| name | when-auditing-security-use-security-analyzer |
| version | 1.0.0 |
| description | Comprehensive security auditing across static analysis, dynamic testing, dependency vulnerabilities, secrets detection, and OWASP compliance |
| agents | security-manager, code-analyzer, tester |
| complexity | HIGH |
| triggers | security audit, vulnerability scan, penetration test, security review, compliance check |
| categories | security, testing, compliance |
| coordination | [object Object] |
| memory_patterns | swarm/security/findings, swarm/security/vulnerabilities, swarm/security/compliance |
Security Analyzer - Comprehensive Security Auditing Skill
Overview
This skill provides multi-vector security analysis combining static code analysis, dynamic testing, dependency auditing, secrets detection, and OWASP Top 10 compliance checking. Uses coordinated agents with validation gates between phases.
Architecture
Security Manager (Coordinator)
├─→ Phase 1: Static Analysis (Code Analyzer)
├─→ Phase 2: Dynamic Testing (Tester)
├─→ Phase 3: Dependency Audit (Security Manager)
├─→ Phase 4: Secrets Detection (Code Analyzer)
└─→ Phase 5: Compliance Check (Security Manager)
Phase 1: Static Code Analysis
Objective
Identify code-level vulnerabilities, security anti-patterns, and unsafe practices.
Security Manager Setup
# Initialize security audit session
npx claude-flow@alpha hooks pre-task --description "Security static analysis initialization"
npx claude-flow@alpha hooks session-restore --session-id "security-audit-${DATE}"
# Set up memory namespace
npx claude-flow@alpha memory store \
--key "swarm/security/config" \
--value '{
"scan_type": "static",
"severity_threshold": "medium",
"frameworks": ["owasp", "cwe"],
"timestamp": "'$(date -Iseconds)'"
}'
Code Analyzer Execution
# Spawn code analyzer agent for static analysis
# Agent performs:
# 1. SQL Injection Detection
npx claude-flow@alpha hooks pre-task --description "SQL injection vulnerability scan"
# Scan patterns:
# ❌ VULNERABLE:
# const query = "SELECT * FROM users WHERE id = " + userId;
# db.query("SELECT * FROM " + tableName);
#
# ✅ SECURE:
# const query = "SELECT * FROM users WHERE id = ?";
# db.query(query, [userId]);
grep -rn "\.query\|\.exec" --include="*.js" --include="*.ts" . | \
grep -v "?" | grep -v "\$[0-9]" > /tmp/sql-findings.txt
# 2. XSS Vulnerability Detection
# ❌ VULNERABLE:
# element.innerHTML = userInput;
# eval(userInput);
# new Function(userInput)();
#
# ✅ SECURE:
# element.textContent = userInput;
# JSON.parse(sanitizedInput);
grep -rn "innerHTML\|eval\|new Function" --include="*.js" --include="*.jsx" . > /tmp/xss-findings.txt
# 3. Path Traversal Detection
# ❌ VULNERABLE:
# fs.readFile(userPath);
# require(userInput);
#
# ✅ SECURE:
# const safePath = path.join(baseDir, path.normalize(userPath));
# if (!safePath.startsWith(baseDir)) throw new Error('Invalid path');
grep -rn "readFile\|writeFile\|require.*\+" --include="*.js" . > /tmp/path-traversal-findings.txt
# 4. Insecure Cryptography
# ❌ VULNERABLE:
# crypto.createHash('md5');
# crypto.createCipher('des', key);
#
# ✅ SECURE:
# crypto.createHash('sha256');
# crypto.createCipheriv('aes-256-gcm', key, iv);
grep -rn "md5\|sha1\|des\|rc4" --include="*.js" --include="*.ts" . > /tmp/crypto-findings.txt
# Store findings in memory
npx claude-flow@alpha memory store \
--key "swarm/security/static-analysis" \
--value "$(cat /tmp/*-findings.txt | jq -Rs '{findings: ., timestamp: now}')"
npx claude-flow@alpha hooks post-task --task-id "static-analysis"
Validation Gate 1
# Check if critical vulnerabilities found
CRITICAL_COUNT=$(cat /tmp/*-findings.txt | grep -c ".")
