security-analysis
Security audit patterns including OWASP Top 10, secret scanning, and language-specific vulnerabilities.
Best use case
security-analysis is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Security audit patterns including OWASP Top 10, secret scanning, and language-specific vulnerabilities.
Teams using security-analysis should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-analysis/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How security-analysis Compares
| Feature / Agent | security-analysis | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security audit patterns including OWASP Top 10, secret scanning, and language-specific vulnerabilities.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Analysis
Security audit patterns for identifying and remediating vulnerabilities.
## Core Specialization
- **Vulnerability Management**: Dependabot, CodeQL, Trivy, Semgrep
- **Secret Management**: External Secrets Operator, OpenBao (Vault)
- **Auth**: OAuth2, JWT, OIDC, BetterAuth
- **Crypto**: Proper key management, secure algorithms
- **Compliance**: OWASP Top 10, CIS Benchmarks
- **Supply Chain**: SBOM, signed images, provenance
## Execution Rules
1. **Defense in depth.** Multiple layers of security
2. **Principle of least privilege.** Minimal permissions always
3. **No secrets in code.** Ever. Use secret managers
4. **Input validation.** Trust nothing from outside
5. **Secure defaults.** Opt-in to less secure, not opt-out
## Security Checklist
For every security review, verify:
- [ ] No hardcoded secrets or API keys
- [ ] Input validation on all user data
- [ ] Output encoding to prevent XSS
- [ ] Parameterized queries (no SQL injection)
- [ ] HTTPS enforced everywhere
- [ ] CORS properly configured
- [ ] Rate limiting on sensitive endpoints
- [ ] Audit logging for security events
- [ ] Dependencies scanned and updated
- [ ] Auth/authz checks on all endpoints
## Language-Specific Security
### Rust
```bash
cargo audit
cargo deny check advisories
```
**Memory Safety Checks:**
- Verify no `unsafe` blocks without proper documentation
- Check for proper lifetime annotations
- Ensure no use-after-free patterns
- Verify bounds checking on array/slice access
**Common Rust Vulnerabilities:**
- Panic in production (use `Result` instead of `unwrap()`)
- Integer overflow (use `checked_*` methods)
- Race conditions (verify `Send`/`Sync` bounds)
- Improper error disclosure (don't expose internal errors)
**Input Validation Pattern:**
```rust
use validator::Validate;
#[derive(Validate)]
struct UserInput {
#[validate(email)]
email: String,
#[validate(length(min = 8, max = 100))]
password: String,
}
```
### TypeScript
```bash
pnpm audit
npm audit --audit-level=high
```
**XSS Prevention:**
- Verify proper output encoding
- Check for dangerouslySetInnerHTML usage
- Ensure Content-Security-Policy headers
**Effect Schema Validation (Required):**
```typescript
import { Schema } from "effect"
// Use Schema.decodeUnknown for ALL external input
const validateUser = Schema.decodeUnknown(UserSchema)
// Define allowed values with Schema.Literal
const RoleSchema = Schema.Literal("user", "admin")
```
**Security Headers (Next.js):**
```typescript
const securityHeaders = [
{ key: 'Strict-Transport-Security', value: 'max-age=63072000' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'DENY' },
];
```
### Go
```bash
govulncheck ./...
go list -m all | nancy sleuth
```
**Common Go Vulnerabilities:**
- Goroutine leaks (verify context cancellation)
- Race conditions (run `go test -race`)
- SQL injection (use parameterized queries)
- Path traversal (validate file paths)
**Input Validation:**
```go
func validateEmail(email string) error {
if !emailRegex.MatchString(email) {
return errors.New("invalid email format")
}
return nil
}
```
**Secure Defaults:**
- Set timeouts on HTTP clients/servers
- Validate TLS certificates
- Use secure random number generation
## General Security Scans
```bash
# Scan for secrets
trufflehog git file://. --since-commit HEAD~10
# Run Semgrep
semgrep scan --config auto
```
## OWASP Top 10 Mitigations
| Vulnerability | Mitigation |
|---------------|------------|
| Injection | Parameterized queries, input validation |
| Broken Auth | Strong passwords, MFA, session management |
| Sensitive Data | Encryption at rest and transit |
| XXE | Disable external entities |
| Broken Access | Role-based access control |
| Security Misconfig | Secure defaults, minimal exposure |
| XSS | Output encoding, CSP |
| Insecure Deserial | Input validation, type checking |
| Known Vulns | Dependency scanning, updates |
| Logging | Audit logs, monitoring |
## Guidelines
- Follow OWASP Top 10 mitigations
- Use parameterized queries (no raw SQL)
- Validate and sanitize all inputs
- Use secure defaults
- Minimize attack surface
- Log security events (without sensitive data)Related Skills
security-scanning-security-hardening
Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls.
security-scanning-security-dependencies
You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across ecosystems to identify vulnerabilities, ass...
security-scan
Comprehensive security scanning for CVE vulnerabilities, OWASP Top 10 code patterns, and dependency audits. Use when the user wants to check code security, find vulnerabilities, or audit dependencies.
security-reviewer
Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
security-review
Run a targeted security audit on specified files or modules. Uses OWASP-informed checks, dependency vulnerability scanning, and auth/input validation review. Use for security audits, vulnerability checks, or before deploying sensitive code. Keywords: security, audit, vulnerability, OWASP, CVE, secrets, injection, XSS, auth, authentication, authorization
security-review-pr
PR/branch security review focused on HIGH-CONFIDENCE vulnerabilities with minimal false positives. Uses git diff analysis and sub-task parallelization.
security-review-audit
Full codebase security audit with OWASP Top 10 guidance, language-specific patterns, checklists, and fix examples. Use for comprehensive audits split by module/area.
security-requirement-extraction
Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.
security
Information security expertise for cybersecurity frameworks (NIST, ISO 27001), security architecture, incident response, vulnerability management, identity management, and cloud security. Use when designing security programs, responding to incidents, or assessing vulnerabilities.
security-hardening
World-class application security - OWASP Top 10, secure coding patterns, and the battle scars from security incidents that could have been preventedUse when "security, secure, vulnerability, injection, xss, csrf, authentication, authorization, owasp, encryption, secret, password, token, sanitize, validate, escape, encode, harden, security, owasp, injection, xss, csrf, authentication, authorization, encryption, secrets, hardening" mentioned.
Security Engineer
Implement security best practices across the application stack. Use when securing APIs, implementing authentication, preventing vulnerabilities, or conducting security reviews. Covers OWASP Top 10, auth patterns, input validation, encryption, and security monitoring.
security-core
Comprehensive application security expertise covering authentication, authorization, OWASP Top 10, and security best practices. Use when (1) Implementing authentication (JWT, OAuth2, sessions, OAuth for CLI/TUI/desktop apps), (2) Adding authorization (RBAC, ABAC, RLS with Supabase/PostgreSQL), (3) Security auditing code or infrastructure, (4) Setting up security infrastructure (headers, CORS, CSP, rate limiting), (5) Managing secrets and credentials, (6) Preventing OWASP Top 10 vulnerabilities (injection, XSS, CSRF, etc.), (7) Reviewing code for security issues, (8) Configuring secure web applications in TypeScript, Python, or Rust. Automatically triggered when working with authentication/authorization systems, security reviews, or addressing security vulnerabilities.