---
name: sparkfinderoven-claude-security-compliance-suite
description: Security & compliance skill suite for OWASP scanning, CVE detection, GDPR/SOC2 auditing, threat modeling, and incident response workflows
triggers:
- scan this code for OWASP vulnerabilities
- check dependencies for CVEs
- run a GDPR compliance audit
- create a threat model for this architecture
- generate a security incident playbook
- audit IAM permissions for least privilege
- detect secrets in the codebase
- assess SOC2 readiness
---
# Security & Compliance Skills Suite
> Skill by [ara.so](https://ara.so), Security Skills collection.
This skill suite provides AI coding agents with specialized commands and workflows for security auditing, vulnerability management, compliance (GDPR/SOC2/ISO27001), and incident response. Derived from hesreallyhim/awesome-claude-code, it offers 10 specialized commands and 5 multi-step workflows with structured output.
## What This Project Does
The Security & Compliance Skills Suite equips AI agents with:
- **OWASP Top-10 vulnerability scanning** with CVSS scores
- **Dependency CVE detection** with upgrade paths
- **Compliance auditing** (GDPR, SOC2, ISO27001)
- **Threat modeling** using STRIDE methodology
- **IAM security audits** for least-privilege assessment
- **Secret detection** for pre-commit hooks
- **Incident response playbooks** with structured workflows
- **Penetration test reporting** with executive summaries
All commands follow a consistent 5-step interaction pattern with visual progress tracking and prioritized action plans.
## Installation
### Method 1: Clone to Claude Skills Directory
```bash
# Clone the repository
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git
# Copy to Claude skills directory
mkdir -p ~/.claude/skills
cp -r r01-hesreallyhim-awesome-claude-code-security ~/.claude/skills/security-compliance-suite/
```
### Method 2: Manual Setup
```bash
# Create skill directory
mkdir -p ~/.claude/skills/security-compliance-suite
# Download and extract
cd ~/.claude/skills/security-compliance-suite
# Add skill files manually
```
### Activate in Claude Code
In a Claude Code session:
```bash
/read ~/.claude/skills/security-compliance-suite/SKILL.md
```
Or reference in your project's `.claude/config.json`:
```json
{
  "skills": [
    "~/.claude/skills/security-compliance-suite"
  ]
}
```
## Core Commands
### `/owasp-scan` - OWASP Top-10 Vulnerability Scan
Scans code for OWASP Top-10 vulnerabilities with exploit descriptions, CVSS scores, and remediation steps.
**Usage:**
```bash
/owasp-scan <target_path>
/owasp-scan src/api --verbose
/owasp-scan . --format json
```
**Example Output Structure:**
```
OWASP Scan: src/api/
  Injection checks   23 files
  Auth checks        12 files
  XSS checks         45 files
  CSRF checks         8 files

FINDINGS (sort: severity desc)
| Sev      | Finding                         | CVSS | File     |
|----------|---------------------------------|------|----------|
| CRITICAL | SQL injection via string concat | 9.8  | db.js:45 |
| CRITICAL | JWT algorithm confusion         | 9.1  | auth.js  |
| MEDIUM   | Missing CSRF token validation   | 6.5  | form.js  |
```
**Code Pattern for SQL Injection Detection:**
```javascript
// VULNERABLE - user input is concatenated into the SQL text itself
function findUserUnsafe(db, userId) {
  const query = "SELECT * FROM users WHERE id = " + userId;
  return db.query(query);
}
// SECURE - parameterized query: the driver sends userId separately from the SQL text
function findUserSafe(db, userId) {
  return db.execute("SELECT * FROM users WHERE id = ?", [userId]);
}
```
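The detection logic behind the injection row above, as an added example that is not part of the skill suite: a Python AST pass that flags DB-API `execute()` calls whose SQL text is built with concatenation, `%`-formatting, `.format()` or an f-string, including when the query is first assembled into a variable, while leaving parameterized calls and literal-only concatenation alone. The sample source, the `SQL_SINKS` set and the function names are assumptions made for this example.

```python
# Added example (not part of the skill): an AST-based check for SQL that is
# assembled at runtime before reaching a DB-API execute() call. The sample
# source below is constructed for this example.
import ast
from typing import Dict, List, Optional, Tuple

# Methods whose first positional argument is the SQL text (DB-API 2.0 cursors, Django .raw()).
SQL_SINKS = {"execute", "executemany", "executescript", "raw"}


def has_non_constant(node: ast.AST) -> bool:
    """True if any leaf of the expression is something other than a literal."""
    return any(isinstance(n, (ast.Name, ast.Attribute, ast.Call, ast.Subscript, ast.FormattedValue))
               for n in ast.walk(node))


def dynamic_reason(node: ast.AST) -> Optional[str]:
    """Why this expression builds SQL at runtime, or None if it is a plain literal."""
    if isinstance(node, ast.JoinedStr) and has_non_constant(node):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add) and has_non_constant(node):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod) and has_non_constant(node):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format" and (node.args or node.keywords)):
        return ".format()"
    return None


def find_sql_injection(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) for every sink call whose SQL argument is built dynamically."""
    tree = ast.parse(source)
    # First pass: remember the last expression assigned to each simple name, so that
    # `q = "..." + x; cur.execute(q)` is caught too (lookup is by name, not scope-aware).
    assigned: Dict[str, ast.AST] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            assigned[node.targets[0].id] = node.value
    # Second pass: inspect the first argument of every sink call.
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_SINKS or not node.args:
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Name):
            sql = assigned.get(sql.id, sql)
        reason = dynamic_reason(sql)
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample: four unsafe patterns (one via a variable) and two safe calls.
SAMPLE_SOURCE = '''
import sqlite3

def lookup(conn, user_id, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    q = "SELECT * FROM users WHERE id = %s" % user_id
    cur.execute(q)
    cur.execute("DELETE FROM users WHERE id = {}".format(user_id))
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    cur.execute("SELECT * " + "FROM users")
'''

if __name__ == "__main__":
    for line, reason in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {line}: SQL built via {reason}")
```

Each hit corresponds to a "SQL injection via string concat" style row in the scan table. The caveat is the variable tracking: it is keyed on the bare name, so a name reused for a literal query in another function can produce a false positive, and a query built across several statements (`q += ...`) is not followed.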
### `/dep-cve` - Dependency CVE Report
Scans project dependencies for known CVEs with exploitability scores and upgrade paths.
**Usage:**
```bash
/dep-cve
/dep-cve --scope full --output md
/dep-cve --severity high,critical
```
**Example Implementation Pattern:**
```javascript
// package.json analysis (illustrative: queryAdvisories is a placeholder for a lookup
// against NVD, OSV or `npm audit` data, passed in so the function stays testable)
const path = require('path');
const auditDependencies = async (packageJsonPath, queryAdvisories) => {
  const pkg = require(path.resolve(packageJsonPath));
  // Note: package.json holds version ranges; a lockfile (package-lock.json)
  // gives the exact installed versions an advisory match actually needs.
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const vulnerabilities = [];
  for (const [name, version] of Object.entries(deps)) {
    const cves = await queryAdvisories(name, version);
    vulnerabilities.push(...cves);
  }
  return vulnerabilities.sort((a, b) => b.cvss - a.cvss);
};
```
**Expected Output:**
```
CVE REPORT: 234 dependencies scanned
| Package | CVE     | CVSS | Fix                |
|---------|---------|------|--------------------|
| express | CVE-... | 9.8  | Upgrade to 4.18.2+ |
| lodash  | CVE-... | 7.4  | Upgrade to 4.17.21 |
| axios   | CVE-... | 6.5  | Upgrade to 1.6.0   |

ACTION PLAN:
[ ] Critical: Upgrade express (15 min)
[ ] High: Upgrade lodash (10 min)
[ ] Medium: Review axios usage (30 min)
```
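The version-range matching that turns an advisory feed into the Fix column above, as an added example that is not part of the skill suite. The advisory IDs (`EXAMPLE-...`), package names and lockfile are constructed, not real CVEs; the range semantics (affected if `introduced <= version < fixed`, `fixed` absent meaning no patched release) follow the OSV schema. It goes one step beyond the table: the suggested upgrade is the smallest fixed version that is clear of every advisory for the package, not just the nearest fix.

```python
# Added example (not part of the skill): offline matching of pinned dependency
# versions against advisories with OSV-style introduced/fixed ranges, picking an
# upgrade target that is clear of every advisory for the package. Package names,
# advisory IDs and the lockfile are constructed for this example, not real CVEs.
import re
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.17.20', 'v1.6.0-beta.1' or '0' -> comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+(?:\.\d+){0,2})", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


# Constructed advisory list. ranges = [(introduced, fixed_or_None)], OSV semantics:
# affected if introduced <= version < fixed; fixed=None means no patched release yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "acme-router", "cvss": 9.8,
     "ranges": [("0", "4.18.2")]},
    {"id": "EXAMPLE-2024-0002", "package": "acme-router", "cvss": 5.3,
     "ranges": [("4.0.0", "4.10.0"), ("5.0.0", "5.0.2")]},
    {"id": "EXAMPLE-2023-0003", "package": "fastjson-lite", "cvss": 7.4,
     "ranges": [("1.2.0", None)]},
]


def is_affected(version: str, ranges: List[Tuple[str, Optional[str]]]) -> bool:
    v = parse_version(version)
    return any(v >= parse_version(lo) and (hi is None or v < parse_version(hi))
               for lo, hi in ranges)


def safe_upgrade(package: str, installed: str) -> Optional[str]:
    """Smallest 'fixed' version above `installed` that no advisory for `package` covers.
    Naively taking the nearest fix (4.10.0 here) would land inside another advisory."""
    pkg_advs = [a for a in ADVISORIES if a["package"] == package]
    candidates = {hi for a in pkg_advs for _, hi in a["ranges"]
                  if hi is not None and parse_version(hi) > parse_version(installed)}
    for cand in sorted(candidates, key=parse_version):
        if not any(is_affected(cand, a["ranges"]) for a in pkg_advs):
            return cand
    return None


def audit(lockfile: Dict[str, str]) -> List[dict]:
    """One finding per (package, advisory) the lockfile is exposed to, highest CVSS first."""
    findings = []
    for adv in ADVISORIES:
        installed = lockfile.get(adv["package"])
        if installed and is_affected(installed, adv["ranges"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "id": adv["id"], "cvss": adv["cvss"],
                             "fix": safe_upgrade(adv["package"], installed)})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


# Constructed lockfile snapshot (name -> exact pinned version, as a lockfile records it).
LOCKFILE = {"acme-router": "4.9.1", "fastjson-lite": "1.3.0", "left-trim": "2.0.0"}

if __name__ == "__main__":
    for f in audit(LOCKFILE):
        fix = f"upgrade to {f['fix']}" if f["fix"] else "no fix released; consider replacing"
        print(f"{f['package']} {f['installed']}  {f['id']}  CVSS {f['cvss']}  {fix}")
```

Pre-release tags are dropped by `parse_version`, which is the right call for matching (a `-beta` build of a fixed version is still below the fix in most ecosystems' ordering) but means the comparison is not a full semver implementation.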
### `/gdpr-audit` - GDPR Compliance Audit
Maps data flows, identifies consent gaps, and generates DPA checklists.
**Usage:**
```bash
/gdpr-audit
/gdpr-audit --scope full
/gdpr-audit --output report.md
```
**Code Example - Data Flow Detection:**
```python
# Detect personal data processing: assignments whose value comes from a call
# (form input, DB query, API response) and that name a PII-looking field
import ast
import re

class GDPRAnalyzer(ast.NodeVisitor):
    PII_FIELDS = ['email', 'phone', 'address', 'ssn', 'name']
    # Whole-word match so that 'name' does not fire on 'filename' or 'hostname'
    PII_RE = re.compile(r'\b(' + '|'.join(PII_FIELDS) + r')\b', re.IGNORECASE)

    def __init__(self):
        self.data_flows = []

    def visit_Assign(self, node):
        # Check for PII in assignments fed by a call, e.g. email = request.form['email']
        if isinstance(node.value, ast.Call):
            match = self.PII_RE.search(ast.unparse(node))
            if match:
                self.data_flows.append({
                    'line': node.lineno,
                    'field': match.group(1).lower(),
                    'type': 'data_collection',
                    'lawful_basis': 'NEEDS_REVIEW'
                })
        self.generic_visit(node)

# Usage
with open('user_service.py') as f:
    tree = ast.parse(f.read())
analyzer = GDPRAnalyzer()
analyzer.visit(tree)
for flow in analyzer.data_flows:
    print(flow)
```
**Audit Checklist Output:**
```
GDPR DATA FLOW MAP
| Data Type  | Lawful Basis               | Retention          |
|------------|----------------------------|--------------------|
| Email      | OK      Consent            | OK      2 years    |
| Phone      | GAP     NEEDS REVIEW       | GAP     Indefinite |
| IP Address | OK      Legitimate interest| REVIEW  90 days    |

GAPS FOUND:
[ ] Phone number: No consent mechanism
[ ] IP logging: Review retention policy
[ ] Cookie banner: Missing granular controls
```
### `/soc2-readiness` - SOC2 Compliance Assessment
Performs gap analysis across all 5 SOC2 Trust Service Criteria.
**Usage:**
```bash
/soc2-readiness
/soc2-readiness --criteria availability,confidentiality
```
**Assessment Framework:**
```yaml
# SOC2 Control Matrix (CC6 and CC7 are both Common Criteria under the Security category;
# the Availability category has its own A1.x criteria)
trust_service_criteria:
  - id: CC6.1
    criterion: Security (Common Criteria, CC6 Logical and Physical Access)
    control: Logical access controls
    evidence_required:
      - IAM policies
      - MFA enforcement
      - Access logs
  - id: CC7.2
    criterion: Security (Common Criteria, CC7 System Operations)
    control: System monitoring for anomalies and security events
    evidence_required:
      - Uptime metrics
      - Incident response logs
      - Backup verification
```
**Output Format:**
```
SOC2 TYPE II READINESS: 5 criteria assessed

SECURITY (Common Criteria)
  CC6.1 Logical Access     [GAP]   MFA not enforced (gap: 23%)
  CC6.6 Encryption         [OK]    TLS 1.3, AES-256
  CC6.7 Key Management     [WARN]  Manual key rotation
AVAILABILITY
  A1.1 System Monitoring   [OK]    24/7 alerting
  A1.2 Backup & Recovery   [GAP]   RPO exceeds policy

READINESS SCORE: 67% (needs 85%+ for audit)
PRIORITY ACTIONS:
  1. Enforce MFA org-wide (2 weeks)
  2. Automate key rotation (1 week)
  3. Improve backup RPO (3 days)
```
### `/threat-model` - STRIDE Threat Modeling
Generates STRIDE threat models for architecture diagrams with risk matrices.
**Usage:**
```bash
/threat-model architecture.png
/threat-model --format mermaid --output threats.md
```
**STRIDE Analysis Pattern:**
```python
# STRIDE threat categories and the control keywords that mitigate each one
STRIDE = {
    'Spoofing': ['authentication', 'identity'],
    'Tampering': ['data_integrity', 'code_integrity'],
    'Repudiation': ['logging', 'audit_trail'],
    'Information_Disclosure': ['encryption', 'access_control'],
    'Denial_of_Service': ['rate_limiting', 'resource_exhaustion'],
    'Elevation_of_Privilege': ['authorization', 'input_validation'],
}
MITIGATIONS = {
    'Spoofing': 'Strong authentication (MFA, signed tokens)',
    'Tampering': 'Integrity protection (HMAC, signed artifacts)',
    'Repudiation': 'Tamper-evident audit logging',
    'Information_Disclosure': 'Encryption in transit and at rest, least-privilege access',
    'Denial_of_Service': 'Rate limiting, quotas, WAF',
    'Elevation_of_Privilege': 'Authorization and input validation at every trust boundary',
}

def has_controls(component, indicators):
    """A category counts as mitigated when the component declares a matching control."""
    return any(i in component.get('controls', []) for i in indicators)

def calculate_severity(component, data_flows):
    """Heuristic: a confidential component fed by several flows has the largest blast radius.
    data_flows is a list of {'from': name, 'to': name} edges."""
    inbound = sum(1 for flow in data_flows if flow['to'] == component['name'])
    if component.get('classification') == 'confidential' and inbound >= 2:
        return 'High'
    return 'Medium' if inbound else 'Low'

def analyze_component(component, data_flows):
    threats = []
    for category, indicators in STRIDE.items():
        if not has_controls(component, indicators):
            threats.append({
                'category': category,
                'severity': calculate_severity(component, data_flows),
                'mitigation': MITIGATIONS[category],
            })
    return threats
```
**Example Output:**
```
THREAT MODEL: Web API Architecture

COMPONENTS:
  [Client] -> [API Gateway] -> [Auth Service] -> [Database]

STRIDE THREATS:
| Threat                    | Risk   | Mitigation              |
|---------------------------|--------|-------------------------|
| Spoofing: API keys        | High   | Implement JWT + refresh |
| Tampering: API requests   | Medium | Add HMAC signatures     |
| Information Disclosure    | High   | Encrypt data at rest    |
| DoS: missing rate limiting| Low    | Add WAF rules           |

RISK MATRIX (rows: likelihood, columns: impact):
                 Impact
                 Low     Med     High
  Likelihood
  Low            Info    Low     Med
  Med            Low     Med     High   <- API key spoofing
  High           Med     High    High
```
### `/secret-detect` - Pre-commit Secret Detection
Configures pre-commit hooks to detect secrets with entropy scanning.
**Usage:**
```bash
/secret-detect --install
/secret-detect --scan .
/secret-detect --config .secrets.yaml
```
**Hook Configuration:**
```yaml
# .pre-commit-config.yaml
# The baseline records findings already reviewed and accepted; create it once with
# `detect-secrets scan > .secrets.baseline` and commit it next to this file.
repos:
  - repo: local
    hooks:
      - id: detect-secrets
        name: Detect secrets
        entry: detect-secrets-hook
        args: ['--baseline', '.secrets.baseline']
        language: system
        exclude: |
          (?x)^(
            package-lock.json|
            \.secrets\.baseline
          )$
```

```yaml
# .secrets.yaml (suite configuration, passed with /secret-detect --config)
plugins:
  - name: ArtifactoryDetector
  - name: AWSKeyDetector
  - name: Base64HighEntropyString
    limit: 4.5
  - name: PrivateKeyDetector
filters:
  - path: tests/fixtures/
  - path: docs/examples/
```
**Entropy Detection Implementation:**
```python
import math
import re
from collections import Counter

def calculate_entropy(string):
    """Calculate Shannon entropy (bits per character) to detect high-entropy secrets"""
    if not string:
        return 0
    entropy = 0
    for count in Counter(string).values():
        probability = count / len(string)
        entropy -= probability * math.log2(probability)
    return entropy

# Regex patterns for known secret types (compiled once; '-' is escaped inside the
# character classes, otherwise `9-_` is read as a range and matches far too much)
PATTERNS = {
    'AWS_KEY': re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b'),
    'PRIVATE_KEY': re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----'),
    'JWT': re.compile(r'eyJ[A-Za-z0-9_\-=]+\.eyJ[A-Za-z0-9_\-=]+\.[A-Za-z0-9_\-.+/=]*'),
    'GITHUB_TOKEN': re.compile(r'\bgh[pousr]_[A-Za-z0-9]{36}\b'),
}

def scan_for_secrets(content, entropy_threshold=4.5):
    """Scan content line by line for potential secrets"""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for secret_type, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    'type': secret_type,
                    'value': match.group()[:8] + '...',   # never echo the full secret
                    'line': lineno
                })
        # High-entropy string detection: long tokens with a flat character distribution
        for word in re.findall(r'[A-Za-z0-9+/=_\-]{20,}', line):
            entropy = calculate_entropy(word)
            if entropy > entropy_threshold:
                findings.append({
                    'type': 'HIGH_ENTROPY',
                    'entropy': round(entropy, 2),
                    'line': lineno
                })
    return findings
```
**Example Scan Output:**
```
SECRET DETECTION: pre-commit hook scan

SECRETS FOUND:
| Type         | Location     | Value             |
|--------------|--------------|-------------------|
| AWS_KEY      | config.js:12 | AKIA4ODZ...       |
| PRIVATE_KEY  | auth.py:45   | -----BEGIN RSA... |
| HIGH_ENTROPY | utils.js:89  | entropy: 5.2      |

REMEDIATION:
[ ] Rotate the exposed credentials first (treat them as compromised)
[ ] Move secrets to environment variables or a secrets manager
[ ] Add affected files to .gitignore and purge them from history
[ ] Update .secrets.baseline
```
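What the hook itself should do on each commit, as an added example that is not part of the skill suite: scan only the lines a commit adds (the `git diff --cached` output a pre-commit hook sees), skip the fixture paths allow-listed in `.secrets.yaml`, and suppress findings already accepted in a baseline by fingerprint rather than by storing the secret. The diff is constructed; the AWS key in it is the placeholder from AWS's own documentation, not a live credential, and the function names are assumptions for this example.

```python
# Added example (not part of the skill): the check a pre-commit hook actually
# needs, scanning only the lines a commit adds (`git diff --cached` output),
# skipping allow-listed fixture paths, and suppressing findings already accepted
# in a baseline by fingerprint. The diff below is constructed; the AWS key is the
# placeholder from AWS documentation, not a live credential.
import hashlib
import re
from typing import Dict, Iterator, List, Set, Tuple

PATTERNS = {
    "AWS_KEY": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GITHUB_TOKEN": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "PRIVATE_KEY": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}
# Paths that legitimately contain fake secrets (mirrors the filters in .secrets.yaml).
ALLOW_PATHS = ("tests/fixtures/", "docs/examples/")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_file_line_number, text) for every added line in a unified diff."""
    path, lineno, in_hunk = "", 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
        elif raw.startswith("+++ "):
            p = raw[4:]
            path = p[2:] if p.startswith("b/") else p
        elif raw.startswith("@@"):
            lineno = int(HUNK_RE.match(raw).group(1))
            in_hunk = True
        elif not in_hunk:
            continue
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith(" ") or raw == "":
            lineno += 1          # context line: present in the new file, not scanned
        # '-' lines exist only in the old file and carry no new-file line number


def fingerprint(secret: str) -> str:
    """Stable identifier for a baseline entry that does not store the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_diff(diff: str, baseline: Set[str]) -> List[Dict]:
    findings = []
    for path, lineno, text in added_lines(diff):
        if path.startswith(ALLOW_PATHS):
            continue
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                fp = fingerprint(m.group())
                if fp in baseline:
                    continue             # already reviewed and accepted
                findings.append({"type": kind, "file": path, "line": lineno,
                                 "fingerprint": fp, "preview": m.group()[:8] + "..."})
    return findings


# Constructed `git diff --cached` output: two secrets in config.js, one PEM in a fixture.
STAGED_DIFF = """diff --git a/config.js b/config.js
index 1111111..2222222 100644
--- a/config.js
+++ b/config.js
@@ -10,3 +10,4 @@ const settings = {
   region: "us-east-1",
-  accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
+  token: "ghp_0123456789abcdefghijklmnopqrstuvwxyz",
 };
diff --git a/tests/fixtures/key.pem b/tests/fixtures/key.pem
new file mode 100644
--- /dev/null
+++ b/tests/fixtures/key.pem
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK...
"""

if __name__ == "__main__":
    for f in scan_diff(STAGED_DIFF, baseline=set()):
        print(f"{f['file']}:{f['line']}  {f['type']}  {f['preview']}  fp={f['fingerprint']}")
```

Scanning only added lines keeps the hook fast and stops it re-reporting history, but it also means a secret that was committed before the hook was installed is never seen; run the whole-tree `--scan` once when adopting the hook, then rely on the diff check.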
### `/iam-audit` - IAM Least Privilege Audit
Audits IAM roles for over-permissioned access, stale users, and MFA gaps.
**Usage:**
```bash
/iam-audit
/iam-audit --provider aws
/iam-audit --output report.json
```
**Audit Logic Example:**
```python
# AWS IAM audit example (read-only iam:List*/iam:Get* calls)
import boto3
from datetime import datetime, timezone

ADMIN_POLICIES = {'AdministratorAccess', 'PowerUserAccess'}
STALE_DAYS = 90

def days_since(ts):
    """Days between an aware timestamp returned by IAM and now."""
    return (datetime.now(timezone.utc) - ts).days

def audit_iam_users():
    iam = boto3.client('iam')
    findings = []
    # list_users is paginated; a bare list_users() call silently truncates at 100 users
    for page in iam.get_paginator('list_users').paginate():
        for user in page['Users']:
            username = user['UserName']
            # Check MFA
            if not iam.list_mfa_devices(UserName=username)['MFADevices']:
                findings.append({'user': username, 'issue': 'NO_MFA', 'severity': 'HIGH'})
            # Check last console sign-in (PasswordLastUsed is on the list_users record;
            # get_user() would return it nested under ['User'])
            last_used = user.get('PasswordLastUsed')
            if last_used and days_since(last_used) > STALE_DAYS:
                findings.append({'user': username, 'issue': 'STALE_ACCESS',
                                 'days_inactive': days_since(last_used), 'severity': 'MEDIUM'})
            # Check access keys: active keys that were never used or not used recently
            for key in iam.list_access_keys(UserName=username)['AccessKeyMetadata']:
                if key['Status'] != 'Active':
                    continue
                usage = iam.get_access_key_last_used(AccessKeyId=key['AccessKeyId'])
                last = usage['AccessKeyLastUsed'].get('LastUsedDate')
                if last is None or days_since(last) > STALE_DAYS:
                    findings.append({'user': username, 'issue': 'UNUSED_KEY',
                                     'key_id': key['AccessKeyId'], 'severity': 'LOW'})
            # Check attached managed policies for blanket admin rights (group-attached and
            # inline policies need list_groups_for_user / list_user_policies as well)
            for policy in iam.list_attached_user_policies(UserName=username)['AttachedPolicies']:
                if policy['PolicyName'] in ADMIN_POLICIES:
                    findings.append({'user': username, 'issue': 'OVERPRIVILEGED',
                                     'policy': policy['PolicyName'], 'severity': 'HIGH'})
    return findings
```
**Output Format:**
```
IAM AUDIT: AWS Account (account-id: 123456789012)

FINDINGS:
| User/Role      | Issue          | Severity | Remediation    |
|----------------|----------------|----------|----------------|
| admin-user     | NO_MFA         | High     | Enable MFA     |
| deploy-role    | OVERPRIVILEGED | High     | Scope policy   |
| old-contractor | STALE (180d)   | Medium   | Deactivate     |
| dev-service    | UNUSED_KEY     | Low      | Deactivate key |

STATISTICS:
  Total users: 47
  Without MFA: 12 (26%)
  Stale (90d+): 8 (17%)
  Admin access: 5 (11%)

PRIORITY ACTIONS:
  1. Enforce MFA policy (1 day)
  2. Remove stale users (2 hours)
  3. Replace admin roles with scoped policies (1 week)
```
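The API calls above tell you who carries `AdministratorAccess`; the next question is what a custom policy actually grants. The following is an added example, not part of the skill suite, that evaluates a policy document offline for wildcard actions, unscoped resources, `NotAction` grants, and escalation-capable actions allowed on `Resource: "*"` without a `Condition`. The policy, the `ESCALATION_ACTIONS` set and the severity scale are assumptions made for this example.

```python
# Added example (not part of the skill): an offline least-privilege check on an
# IAM policy document, the JSON behind managed and inline policies. Flags wildcard
# actions, unscoped resources, NotAction grants and escalation-capable actions on
# Resource "*". The policy below is constructed for this example.
import fnmatch
import json
from typing import Dict, List

# Actions that let a principal become more privileged when allowed on "*": passing an
# admin role, rewriting policies, pushing code into a Lambda with a privileged role.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "lambda:UpdateFunctionCode",
}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action globbing is case-insensitive: 'iam:*' and 'iam:pass*' both cover iam:PassRole."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_policy(doc: dict) -> List[Dict]:
    findings = []
    for i, stmt in enumerate(as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue                      # only Allow statements can over-grant
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))

        def add(severity, issue):
            findings.append({"sid": sid, "severity": severity, "issue": issue})

        if "NotAction" in stmt:
            add("HIGH", "Allow with NotAction grants every action except the listed ones")
        if any(a in ("*", "*:*") for a in actions):
            add("CRITICAL", 'Action "*" is full administrative access')
        else:
            for a in actions:
                if a.endswith(":*"):
                    add("HIGH", f"service-wide wildcard action {a}")
                elif "*" in a:
                    add("MEDIUM", f"wildcard action {a}")
        if "*" in resources and not stmt.get("Condition"):
            escalators = sorted(e for e in ESCALATION_ACTIONS
                                if any(action_matches(p, e) for p in actions))
            if escalators:
                add("CRITICAL", f"{', '.join(escalators)} on Resource \"*\" enables privilege escalation")
            else:
                add("MEDIUM", 'Resource "*" with no Condition; scope to specific ARNs')
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


# Constructed policy: one clean statement, one escalation path, one service wildcard.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow",
     "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"},
    {"Sid": "DeployHelper", "Effect": "Allow",
     "Action": ["iam:PassRole", "lambda:UpdateFunctionCode"],
     "Resource": "*"},
    {"Sid": "BucketAdmin", "Effect": "Allow",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-artifacts/*"},
    {"Sid": "NoBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for f in analyze_policy(POLICY):
        print(f"{f['severity']:8} {f['sid']:14} {f['issue']}")
```

Feed it the `PolicyDocument` from `iam.get_policy_version(...)` or `iam.get_user_policy(...)` and the `DeployHelper` pattern is the one to chase first: `iam:PassRole` on `*` lets the principal hand any role, including an admin one, to a service it controls. The check is deliberately pessimistic about `Resource: "*"` because it does not evaluate `Condition` keys; a statement guarded by `aws:PrincipalTag` or `iam:PassedToService` is left alone.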
### `/incident-playbook` - Security Incident Response
Generates incident response playbooks: triage → contain → eradicate → recover → lessons learned.
**Usage:**
```bash
/incident-playbook --type data-breach
/incident-playbook --type ransomware
/incident-playbook --custom
```
**Playbook Template:**
```yaml
# Data Breach Response Playbook
incident_type: data_breach
severity: HIGH
owner: CISO
phases:
  1_triage:
    duration: 0-2 hours
    steps:
      - id: T1
        action: Confirm breach scope
        checklist:
          - Identify affected systems
          - Estimate data volume
          - Determine data sensitivity
      - id: T2
        action: Assemble response team
        roles:
          - Incident Commander (CISO)
          - Technical Lead (SecOps)
          - Legal Counsel
          - Communications Lead
  2_containment:
    duration: 2-8 hours
    steps:
      - id: C1
        action: Isolate affected systems
        commands:
          # Cloud: move the instance into a quarantine security group that permits only
          # forensic access; do not stop or terminate it, that destroys volatile evidence
          - aws ec2 modify-instance-attribute --instance-id $INSTANCE_ID --groups $QUARANTINE_SG_ID
          # Host: keep the responder's own access, then drop everything else inbound
          - iptables -I INPUT -s $FORENSIC_IP -j ACCEPT
          - iptables -A INPUT -j DROP
      - id: C2
        action: Preserve forensic evidence
        commands:
          # Cloud: snapshot attached volumes before any remediation touches them
          - aws ec2 create-snapshot --volume-id $VOLUME_ID --description "IR-$INCIDENT_ID"
          # Host: image the disk, then hash the image for chain of custody
          - dd if=/dev/sda of=/mnt/forensics/disk.img bs=4M conv=noerror,sync
          - sha256sum /mnt/forensics/disk.img > /mnt/forensics/disk.img.sha256
          - tar czf /mnt/forensics/logs-$(date +%Y%m%d).tar.gz /var/log/
  3_eradication:
    duration: 8-24 hours
    steps:
      - id: E1
        action: Remove threat actor access
        checklist:
          -

 Rotate all credentials
          - Revoke API keys
          - Patch vulnerabilities
  4_recovery:
    duration: 24-72 hours
    steps:
      - id: R1
        action: Restore from clean backups
      - id: R2
        action: Monitor for re-infection
  5_lessons_learned:
    duration: 1 week post-incident
    steps:
      - id: L1
        action: Post-mortem report
      - id: L2
        action: Update runbooks
notifications:
  - type: regulatory
    condition: personal data affected
    deadline: 72 hours from becoming aware (GDPR Art. 33)
    recipients:
      - Supervisory authority (Data Protection Authority)
  - type: data_subjects
    condition: high risk to affected individuals
    deadline: without undue delay (GDPR Art. 34)
    recipients:
      - Affected individuals
  - type: internal
    condition: always
    recipients:
      - Executive team
      - Legal
      - Board of Directors
```
**Interactive Execution:**
```
INCIDENT RESPONSE: Data Breach

PHASE 1: TRIAGE (0-2 hours)
[T1] Confirm breach scope
  [x] Identify affected systems
  [ ] Estimate data volume: ___________
  [ ] Determine sensitivity: [PII] [PHI] [PCI] [Other]
[T2] Assemble response team
  [x] Incident Commander: Jane Doe (CISO)
  [x] Technical Lead: John Smith (SecOps)
  [..] Legal Counsel: Contacting...

PHASE 2: CONTAINMENT (2-8 hours)
[C1] Isolate affected systems
  Command: aws ec2 modify-instance-attribute --instance-id i-abc123 --groups $QUARANTINE_SG_ID
  Execute? [y/N]: _

TIMELINE:
  00:00 - Breach detected
  00:15 - Response team assembled
  00:45 - Systems isolated
  [Current: 01:23]

NEXT STEPS:
  - Complete containment checklist
  - Begin forensic analysis
  - Prepare regulatory notification
```
## Multi-Step Workflows
### `secure-sdlc` - Secure Software Development Lifecycle
Implements shift-left security: threat model → static scan → dynamic scan → pen test → sign-off.
**Usage:**
```bash
/workflows:secure-sdlc <project_path> --scope full
/workflows:secure-sdlc . --phase threat-model
```
**Workflow Steps:**
```
SECURE SDLC WORKFLOW
Phase 1: Requirements & Design
├── [W1] Threat modeling (STRIDE)
├── [W2] Security requirements gathering
└── [W3] Architecture security review
Phase 2: Development
├── [W4] Pre-commit secret scanning
├── [W5] SAST (static analysis)
└── [W6] Dependency CVE scanning
Phase 3: Testing
├── [W7] DAST (dynamic analysis)
├── [W8] API security testing
└── [W9] Penetration testing
Phase 4: Deployment
├── [W10] Container security scanning
├── [W11] IaC security review
└── [W12] Security sign-off
Phase 5: Operations
├── [W13] Runtime security monitoring
├── [W14] Vulnerability management
└── [W15] Incident response drills
```
### `breach-response` - Data Breach Response
Data breach workflow: detect → assess → notify → remediate → post-mortem.
**Usage:**
```bash
/workflows:breach-response --severity high
```
### `compliance-audit` - Full Compliance Audit
Comprehensive audit: scope → gap analysis → evidence collection → remediation plan.
**Usage:**
```bash
/workflows:compliance-audit --framework soc2
/workflows:compliance-audit --framework gdpr,iso27001
```
### `zero-trust-design` - Zero Trust Architecture
Design zero-trust architecture: identity → network → workload → data layers.
**Usage:**
```bash
/workflows:zero-trust-design --output architecture.md
```
### `vendor-security` - Third-Party Security Assessment
Vendor security assessment: questionnaire → risk score → decision matrix.
**Usage:**
```bash
/workflows:vendor-security --vendor "Acme SaaS Provider"
```
## Configuration
### Global Configuration
Create `~/.claude/skills/security-compliance-suite/config.yaml`:
```yaml
# Security & Compliance Suite Configuration
defaults:
  output_format: table          # table | json | markdown
  severity_threshold: medium    # low | medium | high | critical
integrations:
  nvd:
    api_key_env: NVD_API_KEY    # name of the env var; the key itself never goes in this file
    cache_ttl: 86400
  github:
    token_env: GITHUB_TOKEN
  aws:
    profile: default
    region: us-east-1
scanning:
  owasp:
    # Category keys follow the OWASP Top 10 (2017) naming
    categories:
      - injection
      - broken_auth
      - sensitive_data
      - xxe
      - broken_access
      - security_misconfig
      - xss
      - insecure_deserialization
      - components_with_vulnerabilities
      - insufficient_logging
  dependencies:
    package_managers:
      - npm
      - pip
      - maven
      - go
    severity_threshold: medium
compliance:
  gdpr:
    dpo_contact: ${DPO_EMAIL}
    retention_policy_days: 730
  soc2:
    audit_period_months: 12
    required_score: 85
reporting:
  template: standard
  include_remediation: true
  export_formats:
    - markdown
    - json
    - pdf
```
### Project-Level Configuration
Create `.security-config.yaml` in your project root:
```yaml
# Project-specific security configuration
project:
  name: My Application
  criticality: high             # low | medium | high | critical
scan_exclusions:
  paths:
    - node_modules/
    - vendor/
    - .git/
    - tests/fixtures/
  files:
    - "*.min.js"
    - "*.test.js"
compliance:
  frameworks:
    - soc2
    - gdpr
  data_classification:
    pii_fields:
      - email
      - phone_number
      - ssn
    retention_days: 365
threat_model:
  assets:
    - name: User Database
      classification: confidential
      threats:
        - sql_injection
        - unauthorized_access
    - name: API Gateway
      classification: internal
      threats:
        - ddos
        - injection
contacts:
  security_team: security@example.com
  dpo: dpo@example.com
  incident_response: incidents@example.com
```
## Environment Variables
Set these environment variables for external integrations:
```bash
# NVD (National Vulnerability Database)
export NVD_API_KEY=your_nvd_api_key_here
# GitHub (for dependency scanning)
export GITHUB_TOKEN=your_github_token_here
# AWS (for IAM audits)
export AWS_PROFILE=your_aws_profile
export AWS_REGION=us-east-1
# Slack (for incident notifications)
export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
# Email (for compliance notifications)
export SMTP_HOST=smtp.example.com
export SMTP_PORT=587
export SMTP_USER=alerts@example.com
export SMTP_PASSWORD=your_smtp_password
```
## Common Patterns
### Pattern 1: Daily Security Scan
```bash
#!/bin/bash
# daily-security-scan.sh
status=0
mkdir -p reports
# Run OWASP scan
/owasp-scan src/ --output reports/owasp-$(date +%Y%m%d).md || status=1
# Check dependencies
/dep-cve --severity high,critical --output reports/cve-$(date +%Y%m%d).json || status=1
# Secret detection
/secret-detect --scan . --exclude node_modules/ || status=1
# Send summary (testing $? here would only reflect the last command, so each
# step records its own failure above)
if [ "$status" -eq 0 ]; then
  echo "OK: Security scan completed successfully"
else
  echo "FAIL: Security issues found - review reports/"
  exit 1
fi
```
### Pattern 2: Pre-Deployment Security Gate
```bash
#!/bin/bash
# pre-deploy-checks.sh
set -euo pipefail
echo "Running pre-deployment security checks..."
# Static analysis
/owasp-scan src/
# Dependency check
/dep-cve --severity critical
# Container scan (if using Docker). `docker scan` has been removed from Docker;
# use an image scanner that can fail the gate on severity, e.g. Trivy:
trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:latest
# IAM validation
/iam-audit --output iam-report.json
echo "OK: All security gates passed"
```
### Pattern 3: Compliance Evidence Collection
```bash
#!/bin/bash
# collect-compliance-evidence.sh
set -euo pipefail
AUDIT_DATE=$(date +%Y%m%d)
EVIDENCE_DIR="compliance-evidence-${AUDIT_DATE}"
mkdir -p "${EVIDENCE_DIR}"
# SOC2 controls
/soc2-readiness --output "${EVIDENCE_DIR}/soc2-readiness.md"
# GDPR data flows
/gdpr-audit --output "${EVIDENCE_DIR}/gdpr-audit.md"
# IAM policies
/iam-audit --output "${EVIDENCE_DIR}/iam-audit.json"
# Security logs (path depends on the host's logging setup)
cp /var/log/security.log "${EVIDENCE_DIR}/"
# Create archive and record its hash so auditors can verify the evidence is unaltered
tar czf "${EVIDENCE_DIR}.tar.gz" "${EVIDENCE_DIR}/"
sha256sum "${EVIDENCE_DIR}.tar.gz" > "${EVIDENCE_DIR}.tar.gz.sha256"
echo "Evidence collected: ${EVIDENCE_DIR}.tar.gz"
```
### Pattern 4: Automated Incident Detection
```python
# incident_detector.py
import json
import subprocess

def run_scan(command):
    """Run a suite command with JSON output and return its findings list.
    Assumes the command prints {"findings": [{"severity": "...", ...}, ...]}."""
    result = subprocess.run(command, capture_output=True, text=True, check=False)
    return json.loads(result.stdout).get('findings', []) if result.stdout.strip() else []

def check_security_posture():
    """Run security checks and detect incidents"""
    findings = {
        'critical': [],
        'high': [],
        'medium': []
    }
    # Run OWASP scan and dependency check, bucketing findings by severity;
    # anything in 'critical' or 'high' is an incident, not a backlog item
    for command in (['/owasp-scan', '.', '--format', 'json'],
                    ['/dep-cve', '--severity', 'high,critical']):
        for finding in run_scan(command):
            severity = finding.get('severity', '').lower()
            if severity in findings:
                findings[severity].append(finding)
    return findings
```
Creator's repository: aradotso/security-skills