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "⚠️ GATE FAILED: $CRITICAL_COUNT potential vulnerabilities found"
npx claude-flow@alpha hooks notify --message "Static analysis found $CRITICAL_COUNT issues - review required"
# Continue but flag for review
fi
Phase 2: Dynamic Security Testing
Objective
Runtime vulnerability detection through active testing and fuzzing.
Tester Agent Execution
npx claude-flow@alpha hooks pre-task --description "Dynamic security testing"
# 1. Authentication Bypass Testing
cat > /tmp/auth-test.js << 'EOF'
// Test suite for authentication vulnerabilities
const axios = require('axios');
async function testAuthBypass() {
const tests = [
// SQL Injection in auth
{ username: "admin'--", password: "anything" },
{ username: "admin' OR '1'='1", password: "" },
// JWT manipulation
{ token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0..." }, // None algorithm
// Session fixation
{ session: "../../admin-session" },
// NoSQL injection
{ username: { "$ne": null }, password: { "$ne": null } }
];
const vulnerabilities = [];
for (const test of tests) {
try {
const response = await axios.post('http://localhost:3000/login', test);
if (response.status === 200) {
vulnerabilities.push({
type: 'AUTH_BYPASS',
severity: 'CRITICAL',
payload: test,
description: 'Authentication bypass successful'
});
}
} catch (e) {
// Expected - auth failed
}
}
return vulnerabilities;
}
module.exports = { testAuthBypass };
EOF
# 2. CSRF Testing
cat > /tmp/csrf-test.js << 'EOF'
async function testCSRF() {
const response = await axios.post('http://localhost:3000/api/transfer', {
to: 'attacker',
amount: 1000
}, {
headers: {
'Origin': 'http://evil.com',
'Referer': 'http://evil.com'
}
});
// Should be rejected without CSRF token
if (response.status === 200) {
return {
type: 'CSRF',
severity: 'HIGH',
description: 'Missing CSRF protection on state-changing operation'
};
}
}
EOF
# 3. Rate Limiting Test
cat > /tmp/rate-limit-test.js << 'EOF'
async function testRateLimit() {
const requests = [];
for (let i = 0; i < 1000; i++) {
requests.push(axios.get('http://localhost:3000/api/data'));
}
const responses = await Promise.all(requests);
const successCount = responses.filter(r => r.status === 200).length;
if (successCount > 100) {
return {
type: 'NO_RATE_LIMIT',
severity: 'MEDIUM',
description: `No rate limiting detected - ${successCount}/1000 requests succeeded`
};
}
}
EOF
# Execute dynamic tests
node /tmp/auth-test.js > /tmp/dynamic-findings.json
node /tmp/csrf-test.js >> /tmp/dynamic-findings.json
node /tmp/rate-limit-test.js >> /tmp/dynamic-findings.json
npx claude-flow@alpha memory store \
--key "swarm/security/dynamic-testing" \
--value "$(cat /tmp/dynamic-findings.json)"
npx claude-flow@alpha hooks post-task --task-id "dynamic-testing"
Validation Gate 2
CRITICAL_RUNTIME=$(jq '[.[] | select(.severity == "CRITICAL")] | length' /tmp/dynamic-findings.json)
if [ "$CRITICAL_RUNTIME" -gt 0 ]; then
echo "🚨 GATE FAILED: $CRITICAL_RUNTIME critical runtime vulnerabilities"
exit 1 # Hard stop for critical runtime issues
fi
Phase 3: Dependency Security Audit
Objective
Identify known vulnerabilities (CVEs) in dependencies and supply chain risks.
