secure-coding-audit

Audit code for security vulnerabilities using OWASP Secure Coding rules. Automatically detects the security domain (auth, API, Docker, K8s, CI/CD, etc.) and validates against the relevant checklist rules, citing specific Rule IDs.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "secure-coding-audit" with this command: npx skills add vchirrav/product-security-ai-skills/vchirrav-product-security-ai-skills-secure-coding-audit

OWASP Secure Coding Audit

You are a security auditor. Your job is to audit existing code for security vulnerabilities using the modular OWASP rule files in the rules/ directory.

Step 1: Determine the domain

Examine the target code and identify which security domains apply. Use this mapping to select rule files:

| Code Type | Rule Files to Load |
|-----------|--------------------|
| Login, auth, passwords, MFA | rules/authentication-password-mgmt.md, rules/session-management.md |
| API routes, controllers, REST/GraphQL | rules/api-security.md, rules/input-validation.md |
| Dockerfile, container config | rules/dockerfile-security.md |
| Kubernetes manifests, Helm charts | rules/cloud-native-k8s.md |
| CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) | rules/cicd-pipeline-security.md |
| Terraform, CloudFormation, Pulumi | rules/iac-security.md |
| File upload/download handlers | rules/file-management.md, rules/input-validation.md |
| Database queries, ORM code | rules/database-security.md, rules/input-validation.md |
| Frontend, React, HTML templates | rules/client-side-security.md, rules/output-encoding.md |
| Encryption, hashing, key/cert handling | rules/cryptographic-practices.md, rules/communication-security.md |
| Environment variables, secrets, vaults | rules/secrets-management.md |
| Error handling, logging, monitoring | rules/error-handling-logging.md |
| RBAC, permissions, authorization | rules/access-control.md |
| PII, data storage, retention | rules/data-protection.md |
| Dependencies, package management, SBOM | rules/software-supply-chain.md |
| C/C++, memory-unsafe languages | rules/memory-management.md |
| Server config, hardening | rules/system-configuration.md |
| General review (no specific domain) | rules/general-coding-practices.md |

If multiple domains apply, load all relevant files. Do NOT load the entire rules/ folder — only what is needed.

Step 2: Read the target code

Read the file(s) to be audited.

Step 3: Audit the code

For each relevant rule file:

  1. Read the rule file from rules/.
  2. Check the target code against every checklist rule in that file.
  3. Record the result for each rule as PASS or FAIL, matching the Status column of the findings table.

Output a findings table:

| Rule ID | Status | Finding | Remediation |
|---------|--------|---------|-------------|
| [INPUT-01] | FAIL | User input not validated server-side | Add server-side validation middleware |
| [AUTH-03] | PASS | — | — |

After the table, provide a Summary with:

  • Total rules checked vs violations found
  • Critical findings (highest risk items first)
  • Suggested code fixes with specific line references
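As an added worked example (not code from the skill or its repository), the following Python scaffold runs Step 1 and Step 3 end to end: it maps a set of target files to the rule files in the table above, taking the union across files in table order without loading the whole rules/ folder, and then renders the findings table and summary in the format shown. The rule-file names are copied from the table; everything else is an assumption made for this example: the path and content regexes that detect each domain, the requirement that a YAML content hit carry both apiVersion and kind before it counts as a Kubernetes manifest (so Helm's Chart.yaml is picked up by path, not by content), the `line` and `risk` fields on `Finding` that feed the summary's line references and risk ordering, and the constructed sample files and findings. The rule checks themselves remain the auditor's job against the loaded rule files; this scaffold only selects them and formats the result.

```python
import re
from dataclasses import dataclass

# Rule files per domain, in the order of the skill's mapping table.
RULE_FILES = {
    "auth": ["rules/authentication-password-mgmt.md", "rules/session-management.md"],
    "api": ["rules/api-security.md", "rules/input-validation.md"],
    "docker": ["rules/dockerfile-security.md"],
    "k8s": ["rules/cloud-native-k8s.md"],
    "cicd": ["rules/cicd-pipeline-security.md"],
    "iac": ["rules/iac-security.md"],
    "files": ["rules/file-management.md", "rules/input-validation.md"],
    "db": ["rules/database-security.md", "rules/input-validation.md"],
    "frontend": ["rules/client-side-security.md", "rules/output-encoding.md"],
    "crypto": ["rules/cryptographic-practices.md", "rules/communication-security.md"],
    "secrets": ["rules/secrets-management.md"],
    "logging": ["rules/error-handling-logging.md"],
    "access": ["rules/access-control.md"],
    "data": ["rules/data-protection.md"],
    "supply": ["rules/software-supply-chain.md"],
    "memory": ["rules/memory-management.md"],
    "sysconf": ["rules/system-configuration.md"],
    "general": ["rules/general-coding-practices.md"],
}
# Detection heuristics (assumptions for this example): path patterns for formats named by their file,
# content patterns for code whose domain shows in its imports and calls. One file may hit several.
PATH_SIGNALS = [
    (r"(^|/)Dockerfile(\.[\w-]+)?$|\.dockerfile$", "docker"),
    (r"(^|/)(Chart\.yaml|values\.ya?ml)$|/templates/[^/]+\.ya?ml$", "k8s"),
    (r"\.github/workflows/[^/]+\.ya?ml$|(^|/)(Jenkinsfile|\.gitlab-ci\.yml)$", "cicd"),
    (r"\.tf$|(^|/)Pulumi\.ya?ml$|cloudformation[^/]*\.(ya?ml|json)$", "iac"),
    (r"(^|/)(package(-lock)?\.json|requirements[\w.-]*\.txt|go\.(mod|sum)|Cargo\.lock|[\w.-]*sbom[\w.-]*\.json)$", "supply"),
    (r"\.(c|cc|cpp|cxx|h|hpp)$", "memory"),
    (r"\.(jsx|tsx|html|vue|svelte)$", "frontend"),
    (r"(^|/)(sshd_config|nginx\.conf|httpd\.conf|sysctl\.conf)$", "sysconf"),
]
CONTENT_SIGNALS = [
    (r"^\s*apiVersion:\s*\S+\s*$", "k8s"),  # kept only when a kind: line is present too (see below)
    (r"\b(password|passwd|login|mfa|totp|session_?id)\b", "auth"),
    (r"@(app|router|bp)\.(route|get|post|put|delete)\(|\bapp\.(get|post|put|delete)\(|\bgraphql\b", "api"),
    (r"\b(cursor\.execute|sqlalchemy|psycopg2|pymysql|sqlite3|SELECT\s.+\sFROM)\b", "db"),
    (r"\b(upload|send_file|multipart)\b|\.save\(", "files"),
    (r"\b(hashlib|bcrypt|cryptography|hmac|ssl|openssl|tls)\b", "crypto"),
    (r"os\.environ|getenv\(|\bvault\b|AWS_SECRET_ACCESS_KEY", "secrets"),
    (r"\blogging\.|\blogger\.|\bexcept\b|\bcatch\b", "logging"),
    (r"\b(role|roles|permission|rbac|is_admin|authorize)\b", "access"),
    (r"\b(pii|ssn|date_of_birth|retention|gdpr)\b", "data"),
]

def detect_domains(path: str, content: str) -> set[str]:
    """Step 1 for one file: every domain it belongs to."""
    by_path = {d for pat, d in PATH_SIGNALS if re.search(pat, path, re.I)}
    by_content = {d for pat, d in CONTENT_SIGNALS if re.search(pat, content, re.M | re.I)}
    # apiVersion alone is not a manifest (Helm's Chart.yaml has one): a content hit also needs a kind: line.
    if "k8s" in by_content and not re.search(r"^\s*kind:\s*\S+", content, re.M):
        by_content.discard("k8s")
    return by_path | by_content

def select_rule_files(files: dict[str, str]) -> list[str]:
    """Step 1 across all targets: rule files in table order, deduplicated, never the whole rules/ folder."""
    domains = set().union(*(detect_domains(p, c) for p, c in files.items())) or {"general"}
    selected: list[str] = []
    for domain, rule_files in RULE_FILES.items():
        if domain in domains:
            selected += [rf for rf in rule_files if rf not in selected]
    return selected

@dataclass
class Finding:
    rule_id: str            # checklist Rule ID, e.g. "INPUT-01"
    status: str             # "PASS" or "FAIL"
    finding: str = "—"
    remediation: str = "—"
    line: int = 0           # assumed field: target line for the summary's fix references (0 = none)
    risk: int = 0           # assumed field: higher sorts earlier under "Critical findings"

def render_report(findings: list[Finding]) -> str:
    """Step 3 output: the findings table, then the summary block the skill asks for."""
    rows = ["| Rule ID | Status | Finding | Remediation |", "|---------|--------|---------|-------------|"]
    rows += [f"| [{f.rule_id}] | {f.status} | {f.finding} | {f.remediation} |" for f in findings]
    fails = sorted((f for f in findings if f.status == "FAIL"), key=lambda f: -f.risk)
    summary = ["", "Summary", f"- Rules checked: {len(findings)}, violations: {len(fails)}",
               "- Critical findings (highest risk first):"]
    summary += [f"  - [{f.rule_id}] line {f.line}: {f.finding}. Fix: {f.remediation}" for f in fails]
    return "\n".join(rows + summary)

SAMPLE_FILES = {  # constructed sample targets, not taken from any real project
    "Dockerfile": 'FROM python:3.12\nCOPY . /app\nCMD ["python", "app.py"]\n',
    "deploy/web.yaml": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: web\n",
    ".github/workflows/ci.yml": "on: push\njobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n",
    "app.py": "import sqlite3\n@app.route('/user')\ndef user():\n"
              "    return db.execute(f\"SELECT * FROM users WHERE id={request.args['id']}\")\n",
}
SAMPLE_FINDINGS = [  # the two rows from the skill's own findings table
    Finding("INPUT-01", "FAIL", "User input not validated server-side", "Add server-side validation middleware", line=4, risk=8),
    Finding("AUTH-03", "PASS"),
]

if __name__ == "__main__":
    print("\n".join(select_rule_files(SAMPLE_FILES)), render_report(SAMPLE_FINDINGS), sep="\n\n")
```

Running it prints the six rule files selected for the sample set (rules/input-validation.md appears once, although both the API and database rows list it) and then the report. To use it on a real target, replace SAMPLE_FILES with paths and contents read from disk; the regexes are a starting point to tune, not a substitute for reading the code.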

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
