This skill performs comprehensive security audits and vulnerability scanning across dependencies, code, and secrets to harden deployments.
npx playbooks add skill shunsukehayashi/miyabi-claude-plugins --skill security-audit
---
name: Security Audit and Vulnerability Scanning
description: Comprehensive security audit workflow including dependency scanning, unsafe code detection, and secret management. Use when scanning for vulnerabilities or before production deployment.
allowed-tools: Bash, Read, Grep, Glob
---
# 🔐 Security Audit and Vulnerability Scanning
**Version**: 2.0.0
**Last Updated**: 2025-11-22
**Priority**: ⭐⭐⭐⭐ (P1 Level)
**Purpose**: Comprehensive security audit and vulnerability scanning
---
## 📋 Overview
Provides a comprehensive security audit workflow covering dependency vulnerability scanning, unsafe code detection, and secret management.
---
## 🎯 P0: Invocation Triggers
| Trigger | Example |
|---------|-----|
| Vulnerability scan | "scan for security vulnerabilities" |
| CVE check | "are there any CVEs?" |
| Code audit | "audit the codebase" |
| Pre-deployment | "before production deployment" |
| Periodic audit | "weekly security check" |
---
## 🔧 P1: Security Tool List
### Tool Priority
| Tool | Purpose | Frequency | Command |
|--------|------|------|---------|
| `cargo-audit` | Dependency CVEs | High | `cargo audit` |
| `cargo-deny` | Policy enforcement | High | `cargo deny check` |
| `cargo-geiger` | unsafe detection | Medium | `cargo geiger` |
| `gitleaks` | Secret detection | High | `gitleaks detect` |
| `cargo-supply-chain` | Supply chain | Low | `cargo supply-chain` |
---
## 🚀 P2: Audit Patterns
### Pattern 1: Full Security Audit
```bash
# Step 1: dependency vulnerabilities
cargo audit
# Step 2: policy check
cargo deny check
# Step 3: amount of unsafe usage
cargo geiger --output-format Json
# Step 4: secret detection
gitleaks detect --source . --verbose
# Step 5: supply chain
cargo supply-chain crates
```
### Pattern 2: Quick Audit (for CI)
```bash
# Minimal checks (2-3 minutes)
cargo audit && cargo deny check advisories
```
### Pattern 3: Clippy Security Lints
```bash
# Security-related warnings
cargo clippy -- \
  -D warnings \
  -W clippy::all \
  -W clippy::pedantic \
  -A clippy::missing_errors_doc
```
---
## ⚡ P3: Vulnerability Response
### Response by Severity
| Severity | Deadline | Action |
|--------|---------|-----------|
| Critical | Immediate | Stop deployment, fix immediately |
| High | 24 hours | Prioritized fix, consider a workaround |
| Medium | 1 week | Planned fix |
| Low | 1 month | On the next update |
### Dependency Updates
```bash
# Update a specific crate
cargo update -p vulnerable-crate
```
```toml
# Version constraint in Cargo.toml
[dependencies]
vulnerable-crate = ">=1.2.3" # fixed version or later
```
---
## 📊 Example deny.toml
```toml
[advisories]
db-path = "~/.cargo/advisory-db"
vulnerability = "deny"
unmaintained = "warn"
[licenses]
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]
copyleft = "deny"
[bans]
multiple-versions = "warn"
wildcards = "deny"
[sources]
allow-git = []
```
---
## 🛡️ Secret Management
### Detection Patterns
| Pattern | Example | Action |
|----------|-----|-----------|
| AWS Key | `AKIA...` | Revoke immediately |
| GitHub Token | `ghp_...` | Revoke immediately |
| API Key | `sk-...` | Revoke immediately |
| Private Key | `-----BEGIN` | Purge from the repository |
### Responding to an Accidental Commit
```bash
# Untrack the file and fold the removal into the last commit
# (only sufficient if the secret was introduced in that commit and not yet pushed)
git rm --cached secrets.json
git commit --amend --no-edit
# Purge it from the whole history (serious cases); this rewrites history,
# so collaborators must re-clone afterwards
git filter-repo --invert-paths --path secrets.json
```
---
## ✅ Success Criteria
| Check | Criterion |
|-------------|------|
| `cargo audit` | 0 vulnerabilities |
| `cargo deny` | 0 denied |
| `cargo geiger` | unsafe minimized |
| `gitleaks` | 0 secrets |
### Output Format
```
🔐 Security Audit Results
✅ Dependencies: 0 vulnerabilities
✅ Policy: All checks passed
⚠️ Unsafe: 5 blocks (3rd party only)
✅ Secrets: No leaks detected
Ready for production ✓
```
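The Pattern 1 steps wired into a single CI gate that records each outcome and emits a summary in the output format above, as an added example that is not part of the skill itself. It assumes the P1 tools are installed and that it runs from the crate root; the `--run` flag and the `run_step`, `summarize` and `failed_count` names are my own.

```shell
# Added CI gate (not part of the skill): runs the Pattern 1 steps, records each
# outcome, prints the summary in the format above and exits non-zero on failure.
# Assumes the P1 tools are installed and that it runs from the crate root.
RESULTS=""   # accumulated "label:status" records, one per line
FAILED=0     # count of steps whose command exited non-zero
# run_step <label> <command...>: run one step without aborting the pipeline.
# A step passes when its command exits 0 (cargo audit, cargo deny and gitleaks
# exit non-zero when they find something).
run_step() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        status=pass
    else
        status=fail
        FAILED=$((FAILED + 1))
    fi
    RESULTS="${RESULTS}${label}:${status}
"
    return 0
}
failed_count() { echo "$FAILED"; }   # exposed for callers and tests
# summarize: print the block in the skill's output format and return 1 when
# any step failed, so the exit status can gate the deployment.
summarize() {
    printf '%s\n' "🔐 Security Audit Results"
    printf '%s' "$RESULTS" | while IFS=: read -r label status; do
        if [ "$status" = pass ]; then
            printf '✅ %s: passed\n' "$label"
        else
            printf '❌ %s: FAILED\n' "$label"
        fi
    done
    if [ "$FAILED" -eq 0 ]; then
        printf 'Ready for production ✓\n'
        return 0
    fi
    printf 'NOT ready: %s check(s) failed\n' "$FAILED"
    return 1
}
# Run the pipeline only when invoked as `sh audit.sh --run`, so that sourcing
# the file for its functions does not launch the tools.
if [ "${1:-}" = "--run" ]; then
    run_step "Dependencies" cargo audit
    run_step "Policy"       cargo deny check
    run_step "Unsafe"       cargo geiger --output-format Json
    run_step "Secrets"      gitleaks detect --source . --verbose
    run_step "Supply chain" cargo supply-chain crates
    summarize
fi
```

Run it as `sh audit.sh --run` in CI and gate the deploy job on its exit status.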
---
## 🔗 Related Skills
- **Rust Development**: build quality
- **Dependency Management**: dependency updates
- **Debugging**: investigating security issues
This skill provides a comprehensive security audit and vulnerability scanning workflow for codebases, focusing on dependency CVEs, unsafe-code detection, and secret discovery. It combines prioritized tooling and repeatable patterns for full audits or quick CI checks to validate readiness before production deployment. The workflow emphasizes actionable remediation steps and clear severity-driven response timelines.
The skill runs a sequence of native security tools to inspect dependencies, enforce policy, detect unsafe code usage, and find secrets. Typical flows include a full audit (cargo audit, cargo deny, cargo geiger, gitleaks, supply-chain checks) or a shortened CI-friendly pipeline for fast feedback. Outputs are normalized into a concise result summary with pass/fail criteria and remediation recommendations.
Which tools are recommended and in what order should I run them?
Run dependency CVE checks (cargo audit) first, then policy enforcement (cargo deny), unsafe-code scanning (cargo geiger), secret detection (gitleaks), and optional supply-chain checks. This order surfaces immediate risks before deeper analysis.
What do I do if gitleaks or cargo audit finds a secret or vulnerability?
Treat secrets as compromised—rotate keys and remove them from the repo history. For vulnerabilities, follow severity timelines: stop deployment for critical, patch or mitigate high within 24 hours, and plan fixes for medium/low.