一键导入
security
Run security audits, vulnerability scans, and license checks for the VAK project.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run security audits, vulnerability scans, and license checks for the VAK project.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Instructions for building the VAK project including Rust, WASM skills, and Python bindings.
WASM skill providing basic arithmetic operations for VAK agents.
WASM skill providing cryptographic hashing operations for VAK agents.
WASM skill providing JSON validation and manipulation for VAK agents.
WASM skill providing pattern matching operations for VAK agents.
Instructions for releasing and publishing the VAK project to crates.io and PyPI.
| name | security |
| description | Run security audits, vulnerability scans, and license checks for the VAK project. |
This skill provides instructions for performing security audits on the VAK codebase.
| ID | Feature | Status | Implementation |
|---|---|---|---|
| SEC-001 | Supply Chain Hardening | ✅ Complete | .github/workflows/security.yml |
| SEC-002 | License Compliance | ✅ Complete | deny.toml, CI workflow |
| SEC-003 | Unsafe Rust Audit | ✅ Complete | #![deny(unsafe_code)] + docs |
| SEC-004 | Prompt Injection Protection | ✅ Complete | src/reasoner/prompt_injection.rs |
| SEC-005 | Rate Limiting | ✅ Complete | src/kernel/rate_limiter.rs |
cargo-audit (cargo install cargo-audit --locked)cargo-deny (cargo install cargo-deny --locked)cargo-geiger (cargo install cargo-geiger --locked)cargo-sbom (cargo install cargo-sbom)clippy (rustup component add clippy)Security checks run automatically via .github/workflows/security.yml:
To scan dependencies for known vulnerabilities:
cargo audit
With strict mode (deny warnings):
cargo audit --deny warnings
Generate JSON report:
cargo audit --json > security-audit-report.json
To check license compliance and banned crates:
cargo deny check
The project uses deny.toml with the following allowed licenses:
The project uses #![deny(unsafe_code)] by default. To audit for unsafe usage in dependencies:
cargo geiger --all-features --all-targets
Current Status:
// SAFETY: commentsTo run security-focused Clippy lints:
cargo clippy --all-targets --all-features -- \
-D clippy::unwrap_used \
-D clippy::expect_used \
-D clippy::panic \
-W clippy::cognitive_complexity \
-W clippy::too_many_arguments
To generate a Software Bill of Materials:
cargo sbom > sbom.json
The project includes built-in prompt injection detection:
use vak::reasoner::PromptInjectionDetector;
let detector = PromptInjectionDetector::new(DetectorConfig::default());
let result = detector.analyze(input_text);
match result.action {
RecommendedAction::Allow => { /* proceed */ }
RecommendedAction::Block => { /* reject input */ }
_ => { /* log and review */ }
}
Detection categories:
Per-resource rate limiting is implemented in src/kernel/rate_limiter.rs:
cargo audit --deny RUSTSEC-2023-0001
cargo deny check licenses
cargo deny check bans
#!/bin/bash
set -e
echo "Running vulnerability scan..."
cargo audit --deny warnings
echo "Running license check..."
cargo deny check
echo "Running unsafe audit..."
cargo geiger --all-features || true
echo "Running security lints..."
cargo clippy --all-targets --all-features -- -D warnings
echo "All security checks passed!"
unsafe blocks must have a // SAFETY: comment explaining why it is safe.unwrap(), expect(), or panic!(). Use Result instead..github/workflows/security.yml - CI security workflowdeny.toml - cargo-deny configurationsrc/reasoner/prompt_injection.rs - Prompt injection detectorsrc/kernel/rate_limiter.rs - Rate limiting implementationsrc/policy/enforcer.rs - Policy enforcement with fail-closed