一键导入
audit-workflow
Full code audit workflow - from adding a repo to reviewing vulnerabilities and filing issues
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Full code audit workflow - from adding a repo to reviewing vulnerabilities and filing issues
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Inspect and analyze codebases using pygount for LOC counting, language breakdown, and code-vs-comment ratios. Use when asked to check lines of code, repo size, language composition, or codebase stats.
Set up GitHub authentication for the agent using git (universally available) or the gh CLI. Covers HTTPS tokens, SSH keys, credential helpers, and gh auth — with a detection flow to pick the right method automatically.
Production-grade PR review with execution-verified suggestions. Reads repository conventions, history, and security surfaces before reviewing. For every suggested fix, attempts to compile and test it in the sandbox — the comment includes proof. Modelled on GitHub Copilot's agentic architecture with one critical advantage: the sandbox is already running.
Create, manage, triage, and close GitHub issues. Search existing issues, add labels, assign people, and link to PRs. Works with gh CLI or falls back to git + GitHub REST API via curl.
Open and manage GitHub pull requests through Kai MCP tools — propose changes, monitor CI, iterate on failures, and merge. No git tokens are shared to the sandbox; every GitHub operation goes through the backend via the workspace's GitHub App installation.
Clone, create, fork, configure, and manage GitHub repositories. Manage remotes, secrets, releases, and workflows. Works with gh CLI or falls back to git + GitHub REST API via curl.
| name | audit-workflow |
| description | Full code audit workflow - from adding a repo to reviewing vulnerabilities and filing issues |
| version | 2.0.0 |
| author | kai-agent |
| metadata | {"kai":{"tags":["kai","security","audit","vulnerabilities"]}} |
End-to-end workflow for running a Kai code audit on a repository.
list_my_workspaces → pick the target workspace
list_repositories → check if the repo is already added
If the repo is not added:
add_github_repository(workspaceId, owner, repo, branch)
If no repos are connected at all, check what the user has on GitHub:
list_github_user_repos → show available repos and help connect one
list_audit_tiers → review available audit depths
Never expose tier IDs to the user. Offer simple choices: quick, standard, or deep. Map to the correct tier internally.
start_code_audit(workspaceId, repoId, tierId)
→ returns executionId
Always confirm with the user before starting.
Poll periodically (every 30-60 seconds for active monitoring):
get_code_audit_details(executionId) → check status
get_audit_progress_logs(executionId) → see agent iterations
Report significant milestones to the team:
list_vulnerabilities(executionId) → get all findings
get_vulnerability_details(executionId, exploitId) → deep dive on each
For each vulnerability, note:
The integrations MCP category owns all GitHub/Jira write tools — call activate_category('integrations') once before any of the steps below.
For every verified vulnerability: file an issue via the scan-derived wrapper, which auto-renders the issue body from exploit data:
create_github_security_issue(workspaceId, executionId, exploitId)
or
create_jira_security_ticket(workspaceId, executionId, exploitId)
For vulnerabilities with a clear, small, high-confidence fix: also ship the fix as a PR.
The issue and the PR are not either/or — the issue is the public finding record, the PR is the remediation. Both link back to the same lifecycle action so the dashboard shows finding → action → issue + PR → merged.
# 1. Propose remediation as a lifecycle action the user approves
lifecycle_actions_create(
workspaceId, type="remediate",
title="Fix CVE-2022-23529 in payment-service",
description="Upgrade jsonwebtoken 8.5.1 → 9.0.0 (see issue #142). One-line dep bump + re-run existing tests.",
priority="critical",
repoId=<repoId>,
linkedItems=[
{"platform": "github", "externalId": "acme/payment-service#142", "url": "...", "title": "CVE-2022-23529"},
],
)
# → wait for status=approved; do NOT re-ask for confirmation
# 2. Compose the fix by reading the current files
read_repository_files(workspaceId, repoId, paths=["package.json", "src/auth/webhook.ts", ...])
# 3. Open the PR — backend creates the branch, commits, opens the PR
create_pull_request(
workspaceId, repoId,
base="main",
branchName="fix/cve-2022-23529",
title="fix: upgrade jsonwebtoken to 9.0.0 (closes CVE-2022-23529)",
body="Closes #142. Verified exploit no longer triggers against the upgraded dep.",
changes=[
{"path": "package.json", "operation": "update", "content": <full new content>},
...
],
labels=["security"],
linkedItems=[
{"platform": "github", "externalId": "acme/payment-service#142", "url": "...", "title": "CVE-2022-23529"},
{"platform": "kai", "externalId": actionId, "url": f"kai://actions/{actionId}"},
],
)
# 4. Monitor CI, iterate if needed
list_pull_request_checks(workspaceId, repoId, number=<pr_number>)
# If a check fails: fetch logs, compose the fix, push via update_pull_request_branch. Max 3 auto-fix attempts.
When NOT to ship a PR (file the issue only and stop):
.github/workflows/* — the GitHub App doesn't hold Workflows: Write (by design). File an issue describing the exact workflow edit needed and link it to the main remediation.Full PR workflow (monitoring, iteration, merge) is in skills/github/github-pr-workflow.
Summarize findings with: