playbooks

home / skills / proffesor-for-testing / agentic-qe / qe-security-compliance

qe-security-compliance skill

/v3/assets/skills/qe-security-compliance

This skill guides security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and related standards.

npx playbooks add skill proffesor-for-testing/agentic-qe --skill qe-security-compliance

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
5.3 KB
---
name: "QE Security Compliance"
description: "Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards."
---

# QE Security Compliance

## Purpose

Guide the use of v3's security and compliance testing capabilities including SAST/DAST scanning, vulnerability detection, compliance auditing, and security gate enforcement.

## Activation

- When performing security audits
- When scanning for vulnerabilities
- When validating compliance
- When checking dependencies
- When setting up security gates

## Quick Start

```bash
# Full security scan
aqe security scan --scope src/ --checks all

# Vulnerability check
aqe security vulns --dependencies --severity critical,high

# Compliance audit
aqe security compliance --standard soc2 --output report.html

# OWASP check
aqe security owasp --top-10 --scope src/
```

## Agent Workflow

```typescript
// Security audit
Task("Security audit", `
  Perform comprehensive security audit:
  - SAST scan for code vulnerabilities
  - Dependency vulnerability check
  - Secret detection in code and configs
  - OWASP Top 10 validation
  Generate security report with remediation steps.
`, "qe-security-auditor")

// Compliance validation
Task("SOC2 compliance check", `
  Validate SOC2 compliance requirements:
  - Access control verification
  - Encryption validation
  - Audit logging check
  - Data retention compliance
  Generate compliance evidence report.
`, "qe-compliance-checker")
```

## Security Operations

### 1. SAST Scanning

```typescript
await securityScanner.staticAnalysis({
  scope: 'src/**/*.ts',
  checks: [
    'sql-injection',
    'xss',
    'command-injection',
    'path-traversal',
    'insecure-crypto',
    'hardcoded-secrets'
  ],
  rules: 'owasp-top-10',
  severity: ['critical', 'high', 'medium']
});
```

### 2. Dependency Scanning

```typescript
await securityScanner.dependencyCheck({
  sources: ['package.json', 'package-lock.json'],
  checks: {
    knownVulnerabilities: true,
    outdatedPackages: true,
    licenseCompliance: true,
    supplyChainRisk: true
  },
  severity: ['critical', 'high'],
  autoFix: {
    enabled: true,
    dryRun: false
  }
});
```

### 3. Compliance Audit

```typescript
await complianceChecker.audit({
  standards: ['SOC2', 'GDPR', 'HIPAA'],
  scope: {
    code: 'src/',
    configs: 'config/',
    infrastructure: 'terraform/'
  },
  output: {
    gaps: true,
    evidence: true,
    recommendations: true
  }
});
```

### 4. Secret Detection

```typescript
await securityScanner.detectSecrets({
  scope: ['.', 'config/', '.env*'],
  patterns: [
    'api-keys',
    'passwords',
    'tokens',
    'private-keys',
    'connection-strings'
  ],
  exclude: ['*.test.ts', 'mocks/'],
  action: {
    onDetect: 'block',
    notify: ['security-team']
  }
});
```

## OWASP Top 10 Coverage

```yaml
owasp_2021:
  A01_broken_access_control:
    checks: [privilege-escalation, idor, cors-misconfiguration]
    automated: true

  A02_cryptographic_failures:
    checks: [weak-encryption, missing-encryption, key-management]
    automated: true

  A03_injection:
    checks: [sql, nosql, command, xss, ldap]
    automated: true

  A04_insecure_design:
    checks: [threat-modeling, secure-patterns]
    automated: partial

  A05_security_misconfiguration:
    checks: [default-credentials, unnecessary-features]
    automated: true

  A06_vulnerable_components:
    checks: [outdated-deps, known-cves]
    automated: true

  A07_auth_failures:
    checks: [weak-passwords, session-issues]
    automated: true

  A08_software_data_integrity:
    checks: [insecure-deserialization, cicd-security]
    automated: partial

  A09_logging_monitoring:
    checks: [insufficient-logging, missing-alerts]
    automated: partial

  A10_ssrf:
    checks: [server-side-request-forgery]
    automated: true
```

