---
name: awesome-claude-code-security-compliance-suite
description: Security & compliance skill suite providing OWASP scanning, CVE detection, GDPR/SOC2 audits, threat modeling, and incident response workflows for AI coding agents
triggers:
- scan this code for OWASP vulnerabilities
- check dependencies for CVEs and security issues
- audit this application for GDPR compliance
- generate a threat model for this architecture
- create a SOC2 readiness assessment
- detect secrets and credentials in the codebase
- perform an IAM least privilege audit
- generate a security incident response playbook
---
# Security & Compliance Skills Suite
> Skill by [ara.so](https://ara.so) · Security Skills collection.
A comprehensive security and compliance skill suite derived from hesreallyhim/awesome-claude-code, providing specialized commands and workflows for security audits, vulnerability management, GDPR/SOC2/ISO27001 compliance, and incident response.
## What This Project Does
This skill suite provides **10 specialized security commands** and **5 multi-step compliance workflows** with structured output UI for:
- **Vulnerability Scanning**: OWASP Top-10 analysis, dependency CVE detection
- **Compliance Auditing**: GDPR, SOC2, ISO27001 gap analysis
- **Security Operations**: Threat modeling, penetration testing, IAM audits
- **Incident Response**: Breach response playbooks and investigation workflows
- **Policy Generation**: Privacy policies, security documentation
All commands use consistent structured output with progress tracking, findings tables, and prioritized action plans.
## Installation
### Quick Install (Local Skills Directory)
```bash
# Create Claude skills directory if it doesn't exist
mkdir -p ~/.claude/skills
# Clone the skill suite
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git \
~/.claude/skills/awesome-claude-code-security
# Activate in Claude Code session
# In your IDE with Claude Code, run:
/read ~/.claude/skills/awesome-claude-code-security/SKILL.md
```
### Manual Installation
```bash
# Clone the repository
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git
# Navigate to project directory
cd r01-hesreallyhim-awesome-claude-code-security
# Read the skill documentation
cat SKILL.md
```
### Verification
Verify installation by checking available commands:
```bash
# List all security commands
ls -la ~/.claude/skills/awesome-claude-code-security/
# Expected output:
# - SKILL.md (this file)
# - README.md (documentation)
# - commands/ (individual command definitions)
# - workflows/ (multi-step workflow definitions)
```
## Core Commands
### 1. OWASP Top-10 Security Scan
Scans code for OWASP Top-10 vulnerabilities with CVSS scores and remediation guidance.
```bash
/owasp-scan <target_directory>
# Options
/owasp-scan src/ --format json
/owasp-scan . --severity critical,high
/owasp-scan api/ --output report.md
```
**Example Output Structure:**
```
╔══════════════════════════════════════════════════╗
║ OWASP Security Scan            │ ./src/api       ║
╠══════════════════════════════════════════════════╣
║ Files scanned                  │ 47              ║
║ OWASP checks                   │ 14              ║
║ Findings                       │ 8 issues        ║
╚══════════════════════════════════════════════════╝
FINDINGS (severity: desc)
┌──────┬──────────────────────────────┬──────────┬───────────────┐
│ Sev  │ Vulnerability                │ CVSS     │ File          │
├──────┼──────────────────────────────┼──────────┼───────────────┤
│ 🔴   │ SQL Injection                │ 9.8      │ users.js:42   │
│ 🔴   │ JWT None Algorithm           │ 9.1      │ auth.js:18    │
│ 🟠   │ CORS Misconfiguration        │ 6.5      │ server.js:12  │
└──────┴──────────────────────────────┴──────────┴───────────────┘
REMEDIATION
• SQL Injection: Use parameterized queries or ORM
• JWT None: Validate algorithm in token verification
• CORS: Restrict origins to known domains
```
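The top finding in this sample, as an added example (not code from the skill suite or its source repository): a deliberately vulnerable lookup built by string concatenation next to the parameterized form the remediation calls for, plus a minimal static check of the kind an OWASP scan runs to spot SQL built by concatenation or interpolation. The users table, the JavaScript snippet and the probe string are constructed; the probe is the one quoted in the penetration test report further down this page.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def search_users_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    # The finding: user input is concatenated into the statement, so it is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + q + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_users_safe(conn: sqlite3.Connection, q: str) -> list:
    # The remediation: a bound parameter travels as data and cannot change the query shape.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (q,))
    return [row[0] for row in rows]


# Static check: a string literal containing a SQL keyword that is immediately concatenated
# with '+' or interpolated via f"...{" or `...${`. Assumed heuristic, not the suite's scanner.
_KW = r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b"
SQL_CONCAT = re.compile("|".join([
    r'"[^"]*' + _KW + r'[^"]*"\s*\+',   # "SELECT ..." + q
    r"'[^']*" + _KW + r"[^']*'\s*\+",   # 'SELECT ...' + q
    r'f"[^"]*' + _KW + r'[^"]*\{',      # f"SELECT ... {q}"
    r"`[^`]*" + _KW + r"[^`]*\$\{",     # `SELECT ... ${q}`
]), re.IGNORECASE)


def find_sql_concatenation(source: str) -> list:
    """Return (line number, stripped line) for each line that builds SQL from untrusted pieces."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(source.splitlines(), 1)
        if SQL_CONCAT.search(line)
    ]


# Constructed snippet standing in for the users.js file named in the scan output above.
USERS_JS = """const q = req.query.q;
const sql = "SELECT * FROM users WHERE name = '" + q + "'";
db.query("SELECT * FROM users WHERE name = ?", [q]);
"""

if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # the probe string from the penetration test report on this page
    print("vulnerable:", search_users_vulnerable(db, probe))  # every user is returned
    print("safe:      ", search_users_safe(db, probe))        # no user has that literal name
    print("static:    ", find_sql_concatenation(USERS_JS))    # flags line 2 only
```

The static check deliberately ignores the parameterized call on line 3 of the snippet: the placeholder string is followed by a comma, not a `+`, which is exactly the distinction the remediation asks developers to make.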
### 2. Dependency CVE Scanner
Scans project dependencies for known CVEs with exploitability scores.
```bash
/dep-cve
# Options
/dep-cve --scope production
/dep-cve --output json > cve-report.json
/dep-cve --min-cvss 7.0
/dep-cve --show-paths
```
**Example for Node.js project:**
```bash
# Scans package.json and package-lock.json
/dep-cve --scope full
# Output includes:
# - CVE IDs with CVSS scores
# - Affected package versions
# - Upgrade paths
# - Exploitability assessment
```
**Expected Output:**
```
╔══════════════════════════════════════════════════╗
║ CVE Dependency Scan                              ║
╠══════════════════════════════════════════════════╣
║ Dependencies checked           │ 234             ║
║ CVEs found                     │ 12              ║
║ Critical                       │ 3               ║
║ High                           │ 5               ║
║ Medium                         │ 4               ║
╚══════════════════════════════════════════════════╝
┌─────────────┬──────────┬─────────────┬───────────────┬──────────────┐
│ Package     │ CVE      │ CVSS        │ Installed     │ Fixed In     │
├─────────────┼──────────┼─────────────┼───────────────┼──────────────┤
│ lodash      │ CVE-2021 │ 9.8 🔴      │ 4.17.15       │ 4.17.21      │
│ axios       │ CVE-2022 │ 8.1 🔴      │ 0.21.0        │ 0.21.4       │
│ express     │ CVE-2022 │ 7.5 🟠      │ 4.17.1        │ 4.18.2       │
└─────────────┴──────────┴─────────────┴───────────────┴──────────────┘
UPGRADE COMMANDS
npm install lodash@4.17.21
npm install axios@0.21.4
npm install express@4.18.2
```
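How the version comparison behind a scan like this works, as an added example that is not the suite's own implementation: a small checker that reads a `package-lock.json`, compares each installed version against the first fixed version from an advisory feed, buckets the CVSS score into the usual qualitative bands and emits the pinned upgrade commands. The lockfile and the advisory entries are constructed (the CVE identifiers are placeholders, since the output above truncates them), and the checker assumes the vulnerable range is everything older than the fix.

```python
from typing import Dict, List, Tuple

# Constructed advisory feed: package -> [(advisory id, CVSS score, first fixed version)].
# The identifiers are placeholders; the scan output above shows only the CVE year.
ADVISORIES: Dict[str, List[Tuple[str, float, str]]] = {
    "lodash": [("CVE-2021-PLACEHOLDER", 9.8, "4.17.21")],
    "axios": [("CVE-2022-PLACEHOLDER", 8.1, "0.21.4")],
    "express": [("CVE-2022-PLACEHOLDER", 7.5, "4.18.2")],
}

# Constructed package-lock.json (lockfileVersion 3 layout) for a small Node.js project.
LOCKFILE = {
    "name": "demo-api",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-api"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/axios": {"version": "0.21.0"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/debug": {"version": "4.3.4"},
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.17.15' -> (4, 17, 15); a prerelease suffix such as '-beta.1' is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def installed_packages(lock: dict) -> Dict[str, str]:
    """Map package name -> version for lockfile v2/v3 ('packages') or v1 ('dependencies')."""
    if "packages" in lock:
        result = {}
        for path, info in lock["packages"].items():
            if "node_modules/" in path:  # skips the root entry "" and workspace links
                result[path.rsplit("node_modules/", 1)[1]] = info["version"]
        return result
    return {name: info["version"] for name, info in lock.get("dependencies", {}).items()}


def scan_lockfile(lock: dict, advisories=ADVISORIES, min_cvss: float = 0.0) -> List[dict]:
    """Report installed versions older than the first fixed version, sorted by CVSS descending.
    Simplification: the vulnerable range is taken to be everything below the fix."""
    findings = []
    for pkg, version in installed_packages(lock).items():
        for adv_id, cvss, fixed_in in advisories.get(pkg, []):
            if cvss >= min_cvss and parse_version(version) < parse_version(fixed_in):
                findings.append({"package": pkg, "cve": adv_id, "cvss": cvss,
                                 "severity": severity(cvss), "installed": version,
                                 "fixed_in": fixed_in})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def upgrade_commands(findings: List[dict]) -> List[str]:
    """The UPGRADE COMMANDS section: one pinned install per vulnerable package."""
    return [f"npm install {f['package']}@{f['fixed_in']}" for f in findings]


if __name__ == "__main__":
    results = scan_lockfile(LOCKFILE)
    for f in results:
        print(f"{f['severity']:>8}  {f['package']:<10} {f['cve']}  {f['cvss']}  "
              f"{f['installed']} -> {f['fixed_in']}")
    print("\n".join(upgrade_commands(results)))
```

Passing `min_cvss=7.0` reproduces the `--min-cvss 7.0` option: findings below that score are dropped before sorting.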
### 3. GDPR Compliance Audit
Maps data flows, identifies consent gaps, and generates a DPA checklist.
```bash
/gdpr-audit <application_path>
# Options
/gdpr-audit . --data-map
/gdpr-audit src/ --consent-analysis
/gdpr-audit . --full-report --output gdpr-audit.pdf
```
**Example Analysis:**
```
╔══════════════════════════════════════════════════╗
║ GDPR Compliance Audit                            ║
╠══════════════════════════════════════════════════╣
║ Data flows mapped              │ 24              ║
║ Personal data types            │ 8               ║
║ Consent gaps                   │ 5               ║
║ DPA requirements               │ 12/15 met       ║
╚══════════════════════════════════════════════════╝
DATA FLOW MAP
User Registration → Database (PII: email, name, phone)
  ↳ Consent: ✗ Missing explicit opt-in
  ↳ Retention: ✗ No deletion policy defined
  ↳ Encryption: ✓ AES-256 at rest
Analytics Pipeline → Third-party (IP address, user agent)
  ↳ Consent: ✗ No cookie banner
  ↳ DPA: ✗ No Data Processing Agreement on file
COMPLIANCE GAPS
🔴 Critical:
  • No cookie consent mechanism implemented
  • Missing data retention policies in privacy policy
  • No user data deletion endpoint
🟠 High:
  • DPA missing for analytics provider
  • DSAR (data subject access request) workflow undefined
```
### 4. SOC2 Readiness Assessment
Performs gap analysis across all 5 Trust Service Criteria.
```bash
/soc2-readiness
# Options
/soc2-readiness --criteria security,availability
/soc2-readiness --type type2
/soc2-readiness --output xlsx
```
**Example Output:**
```
╔══════════════════════════════════════════════════╗
║ SOC 2 Type II Readiness Assessment               ║
╠══════════════════════════════════════════════════╣
║ Security                       │ 65% ready       ║
║ Availability                   │ 90% ready       ║
║ Confidentiality                │ 45% ready       ║
║ Processing Integrity           │ 70% ready       ║
║ Privacy                        │ 50% ready       ║
╚══════════════════════════════════════════════════╝
SECURITY GAPS
✗ CC6.1: No background checks policy
✗ CC6.6: Missing logical access reviews (quarterly)
✗ CC7.2: Incomplete system monitoring
AVAILABILITY GAPS
✗ A1.2: RTO/RPO not documented in DR plan
REMEDIATION TIMELINE
Quick Wins (1-2 weeks):
  • Document RTO/RPO targets
  • Implement access review schedule
Medium-term (1-3 months):
  • Establish background check policy
  • Deploy SIEM for continuous monitoring
Strategic (3-6 months):
  • Conduct third-party penetration test
  • Implement data classification framework
```
### 5. Threat Modeling (STRIDE)
Generates a STRIDE threat model from architecture diagrams or design documents.
```bash
/threat-model <architecture_file>
# Options
/threat-model architecture.png --framework stride
/threat-model system-design.md --risk-matrix
/threat-model . --auto-discover
```
**Example for Web Application:**
```
╔══════════════════════════════════════════════════╗
║ STRIDE Threat Model                              ║
╠══════════════════════════════════════════════════╣
║ Components analyzed            │ 8               ║
║ Data flows                     │ 12              ║
║ Threats identified             │ 18              ║
╚══════════════════════════════════════════════════╝
ARCHITECTURE COMPONENTS
• Web Application (React SPA)
• API Gateway (nginx)
• Backend API (Node.js/Express)
• Database (PostgreSQL)
• Auth Service (OAuth2)
• External Payment Gateway
THREAT ANALYSIS (STRIDE)
[S]poofing
  🔴 API Gateway: No mutual TLS for backend communication
     Impact: High | Likelihood: Medium
     Mitigation: Implement mTLS between gateway and API
[T]ampering
  🟠 Database: SQL injection possible via user input
     Impact: Critical | Likelihood: Low
     Mitigation: Use parameterized queries
[R]epudiation
  🟡 API: Insufficient audit logging for sensitive operations
     Impact: Medium | Likelihood: Medium
     Mitigation: Implement comprehensive audit trail
[I]nformation Disclosure
  🔴 Payment Flow: PCI data logged in application logs
     Impact: Critical | Likelihood: Medium
     Mitigation: Implement PCI-compliant logging filters
[D]enial of Service
  🟠 API: No rate limiting on public endpoints
     Impact: High | Likelihood: High
     Mitigation: Implement rate limiting middleware
[E]levation of Privilege
  🔴 Auth: JWT lacks role claims validation
     Impact: Critical | Likelihood: Medium
     Mitigation: Add RBAC middleware with role enforcement
RISK MATRIX
Impact →
Likelihood ↓  Low       Medium    High      Critical
───────────┼────────────────────────────────────────────
High       │                      DoS
Medium     │            Repud.    Spoof     InfoDisc, EoP
Low        │                                Tamper
```
### 6. Penetration Test Report Generator
Structures penetration test findings with executive summary and remediation.
```bash
/pentest-report <findings_file>
# Options
/pentest-report findings.json --template executive
/pentest-report scan-results/ --format pdf
/pentest-report . --cvss-threshold 7.0
```
**Example Report Structure:**
```
╔══════════════════════════════════════════════════╗
║ Penetration Test Report                          ║
║ Target: api.example.com                          ║
║ Date: 2024-01-15                                 ║
╠══════════════════════════════════════════════════╣
║ Critical findings              │ 4               ║
║ High findings                  │ 7               ║
║ Medium findings                │ 12              ║
║ Low/Info                       │ 8               ║
╚══════════════════════════════════════════════════╝
EXECUTIVE SUMMARY
The penetration test identified 31 findings across the web application
and API infrastructure. 4 critical vulnerabilities require immediate
remediation, including SQL injection and authentication bypass issues.
CRITICAL FINDINGS
1. SQL Injection in User Search (CVSS 9.8)
   Location: /api/v1/users/search?q=
   Description:
     User-supplied input in the 'q' parameter is directly concatenated
     into SQL query without sanitization.
   Proof of Concept:
     GET /api/v1/users/search?q=' OR '1'='1
   Remediation:
     • Implement parameterized queries
     • Add input validation and sanitization
     • Deploy WAF rules to detect SQL injection patterns
   Timeline: Immediate (< 48 hours)
2. Authentication Bypass via JWT None Algorithm (CVSS 9.1)
   Location: /api/v1/auth/verify
   Description:
     JWT library accepts 'none' algorithm, allowing unsigned tokens.
   Proof of Concept:
     eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
   Remediation:
     • Explicitly reject 'none' algorithm in JWT verification
     • Implement algorithm whitelist
     • Add token signature validation tests
   Timeline: Immediate (< 48 hours)
REMEDIATION ROADMAP
Immediate (< 48 hours):
  ☐ Fix SQL injection vulnerabilities
  ☐ Patch JWT authentication bypass
  ☐ Disable debug endpoints in production
Short-term (1-2 weeks):
  ☐ Implement rate limiting
  ☐ Add CSRF protection
  ☐ Deploy Web Application Firewall
Medium-term (1 month):
  ☐ Conduct security code review
  ☐ Implement security headers (CSP, HSTS)
  ☐ Add automated security scanning to CI/CD
```
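Finding 2 above (and the JWT None item in the OWASP scan output earlier on this page), as an added example rather than the project's code: a verifier that takes the algorithm from the token header, next to the hardened one that enforces an allowlist before any signature work. It uses only the standard library (HS256 via `hmac`); the signing key, the issuer helper and the claims are constructed, and the unsigned token is the proof-of-concept value from the report.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # explicit allowlist; "none" is never accepted


class InvalidToken(Exception):
    pass


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed issuer so the verifiers can be exercised end to end."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_trusting_header(token: str, key: bytes) -> dict:
    """The defect in finding 2: the algorithm is read from the attacker-controlled header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))  # unsigned token accepted as-is
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes) -> dict:
    """The remediation: enforce the algorithm allowlist first, then check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # covers bad base64 (binascii.Error) and bad JSON
        raise InvalidToken("unreadable header") from exc
    if not isinstance(header, dict):
        raise InvalidToken("unreadable header")
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise InvalidToken(f"algorithm {alg!r} is not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time comparison
        raise InvalidToken("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def with_payload(token: str, payload_b64: str) -> str:
    """Return the token with its payload segment swapped and the signature left untouched."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def token_status(token: str, key: bytes, verifier=verify_jwt) -> str:
    """'ok' when the verifier accepts the token, otherwise the rejection reason."""
    try:
        verifier(token, key)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


# The unsigned proof-of-concept token from finding 2: header {"alg":"none","typ":"JWT"},
# payload {"user":"admin"}, empty signature segment.
NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    good = sign_hs256({"user": "alice"}, DEMO_KEY)
    print("signed token, hardened verifier:", token_status(good, DEMO_KEY))
    print("none token, vulnerable verifier:", verify_trusting_header(NONE_TOKEN, DEMO_KEY))
    print("none token, hardened verifier:  ", token_status(NONE_TOKEN, DEMO_KEY))
```

The order of checks matters: the hardened verifier rejects on the algorithm before touching the signature, so the empty signature segment of the proof-of-concept token is never even decoded. The three test cases in the report's remediation (reject `none`, allowlist, signature tests) map directly onto `token_status` results.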
### 7. Secret Detection (Pre-commit Hook)
Configures pre-commit hooks for secret and credential detection.
```bash
/secret-detect init
# Options
/secret-detect scan <directory>
/secret-detect --entropy-threshold 4.5
/secret-detect --add-patterns custom-patterns.json
```
**Example Configuration:**
```bash
# Initialize secret detection
/secret-detect init
# Creates .pre-commit-config.yaml
```
**Generated `.pre-commit-config.yaml`:**
```yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args:
          - '--baseline'
          - '.secrets.baseline'
          - '--exclude-files'
          - 'package-lock.json|.*\.min\.js'
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
        args:
          - '--verbose'
          - '--redact'
  # Custom entropy scanning
  - repo: local
    hooks:
      - id: high-entropy-strings
        name: Detect high-entropy strings
        entry: python scripts/entropy-scan.py
        language: python
        args: ['--threshold', '4.5']
```
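The local `high-entropy-strings` hook points at `scripts/entropy-scan.py`, which the configuration does not include. What follows is an added example of what such a script can look like, not the suite's own file: it computes Shannon entropy for each token-like run, applies the `--threshold` value the hook passes, redacts what it reports (as `gitleaks --redact` does) and exits non-zero so pre-commit blocks the commit. The candidate pattern and the sample source lines are constructed.

```python
import argparse
import math
import re
import sys
from collections import Counter
from typing import Iterable, List, Tuple

DEFAULT_THRESHOLD = 4.5  # bits per character, the value passed as --threshold in the hook above
# Runs of at least 20 characters from the alphabets used by base64, hex and URL-safe tokens (assumed).
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; log2(alphabet size) for a uniformly spread string."""
    counts = Counter(text)
    length = len(text)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def scan_lines(lines: Iterable[str], threshold: float = DEFAULT_THRESHOLD) -> List[Tuple[int, float, str]]:
    """Return (line number, entropy, redacted token) for every candidate at or above the threshold."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in CANDIDATE.finditer(line):
            token = match.group(0)
            entropy = shannon_entropy(token)
            if entropy >= threshold:
                findings.append((lineno, round(entropy, 2), token[:4] + "..."))  # never echo the secret
    return findings


def scan_files(paths: Iterable[str], threshold: float = DEFAULT_THRESHOLD) -> List[Tuple[str, int, float, str]]:
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.extend((path, *finding) for finding in scan_lines(fh, threshold))
    return results


# Constructed source lines: a 32-character literal made of 32 distinct characters (entropy exactly
# 5.0 bits), a long but repetitive URL segment, and ordinary code that must not be flagged.
SAMPLE_SOURCE = [
    'const region = "us-east-1";',
    'const apiKey = "Zq8vN3xLk9TwYbR2pHs6Dm1JcF4aGe7U";',
    'const url = "https://example.com/aaaaaaaaaaaaaaaaaaaaaaaa";',
    'console.log("starting application");',
]

if __name__ == "__main__":
    # pre-commit appends the staged file names after the configured args; a non-zero exit blocks the commit.
    parser = argparse.ArgumentParser(description="Flag high-entropy string literals in staged files.")
    parser.add_argument("--threshold", type=float, default=DEFAULT_THRESHOLD)
    parser.add_argument("files", nargs="*")
    args = parser.parse_args()
    hits = scan_files(args.files, args.threshold)
    for path, lineno, entropy, redacted in hits:
        print(f"{path}:{lineno}: entropy {entropy} for {redacted}")
    sys.exit(1 if hits else 0)
```

The threshold is a trade-off the hook exposes deliberately: a 4.5-bit cutoff catches random API keys and private-key material but lets long URLs and repeated padding through, while lowering it towards 4.0 starts flagging ordinary identifiers and hashes that belong in the repository.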
**Scan Example:**
```bash
/secret-detect scan src/
# Output:
╔══════════════════════════════════════════════════╗
║ Secret Detection Scan                            ║
╠══════════════════════════════════════════════════╣
║ Files scanned                  │ 156             ║
║ Secrets detected               │ 8               ║
║ High entropy strings           │ 3               ║
╚══════════════════════════════════════════════════╝
DETECTED SECRETS
┌─────────────────────┬──────────────────┬─────────────────┐
│ Type                │ File             │ Line            │
├─────────────────────┼──────────────────┼─────────────────┤
│ AWS Access Key      │ config.js        │ 12              │
│ Private Key         │ certs/dev.key    │ 1               │
│ API Key (Generic)   │ api-client.js    │ 45              │
│ High Entropy String │ utils.js         │ 89              │
└─────────────────────┴──────────────────┴─────────────────┘
REMEDIATION
• Move secrets to environment variables
• Add affected files to .gitignore
• Rotate exposed credentials immediately
• Review git history with: git log -p <file>
```
### 8. IAM Least Privilege Audit
Audits IAM roles for over-permissions, stale access, and MFA gaps.
```bash
/iam-audit
# Options
/iam-audit --provider aws
/iam-audit --check-mfa
/iam-audit --stale-days 90
/iam-audit --output csv
```
**Example AWS IAM Audit:**
```
╔══════════════════════════════════════════════════╗
║ IAM Least Privilege Audit (AWS)                  ║
╠══════════════════════════════════════════════════╣
║ Users analyzed                 │ 24              ║
║ Roles analyzed                 │ 18              ║
║ Over-permissioned              │ 7               ║
║ Stale access (90d)             │ 5               ║
║ Missing MFA                    │ 3               ║
╚══════════════════════════════════════════════════╝
OVER-PERMISSIONED ROLES
┌──────────────────┬─────────────────┬──────────────────┐
│ Role/User        │ Issue           │ Last Used        │
├──────────────────┼─────────────────┼──────────────────┤
│ DevOps-Role      │ Admin policy    │ 2 days ago       │
│ DataScience-Role │ S3 Full Access  │ 15 days ago      │
│ CI-Pipeline      │ IAM permissions │ 1 day ago        │
└──────────────────┴─────────────────┴──────────────────┘
RECOMMENDATIONS
DevOps-Role:
  Current: AdministratorAccess
  Recommended: Custom policy with specific permissions
  Unused services: RDS, Lambda, DynamoDB
  Suggested Policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:*",
          "s3:GetObject",
          "s3:PutObject",
          "cloudwatch:PutMetricData"
        ],
        "Resource": "*"
      }
    ]
  }
STALE ACCESS (>90 days)
• jenkins-user (145 days) - Consider deactivating
• legacy-integration (234 days) - Remove
• contractor-temp (98 days) - Review and remove
MISSING MFA
🔴 admin-user (console access)
🔴 ops-team-lead (console access)
⚠ backup-operator (API only)
ACTION PLAN
Immediate:
  ☐ Enable MFA for admin-user and ops-team-lead
  ☐ Deactivate access for legacy-integration
Short-term:
  ☐ Replace AdministratorAccess with scoped policies
  ☐ Implement 90-day access review process
  ☐ Add MFA enforcement policy
```
### 9. Security Incident Playbook
Generates a security incident response playbook following the NIST incident handling framework.
```bash
/incident-playbook <incident_type>
# Options
/incident-playbook data-breach
/incident-playbook ransomware
/incident-playbook ddos-attack
/incident-playbook --format pdf
```
**Example Playbook:**
```
╔══════════════════════════════════════════════════╗
║ Security Incident Playbook: Data Breach          ║
╠══════════════════════════════════════════════════╣
║ Framework: NIST SP 800-61                        ║
║ Phases: 5                                        ║
╚══════════════════════════════════════════════════╝
PHASE 1: DETECTION & TRIAGE (0-1 hour)
Immediate Actions:
  ☐ Confirm incident severity and scope
  ☐ Notify Security Team Lead
  ☐ Activate incident response team
  ☐ Begin incident log (time, actions, findings)
Detection Checklist:
  ☐ Review SIEM alerts and logs
  ☐ Check data exfiltration indicators
  ☐ Identify compromised systems/accounts
  ☐ Determine data types affected
Key Questions:
  • What data was accessed/exfiltrated?
  • How many records affected?
  • When did the breach occur?
  • Is the breach ongoing?
PHASE 2: CONTAINMENT (1-4 hours)
Short-term Containment:
  ☐ Isolate affected systems from network
  ☐ Disable compromised user accounts
  ☐ Block malicious IP addresses at firewall
  ☐ Reset credentials for affected systems
  ☐ Enable enhanced monitoring
Long-term Containment:
  ☐ Apply security patches
  ☐ Implement additional access controls
  ☐ Deploy IDS/IPS rules
  ☐ Segment network if not already done
Evidence Preservation:
  ☐ Take disk/memory snapshots
  ☐ Preserve logs (application, system, network)
  ☐ Document all containment actions
  ☐ Chain of custody for forensic evidence
PHASE 3: ERADICATION (4-24 hours)
  ☐ Remove malware/backdoors from affected systems
  ☐ Close vulnerability that enabled breach
  ☐ Verify no persistence mechanisms remain
  ☐ Conduct full system security scan
  ☐ Review and update security configurations
Root Cause Analysis:
  • Entry point identification
  • Attack vector analysis
  • Timeline reconstruction
  • Identify control failures
PHASE 4: RECOVERY (1-7 days)
  ☐ Restore systems from clean backups
  ☐ Verify system integrity before reconnection
  ☐ Gradually restore services (least critical first)
  ☐ Enhanced monitoring for 30 days
  ☐ User access verification
Validation:
  ☐ Penetration testing of restored systems
  ☐ Vulnerability scanning
  ☐ Security control verification
PHASE 5: POST-INCIDENT (7-30 days)
Lessons Learned Meeting (within 48 hours):
  • What happened?
  • What was done well?
  • What could be improved?
  • What will we do differently?
Deliverables:
  ☐ Incident report (technical)
  ☐ Executive summary
  ☐ Timeline of events
  ☐ Financial impact assessment
  ☐ Regulatory notification (if required)
Regulatory Obligations:
  • GDPR: 72-hour notification to supervisory authority
  • CCPA: Notification without unreasonable delay
  • HIPAA: 60-day notification to affected individuals
  • State breach notification laws (check jurisdictions)
Security Improvements:
  ☐ Update incident response plan
  ☐ Implement identified security controls
  ☐ Conduct security awareness training
  ☐ Schedule follow-up security assessment
CONTACTS
Security Team:
  • Security Lead: ENV:SECURITY_LEAD_CONTACT
  • On-Call SIEM: ENV:SIEM_ONCALL
  • Forensics Team: ENV:FORENSICS_CONTACT
External:
  • Legal Counsel: ENV:LEGAL_CONTACT
  • PR/Communications: ENV:PR_CONTACT
  • Cyber Insurance: ENV:INSURANCE_CONTACT
  • Law Enforcement (FBI IC3): https://www.ic3.gov
Regulatory:
  • GDPR DPA: ENV:DPA_CONTACT
  • State Attorney General: ENV:STATE_AG_CONTACT
```
### 10. Privacy Policy Generator
Generates a GDPR/CCPA-compliant privacy policy from a data inventory.
```bash
/privacy-policy <data_inventory_file>
# Options
/privacy-policy inventory.json --jurisdiction eu,us,uk
/privacy-policy . --auto-discover
/privacy-policy data-map.yaml --format html
```
**Example Data Inventory:**
```json
{
  "personal_data": [
    {
      "type": "contact",
      "fields": ["email", "name", "phone"],
      "purpose": "user_account",
      "retention": "account_lifetime",
      "third_parties": []
    },
    {
      "type": "analytics",
      "fields": ["ip_address", "user_agent", "session_id"],
      "purpose": "service_improvement",
      "retention": "90_days",
      "third_parties": ["Google Analytics"]
    }
  ]
}
```
**Generated Policy Excerpt:**
```markdown
# Privacy Policy
Last Updated: 2024-01-15
## 1. Information We Collect
### Contact Information
We collect your email address, name, and phone number when you:
- Create an account
- Contact customer support
- Subscribe to our newsletter
**Legal Basis (GDPR):** Contract performance, legitimate interest
**Retention:** Duration of account plus 30 days
### Analytics Data
We automatically collect:
- IP address
- Browser type and version
- Device information
- Pages visited and time spent
**Legal Basis (GDPR):** Legitimate interest (service improvement)
**Retention:** 90 days
## 2. How We Use Your Information
We use your information to:
- Provide and maintain our services
- Send account-related notifications
- Improve our products and services
- Comply with legal obligations
## 3. Third-Party Service Providers
We share your information with:
**Google Analytics**
- Purpose: Website analytics and usage patterns
- Data shared: IP address, user agent, page views
- Location: United States
- Privacy Policy: https://policies.google.com/privacy
- Data Processing Agreement: In place
## 4. Your Rights (GDPR)
You have the right to:
- **Access:** Request a copy of your personal data
- **Rectification:** Correct inaccurate data
- **Erasure:** Request deletion of your data
- **Restriction:** Limit processing of your data
- **Portability:** Receive your data in machine-readable format
- **Objection:** Object to processing based on legitimate interest
- **Withdraw Consent:** Where processing is based on consent
To exercise these rights, contact: ENV:PRIVACY_CONTACT_EMAIL
## 5. Your Rights (CCPA)
California residents have the right to:
- Know what personal information is collected
- Know whether personal information is sold or disclosed
- Say no to the sale of personal information
- Access your personal information
- Request deletion of personal information
- Equal service and price, even if you exercise your privacy rights
## 6. Data Security
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Access controls and authentication
- Regular security assessments
- Employee security training
## 7. International Data Transfers
Your data may be transferred to and processed in:
- United States (Standard Contractual Clauses)
- European Union (GDPR compliant)
We ensure appropriate safeguards are in place for all transfers.
## 8. Children's Privacy
Our services are not directed to individuals under 16. We do not
knowingly collect personal information from children.
## 9. Contact Information
Data Controller: [Company Name]
Email: ENV:PRIVACY_CONTACT_EMAIL
Address: [Company Address]
EU Representative: ENV:EU_REP_CONTACT
UK Representative: ENV:UK_REP_CONTACT
Supervisory Authority: [Relevant DPA]
```
## Multi-Step Workflows
### Workflow 1: Secure SDLC (Shift-Left Security)
End-to-end secure development lifecycle implementation.
```bash
/workflow:secure-sdlc <project_path>
# Options
/workflow:secure-sdlc . --phase all
/workflow:secure-sdlc src/ --skip-dast
```
**Workflow Steps:**
```
╔══════════════════════════════════════════════════╗
║ Secure SDLC Workflow                             ║
╠══════════════════════════════════════════════════╣
║ 1. Threat Model                │ ⏳ In Progress  ║
║ 2. SAST Scan                   │ ○ Pending       ║
║ 3. Dependency Check            │ ○ Pending       ║
║ 4. DAST Scan                   │ ○ Pending       ║
║ 5. Penetration Test            │ ○ Pending       ║
║ 6. Security Sign-off           │ ○ Pending       ║
╚══════════════════════════════════════════════════╝
PHASE 1: THREAT MODELING
Running: /threat-model architecture.md
[Output from threat model command...]
PHASE 2: STATIC ANALYSIS
Running: /owasp-scan src/
[Output from OWASP scan...]
PHASE 3: DEPENDENCY CHECK
Running: /dep-cve --scope full
[Output from CVE scan...]
PHASE 4: DYNAMIC TESTING
Running DAST against staging environment...
[DAST results...]
PHASE 5: PENETRATION TEST
Generating penetration test checklist...
[Pentest scope and requirements...]
PHASE 6: SECURITY SIGN-OFF
Generating security release checklist...
RELEASE CRITERIA
☐ All critical vulnerabilities resolved
```
Creator's repository · aradotso/security-skills