playbooks

home / skills / git-fg / thecattoolkit / auditing-security

auditing-security skill

/plugins/sys-core/skills/auditing-security

This skill audits code changes for secrets and security issues, guiding safe commits and comprehensive vulnerability checks across projects.

npx playbooks add skill git-fg/thecattoolkit --skill auditing-security

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.4 KB
---
name: auditing-security
description: "Scans for secrets and performs comprehensive security audits. MUST Use when verifying security of code changes or auditing file safety."
context: fork
user-invocable: true
agent: security-auditor
allowed-tools: [Read, Grep, Glob]
---

# Security Audit Standards

## Active Hooks


### 1. Secret Detection
**Trigger:** `PreToolUse` (Edit/Write)
**Action:** Scans content for:
- API Keys (OpenAI, Anthropic, AWS)
- Bearer Tokens
- Private Keys
- GitHub Tokens

### 2. File Protection
**Trigger:** `PreToolUse` (Edit/Write)
**Action:** Warns on modification of:
- Lock files (`package-lock.json`, `poetry.lock`)
- Secrets directories (`.env`, `credentials/`)
- Git internals



## Configuration

Patterns are defined in:
- `plugins/verify/hooks/scripts/security-check.py`
- `plugins/verify/hooks/scripts/protect-files.py`

## Manual Audit Protocol

### Phase 1: Discovery
1. **Identify Project Context**: Programming languages, config files, dependencies
2. **Locate Targets**: Source files, configuration files, dependency manifests
3. **Check Frameworks**: Security libraries or frameworks in use

### Phase 2: Scanning
**Secret Detection:**
- API keys: `/api[_-]?key["\s]*[:=]["\s]*[a-zA-Z0-9]{20,}/`
- Tokens: `/token["\s]*[:=]["\s]*[a-zA-Z0-9]{20,}/`
- Passwords: `/(password|passwd|pwd)["\s]*[:=]["\s]*["'][^"']{6,}["']/`
- Private keys: `/-----BEGIN.*PRIVATE KEY-----/`

**OWASP Top 10 Detection:**
- Injection flaws (SQL, NoSQL, OS command injection)
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging & monitoring

**Anti-Patterns:**
- Unsafe eval() or exec() usage
- Hardcoded cryptographic keys
- Weak random number generation
- Missing input validation
- Insecure file operations
- Path traversal vulnerabilities
- Command injection vectors

### Phase 3: Reporting
**Structured Security Report:**
```markdown
# Security Audit Report

## Executive Summary
- Total files scanned: [N]
- Critical issues: [N]
- High severity: [N]
- Medium severity: [N]
- Low severity: [N]

## Critical Findings
[Critical security issues requiring immediate attention]

## High Severity
[Significant vulnerabilities]

## Medium Severity
[Potential security concerns]

## Low Severity
[Best practice violations]

## Recommendations
[Priority-ordered remediation steps]
```

Overview

This skill scans code and files for exposed secrets and performs comprehensive security audits focused on code changes and file safety. It combines automated secret detection and file-protection checks with a manual audit protocol to produce structured, actionable reports. Use it to verify security before merging changes or publishing artifacts.

How this skill works

On edit or write actions it runs pre-commit style hooks that detect API keys, bearer tokens, private keys, GitHub tokens, and other sensitive strings. It also flags modifications to lock files, secrets directories, and Git internals to prevent accidental exposure. For deeper reviews, it follows a three-phase manual audit: discovery, targeted scanning (including OWASP Top 10 checks and anti-pattern detection), and structured reporting with prioritized remediation.

When to use it

  • Before merging pull requests that introduce code or configuration changes
  • When auditing a repository for accidental secret exposure
  • Prior to releasing packages or publishing builds
  • During code reviews for high-risk components (auth, crypto, file handling)
  • When onboarding new components or third-party dependencies

Best practices

  • Run automated secret scans on every edit or commit and block pushes with detected secrets
  • Treat lock files and .env/credentials directories as protected—review modifications manually
  • Combine pattern-based scanning with targeted OWASP-style checks for logical vulnerabilities
  • Prioritize remediation by severity and provide clear, stepwise recommendations
  • Rotate any discovered credentials immediately and replace with environment-managed secrets

Example use cases

  • Detecting an accidentally committed OpenAI or AWS API key in a feature branch
  • Auditing a repository before a production release to ensure no private keys are included
  • Flagging changes that modify package-lock.json or poetry.lock files for manual review
  • Performing a security review of authentication and input handling code against OWASP Top 10
  • Generating a structured security audit report to share with stakeholders

FAQ

Which types of secrets are detected automatically?

The automated checks look for API keys (OpenAI, Anthropic, AWS), bearer tokens, GitHub tokens, and private key markers. Pattern rules cover common token and password formats as well as PEM private key headers.

What happens if a lock file or .env is modified?

The skill warns on modifications to lock files and secrets directories so reviewers can verify the change is intentional and safe before allowing commits or merges.