## Security Report

```typescript
interface SecurityReport {
  summary: {
    score: number;  // 0-100
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  vulnerabilities: {
    id: string;
    type: string;
    severity: 'critical' | 'high' | 'medium' | 'low';
    location: string;
    description: string;
    remediation: string;
    cwe: string;
    owasp: string;
  }[];
  dependencies: {
    vulnerable: number;
    outdated: number;
    details: DependencyVuln[];
  };
  compliance: {
    standard: string;
    status: 'compliant' | 'non-compliant' | 'partial';
    gaps: ComplianceGap[];
    evidence: Evidence[];
  }[];
  secrets: {
    detected: number;
    locations: SecretLocation[];
  };
}
```

## Security Gates

```yaml
security_gates:
  block_merge:
    - critical_vulnerabilities > 0
    - high_vulnerabilities > 2
    - secrets_detected > 0
    - compliance_failures > 0

  warn:
    - medium_vulnerabilities > 5
    - outdated_dependencies > 10

  enforce:
    - signed_commits: required
    - code_review: required
    - security_scan: required
```

## Compliance Standards

| Standard | Scope | Auto-Check |
|----------|-------|------------|
| SOC2 | Security controls | Partial |
| GDPR | Data privacy | Partial |
| HIPAA | Health data | Partial |
| PCI-DSS | Payment data | Yes |
| ISO 27001 | InfoSec | Partial |

## Coordination

**Primary Agents**: qe-security-auditor, qe-security-scanner, qe-compliance-checker
**Coordinator**: qe-security-coordinator
**Related Skills**: qe-quality-assessment, qe-contract-testing

Overview

This skill provides automated security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards. It combines SAST/DAST, dependency checks, secret detection, and compliance evidence generation to produce actionable security reports and enforce security gates. Use it to detect risks early and to validate regulatory and organizational controls.

How this skill works

The skill runs static analysis, dependency vulnerability scans, secret detection, and compliance audits across code, configs, and infrastructure. It maps findings to OWASP Top 10 and common compliance frameworks, generates evidence and remediation guidance, and can enforce security gates to block merges or require mitigations. Outputs include a scored SecurityReport with vulnerabilities, dependency details, compliance gaps, and secrets.

When to use it

  • Before merging a release to block critical or policy-violating changes
  • During CI to continuously scan code, dependencies, and configs
  • When preparing for SOC2, GDPR, HIPAA, PCI-DSS, or ISO 27001 assessments
  • When onboarding a new codebase to discover legacy risks and secrets
  • To monitor supply-chain and third-party dependency vulnerabilities

Best practices

  • Run full scans (SAST, dependency, secrets) in CI and periodic full audits in scheduled pipelines
  • Fail fast: enforce security gates for critical issues and secrets to prevent unsafe merges
  • Tune rules and severity thresholds to reduce noise and prioritize actionable findings
  • Generate evidence and remediation steps for each compliance requirement to speed auditor reviews
  • Enable safe auto-fix for non-breaking dependency updates, but review changes before merge

Example use cases

  • Perform an OWASP Top 10 validation across backend and frontend source trees and produce remediation tickets
  • Run dependency checks on package.json and lockfiles to find and auto-fix high-severity CVEs
  • Detect leaked API keys and block commits that contain secrets, notifying the security team
  • Generate a SOC2 evidence report that documents access control, encryption, and logging controls
  • Enforce merge gates that block merging when critical vulnerabilities or compliance failures exist

FAQ

Which standards does the skill cover?

It covers OWASP Top 10 mapping and provides checks or partial audits for SOC2, GDPR, HIPAA, PCI-DSS, and ISO 27001.

Can I run scans in CI pipelines?

Yes. The skill is designed to run in CI: lightweight checks on PRs and full scans on scheduled or pre-release pipelines.

How are security gates enforced?

Security gates evaluate report metrics (critical/high counts, secrets, compliance failures) and can block merges, emit warnings, or require policy steps like signed commits.