Code Audit Skill
专业代码安全审计技能 | Professional Code Security Audit 支持模式: quick / standard / deep
When to Use This Skill
This skill should be used when:
-
User requests code audit, security audit, or vulnerability scanning
-
User asks to check code security or find security issues
-
User mentions /audit or /code-audit
-
User wants to review code for vulnerabilities before deployment
-
User needs penetration testing preparation or security assessment
Trigger phrases:
-
"审计这个项目" / "Audit this project"
-
"检查代码安全" / "Check code security"
-
"找出安全漏洞" / "Find security vulnerabilities"
-
"/audit", "/code-audit"
Quick Reference
Scan Modes
Mode Use Case Scope
Quick CI/CD, small projects High-risk vulns, secrets, dependency CVEs
Standard Regular audits OWASP Top 10, auth, crypto
Deep Critical projects, pentests Full coverage, attack chains, business logic
Core Workflow
- Reconnaissance → Identify tech stack, map attack surface
- Vulnerability Hunt → Search patterns, trace data flow
- Verification → Confirm exploitability, filter false positives
- Docker Verify → [NEW] Dynamic verification in sandbox (optional)
- Report → Document findings with PoC and fixes
Docker部署验证
对于深度审计,可使用Docker沙箱进行动态验证:
生成验证环境
code-audit --generate-docker-env
启动并验证
docker-compose up -d docker exec -it sandbox python /workspace/poc/verify_all.py
详见: references/core/docker_verification.md
Execution Controller(执行控制器 — 必经路径)
⚠️ 以下步骤是审计执行的必经路径,不是参考建议。 每步有必须产出的输出,后续步骤依赖前序输出。不产出 = 用户可见缺失。
Step 1: 模式判定
根据用户指令确定审计模式:
用户指令关键词 模式
"快速扫描" "quick" "CI检查" quick
"审计" "扫描" "安全检查"(无特殊说明) standard
"深度审计" "deep" "渗透测试准备" "全面审计" deep
无法判定 问用户,不得自行假设
反降级规则: 用户指定的模式不可自行降级。项目规模大不是降级理由,而是启用 Multi-Agent 的理由。降级需用户明确确认。
必须输出:
[MODE] {quick|standard|deep}
Step 2: 文档加载
按模式加载必要文档(用 Read 工具实际读取,不是"知道有这个文件"):
模式 必须 Read 的文档
quick 当前 SKILL.md 已加载,无需额外文档
standard
- references/checklists/coverage_matrix.md
- 对应语言 checklist
deep
- agent.md (完整读取,不可跳过) + coverage_matrix.md
- 对应语言 checklist
deep 模式下 agent.md 是必读文档 — Step 4 的执行计划模板包含只有 agent.md 中才有的字段(维度权重、Agent 切分模板、门控条件、执行状态机)。
必须输出:
[LOADED] {实际 Read 的文档列表,含行数}
Step 3: 侦察(Reconnaissance)
对目标项目执行攻击面测绘。
必须输出:
[RECON] 项目规模: {X files, Y directories} 技术栈: {language, framework, version} 项目类型: {CMS | 金融 | SaaS | 数据平台 | 身份认证 | IoT | 通用Web} 入口点: {Controller/Router/Handler 数量} 关键模块: {列表}
Step 4: 执行计划 → STOP
基于 Step 1-3 的输出生成执行计划。输出后暂停,等待用户确认才能继续。
quick/standard 模板:
[PLAN] 模式: {mode} 技术栈: {from Step 3} 扫描维度: {计划覆盖的 D1-D10 维度} 已加载文档: {from Step 2}
deep 模板(全部字段必填 — 标注了信息来源文档):
[PLAN] 模式: deep 项目规模: {from Step 3} 技术栈: {from Step 3} 维度权重: {from agent.md 状态机 → 项目类型维度权重,如 CMS: D5(++), D1(+), D3(+), D6(+)} Agent 方案: {from agent.md Agent 模板 → 每个 Agent 负责的维度和 max_turns} Agent 数量: {from agent.md 规模建议 → 小型(<10K) 2-3, 中型(10K-100K) 3-5, 大型(>100K) 5-9} D9 覆盖策略: {若项目有后台管理/多角色/多租户 → D9 必查,D3 Agent 须同时覆盖 D9a(IDOR+权限一致性+Mass Assignment)} 轮次规划: R1 广度扫描 → R1 评估 → R2 增量补漏(按需) 门控条件: PHASE_1_RECON → ROUND_N_RUNNING → ROUND_N_EVALUATION → REPORT 预估总 turns: {Agent数 × max_turns} 已加载文档: {from Step 2}
⚠️ STOP — 输出执行计划后暂停。等待用户确认后才能开始审计。
Step 5: 执行
用户确认后,按执行计划和已加载文档执行:
-
quick: 高危模式匹配扫描,直接输出
-
standard: 按 Phase 1→5 顺序执行
-
deep: 严格按 agent.md 执行状态机
-
启动 Multi-Agent 并行(按 Step 4 确认的 Agent 方案)
-
遵守每个 State 的门控条件
-
轮次评估使用 agent.md 三问法则
Step 6: 报告门控
生成报告前验证:
前置条件 quick standard deep
高危模式扫描完成 ✅ ✅ ✅
D1-D10 覆盖率标记(✅已覆盖/⚠️浅覆盖/❌未覆盖) — ✅ ✅
所有 Agent 完成或超时标注 — — ✅
轮次评估三问通过 — — ✅
不满足前置条件 → 不得生成最终报告。
Anti-Hallucination Rules (MUST FOLLOW)
⚠️ Every finding MUST be based on actual code read via tools
✗ Do NOT guess file paths based on "typical project structure" ✗ Do NOT fabricate code snippets from memory ✗ Do NOT report vulnerabilities in files you haven't read
✓ MUST use Read/Glob to verify file exists before reporting ✓ MUST quote actual code from Read tool output ✓ MUST match project's actual tech stack
Core principle: Better to miss a vulnerability than report a false positive.
Anti-Confirmation-Bias Rules (MUST FOLLOW)
⚠️ Audit MUST be methodology-driven, NOT case-driven
✗ Do NOT say "基于之前的审计经验,我将重点关注..." ✗ Do NOT prioritize certain vuln types based on "known CVEs" ✗ Do NOT skip checklist items because they seem "less likely"
✓ MUST enumerate ALL sensitive operations, then verify EACH one ✓ MUST complete the full checklist for EACH vulnerability type ✓ MUST treat all potential vulnerabilities with equal rigor
Core principle: Discover ALL potential vulnerabilities, not just familiar patterns.
Two-Layer Checklist (两层检查清单)
Layer 1: coverage_matrix.md — Phase 2A后加载,验证10个安全维度覆盖率 Layer 2: 语言语义提示 — 仅对未覆盖维度按需加载对应段落
文件 用途
references/checklists/coverage_matrix.md
覆盖率矩阵 (D1-D10)
references/checklists/universal.md
通用架构/逻辑级语义提示
references/checklists/java.md
Java 语义提示 (10维度)
references/checklists/python.md
Python 语义提示
references/checklists/php.md
PHP 语义提示
references/checklists/javascript.md
JavaScript/Node.js 语义提示
references/checklists/go.md
Go 语义提示
references/checklists/dotnet.md
.NET/C# 语义提示
references/checklists/ruby.md
Ruby 语义提示
references/checklists/c_cpp.md
C/C++ 语义提示
references/checklists/rust.md
Rust 语义提示
核心原则: Checklist 不驱动审计,而是验证覆盖。LLM 先自由审计(Phase 2A),再用矩阵查漏(Phase 2B)。
Module Reference
Core Modules (Load First)
Module Path Purpose
Capability Baseline references/core/capability_baseline.md
防止能力丢失的回归测试框架
Anti-Hallucination references/core/anti_hallucination.md
Prevent false positives
Audit Methodology references/core/comprehensive_audit_methodology.md
Systematic framework, coverage tracking
Taint Analysis references/core/taint_analysis.md
Data flow tracking, LSP-enhanced tracking, Slot type classification
PoC Generation references/core/poc_generation.md
Verification templates
External Tools references/core/external_tools_guide.md
Semgrep/Bandit integration
Language Modules (Load by Tech Stack)
Language Module Key Vulnerabilities
Java references/languages/java.md
SQL injection, XXE, deserialization
Python references/languages/python.md
Pickle, SSTI, command injection
Go references/languages/go.md
Race conditions, SSRF
PHP references/languages/php.md
File inclusion, deserialization
JavaScript references/languages/javascript.md
Prototype pollution, XSS
Security Domain Modules (Load as Needed)
Domain Module When to Load
API Security references/security/api_security.md
REST/GraphQL APIs
LLM Security references/security/llm_security.md
AI/ML applications
Serverless references/security/serverless.md
AWS Lambda, Azure Functions
Cryptography references/security/cryptography.md
Encryption, TLS, JWT
Race Conditions references/security/race_conditions.md
Concurrent operations
Tool Priority Strategy
Priority 1: External Professional Tools (if available) ├─ semgrep scan --config auto # Multi-language SAST ├─ bandit -r ./src # Python security ├─ gosec ./... # Go security └─ gitleaks detect # Secret scanning
Priority 2: Built-in Analysis (always available) ├─ LSP semantic analysis # goToDefinition, findReferences, incomingCalls ├─ Read + Grep pattern matching # Core analysis └─ Module knowledge base # 55+ vuln patterns
Priority 3: Verification ├─ PoC templates from references/core/poc_generation.md └─ Confidence scoring from references/core/verification_methodology.md
Detailed Documentation
For complete audit methodology, vulnerability patterns, and detection rules, see:
-
Full Workflow: agent.md
-
Complete audit process and detection commands
-
Vulnerability Details: references/
-
Language/framework-specific patterns
-
Tool Integration: references/core/external_tools_guide.md
-
Report Templates: references/core/taint_analysis.md
Version
-
Current: 1.0
-
Updated: 2026-02-13
v1.0 (Initial Public Release)
-
9语言143项强制检测清单 (references/checklists/ )
-
双轨并行审计框架: Sink-driven + Control-driven + Config-driven
-
Docker部署验证框架 (references/core/docker_verification.md )
-
WooYun 88,636案例库集成
-
安全控制矩阵框架