zhongwei/gh-psd401-psd-claude-coding-system-plugins-psd-claude-coding-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-psd401-psd-claude-coding…/skills/security-scan.md
Zhongwei Li 6f1ef3ef54 Initial commit
2025-11-30 08:48:35 +08:00

4.5 KiB
Raw Permalink Blame History

Security Scan Skill

Automated security scanning and vulnerability analysis for pull requests.

Invoke Security Analyst Agent

# This skill invokes the security-analyst-specialist agent to perform comprehensive analysis

# Get the current PR number (if in PR context)
if [ -n "$PR_NUMBER" ]; then
  SCAN_CONTEXT="PR #$PR_NUMBER"
else
  SCAN_CONTEXT="current branch changes"
fi

echo "=== Running Security Analysis on $SCAN_CONTEXT ==="

# The command should use the Task tool to invoke security-analyst-specialist
# This is a template for commands to follow:

# Example invocation pattern:
# Task tool with:
#   subagent_type: "psd-claude-coding-system:security-analyst-specialist"
#   description: "Security audit for $SCAN_CONTEXT"
#   prompt: "Perform comprehensive security audit on $SCAN_CONTEXT. Analyze all changed files for:
#
#   1. Security vulnerabilities (SQL injection, XSS, auth issues, secrets)
#   2. Architecture violations (business logic in UI, improper layer separation)
#   3. Best practices compliance (TypeScript quality, error handling, testing)
#
#   Return structured findings in the specified format so they can be posted as a single consolidated PR comment."

Post Security Findings to PR

# After agent returns findings, post as consolidated comment

if [ -n "$PR_NUMBER" ]; then
  # Format findings from agent into PR comment
  gh pr comment $PR_NUMBER --body "## 🔍 Automated Security & Best Practices Review

$AGENT_FINDINGS

### Summary
- 🔴 Critical Issues: $CRITICAL_COUNT
- 🟡 High Priority: $HIGH_COUNT
- 🟢 Suggestions: $SUGGESTION_COUNT

### Critical Issues (🔴 Must Fix Before Merge)
$CRITICAL_FINDINGS

### High Priority (🟡 Should Fix Before Merge)
$HIGH_FINDINGS

### Suggestions (🟢 Consider for Improvement)
$SUGGESTIONS

### Positive Practices Observed
$POSITIVE_FINDINGS

### Required Actions
1. Address all 🔴 critical issues before merge
2. Consider 🟡 high priority fixes
3. Run tests after fixes: \`npm run test\`, \`npm run lint\`, \`npm run typecheck\`

---
*Automated security review by security-analyst-specialist agent*"

  echo "✅ Security review posted to PR #$PR_NUMBER"
else
  echo "=== Security Findings ==="
  echo "$AGENT_FINDINGS"
fi

Pre-Implementation Security Check

For sensitive changes (auth, data, payments), run security check BEFORE implementation:

# Detect sensitive file changes
SENSITIVE_PATTERNS="auth|login|password|token|payment|billing|credit|card|ssn|encrypt|decrypt|session"

if echo "$CHANGED_FILES" | grep -iE "$SENSITIVE_PATTERNS"; then
  echo "⚠️  Sensitive files detected - running pre-implementation security check"

  # Invoke security-analyst for guidance
  # Agent should provide:
  # - Security requirements to follow
  # - Common pitfalls to avoid
  # - Recommended patterns
  # - Testing strategies

  echo "✓ Review security guidance before proceeding with implementation"
fi

Security Checklist

Common security checks to validate:

# Check for secrets in code
echo "=== Checking for exposed secrets ==="
if git diff --cached | grep -iE "api[_-]?key|secret|password|token" | grep -v "example"; then
  echo "⚠️  Possible secrets detected in staged changes"
  echo "Review carefully before committing"
fi

# Check for SQL injection vulnerabilities
echo "=== Checking for SQL injection risks ==="
if git diff --cached | grep -E "execute\(|query\(" | grep -v "prepared"; then
  echo "⚠️  Direct SQL execution detected - ensure using prepared statements"
fi

# Check for XSS vulnerabilities
echo "=== Checking for XSS risks ==="
if git diff --cached | grep -iE "innerHTML|dangerouslySetInnerHTML" | grep -v "sanitize"; then
  echo "⚠️  innerHTML usage detected - ensure proper sanitization"
fi

# Check for authentication bypass
echo "=== Checking authentication patterns ==="
if git diff --cached | grep -iE "req\.user|auth|permission" | grep -v "check"; then
  echo "  Authentication-related changes detected - verify authorization checks"
fi

echo "✓ Basic security checks complete"

Usage

Pre-Implementation (in /work command)

# Before starting implementation, check if security review needed
CHANGED_FILES=$(gh issue view $ISSUE_NUMBER --json body --jq '.body' | grep -oE '\w+\.(ts|js|py|go|rs)' || echo "")

# Include Pre-Implementation Security Check section

Post-Implementation (traditional)

# After PR created
PR_NUMBER=$(gh pr list --author "@me" --limit 1 --json number --jq '.[0].number')

# Include Invoke Security Analyst Agent section
# Then include Post Security Findings to PR section
Reference in New Issue View Git Blame Copy Permalink