Security Manager Execution
npx claude-flow@alpha hooks pre-task --description "Dependency vulnerability scan"
# 1. NPM Audit
npm audit --json > /tmp/npm-audit.json 2>&1 || true
# 2. Check for outdated packages with known vulnerabilities
npm outdated --json > /tmp/outdated.json 2>&1 || true
# 3. License compliance check
npx license-checker --json > /tmp/licenses.json 2>&1 || true
# 4. Check for malicious packages (typosquatting)
cat package.json | jq -r '.dependencies | keys[]' | while read pkg; do
# Check against known malicious package database
if grep -q "$pkg" /tmp/malicious-packages.txt 2>/dev/null; then
echo "⚠️ MALICIOUS PACKAGE DETECTED: $pkg"
fi
done > /tmp/malicious-check.txt
# 5. SBOM (Software Bill of Materials) generation
npx @cyclonedx/cyclonedx-npm --output-file /tmp/sbom.json
# Analyze CVE severity
jq '{
critical: [.vulnerabilities | to_entries[] | select(.value.severity == "critical")],
high: [.vulnerabilities | to_entries[] | select(.value.severity == "high")],
moderate: [.vulnerabilities | to_entries[] | select(.value.severity == "moderate")],
low: [.vulnerabilities | to_entries[] | select(.value.severity == "low")],
total: .metadata.vulnerabilities
}' /tmp/npm-audit.json > /tmp/dependency-summary.json
npx claude-flow@alpha memory store \
--key "swarm/security/dependencies" \
--value "$(cat /tmp/dependency-summary.json)"
npx claude-flow@alpha hooks post-task --task-id "dependency-audit"
Validation Gate 3
CRITICAL_DEPS=$(jq '.critical | length' /tmp/dependency-summary.json)
HIGH_DEPS=$(jq '.high | length' /tmp/dependency-summary.json)
if [ "$CRITICAL_DEPS" -gt 0 ]; then
echo "🚨 GATE FAILED: $CRITICAL_DEPS critical dependency vulnerabilities"
npx claude-flow@alpha hooks notify --message "Critical CVEs detected in dependencies"
exit 1
fi
if [ "$HIGH_DEPS" -gt 5 ]; then
echo "⚠️ WARNING: $HIGH_DEPS high-severity dependency vulnerabilities"
fi
Phase 4: Secrets Detection
Objective
Identify exposed secrets, API keys, credentials, and sensitive data.
Code Analyzer Execution
npx claude-flow@alpha hooks pre-task --description "Secrets and credentials detection"
# 1. Pattern-based secret detection
cat > /tmp/secret-patterns.txt << 'EOF'
# API Keys
AKIA[0-9A-Z]{16} # AWS Access Key
AIza[0-9A-Za-z_-]{35} # Google API Key
[REDACTED-EXAMPLE-PATTERN] # Stripe Secret Key pattern
xox[baprs]-[0-9]{10,12}-[0-9]{10,12}-[a-zA-Z0-9]{24} # Slack Token
# Passwords
password\s*=\s*['"]\w+['"]
api_key\s*=\s*['"]\w+['"]
secret\s*=\s*['"]\w+['"]
# Private Keys
-----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----
# Database Credentials
(mongodb|postgres|mysql):\/\/[^:]+:[^@]+@
# JWT Tokens
eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}
EOF
# Scan codebase
grep -rEn -f /tmp/secret-patterns.txt \
--include="*.js" --include="*.ts" --include="*.json" --include="*.yaml" --include="*.env*" \
--exclude-dir=node_modules --exclude-dir=.git \
. > /tmp/secrets-found.txt 2>&1 || true
# 2. Entropy-based detection (random strings likely to be secrets)
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.json" \) \
-not -path "*/node_modules/*" -not -path "*/.git/*" \
-exec grep -Eon '[A-Za-z0-9+/]{40,}' {} \; | \
awk 'length($0) > 40' > /tmp/high-entropy-strings.txt
# 3. Environment variable exposure check
grep -rn "process\.env\." --include="*.js" --include="*.ts" . | \
grep -v "process\.env\.NODE_ENV" | \
grep -v "\/\/" > /tmp/env-usage.txt
# 4. Hardcoded IP addresses and URLs
grep -rEon '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
--include="*.js" --include="*.ts" --include="*.json" \
. > /tmp/hardcoded-ips.txt
# Generate report
cat > /tmp/secrets-report.json << EOF
{
"secrets_found": $(wc -l < /tmp/secrets-found.txt),
"high_entropy_strings": $(wc -l < /tmp/high-entropy-strings.txt),
"env_exposures": $(wc -l < /tmp/env-usage.txt),
"hardcoded_ips": $(wc -l < /tmp/hardcoded-ips.txt),
"findings": $(cat /tmp/secrets-found.txt | jq -Rs 'split("\n") | map(select(length > 0))')
}
EOF
npx claude-flow@alpha memory store \
--key "swarm/security/secrets" \
--value "$(cat /tmp/secrets-report.json)"
npx claude-flow@alpha hooks post-task --task-id "secrets-detection"
Validation Gate 4
SECRETS_COUNT=$(jq '.secrets_found' /tmp/secrets-report.json)
if [ "$SECRETS_COUNT" -gt 0 ]; then
echo "🚨 GATE FAILED: $SECRETS_COUNT potential secrets detected"
echo "Review findings in /tmp/secrets-found.txt"
exit 1
fi
Phase 5: OWASP Top 10 Compliance Check
Objective
Verify compliance with OWASP Top 10 security standards.
