *.tfvars (Terraform state/variables with secrets)id_rsa, id_ed25519, id_dsa (SSH private keys)*.kube/config or kubeconfig filesFor each finding, report:
[LEVEL] file:line — description
Levels:
[BLOCK] — commit must not proceed (secrets, credentials, private keys)[WARN] — review required (PII, IPs, hostnames — may be intentional)[OK] — expected finding (127.0.0.1, public URLs, etc.)End with one of:
[WARN] findings, list them for review[BLOCK] findings detected, commit must not proceed until resolvedRun these scans using grep across all git-tracked files (git ls-files). Also check git diff --cached --name-only for any staged files not yet tracked.
$ARGUMENTS