Codex

security-assessment

Execute STRIDE threat modeling, vulnerability scanning, and security control validation with risk scoring

104 stars

Best use case

security-assessment is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

It is a strong fit for teams already working in Codex.

Teams using security-assessment should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

curl -o ~/.claude/skills/security-assessment/SKILL.md --create-dirs "https://raw.githubusercontent.com/jmagly/aiwg/main/.agents/skills/security-assessment/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-assessment/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-assessment Compares

| Feature / Agent | security-assessment | Standard Approach |
|-----------------|---------------------|-------------------|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Execute STRIDE threat modeling, vulnerability scanning, and security control validation with risk scoring

Which AI agents support this skill?

This skill is designed for Codex.

Where can I find the source code?

The source lives in the jmagly/aiwg repository on GitHub, at the path the install command above fetches: `.agents/skills/security-assessment/SKILL.md`.

SKILL.md Source

# security-assessment

Execute threat modeling, vulnerability scanning, and security control validation.

## Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

- "STRIDE [component]" → threat model using STRIDE framework
- "OWASP check" → OWASP Top 10 validation
- "SAST" / "DAST" → static/dynamic application security testing
- "CVE scan" → known vulnerability enumeration
- "is the code safe" → colloquial security check
- "pentest prep" → pre-penetration-test readiness

## Purpose

This skill orchestrates comprehensive security assessment through:
- STRIDE threat modeling
- Vulnerability pattern detection
- Security control validation
- Compliance verification
- Risk scoring and prioritization

## Behavior

When triggered, this skill:

1. **Determines scope**:
   - Component-level, system-level, or full assessment
   - Identify assets and trust boundaries
   - Load existing threat model if available

2. **Executes threat modeling**:
   - Dispatch Security Architect for STRIDE analysis
   - Enumerate threats per component
   - Identify attack vectors

3. **Runs vulnerability patterns**:
   - Dispatch Security Auditor for pattern scanning
   - Check OWASP Top 10
   - Identify secrets exposure risks
   - Review dependency vulnerabilities

4. **Validates controls**:
   - Dispatch Security Gatekeeper
   - Map controls to threats
   - Verify implementation
   - Check coverage gaps

5. **Assesses privacy**:
   - Dispatch Privacy Officer (if PII involved)
   - Check data handling
   - Verify consent mechanisms

6. **Generates report**:
   - Risk-ranked findings
   - CVSS scores where applicable
   - Remediation guidance
   - Compliance status

## STRIDE Threat Categories

| Category | Property violated | Description | Example |
|----------|-------------------|-------------|---------|
| **S**poofing | Authenticity | Pretending to be another user, component or origin | Forged or stolen credentials |
| **T**ampering | Integrity | Modifying data or code without authorization | SQL injection altering records |
| **R**epudiation | Non-repudiation | Denying an action with no evidence to refute it | Missing or unsigned audit logs |
| **I**nformation Disclosure | Confidentiality | Exposing data to parties not entitled to it | Data leakage, verbose errors |
| **D**enial of Service | Availability | Degrading or blocking a service | Resource exhaustion |
| **E**levation of Privilege | Authorization | Gaining capabilities beyond those granted | Broken access control |
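The two steps the skill delegates to the Security Architect and the Security Gatekeeper (STRIDE enumeration per component, then mapping controls to threats and finding coverage gaps) can be shown end to end on a small data-flow model. The block below is an added example, not code from the aiwg project: the element-to-category chart is the Microsoft SDL "STRIDE-per-element" convention (external entities get S and R, processes all six, data stores T/R/I/D, data flows T/I/D); the elements, flows, control list and trust zones are constructed to mirror the sample report's three trust boundaries.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram, followed by a
control-to-threat coverage check that reports uncovered threats, boundary
crossings first. Added example, not the aiwg project's code; the model below
is constructed for illustration."""
from collections import Counter

# Microsoft SDL STRIDE-per-element chart: which letters apply to each DFD element.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}


def enumerate_threats(elements, flows):
    """elements: {name: (dfd_type, trust_zone)}, flows: [(src, dst, label)].
    Emits one candidate threat per applicable STRIDE letter. A flow whose
    endpoints sit in different trust zones is a trust-boundary crossing."""
    threats = []
    for name, (etype, _zone) in elements.items():
        for cat in STRIDE_PER_ELEMENT[etype]:
            threats.append({"target": name, "category": cat, "crosses_boundary": False})
    for src, dst, label in flows:
        crosses = elements[src][1] != elements[dst][1]
        for cat in STRIDE_PER_ELEMENT["dataflow"]:
            threats.append({"target": f"{src}->{dst} [{label}]", "category": cat,
                            "crosses_boundary": crosses})
    return threats


def stride_matrix(threats):
    """Per-target letter counts: the shape of the report's STRIDE Analysis table."""
    matrix = {}
    for t in threats:
        matrix.setdefault(t["target"], Counter())[t["category"]] += 1
    return matrix


def coverage_gaps(threats, controls):
    """controls: [{"name", "categories", "targets", "status"}]. A threat counts as
    covered only by an *implemented* control that lists its STRIDE letter and
    applies to its target ('*' means every target). Gaps on boundary-crossing
    flows sort first because that is where an assessor should look first."""
    gaps = []
    for t in threats:
        covered = any(
            c["status"] == "implemented"
            and t["category"] in c["categories"]
            and (c["targets"] == "*" or t["target"] in c["targets"])
            for c in controls)
        if not covered:
            gaps.append(t)
    return sorted(gaps, key=lambda t: (not t["crosses_boundary"], t["target"], t["category"]))


# Constructed model: the sample report's boundaries External -> API Gateway ->
# Internal Services -> Database, expressed as trust zones.
ELEMENTS = {
    "Client": ("external", "internet"),
    "API Gateway": ("process", "dmz"),
    "Auth Service": ("process", "internal"),
    "Users DB": ("datastore", "internal"),
}
FLOWS = [
    ("Client", "API Gateway", "HTTPS request"),
    ("API Gateway", "Auth Service", "login RPC"),
    ("Auth Service", "Users DB", "SQL"),
]
# Constructed control matrix, matching the report's mix of implemented and missing controls.
CONTROLS = [
    {"name": "TLS 1.2+", "categories": "TI", "targets": "*", "status": "implemented"},
    {"name": "MFA", "categories": "S", "targets": ["Auth Service"], "status": "implemented"},
    {"name": "Audit log", "categories": "R", "targets": "*", "status": "implemented"},
    {"name": "Rate limiting", "categories": "D", "targets": ["API Gateway"], "status": "missing"},
]

if __name__ == "__main__":
    found = enumerate_threats(ELEMENTS, FLOWS)
    for target, counts in stride_matrix(found).items():
        print(f"{target:45} {dict(counts)}")
    for gap in coverage_gaps(found, CONTROLS):
        print("GAP", gap)
```

On this model the matrix gives the API Gateway six candidate threats and the data store four, and the gap list opens with Denial of Service on the two boundary-crossing flows (the missing rate limiting), which is exactly the finding an assessor would escalate.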

## Assessment Flow

```
┌─────────────────────────────────────────────────────────┐
│ 1. SCOPE IDENTIFICATION                                 │
│    • Define assessment boundary                         │
│    • Identify assets (data, services, infrastructure)   │
│    • Map trust boundaries                               │
│    • Load existing threat model (if any)                │
└─────────────────────────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────┐
│ 2. THREAT MODELING (Security Architect)                 │
│    • Data flow analysis                                 │
│    • STRIDE enumeration per component                   │
│    • Attack vector identification                       │
│    • Trust boundary crossing analysis                   │
└─────────────────────────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────┐
│ 3. VULNERABILITY SCANNING (Security Auditor)            │
│    • OWASP Top 10 pattern check                         │
│    • Secrets exposure scan                              │
│    • Dependency vulnerability check                     │
│    • Configuration review                               │
│    • Code pattern analysis                              │
└─────────────────────────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────┐
│ 4. CONTROL VALIDATION (Security Gatekeeper)             │
│    • Map security requirements to controls              │
│    • Verify control implementation                      │
│    • Check control effectiveness                        │
│    • Identify coverage gaps                             │
└─────────────────────────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────┐
│ 5. PRIVACY ASSESSMENT (Privacy Officer) [if PII]        │
│    • Data inventory review                              │
│    • Consent mechanism validation                       │
│    • Data retention compliance                          │
│    • Cross-border transfer assessment                   │
└─────────────────────────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────┐
│ 6. RISK SCORING & REPORTING                             │
│    • Calculate CVSS scores                              │
│    • Prioritize by risk (likelihood × impact)           │
│    • Generate remediation guidance                      │
│    • Produce assessment report                          │
└─────────────────────────────────────────────────────────┘
```

## OWASP Top 10 Checks

| # | Category (OWASP Top 10:2021) | Patterns Checked |
|---|------------------------------|------------------|
| A01 | Broken Access Control | RBAC/ABAC enforcement, path traversal, CORS policy |
| A02 | Cryptographic Failures | Weak algorithms, key management, TLS configuration |
| A03 | Injection | SQL, NoSQL, LDAP, OS command, XSS |
| A04 | Insecure Design | Threat modeling gaps, missing controls |
| A05 | Security Misconfiguration | Insecure defaults, unnecessary features, verbose errors |
| A06 | Vulnerable and Outdated Components | Outdated dependencies, known CVEs |
| A07 | Identification and Authentication Failures | Password policies, MFA, session management, brute-force protection |
| A08 | Software and Data Integrity Failures | CI/CD pipeline security, unsigned updates, insecure deserialization |
| A09 | Security Logging and Monitoring Failures | Missing logs, sensitive data in logs, no alerting |
| A10 | Server-Side Request Forgery (SSRF) | Internal resource access, URL validation |
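The "vulnerability pattern detection" step is, at its simplest, a set of line-level rules tagged with the OWASP category they evidence, plus a secrets check that uses entropy to separate real credentials from placeholders. The block below is an added example, not the aiwg Security Auditor's rule set: the regexes, the 3.5 bits-per-character entropy threshold and the sample source are all constructed choices that illustrate the technique. Regex rules of this kind trade precision for speed; a real SAST pass would work on the AST and trace data flow from user input to the sink, so treat these hits as candidates for a human to confirm, not as findings in their own right.

```python
"""Line-oriented OWASP pattern scanner with an entropy-gated secrets check.
Added example, not the aiwg project's scanner; rules and sample input are
constructed for illustration and are deliberately small."""
import math
import re

# (rule id, OWASP category, regex over one source line, description)
RULES = [
    ("sqli-format", "A03 Injection",
     re.compile(r'(execute|query)\s*\(\s*(f["\']|["\'][^"\']*["\']\s*[+%])'),
     "SQL text built with an f-string, concatenation or % formatting"),
    ("cors-wildcard", "A01 Broken Access Control",
     re.compile(r'Access-Control-Allow-Origin["\']?\]?\s*[:=]\s*["\']?\*'),
     "CORS policy allows any origin"),
    ("debug-on", "A05 Security Misconfiguration",
     re.compile(r'\bDEBUG\s*=\s*True\b'),
     "Debug mode enabled; stack traces reach clients"),
    ("weak-hash", "A02 Cryptographic Failures",
     re.compile(r'\b(md5|sha1)\s*\('),
     "Weak hash function"),
]
# Credential-looking assignment with a quoted literal of at least 8 characters.
SECRET_ASSIGN = re.compile(
    r'(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*["\']([^"\']{8,})["\']')
ENTROPY_THRESHOLD = 3.5  # bits/char; generated keys score ~4-5, English words ~2-3


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_line(lineno, line):
    findings = []
    for rule_id, category, pattern, desc in RULES:
        if pattern.search(line):
            findings.append({"line": lineno, "rule": rule_id,
                             "category": category, "desc": desc})
    m = SECRET_ASSIGN.search(line)
    # Entropy gate drops placeholders like "changeme"; "${VAR}" is a template, not a secret.
    if m and not m.group(2).startswith("${") and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        findings.append({"line": lineno, "rule": "hardcoded-secret",
                         "category": "A02 Cryptographic Failures",
                         "desc": "Credential literal committed in source"})
    return findings


def scan_source(text):
    """Scan a whole file's text; line numbers are 1-based as in an editor."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample module: one hit per rule, plus two lines that must NOT fire
# (a templated placeholder and a correctly parameterized query).
SAMPLE_SOURCE = """\
import hashlib
DEBUG = True
API_KEY = "Zx9Qm4Lp2Tv7Wb8Nc3Hd5Rk6Jf1Ys0Ge"
DB_PASSWORD = "${DB_PASSWORD}"
def lookup(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
def lookup_safe(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
digest = hashlib.md5(data).hexdigest()
resp.headers["Access-Control-Allow-Origin"] = "*"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['category']:<35} {f['rule']}: {f['desc']}")
```

Run against the sample it reports five findings (lines 2, 3, 6, 9 and 10) and stays silent on the `${DB_PASSWORD}` placeholder and on the parameterized query, which is the behaviour to verify whenever a rule is added or loosened.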

## Severity Scoring

### CVSS Severity Ratings and Remediation SLAs

The score ranges below are the CVSS v3.1 qualitative severity rating scale (None, Low, Medium, High, Critical); the SLAs are this skill's own remediation policy, not part of CVSS.

```yaml
severity_levels:
  critical:
    cvss_range: [9.0, 10.0]
    description: Immediate remediation required
    sla: 24 hours

  high:
    cvss_range: [7.0, 8.9]
    description: Remediation within sprint
    sla: 7 days

  medium:
    cvss_range: [4.0, 6.9]
    description: Plan remediation
    sla: 30 days

  low:
    cvss_range: [0.1, 3.9]
    description: Address as time permits
    sla: 90 days

  informational:
    cvss_range: [0.0, 0.0]
    description: Awareness only
    sla: none
```

## Assessment Report Format

```markdown
# Security Assessment Report

**Date**: 2025-12-08
**Scope**: Full System Assessment
**Assessors**: security-architect, security-auditor, security-gatekeeper

## Executive Summary

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 2 |
| Medium | 5 |
| Low | 8 |
| Informational | 3 |

**Overall Risk Level**: MEDIUM
**Recommendation**: Address high-severity findings before production deployment

## Threat Model Summary

### Trust Boundaries
1. External → API Gateway
2. API Gateway → Internal Services
3. Services → Database

### STRIDE Analysis

| Component | S | T | R | I | D | E | Total |
|-----------|---|---|---|---|---|---|-------|
| API Gateway | 2 | 1 | 0 | 1 | 1 | 1 | 6 |
| Auth Service | 3 | 1 | 1 | 2 | 0 | 2 | 9 |
| Data Service | 1 | 2 | 1 | 3 | 1 | 1 | 9 |

## Findings

### HIGH-001: Insufficient Input Validation
- **Severity**: High (CVSS 7.5)
- **Component**: API Gateway
- **Category**: A03 Injection
- **Description**: User input not sanitized before database query
- **Impact**: SQL injection possible, data exfiltration risk
- **Remediation**: Implement parameterized queries, add input validation
- **Status**: Open

### HIGH-002: Missing Rate Limiting
- **Severity**: High (CVSS 7.2)
- **Component**: API Gateway
- **Category**: A07 Identification and Authentication Failures
- **Description**: No rate limiting or lockout on authentication endpoints, so unlimited login attempts are possible
- **Impact**: Brute force and credential stuffing against user accounts
- **Remediation**: Implement rate limiting per account and per source IP, add account lockout or progressive delays
- **Status**: Open

### MEDIUM-001: Verbose Error Messages
...

## Control Assessment

| Control | Requirement | Status | Gap |
|---------|-------------|--------|-----|
| Authentication | MFA for privileged users | ✅ Implemented | None |
| Authorization | RBAC with least privilege | ⚠️ Partial | Admin role too broad |
| Encryption | TLS 1.2+ for transit | ✅ Implemented | None |
| Encryption | AES-256 at rest | ⚠️ Partial | Logs not encrypted |
| Logging | Security event logging | ✅ Implemented | None |
| Monitoring | Real-time alerting | ❌ Missing | Not configured |

## Compliance Status

| Framework | Status | Gaps |
|-----------|--------|------|
| OWASP Top 10 | 6/10 compliant | A03, A05, A07, A09 |
| SOC 2 | Partial | Monitoring, encryption |
| GDPR | Compliant | None identified |

## Remediation Roadmap

### Immediate (24-48 hours)
- [ ] Fix SQL injection vulnerability (HIGH-001)
- [ ] Implement rate limiting (HIGH-002)

### Short-term (1-2 weeks)
- [ ] Reduce admin role permissions
- [ ] Encrypt log storage
- [ ] Configure monitoring alerts

### Medium-term (1 month)
- [ ] Address medium-severity findings
- [ ] Complete SOC 2 gap remediation

## Next Assessment

Recommended: 30 days or after major changes
```

## Usage Examples

### Full Assessment

```
User: "Run security review"

Skill orchestrates:
1. Load current architecture
2. Run STRIDE analysis
3. Scan for OWASP patterns
4. Validate controls
5. Generate report

Output:
"Security Assessment Complete

Findings: 0 Critical, 2 High, 5 Medium, 8 Low
Risk Level: MEDIUM

Blocking Issues:
- HIGH-001: SQL injection risk
- HIGH-002: Missing rate limiting

Report: .aiwg/security/assessment-20251208.md"
```

### Component Assessment

```
User: "Threat model the authentication service"

Skill focuses on:
- Auth service components only
- STRIDE for auth flows
- Auth-specific vulnerabilities
- Control validation for auth

Output: Targeted threat model and findings
```

### Control Validation Only

```
User: "Validate security controls"

Skill runs:
- Control mapping
- Implementation verification
- Gap analysis

Output: Control assessment summary
```

## Integration

This skill uses:
- `parallel-dispatch`: Launch security agents concurrently
- `project-awareness`: Get architecture and component info
- `artifact-metadata`: Track assessment artifacts

## Agent Orchestration

```yaml
agents:
  threat_modeling:
    agent: security-architect
    focus: STRIDE analysis, attack vectors, trust boundaries

  vulnerability_scanning:
    agent: security-auditor
    focus: OWASP patterns, secrets, dependencies, configuration

  control_validation:
    agent: security-gatekeeper
    focus: Control mapping, implementation, effectiveness

  privacy_assessment:
    agent: privacy-officer
    focus: PII handling, consent, retention, transfers
    condition: has_pii == true
```

## Output Locations

- Assessment report: `.aiwg/security/assessment-{date}.md`
- Threat model: `.aiwg/security/threat-model.md`
- Control matrix: `.aiwg/security/control-matrix.md`
- Findings tracker: `.aiwg/security/findings/`

## References

- STRIDE methodology: Microsoft Threat Modeling
- OWASP Top 10: https://owasp.org/Top10/
- CVSS Calculator: https://www.first.org/cvss/calculator/3.1
- Security templates: templates/security/

Related Skills

All from jmagly/aiwg (104 stars):

- security-gate: Enforce minimum security criteria before iteration close or release
- security-audit: Perform comprehensive security assessment
- flow-security-review-cycle: Orchestrate continuous security validation, threat modeling, vulnerability management, and security gate enforcement across SDLC phases
- aiwg-orchestrate: Route structured artifact work to AIWG workflows via MCP with zero parent context cost
- venv-manager: Create, manage, and validate Python virtual environments. Use for project isolation and dependency management.
- pytest-runner: Execute Python tests with pytest, supporting fixtures, markers, coverage, and parallel execution. Use for Python test automation.
- vitest-runner: Execute JavaScript/TypeScript tests with Vitest, supporting coverage, watch mode, and parallel execution. Use for JS/TS test automation.
- eslint-checker: Run ESLint for JavaScript/TypeScript code quality and style enforcement. Use for static analysis and auto-fixing.
- repo-analyzer: Analyze GitHub repositories for structure, documentation, dependencies, and contribution patterns. Use for codebase understanding and health assessment.
- pr-reviewer: Review GitHub pull requests for code quality, security, and best practices. Use for automated PR feedback and approval workflows.
- YouTube Acquisition: yt-dlp patterns for acquiring content from YouTube and video platforms
- Quality Filtering: Accept/reject logic and quality scoring heuristics for media content