Security Manager Execution
npx claude-flow@alpha hooks pre-task --description "OWASP Top 10 compliance audit"
# OWASP Top 10 2021 Checklist
cat > /tmp/owasp-compliance.json << 'EOF'
{
"A01:2021-Broken_Access_Control": {
"checks": [
"Authorization checks on all endpoints",
"IDOR prevention",
"CORS properly configured",
"Directory listing disabled"
],
"status": "pending"
},
"A02:2021-Cryptographic_Failures": {
"checks": [
"No sensitive data in transit without TLS",
"Strong encryption algorithms (AES-256, SHA-256+)",
"Secure key management",
"No hardcoded secrets"
],
"status": "pending"
},
"A03:2021-Injection": {
"checks": [
"Parameterized queries for SQL",
"Input validation and sanitization",
"No eval() or dangerous functions",
"NoSQL injection prevention"
],
"status": "pending"
},
"A04:2021-Insecure_Design": {
"checks": [
"Threat modeling performed",
"Security requirements documented",
"Secure coding patterns used",
"Defense in depth implemented"
],
"status": "pending"
},
"A05:2021-Security_Misconfiguration": {
"checks": [
"Default credentials changed",
"Unnecessary features disabled",
"Security headers configured",
"Error messages don't leak info"
],
"status": "pending"
},
"A06:2021-Vulnerable_Components": {
"checks": [
"All dependencies up to date",
"No known CVEs in dependencies",
"SBOM maintained",
"Regular security scanning"
],
"status": "pending"
},
"A07:2021-Auth_AuthZ_Failures": {
"checks": [
"Strong password policy",
"MFA available",
"Session management secure",
"No credential stuffing vulnerability"
],
"status": "pending"
},
"A08:2021-Software_Data_Integrity": {
"checks": [
"CI/CD pipeline secured",
"Code signing implemented",
"Integrity verification",
"No untrusted deserialization"
],
"status": "pending"
},
"A09:2021-Logging_Monitoring_Failures": {
"checks": [
"Security events logged",
"Log aggregation configured",
"Alerting set up",
"Audit trails maintained"
],
"status": "pending"
},
"A10:2021-SSRF": {
"checks": [
"URL validation on user input",
"Network segmentation",
"Whitelist for external requests",
"No blind SSRF vulnerabilities"
],
"status": "pending"
}
}
EOF
# Automated compliance checks
# A01: Access Control
if grep -rq "req\.user\|req\.session" --include="*.js" .; then
if grep -rq "if.*\.role\|authorize\|checkPermission" --include="*.js" .; then
jq '.["A01:2021-Broken_Access_Control"].status = "pass"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
else
jq '.["A01:2021-Broken_Access_Control"].status = "fail"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
fi
fi
# A02: Cryptographic Failures (check from Phase 1 findings)
if [ ! -s /tmp/crypto-findings.txt ]; then
jq '.["A02:2021-Cryptographic_Failures"].status = "pass"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
else
jq '.["A02:2021-Cryptographic_Failures"].status = "fail"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
fi
# A03: Injection (check from Phase 1 findings)
if [ ! -s /tmp/sql-findings.txt ] && [ ! -s /tmp/xss-findings.txt ]; then
jq '.["A03:2021-Injection"].status = "pass"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
else
jq '.["A03:2021-Injection"].status = "fail"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
fi
# A05: Security Misconfiguration
if grep -rq "helmet\|cors" package.json; then
