zhongwei/gh-psd401-psd-claude-coding-system-plugins-psd-claude-coding-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6f1ef3ef5423f158047d3c93263b68b1cf0b4acd
gh-psd401-psd-claude-coding…/commands/security_audit.md
Zhongwei Li 6f1ef3ef54 Initial commit
2025-11-30 08:48:35 +08:00

3.3 KiB
Raw Blame History

allowed-tools, description, argument-hint, model, extended-thinking
allowed-tools description argument-hint model extended-thinking
Task Security audit for code review and vulnerability analysis
PR number
claude-sonnet-4-5 true

Security Audit Command (Wrapper)

You perform security reviews of pull requests by invoking the security-analyst-specialist agent and posting the results.

PR Number: $ARGUMENTS

Note: This command is automatically run by /work after PR creation. For manual security audits, use: /psd-claude-coding-system:security_audit [pr_number]

Workflow

Step 1: Invoke Security Analyst Agent

Use the Task tool to invoke security analysis:

  • subagent_type: "psd-claude-coding-system:security-analyst-specialist"
  • description: "Security audit for PR #$ARGUMENTS"
  • prompt: "Perform comprehensive security audit on PR #$ARGUMENTS. Analyze all changed files for:

  1. Security Vulnerabilities:

    • SQL injection, XSS, authentication bypasses
    • Hardcoded secrets or sensitive data exposure
    • Input validation and sanitization issues

  2. Architecture Violations:

    • Business logic in UI components
    • Improper layer separation
    • Direct database access outside patterns

  3. Best Practices:

    • TypeScript quality and type safety
    • Error handling completeness
    • Test coverage for critical paths
    • Performance concerns

Return structured findings in the specified format."

Step 2: Post Consolidated Comment

The agent will return structured findings. Format and post as a single consolidated PR comment:

# Post the security review as a single comment
gh pr comment $ARGUMENTS --body "## 🔍 Automated Security & Best Practices Review

[Format the agent's structured findings here]

### Summary
- 🔴 Critical Issues: [count from agent]
- 🟡 High Priority: [count from agent]
- 🟢 Suggestions: [count from agent]

### Critical Issues (🔴 Must Fix Before Merge)
[Critical findings from agent with file:line, problem, fix, reference]

### High Priority (🟡 Should Fix Before Merge)
[High priority findings from agent]

### Suggestions (🟢 Consider for Improvement)
[Suggestions from agent]

### Positive Practices Observed
[Good practices noted by agent]

### Required Actions
1. Address all 🔴 critical issues before merge
2. Consider 🟡 high priority fixes
3. Run security checks: \`npm audit\`, \`npm run lint\`, \`npm run typecheck\`
4. Verify all tests pass after fixes

---
*Automated security review by security-analyst-specialist agent*"

echo "✅ Security audit completed and posted to PR #$ARGUMENTS"

Key Features

  • Comprehensive Analysis: Covers security, architecture, and best practices
  • Single Comment: All findings consolidated into one easy-to-review comment
  • Actionable Feedback: Includes specific fixes and code examples
  • Severity Levels: Critical (🔴), High (🟡), Suggestions (🟢)
  • Educational: References to OWASP and project documentation

When to Use

Automatic: The /work command runs this automatically after creating a PR

Manual: Use this command when:

  • You want to audit an existing PR
  • You need to re-run security analysis after fixes
  • You're reviewing someone else's PR

Example Usage

# Manual security audit of PR #123
/psd-claude-coding-system:security_audit 123

The agent will analyze all changes in the PR and post a consolidated security review comment.

Reference in New Issue View Git Blame Copy Permalink