security-audit

Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.

8 stars

Best use case

security-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.

Teams using security-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/drvoss/everything-copilot-cli/main/skills/workflow/security-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-audit Compares

Feature / Agentsecurity-auditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Audit Skill

A structured security review workflow inspired by gstack's `/cso` role. Treat every
audit as if you are the Chief Security Officer: adversarial, systematic, and unapologetic
about raising issues.

This skill is distinct from the `security-scan` development skill — it covers full
threat modeling, not just code-level checks.

## When to Use

- Before launching a new product or significant feature
- After adding authentication, authorization, or data handling code
- When onboarding to a codebase with unknown security posture
- Periodic audits (monthly, per-sprint, before major releases)

## Audit Framework

### OWASP Top 10 Checklist

Copilot will systematically check each OWASP category:

```text
> Perform an OWASP Top 10 audit on this codebase. For each category:
> 1. Check if the application is potentially vulnerable
> 2. Find specific code locations if vulnerable
> 3. Recommend a fix
> 4. Rate severity: Critical / High / Medium / Low
```

OWASP categories to cover:

- **A01 Broken Access Control** — authorization bypasses, privilege escalation
- **A02 Cryptographic Failures** — weak encryption, hardcoded secrets, cleartext data
- **A03 Injection** — SQL, NoSQL, OS command, LDAP injection
- **A04 Insecure Design** — threat modeling gaps, missing security controls
- **A05 Security Misconfiguration** — default credentials, verbose errors, open cloud storage
- **A06 Vulnerable Components** — outdated dependencies with known CVEs
- **A07 Auth Failures** — session management, credential stuffing, weak passwords
- **A08 Software Integrity** — unsigned updates, insecure CI/CD, deserialization
- **A09 Logging Failures** — missing security logs, log injection
- **A10 SSRF** — server-side request forgery, internal service exposure

### STRIDE Threat Modeling

For each major component (API endpoint, service, data store):

```text
> Apply STRIDE threat modeling to the [component]. For each threat type,
> describe the attack vector, assess likelihood (1-5), assess impact (1-5),
> and recommend a mitigation.
```

| Threat | Question |
|--------|----------|
| **S**poofing | Can an attacker impersonate a user or service? |
| **T**ampering | Can data be modified in transit or at rest? |
| **R**epudiation | Can an actor deny performing an action? |
| **I**nformation Disclosure | Can sensitive data be exposed unintentionally? |
| **D**enial of Service | Can the system be made unavailable? |
| **E**levation of Privilege | Can a low-privilege user gain higher access? |

### Secrets Scan

```text
> Scan the codebase for hardcoded secrets, API keys, passwords, and tokens.
> Include config files, environment examples, and test fixtures.
```

Check these patterns:

- Hardcoded API keys, tokens, passwords
- `.env.example` files with real values
- Comments containing credentials
- Git history (check `.git` log for accidentally committed secrets)
- Infrastructure-as-code files (Terraform, CloudFormation)

### Dependency Audit

```text
> Audit our dependencies for known CVEs. Run npm audit / pip audit / 
> bundler-audit and summarize critical and high severity issues.
```

### Auth & Session Review

```text
> Review the authentication and session management implementation:
> - Token expiration and refresh logic
> - Password hashing (bcrypt/argon2, not MD5/SHA1)
> - Session fixation and hijacking prevention
> - OAuth/OIDC implementation correctness
> - MFA implementation
```

## Full Audit Workflow

```text
# 1. Get the lay of the land
> Map the attack surface: list all public API endpoints, auth endpoints,
> file upload handlers, and external service integrations.

# 2. OWASP sweep
> Perform an OWASP Top 10 audit. Start with A01-A03 (highest frequency).

# 3. Threat model critical paths
> Apply STRIDE to our authentication flow and payment processing.

# 4. Secrets scan
> Scan for hardcoded secrets and credentials.

# 5. Dependency check
npm audit --audit-level=high

# 6. Generate report
> Generate a security audit report with:
> - Executive summary (3 sentences)
> - Critical findings (must fix before launch)
> - High findings (fix within 2 weeks)
> - Medium/Low findings (backlog)
> - Recommended next steps
```

## Output Format

Request a structured report:

```text
> Format the audit findings as a Markdown table:
> | Finding | Category | Severity | Location | Recommended Fix |
```

