一键导入
security-audit
Comprehensive security and PII audit for infrastructure repos. Scan for secrets, credentials, and sensitive data before committing.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Comprehensive security and PII audit for infrastructure repos. Scan for secrets, credentials, and sensitive data before committing.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Research a work item, draft an implementation plan, and begin work after approval.
Guided one-shot install — discover installed plugins (or help install new ones), pick install scope, calibrate risk tolerance into a concrete allowlist + hooks, scaffold or merge CLAUDE.md, and sanity-check the result.
Finalize work — commit via /commit, push, and create PRs on feature branches.
Reviewer-side PR workflow — checks out the branch in a worktree, runs focus-area reviews plus a senior-engineering pass, optionally cross-checks against an autonomous reviewer, and posts inline findings only on explicit approval. Read-only — never edits, commits, or pushes.
Fetch PR review comments, classify by severity and confidence, and fix the selected subset.
Triage CVE and SBOM scanner output (Trivy, Grype, Snyk, Docker Scout, Dependabot) into a ranked, deduplicated action list.
| name | security-audit |
| description | Comprehensive security and PII audit for infrastructure repos. Scan for secrets, credentials, and sensitive data before committing. |
| user-invocable | true |
| allowed-tools | ["Bash","Read","Grep","Glob"] |
Scan tracked and staged files for secrets, credentials, PII, and sensitive data. This skill is designed to catch leaks before they are committed.
Run automatically as part of pre-commit workflows, or manually via /security-audit.
Search for personally identifiable information in all tracked and staged files:
[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\d{3}-\d{2}-\d{4} patternsExclude: test fixtures with obviously fake data (e.g., test@example.com, Jane Doe).
Search for credentials and API keys:
AKIA[0-9A-Z]{16}, aws_secret_access_key, AWS_SESSION_TOKENGOOGLE_APPLICATION_CREDENTIALSAccountKey=, client_secret, Azure connection stringsghp_, gho_, ghs_, ghr_, github_pat_ prefixed tokensapi[_-]?key, api[_-]?secret, bearer [a-zA-Z0-9._-]+-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----password\s*[:=], passwd\s*[:=], hardcoded credential assignments://user:pass@)eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+Search for infrastructure details that should not be in code:
127.0.0.1, 0.0.0.0, ::1, and RFC 5737 documentation ranges)Note: Internal IPs and domain names documented in the project's CLAUDE.md are expected findings. Flag these as [OK], not [WARN].
Check that none of the following file types are staged for commit:
| Pattern | Description |
|---|---|
.env | Environment variables |
.env.* | Environment variant files |
*.pem | Certificates |
*.key | Private keys |
*.p12 | PKCS#12 keystores |
*.pfx | PKCS#12 keystores |
*.tfstate | Terraform state |
*.tfstate.* | Terraform state backups |
*.tfvars | Terraform variables (may contain secrets) |
id_rsa* | SSH private keys |
id_ed25519* | SSH private keys |
kubeconfig | Kubernetes credentials |
credentials | Generic credential files |
*.jks | Java keystores |
After the scans complete, dispatch to the appsec-engineer subagent with the raw findings. Ask it to rank them by exploitability and blast radius — which secret or exposure is actually reachable and what an attacker reaches from it — and to flag any false positives among the [WARN]s. Integrate its prioritization into the report below; it does not change the verdict rules (a [BLOCK] is still a [BLOCK]).
Agent({
subagent_type: "appsec-engineer",
description: "Triage audit findings",
prompt: "Here are findings from a secrets/PII/infrastructure scan: <list with path:line and category>. Rank by exploitability and blast radius — for each credential or exposure, what can an attacker actually reach and do with it? Call out any [WARN] findings that are likely false positives (test fixtures, placeholders). Return findings in severity order with a one-line attack-path note for each real one."
})
For each finding, report one of:
## Security Audit Report
### PII Scan
- [WARN] src/config/notifications.ts:42 — Email address found: review if real or example
- [OK] tests/fixtures/users.json:5 — Test fixture with example data
### Secrets Scan
- [BLOCK] scripts/deploy.sh:18 — Hardcoded API key assignment
- [OK] docs/setup.md:33 — Example placeholder key
### Infrastructure Scan
- [OK] ansible/inventory/hosts.yml:4 — Internal IP (documented in CLAUDE.md)
- [WARN] scripts/backup.sh:12 — Hardcoded hostname
### Sensitive Files
- [BLOCK] .env.production — Staged for commit, must be removed
### Verdict: FAIL
- 2 BLOCK findings must be resolved
- 1 WARN finding requires review
git diff --cached --name-only for staged files and git ls-files for tracked files..example files.