security-audit

/security-audit

Multi-agent security audit with findings saved to a timestamped report.

Usage

```bash
/security-audit yourbench           # Full security review
/security-audit coordinatr          # Audit specific project
```

Audit Dimensions

Five security-auditor agents run in parallel:

| Agent | Focus Area | Checks |
| --- | --- | --- |
| Agent 1: Auth & Access | Authentication, Authorization | JWT handling, session management, RBAC, privilege escalation |
| Agent 2: Input & Data | Injection, Validation | SQL injection, XSS, command injection, input sanitization |
| Agent 3: Crypto & Secrets | Cryptography, Secrets | Hardcoded credentials, weak crypto, key management, PII |
| Agent 4: Config & Deploy | Configuration, Infrastructure | CORS, CSRF, security headers, exposed endpoints, debug mode |
| Agent 5: Dependencies | Supply Chain, Libraries | Vulnerable packages, outdated deps, license issues |

OWASP Top 10 Coverage

| OWASP Risk | Coverage |
| --- | --- |
| A01 Broken Access Control | Agent 1 |
| A02 Cryptographic Failures | Agent 3 |
| A03 Injection | Agent 2 |
| A04 Insecure Design | Agents 1, 4 |
| A05 Security Misconfiguration | Agent 4 |
| A06 Vulnerable Components | Agent 5 |
| A07 Auth Failures | Agent 1 |
| A08 Data Integrity Failures | Agents 2, 3 |
| A09 Logging Failures | Agent 4 |
| A10 SSRF | Agent 2 |

Execution Flow

1. Validate Project

```bash
ls spaces/[project]/
```

2. Launch Parallel Audits

5 security-auditor agents run concurrently with focused prompts.

3. Consolidate Findings

Aggregate by:
  • Severity: Critical, High, Medium, Low, Info
  • Category: OWASP classification
  • Location: File path + line number
  • Remediation: Specific fix guidance

4. Generate Report

```bash
Write: .claude/temp/security-audit-[project]-[timestamp].md
```
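
An added example (not part of the original skill) of the consolidation in step 3 and the report name in step 4: it merges findings that two agents report for the same location and category, keeps the higher severity, and computes the Executive Summary counts. The finding fields, every sample finding other than the location src/api/users.py:42, and the project-name check are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

SEVERITIES = ["Critical", "High", "Medium", "Low", "Info"]  # order listed in step 3
RANK = {name: i for i, name in enumerate(SEVERITIES)}

def consolidate(findings):
    """One entry per (location, category); the highest severity reported wins."""
    merged = {}
    for f in findings:
        if f["severity"] not in RANK:
            raise ValueError(f"unknown severity: {f['severity']!r}")
        key = (f["location"], f["category"])
        kept = merged.setdefault(key, {**f, "agents": []})
        kept["agents"].append(f["agent"])
        if RANK[f["severity"]] < RANK[kept["severity"]]:
            # Another agent rated the same issue higher: keep its rating and fix.
            kept.update(severity=f["severity"], remediation=f["remediation"])
    return sorted(merged.values(), key=lambda f: (RANK[f["severity"]], f["location"]))

def executive_summary(consolidated):
    counts = Counter(f["severity"] for f in consolidated)
    return {"critical": counts["Critical"], "high": counts["High"],
            "total": len(consolidated)}

def report_path(project, now):
    # Assumption: project names are plain identifiers, so the name cannot
    # steer the report outside .claude/temp/.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", project):
        raise ValueError(f"invalid project name: {project!r}")
    return f".claude/temp/security-audit-{project}-{now:%Y-%m-%d-%H%M%S}.md"

# Constructed sample findings; only the location src/api/users.py:42 is from the page.
SAMPLE = [
    {"agent": "Agent 1", "severity": "Medium", "category": "A04 Insecure Design",
     "location": "src/config/settings.py:10", "remediation": "Review default roles"},
    {"agent": "Agent 2", "severity": "Critical", "category": "A03 Injection",
     "location": "src/api/users.py:42", "remediation": "Use parameterized queries"},
    {"agent": "Agent 3", "severity": "High", "category": "A02 Cryptographic Failures",
     "location": "src/auth/keys.py:7", "remediation": "Load the key from a secret store"},
    {"agent": "Agent 4", "severity": "High", "category": "A04 Insecure Design",
     "location": "src/config/settings.py:10", "remediation": "Disable debug mode by default"},
]

if __name__ == "__main__":
    merged = consolidate(SAMPLE)
    print(report_path("yourbench", datetime(2026, 1, 8, 14, 30, 22)))
    print(executive_summary(merged), [f["location"] for f in merged])
```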

Report Structure

```markdown
Security Audit: [Project Name]

Date: YYYY-MM-DD HH:MM:SS

Executive Summary

  • Critical issues: X
  • High severity: Y
  • Total findings: Z

Critical Issues

[Issue Title]

  • Severity: Critical
  • Category: SQL Injection (CWE-89)
  • Location: src/api/users.py:42
  • Description: [What's wrong]
  • Impact: [What could happen]
  • Remediation: [How to fix]

High Severity Issues

[...]

Recommendations

  • Priority actions
  • Long-term improvements

Scan Coverage

  • Files scanned: X
  • Technologies: Z
```

When to Use

  • Before production deployments
  • After major feature additions
  • Monthly security reviews
  • Before external security audits
  • After dependency updates

Output Location

.claude/temp/security-audit-yourbench-2026-01-08-143022.md

Reports saved to .claude/temp/ (gitignored) for review.

Notes

  • Read-only: No code changes made
  • Non-blocking: Doesn't prevent commits
  • Parallel execution: Agents run concurrently
  • False positives possible: Manual review recommended

Integration

Implement security feature → /security-audit → Fix issues → /commit