## Tips

- **Be adversarial**: Ask Copilot to think like an attacker, not a developer
- **Audit the happy path last**: Most vulnerabilities are in error handling and edge cases
- **Check the infrastructure too**: Security isn't just code — review CORS config, headers, TLS
- **Rotate secrets after audits**: If you found any, assume they're compromised
- **Schedule regular audits**: Security debt accumulates; quarterly > never

## Skill Differentiation

| Skill | Scope | When |
|-------|-------|------|
| **security-audit** (this skill) | Full threat model: OWASP + STRIDE + auth + deps. Strategic/CSO view. | Pre-launch, quarterly, new auth feature |
| [`security-scan`](../../security/security-scan/SKILL.md) | Code-level grep patterns + `npm audit`. Quick tactical scan. | Before every PR, CI integration |
| [`evaluate-repository`](../../security/evaluate-repository/SKILL.md) | Repository-wide 6-dimension scorecard (secrets, deps, auth, error handling, supply chain). | Onboarding to unknown codebase |

Run `security-scan` every PR. Run `security-audit` every sprint or release. Run `evaluate-repository` once on unfamiliar codebases.

## See Also

- [`security-scan`](../../security/security-scan/SKILL.md) — Quick code-level vulnerability scan (OWASP grep + STRIDE per feature)
- [`evaluate-repository`](../../security/evaluate-repository/SKILL.md) — Full repo security scorecard
- [`pr-multi-perspective-review`](../../development/pr-multi-perspective-review/SKILL.md) — Security Lens in PR reviews
- [`secret-detection`](../../security/secret-detection/SKILL.md) — Dedicated secret and credential scanning

Related Skills

cost-audit

8
from drvoss/everything-copilot-cli

Use when AI inference costs are growing unexpectedly, when comparing model choices by cost/quality ratio, or when optimizing token usage across a multi-model pipeline — produces an actionable cost reduction plan

security-scan

8
from drvoss/everything-copilot-cli

Use when you want a quick security pass on code changes or dependencies — checks OWASP Top 10 patterns, runs dependency audits, and surfaces critical vulnerabilities with targeted fixes.

security-bounty-hunter

8
from drvoss/everything-copilot-cli

Use when the goal is practical vulnerability discovery for responsible disclosure or bounty submission — focuses on remotely reachable, exploitable issues that qualify for real reports rather than a broad best-practices review

pr-security-review

8
from drvoss/everything-copilot-cli

Use when reviewing a pull request for security issues — automatically analyzes the diff for vulnerabilities, hardcoded secrets, injection risks, and broken access control before merging

gha-security-review

8
from drvoss/everything-copilot-cli

Use when reviewing GitHub Actions workflows for exploitable vulnerabilities — finds pwn-request patterns, expression injection, credential escalation, config poisoning, and supply chain risks, and reports only HIGH and MEDIUM confidence findings with concrete attack paths.

verification-before-completion

8
from drvoss/everything-copilot-cli

Use before claiming any task is done — run the exact command that proves the fix works, read the output, and only then report success.

using-git-worktrees

8
from drvoss/everything-copilot-cli

Use when you need multiple branches checked out at once — create isolated working directories for parallel development without cloning the repository repeatedly

triage

8
from drvoss/everything-copilot-cli

Use when a single issue needs structured triage — classify it, reproduce if needed, request missing information, and leave a durable brief or close-out note in the tracker.

to-issues

8
from drvoss/everything-copilot-cli

Use when a plan, spec, or PRD must become an actionable backlog — break it into thin dependency-aware issues that each deliver a verifiable vertical slice

sprint-workflow

8
from drvoss/everything-copilot-cli

Use when starting a new feature, refactor, or multi-step dev task — runs the full sprint cycle (Think → Plan → Build → Review → Test → Ship → Monitor) using Copilot CLI's plan/autopilot modes.

sprint-retro

8
from drvoss/everything-copilot-cli

Use at the end of a sprint to run a data-driven retrospective — analyzes session history and git metrics to surface what shipped, what slowed you down, and concrete improvements.

release

8
from drvoss/everything-copilot-cli

Use when a sprint or feature is complete and ready to ship — tags the version, generates GitHub Release notes, runs rollout or smoke verification, and publishes to npm/PyPI/Docker registries.