/security - Security Audit Workflow
Dedicated security analysis for sensitive code.
When to Use
- "Security audit"
- "Check for vulnerabilities"
- "Is this secure?"
- "Review authentication code"
- "Check for injection attacks"
- Before handling auth, payments, user data
- After adding security-sensitive features
Workflow Overview
┌─────────┐    ┌───────────┐
│  aegis  │───▶│  arbiter  │
│         │    │           │
└─────────┘    └───────────┘
  Security        Verify
   audit           fixes
Agent Sequence
| # | Agent | Role | Output |
|---|---|---|---|
| 1 | aegis | Comprehensive security scan | Vulnerability report |
| 2 | arbiter | Verify fixes, run security tests | Verification report |
Why Dedicated Security?
The /review workflow focuses on code quality. Security needs:
- Specialized vulnerability patterns
- Dependency scanning
- Secret detection
- OWASP Top 10 checks
- Authentication/authorization review
Execution
Phase 1: Security Audit
Task(
subagent_type="aegis",
prompt="""
Security audit: [SCOPE]
Scan for:
**Injection Attacks:**
- SQL injection
- Command injection
- XSS (Cross-Site Scripting)
- LDAP injection
**Authentication/Authorization:**
- Broken authentication
- Session management issues
- Privilege escalation
- Insecure direct object references
**Data Protection:**
- Sensitive data exposure
- Hardcoded secrets/credentials
- Insecure cryptography
- Missing encryption
**Configuration:**
- Security misconfigurations
- Default credentials
- Verbose error messages
- Missing security headers
**Dependencies:**
- Known vulnerable packages
- Outdated dependencies
- Supply chain risks
Output: Detailed report with:
- Severity (CRITICAL/HIGH/MEDIUM/LOW)
- Location (file:line)
- Description
- Remediation steps
"""
)
Phase 2: Verification (After Fixes)
Task(
subagent_type="arbiter",
prompt="""
Verify security fixes: [SCOPE]
Run:
- Security-focused tests
- Dependency audit (npm audit, pip-audit)
- Re-check reported vulnerabilities
- Verify fixes don't introduce regressions
Output: Verification report
"""
)
Security Scopes
Full Codebase
User: /security
→ Scan entire codebase
Specific Area
User: /security authentication
→ Focus on auth-related code
Single File
User: /security src/api/auth.py
→ Deep dive on one file
Dependencies Only
User: /security --deps
→ Only dependency vulnerabilities
Example
User: /security the payment processing code
Claude: Starting /security audit for payment code...
Phase 1: Security audit...
[Spawns aegis]
┌─────────────────────────────────────────────────────────────┐
│ Security Audit Report                                       │
├─────────────────────────────────────────────────────────────┤
│ Scope: src/services/payment/                                │
│ Files scanned: 12                                           │
│ Lines analyzed: 2,847                                       │
├─────────────────────────────────────────────────────────────┤
│ CRITICAL (1)                                                │
│ ──────────                                                  │
│ [C1] SQL Injection in payment.py:89                         │
│      query = f"SELECT * FROM orders WHERE id = {order_id}"  │
│      Fix: Use parameterized queries                         │
│                                                             │
│ HIGH (2)                                                    │
│ ────────                                                    │
│ [H1] Hardcoded API key in stripe_client.py:12               │
│      STRIPE_KEY = "sk_live_..."                             │
│      Fix: Move to environment variable                      │
│                                                             │
│ [H2] Missing input validation in refund.py:45               │
│      amount = request.json['amount'] # No validation        │
│      Fix: Validate amount is positive number                │
│                                                             │
│ MEDIUM (1)                                                  │
│ ──────────                                                  │
│ [M1] Verbose error messages in error_handler.py:23          │
│      return {"error": str(e)} # Leaks internal details      │
│      Fix: Return generic message, log details internally    │
│                                                             │
│ LOW (0)                                                     │
│ ───────                                                     │
│ None                                                        │
├─────────────────────────────────────────────────────────────┤
│ Summary: 1 critical, 2 high, 1 medium, 0 low                │
│ Status: BLOCKING - Fix critical issues before release       │
└─────────────────────────────────────────────────────────────┘
Fix the critical and high issues, then run:
/security --verify
After Fixes
User: /security --verify
Claude: Phase 2: Verifying fixes...
[Spawns arbiter]
✅ C1: SQL injection fixed - using parameterized queries
✅ H1: API key moved to environment variable
✅ H2: Input validation added
✅ M1: Error messages sanitized
All security tests passing.
Security audit: PASSED
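A regression test of the kind the verification phase could run for findings C1 and H2 in the sample report, given here as an added example; it is not code from the audited project or from the workflow itself. The sqlite3 backing store, the table layout and every function name are assumptions made for illustration.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

def make_db():
    """Constructed in-memory stand-in for the orders table (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", "19.99"), (2, "bob", "250.00"), (3, "carol", "5.00")])
    return db

def get_order_before(db, order_id):
    # Finding C1 as reported: the value is spliced into the SQL text.
    query = f"SELECT * FROM orders WHERE id = {order_id}"
    return db.execute(query).fetchall()

def get_order_after(db, order_id):
    # C1 fix: the value is a bound parameter and is never parsed as SQL.
    return db.execute("SELECT * FROM orders WHERE id = ?", (order_id,)).fetchall()

def parse_refund_amount(raw):
    # H2 fix: only a finite, positive amount with at most two decimals passes.
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("invalid amount")  # floats rejected: inexact for money
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise ValueError("invalid amount") from None
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ValueError("invalid amount")
    return amount

def is_rejected(raw):
    try:
        parse_refund_amount(raw)
    except ValueError:
        return True
    return False

def regression_check():
    """Row counts for a constructed tautology input, before and after the fix."""
    db = make_db()
    probe = "1 OR 1=1"
    return {"before": len(get_order_before(db, probe)),
            "after": len(get_order_after(db, probe)),
            "legit": len(get_order_after(db, 1))}

if __name__ == "__main__":
    print(regression_check())
    print([is_rejected(v) for v in ("12.50", "-5", "0", "NaN", "1.999", 12.5)])
```

The "before" count covering the whole table while "after" is zero is the evidence that the fix holds; keeping the check in the test suite guards against the string-built query being reintroduced.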
OWASP Top 10 Coverage
| Risk | Checked |
|---|---|
| A01 Broken Access Control | ✅ |
| A02 Cryptographic Failures | ✅ |
| A03 Injection | ✅ |
| A04 Insecure Design | ✅ |
| A05 Security Misconfiguration | ✅ |
| A06 Vulnerable Components | ✅ |
| A07 Auth Failures | ✅ |
| A08 Data Integrity Failures | ✅ |
| A09 Logging Failures | ✅ |
| A10 SSRF | ✅ |
Flags
- --deps: Dependencies only
- --verify: Re-run after fixes
- --owasp: Explicit OWASP Top 10 report
- --secrets: Focus on secret detection