
Security Audit Fast

Boost productivity with this command for performing a comprehensive security assessment. It includes structured workflows, validation checks, and reusable security patterns.

Command | Cliptics | security | v1.0.0 | MIT

Perform a comprehensive 10-point security assessment covering dependencies, authentication, input validation, data protection, secrets management, error handling, infrastructure, and security headers.

When to Use This Command

Run this command when...

  • You need a systematic security review across all layers of your application before deploying to production
  • You want to check for OWASP Top 10 vulnerabilities, dependency CVEs, and configuration weaknesses in a single pass
  • You are preparing for a security compliance audit and need documented findings with severity ratings
  • You need to verify that authentication, authorization, input validation, and encryption are implemented correctly
  • You want to review CORS, CSP, security headers, and cookie attributes for your web application

Quick Start

  # .claude/commands/security-audit-fast.yaml
  name: Security Audit Fast
  description: Comprehensive 10-point security assessment
  inputs:
    - name: focus
      description: "Focus area or 'all' for complete audit"
      default: "all"

  # Run complete security audit
  claude "security-audit-fast"

  # Focus on authentication and authorization
  claude "security-audit-fast --focus auth"

  # Audit with automated fixes where possible
  claude "security-audit-fast --fix"

Output:
  [audit] Running 10-point security assessment...
  ┌─────────────────────────────┬──────────┬──────────┐
  │ Category                    │ Findings │ Severity │
  ├─────────────────────────────┼──────────┼──────────┤
  │ Dependencies                │ 3        │ High     │
  │ Authentication              │ 1        │ Medium   │
  │ Input Validation            │ 2        │ High     │
  │ Data Protection             │ 0        │ Pass     │
  │ Secrets Management          │ 1        │ Critical │
  │ Error Handling              │ 2        │ Low      │
  │ Infrastructure              │ 1        │ Medium   │
  │ Security Headers            │ 3        │ Medium   │
  └─────────────────────────────┴──────────┴──────────┘
  Total: 13 findings (1 critical, 5 high, 4 medium, 3 low)
  Done. Report saved to security-audit.md

Core Concepts

  Concept                  Description
  10-Point Assessment      Structured audit covering: deps, auth, input, data, secrets, errors, infra, headers, CORS, and reporting
  Severity Classification  Findings rated Critical, High, Medium, or Low using industry-standard criteria
  Automated Scanning       Uses npm audit, pip check, cargo audit, and framework-specific tools when available
  Manual Review            Complements automated scanning with pattern-based code analysis for logic vulnerabilities
  Remediation Steps        Each finding includes specific fix instructions with code examples and file references

Audit Coverage:
  ┌──────────────────────────────────────────┐
  │         10-Point Security Audit          │
  ├────────────┬────────────┬────────────────┤
  │ Layer 1    │ Layer 2    │ Layer 3        │
  │ Deps       │ Auth       │ Infrastructure │
  │ Secrets    │ Input Val  │ Headers/CORS   │
  │ Data Prot  │ Error Hdl  │ Logging        │
  └────────────┴────────────┴────────────────┘
         │            │              │
         ▼            ▼              ▼
    ┌─────────────────────────────────────┐
    │   Consolidated Report + Fixes      │
    └─────────────────────────────────────┘

Configuration

  Parameter  Type     Default              Description
  focus      string   "all"                Specific audit area: deps, auth, input, data, secrets, infra, headers, or all
  fix        boolean  false                Automatically apply safe fixes like updating dependencies and adding headers
  output     string   "security-audit.md"  Report file path and format (md or json)
  severity   string   "low"                Minimum severity to include in the report
  ci         boolean  false                Exit with non-zero code if critical or high findings exist (for CI pipelines)
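One way to reproduce the --severity filter and the --ci exit-code gate from the audit's own table output, as an added example that is not part of the Cliptics template (the table text is constructed from the Quick Start output above; "Pass" rows count as zero findings):

```python
import re

# Constructed sample input: the per-category table the audit prints
# (copied from the Quick Start output above; values are illustrative).
SAMPLE_OUTPUT = """\
[audit] Running 10-point security assessment...
┌─────────────────────────────┬──────────┬──────────┐
│ Category                    │ Findings │ Severity │
├─────────────────────────────┼──────────┼──────────┤
│ Dependencies                │ 3        │ High     │
│ Authentication              │ 1        │ Medium   │
│ Input Validation            │ 2        │ High     │
│ Data Protection             │ 0        │ Pass     │
│ Secrets Management          │ 1        │ Critical │
│ Error Handling              │ 2        │ Low      │
│ Infrastructure              │ 1        │ Medium   │
│ Security Headers            │ 3        │ Medium   │
└─────────────────────────────┴──────────┴──────────┘
"""

# Severity ordering behind the --severity threshold (lowest to highest).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# One table row: │ category │ count │ severity │
ROW_RE = re.compile(r"^│\s*(?P<cat>[^│]+?)\s*│\s*(?P<n>\d+)\s*│\s*(?P<sev>\w+)\s*│$")

def parse_findings(text):
    """Return {category: (count, severity)}; 'Pass' rows carry zero findings."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m.group("cat")] = (int(m.group("n")), m.group("sev").lower())
    return rows

def count_by_severity(rows, minimum="low"):
    """Sum findings per severity, dropping categories below the minimum (the --severity filter)."""
    floor = SEVERITY_RANK[minimum]
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for n, sev in rows.values():
        if sev in SEVERITY_RANK and SEVERITY_RANK[sev] >= floor:
            counts[sev] += n
    return counts

def ci_exit_code(counts):
    """The --ci contract: non-zero exit when any critical or high finding remains."""
    return 1 if counts["critical"] or counts["high"] else 0
```

Feeding the saved report's table through parse_findings and exiting with ci_exit_code gives a pipeline step that blocks on critical/high findings while still letting --severity hide low-severity noise.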

Best Practices

  1. Run the full audit before every release -- A comprehensive 10-point check catches issues that targeted scans miss. Make it part of your release checklist.
  2. Address critical findings before deployment -- Critical findings like exposed secrets or SQL injection must be fixed immediately. Block deployments until critical items are resolved.
  3. Use CI mode in pipelines -- The --ci flag returns a non-zero exit code on critical/high findings, letting you gate deployments on security compliance automatically.
  4. Audit after dependency updates -- New package versions can introduce vulnerabilities. Run the audit after npm update or equivalent to catch regressions.
  5. Track findings over time -- Compare audit reports between releases to verify that previous findings were addressed and no new critical issues appeared.

Common Issues

  1. No package manager detected -- The audit needs a recognized package manager (npm, pip, cargo, etc.) for dependency scanning. Projects without one will skip that section.
  2. Incomplete results without running services -- Some checks like CORS and security headers require the application to be running. Start the server before auditing for complete coverage.
  3. Too many low-severity findings -- Use --severity medium to filter out informational findings and focus the report on actionable security issues.