medusa-security

Medusa Security Skill

Identity

AI-first security scanner integration skill. Leverages Medusa's 76 scanners and 3,000+ detection patterns for comprehensive security analysis including AI/ML-specific vulnerability detection.

Capabilities

  1. Full Scan — All 76 scanners, comprehensive security analysis
  2. AI-Only Scan — Prompt injection, MCP security, agent security, RAG security
  3. Quick Scan — Git-changed files only for rapid development feedback
  4. Targeted Scan — Specific scanner categories (mcp, secrets, prompt-injection, etc.)
  5. SARIF Output Parsing — Standard SARIF v2.1.0 structured findings
  6. JSON Output Parsing — Medusa-native JSON format
  7. OWASP Mapping — Maps findings to OWASP Agentic AI (ASI01-10) and OWASP Top 10 (A01-10)
  8. Remediation Guidance — Links findings to agent-studio skills and agents
  9. CI/CD Integration — Fail-on thresholds, SARIF upload for GitHub Code Scanning

Prerequisites

Python 3.10+

```bash
pip install medusa-security
```

Check installation:

```bash
python -m medusa --version
```

Workflow: Full Security Scan

```bash
# Step 1: Verify installation
python -m medusa --version

# Step 2: Run scan
medusa scan . --format sarif --fail-on high

# Step 3: Parse output (use scripts/main.cjs)
node .claude/skills/medusa-security/scripts/main.cjs --mode full --target .

# Step 4: Review findings by severity
# CRITICAL → immediate fix required
# HIGH     → fix before release
# MEDIUM   → fix in next sprint
# LOW      → track and address
```

Workflow: AI-Only Scan

```bash
medusa scan . --format sarif --ai-only
```

Scans only: prompt injection (800+ patterns), MCP security (400+ patterns), agent security (500+ patterns), RAG security (300+ patterns).

Workflow: Quick Scan (Development)

```bash
medusa scan . --format sarif --quick
```

Only scans git-changed files. Use during development for rapid feedback.

Workflow: Targeted Scan

```bash
# MCP security only
medusa scan . --format sarif --scanners mcp-server,mcp-config

# Secrets only
medusa scan . --format sarif --scanners secrets,gitleaks,env

# AI context files only
medusa scan . --format sarif --scanners ai-context
```

Output Processing

The skill uses helper scripts located at `.claude/skills/medusa-security/scripts/`:

| Script | Purpose |
| --- | --- |
| sarif-parser.cjs | Parses SARIF v2.1.0 output |
| json-parser.cjs | Parses Medusa JSON output |
| finding-formatter.cjs | Formats findings with OWASP mapping |
| main.cjs | Orchestrates the full pipeline |
| cli-wrapper.cjs | Wraps Medusa CLI invocation |
| security-review.cjs | Deterministic report writer (no Glob recursion) |

Using the Pipeline

```bash
# Full scan with structured output
node .claude/skills/medusa-security/scripts/main.cjs --mode full --target .

# AI-only scan
node .claude/skills/medusa-security/scripts/main.cjs --mode ai-only --target .

# Quick scan (git-changed files)
node .claude/skills/medusa-security/scripts/main.cjs --mode quick --target .
```

Deterministic Security Review (Recommended in Claude sessions)

Use this when you need the final security review report and want to avoid recursive Glob timeouts:

```bash
node .claude/skills/medusa-security/scripts/security-review.cjs
```

This writes `/.claude/context/reports/security-review-medusa-scan-2026-02-17.md` and performs fixed-path checks on:
  • .claude/hooks/
  • .claude/lib/
  • .claude/skills/medusa-security/scripts/
  • .claude/CLAUDE.md

Important Runtime Guardrail

  • Avoid recursive glob patterns like `.claude/skills/medusa-security/**/*` in long sessions.
  • Prefer direct file reads and deterministic script entry points.

OWASP Mapping

Findings are automatically mapped to:
  • OWASP Agentic AI Top 10 (ASI01-10): Goal Hijacking, Tool Misuse, Context Poisoning, etc.
  • OWASP Top 10 (A01-10): Broken Access Control, Injection, Cryptographic Failures, etc.

Severity Triage

| Severity | Action | Timeline |
| --- | --- | --- |
| CRITICAL | Immediate fix | Before any merge |
| HIGH | Fix before release | Same sprint |
| MEDIUM | Fix in next sprint | Next cycle |
| LOW | Track and address | Backlog |

Agent Integration

| Agent | Usage |
| --- | --- |
| security-architect | Primary consumer. Use for comprehensive security reviews. |
| penetration-tester | Use for targeted vulnerability scanning with authorization. |
| code-reviewer | Use AI-only scan as part of code review workflow. |

CI/CD Integration

```yaml
# GitHub Actions example
- name: Security Scan
  run: |
    pip install medusa-security
    medusa scan . --format sarif --fail-on high -o reports/

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: reports/medusa-results.sarif
```
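The SARIF output parsing, OWASP mapping, severity triage and `--fail-on` gate described above, as an added example that is not the skill's own sarif-parser.cjs or main.cjs: a small parser over a constructed SARIF v2.1.0 document. It assumes each rule carries GitHub Code Scanning's `security-severity` score and OWASP ids in `properties.tags`; the sample rule ids, scores and paths are invented.

```javascript
// Added example, not the medusa-security skill's own scripts. Assumes each SARIF rule
// carries GitHub Code Scanning's `security-severity` score (0-10) and OWASP ids in
// `properties.tags`; whether Medusa emits these is an assumption, not documented here.
const SEVERITIES = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
// Score to triage level via GitHub's bands (9+, 7+, 4+, else LOW); fall back to SARIF `level`.
function severityOf(rule, result) {
  const score = Number(rule && rule.properties && rule.properties['security-severity']);
  if (!Number.isNaN(score)) {
    return score >= 9 ? 'CRITICAL' : score >= 7 ? 'HIGH' : score >= 4 ? 'MEDIUM' : 'LOW';
  }
  return { error: 'HIGH', warning: 'MEDIUM' }[result.level] || 'LOW';
}
// Flatten every run/result into { ruleId, severity, owasp, file, line, message }.
function parseSarif(sarif) {
  const findings = [];
  for (const run of sarif.runs || []) {
    const rules = new Map((((run.tool || {}).driver || {}).rules || []).map((r) => [r.id, r]));
    for (const result of run.results || []) {
      const rule = rules.get(result.ruleId);
      const loc = ((result.locations || [])[0] || {}).physicalLocation || {};
      const tags = (rule && rule.properties && rule.properties.tags) || [];
      findings.push({
        ruleId: result.ruleId,
        severity: severityOf(rule, result),
        owasp: tags.filter((t) => /^(ASI|A)\d{2}$/.test(t)), // ASI01-10 and A01-10 ids
        file: (loc.artifactLocation || {}).uri || '<unknown>',
        line: (loc.region || {}).startLine || 0,
        message: (result.message || {}).text || '',
      });
    }
  }
  return findings;
}
// CI gate mirroring `--fail-on <level>`: fail when any finding is at or above the threshold.
function shouldFail(findings, threshold) {
  const min = SEVERITIES.indexOf(String(threshold).toUpperCase());
  return min >= 0 && findings.some((f) => SEVERITIES.indexOf(f.severity) >= min);
}
// Constructed SARIF v2.1.0 sample for the demo; rule ids, scores and paths are invented.
const SAMPLE_SARIF = { version: '2.1.0', runs: [{
  tool: { driver: { rules: [
    { id: 'demo-prompt-injection', properties: { 'security-severity': '9.1', tags: ['ASI01', 'security'] } },
    { id: 'demo-hardcoded-secret', properties: { 'security-severity': '7.5', tags: ['A02'] } } ] } },
  results: [
    { ruleId: 'demo-prompt-injection', level: 'error', message: { text: 'Injection phrase in context file' },
      locations: [{ physicalLocation: { artifactLocation: { uri: 'CLAUDE.md' }, region: { startLine: 12 } } }] },
    { ruleId: 'demo-hardcoded-secret', level: 'warning', message: { text: 'Possible API key' },
      locations: [{ physicalLocation: { artifactLocation: { uri: '.env' }, region: { startLine: 3 } } }] },
    { ruleId: 'demo-unlisted-rule', level: 'note', message: { text: 'No rule metadata' } } ] }] };
```

Running `parseSarif(SAMPLE_SARIF)` yields one CRITICAL, one HIGH and one LOW finding, and `shouldFail(findings, 'high')` returns true, which is the condition a `--fail-on high` CI step fails on.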

Memory Protocol

After scanning:
  • Record new vulnerability patterns in `patterns.json`
  • Log significant findings in `issues.md`
  • Track scan history for trend analysis
  • Use `recordGotcha()` for recurring false positives

```javascript
const manager = require('.claude/lib/memory/memory-manager.cjs');

// Record a recurring false positive so it is recognised in later scans
manager.recordGotcha({
  text: 'False positive: medusa flags X pattern in Y context',
  area: 'security-scanning',
});

// Record a confirmed vulnerability pattern for future reference
manager.recordPattern({
  text: 'Prompt injection found in CLAUDE.md context files',
  area: 'ai-security',
});
```

Related Skills

  • security-architect
    — Threat modeling and OWASP analysis
  • static-analysis
    — CodeQL and Semgrep SARIF analysis
  • semgrep-rule-creator
    — Create custom Semgrep rules
  • insecure-defaults
    — Detect hardcoded credentials
  • variant-analysis
    — Discover vulnerability variants