qe-security-compliance
Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.
Best use case
qe-security-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.
Teams using qe-security-compliance should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/qe-security-compliance/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How qe-security-compliance Compares
| Feature / Agent | qe-security-compliance | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# QE Security Compliance
## Purpose
Guide the use of v3's security and compliance testing capabilities including SAST/DAST scanning, vulnerability detection, compliance auditing, and security gate enforcement.
## Activation
- When performing security audits
- When scanning for vulnerabilities
- When validating compliance
- When checking dependencies
- When setting up security gates
## Quick Start
```bash
# Full security scan
aqe security scan --scope src/ --checks all
# Vulnerability check
aqe security vulns --dependencies --severity critical,high
# Compliance audit
aqe security compliance --standard soc2 --output report.html
# OWASP check
aqe security owasp --top-10 --scope src/
```
## Agent Workflow
```typescript
// Security audit
Task("Security audit", `
Perform comprehensive security audit:
- SAST scan for code vulnerabilities
- Dependency vulnerability check
- Secret detection in code and configs
- OWASP Top 10 validation
Generate security report with remediation steps.
`, "qe-security-auditor")
// Compliance validation
Task("SOC2 compliance check", `
Validate SOC2 compliance requirements:
- Access control verification
- Encryption validation
- Audit logging check
- Data retention compliance
Generate compliance evidence report.
`, "qe-compliance-checker")
```
## Security Operations
### 1. SAST Scanning
```typescript
await securityScanner.staticAnalysis({
scope: 'src/**/*.ts',
checks: [
'sql-injection',
'xss',
'command-injection',
'path-traversal',
'insecure-crypto',
'hardcoded-secrets'
],
rules: 'owasp-top-10',
severity: ['critical', 'high', 'medium']
});
```
### 2. Dependency Scanning
```typescript
await securityScanner.dependencyCheck({
sources: ['package.json', 'package-lock.json'],
checks: {
knownVulnerabilities: true,
outdatedPackages: true,
licenseCompliance: true,
supplyChainRisk: true
},
severity: ['critical', 'high'],
autoFix: {
enabled: true,
dryRun: false
}
});
```
### 3. Compliance Audit
```typescript
await complianceChecker.audit({
standards: ['SOC2', 'GDPR', 'HIPAA'],
scope: {
code: 'src/',
configs: 'config/',
infrastructure: 'terraform/'
},
output: {
gaps: true,
evidence: true,
recommendations: true
}
});
```
### 4. Secret Detection
```typescript
await securityScanner.detectSecrets({
scope: ['.', 'config/', '.env*'],
patterns: [
'api-keys',
'passwords',
'tokens',
'private-keys',
'connection-strings'
],
exclude: ['*.test.ts', 'mocks/'],
action: {
onDetect: 'block',
notify: ['security-team']
}
});
```
## OWASP Top 10 Coverage
```yaml
owasp_2021:
A01_broken_access_control:
checks: [privilege-escalation, idor, cors-misconfiguration]
automated: true
A02_cryptographic_failures:
checks: [weak-encryption, missing-encryption, key-management]
automated: true
A03_injection:
checks: [sql, nosql, command, xss, ldap]
automated: true
A04_insecure_design:
checks: [threat-modeling, secure-patterns]
automated: partial
A05_security_misconfiguration:
checks: [default-credentials, unnecessary-features]
automated: true
A06_vulnerable_components:
checks: [outdated-deps, known-cves]
automated: true
A07_auth_failures:
checks: [weak-passwords, session-issues]
automated: true
A08_software_data_integrity:
checks: [insecure-deserialization, cicd-security]
automated: partial
A09_logging_monitoring:
checks: [insufficient-logging, missing-alerts]
automated: partial
A10_ssrf:
checks: [server-side-request-forgery]
automated: true
```
## Security Report
```typescript
interface SecurityReport {
summary: {
score: number; // 0-100
critical: number;
high: number;
medium: number;
low: number;
};
vulnerabilities: {
id: string;
type: string;
severity: 'critical' | 'high' | 'medium' | 'low';
location: string;
description: string;
remediation: string;
cwe: string;
owasp: string;
}[];
dependencies: {
vulnerable: number;
outdated: number;
details: DependencyVuln[];
};
compliance: {
standard: string;
status: 'compliant' | 'non-compliant' | 'partial';
gaps: ComplianceGap[];
evidence: Evidence[];
}[];
secrets: {
detected: number;
locations: SecretLocation[];
};
}
```
## Security Gates
```yaml
security_gates:
block_merge:
- critical_vulnerabilities > 0
- high_vulnerabilities > 2
- secrets_detected > 0
- compliance_failures > 0
warn:
- medium_vulnerabilities > 5
- outdated_dependencies > 10
enforce:
- signed_commits: required
- code_review: required
- security_scan: required
```
## Compliance Standards
| Standard | Scope | Auto-Check |
|----------|-------|------------|
| SOC2 | Security controls | Partial |
| GDPR | Data privacy | Partial |
| HIPAA | Health data | Partial |
| PCI-DSS | Payment data | Yes |
| ISO 27001 | InfoSec | Partial |
## Coordination
**Primary Agents**: qe-security-auditor, qe-security-scanner, qe-compliance-checker
**Coordinator**: qe-security-coordinator
**Related Skills**: qe-quality-assessment, qe-contract-testingRelated Skills
qe-security-visual-testing
Security-first visual testing combining URL validation, PII detection, and visual regression with parallel viewport support. Use when testing web applications that handle sensitive data, need visual regression coverage, or require WCAG accessibility compliance.
qe-security-testing
Test for security vulnerabilities using OWASP principles. Use when conducting security audits, testing auth, or implementing security practices.
qe-n8n-security-testing
Credential exposure detection, OAuth flow validation, API key management testing, and data sanitization verification for n8n workflows. Use when validating n8n workflow security.
qe-compliance-testing
Regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, PCI-DSS and industry-specific regulations. Use when ensuring legal compliance, preparing for audits, or handling sensitive data.
V3 Security Overhaul
Complete security architecture overhaul for claude-flow v3. Addresses critical CVEs (CVE-1, CVE-2, CVE-3) and implements secure-by-default patterns. Use for security-first v3 implementation.
security-watch
Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning.
security-visual-testing
Security-first visual testing combining URL validation, PII detection, and visual regression with parallel viewport support. Use when testing web applications that handle sensitive data, need visual regression coverage, or require WCAG accessibility compliance.
security-testing
Scans for security vulnerabilities including XSS, SQL injection, CSRF, and auth flaws using OWASP Top 10 methodology. Use when conducting SAST/DAST scans, auditing authentication flows, testing authorization rules, or implementing security test automation.
n8n-security-testing
Credential exposure detection, OAuth flow validation, API key management testing, and data sanitization verification for n8n workflows. Use when validating n8n workflow security.
compliance-testing
Regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, PCI-DSS and industry-specific regulations. Use when ensuring legal compliance, preparing for audits, or handling sensitive data.
qe-visual-testing-advanced
Advanced visual regression testing with pixel-perfect comparison, AI-powered diff analysis, responsive design validation, and cross-browser visual consistency. Use when detecting UI regressions, validating designs, or ensuring visual consistency.
qe-verification-quality
Comprehensive truth scoring, code quality verification, and automatic rollback system with 0.95 accuracy threshold for ensuring high-quality agent outputs and codebase reliability.