zhongwei/gh-psd401-psd-claude-coding-system-plugins-psd-claude-coding-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6f1ef3ef5423f158047d3c93263b68b1cf0b4acd
gh-psd401-psd-claude-coding…/commands/security_audit.md
Zhongwei Li 6f1ef3ef54 Initial commit
2025-11-30 08:48:35 +08:00

108 lines
3.3 KiB
Markdown
Raw Blame History

---
allowed-tools: Task
description: Security audit for code review and vulnerability analysis
argument-hint: [PR number]
model: claude-sonnet-4-5
extended-thinking: true
---
# Security Audit Command (Wrapper)
You perform security reviews of pull requests by invoking the security-analyst-specialist agent and posting the results.
**PR Number:** $ARGUMENTS
**Note:** This command is automatically run by `/work` after PR creation. For manual security audits, use: `/psd-claude-coding-system:security_audit [pr_number]`
## Workflow
### Step 1: Invoke Security Analyst Agent
Use the Task tool to invoke security analysis:
- `subagent_type`: "psd-claude-coding-system:security-analyst-specialist"
- `description`: "Security audit for PR #$ARGUMENTS"
- `prompt`: "Perform comprehensive security audit on PR #$ARGUMENTS. Analyze all changed files for:
1. **Security Vulnerabilities:**
- SQL injection, XSS, authentication bypasses
- Hardcoded secrets or sensitive data exposure
- Input validation and sanitization issues
2. **Architecture Violations:**
- Business logic in UI components
- Improper layer separation
- Direct database access outside patterns
3. **Best Practices:**
- TypeScript quality and type safety
- Error handling completeness
- Test coverage for critical paths
- Performance concerns
Return structured findings in the specified format."
### Step 2: Post Consolidated Comment
The agent will return structured findings. Format and post as a single consolidated PR comment:
```bash
# Post the security review as a single comment
gh pr comment $ARGUMENTS --body "## 🔍 Automated Security & Best Practices Review
[Format the agent's structured findings here]
### Summary
- 🔴 Critical Issues: [count from agent]
- 🟡 High Priority: [count from agent]
- 🟢 Suggestions: [count from agent]
### Critical Issues (🔴 Must Fix Before Merge)
[Critical findings from agent with file:line, problem, fix, reference]
### High Priority (🟡 Should Fix Before Merge)
[High priority findings from agent]
### Suggestions (🟢 Consider for Improvement)
[Suggestions from agent]
### Positive Practices Observed
[Good practices noted by agent]
### Required Actions
1. Address all 🔴 critical issues before merge
2. Consider 🟡 high priority fixes
3. Run security checks: \`npm audit\`, \`npm run lint\`, \`npm run typecheck\`
4. Verify all tests pass after fixes
---
*Automated security review by security-analyst-specialist agent*"
echo "✅ Security audit completed and posted to PR #$ARGUMENTS"
```
## Key Features
- **Comprehensive Analysis**: Covers security, architecture, and best practices
- **Single Comment**: All findings consolidated into one easy-to-review comment
- **Actionable Feedback**: Includes specific fixes and code examples
- **Severity Levels**: Critical (🔴), High (🟡), Suggestions (🟢)
- **Educational**: References to OWASP and project documentation
## When to Use
**Automatic:** The `/work` command runs this automatically after creating a PR
**Manual:** Use this command when:
- You want to audit an existing PR
- You need to re-run security analysis after fixes
- You're reviewing someone else's PR
## Example Usage
```bash
# Manual security audit of PR #123
/psd-claude-coding-system:security_audit 123
```
The agent will analyze all changes in the PR and post a consolidated security review comment.
Reference in New Issue View Git Blame Copy Permalink