jq '.["A05:2021-Security_Misconfiguration"].status = "pass"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
fi
# A06: Vulnerable Components (from Phase 3)
if [ "$(jq '.critical | length' /tmp/dependency-summary.json)" -eq 0 ]; then
jq '.["A06:2021-Vulnerable_Components"].status = "pass"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
else
jq '.["A06:2021-Vulnerable_Components"].status = "fail"' /tmp/owasp-compliance.json > /tmp/owasp-temp.json
mv /tmp/owasp-temp.json /tmp/owasp-compliance.json
fi
# Generate compliance score
TOTAL_CHECKS=$(jq '[.[].status] | length' /tmp/owasp-compliance.json)
PASSED_CHECKS=$(jq '[.[].status | select(. == "pass")] | length' /tmp/owasp-compliance.json)
COMPLIANCE_SCORE=$(echo "scale=2; $PASSED_CHECKS / $TOTAL_CHECKS * 100" | bc)
jq ". + {compliance_score: $COMPLIANCE_SCORE, total_checks: $TOTAL_CHECKS, passed: $PASSED_CHECKS}" \
/tmp/owasp-compliance.json > /tmp/owasp-final.json
npx claude-flow@alpha memory store \
--key "swarm/security/owasp-compliance" \
--value "$(cat /tmp/owasp-final.json)"
npx claude-flow@alpha hooks post-task --task-id "owasp-compliance"
Validation Gate 5
COMPLIANCE_SCORE=$(jq '.compliance_score' /tmp/owasp-final.json)
if (( $(echo "$COMPLIANCE_SCORE < 70" | bc -l) )); then
echo "🚨 GATE FAILED: OWASP compliance score $COMPLIANCE_SCORE% (minimum 70%)"
exit 1
fi
echo "✅ OWASP Compliance: $COMPLIANCE_SCORE%"
Final Report Generation
# Consolidate all findings
cat > /tmp/security-audit-report.json << EOF
{
"timestamp": "$(date -Iseconds)",
"summary": {
"static_analysis": $(cat /tmp/*-findings.txt | wc -l),
"dynamic_vulnerabilities": $(jq 'length' /tmp/dynamic-findings.json 2>/dev/null || echo 0),
"dependency_cves": $(jq '.total' /tmp/dependency-summary.json 2>/dev/null || echo 0),
"secrets_exposed": $(jq '.secrets_found' /tmp/secrets-report.json 2>/dev/null || echo 0),
"owasp_compliance": $(jq '.compliance_score' /tmp/owasp-final.json 2>/dev/null || echo 0)
},
"details": {
"static_analysis": $(npx claude-flow@alpha memory retrieve --key "swarm/security/static-analysis"),
"dynamic_testing": $(npx claude-flow@alpha memory retrieve --key "swarm/security/dynamic-testing"),
"dependencies": $(npx claude-flow@alpha memory retrieve --key "swarm/security/dependencies"),
"secrets": $(npx claude-flow@alpha memory retrieve --key "swarm/security/secrets"),
"owasp": $(npx claude-flow@alpha memory retrieve --key "swarm/security/owasp-compliance")
},
"recommendations": []
}
EOF
# Generate markdown report
cat > /tmp/SECURITY-AUDIT-REPORT.md << 'EOF'
# Security Audit Report
**Generated:** $(date)
**Scan Duration:** [calculated from hooks]
## Executive Summary
| Metric | Count | Status |
|--------|-------|--------|
| Static Vulnerabilities | $(cat /tmp/*-findings.txt | wc -l) | $([ $(cat /tmp/*-findings.txt | wc -l) -eq 0 ] && echo "✅ PASS" || echo "⚠️ REVIEW") |
| Runtime Vulnerabilities | $(jq 'length' /tmp/dynamic-findings.json) | $([ $(jq 'length' /tmp/dynamic-findings.json) -eq 0 ] && echo "✅ PASS" || echo "🚨 FAIL") |
| Dependency CVEs | $(jq '.total' /tmp/dependency-summary.json) | $([ $(jq '.critical | length' /tmp/dependency-summary.json) -eq 0 ] && echo "✅ PASS" || echo "🚨 FAIL") |
| Exposed Secrets | $(jq '.secrets_found' /tmp/secrets-report.json) | $([ $(jq '.secrets_found' /tmp/secrets-report.json) -eq 0 ] && echo "✅ PASS" || echo "🚨 FAIL") |
| OWASP Compliance | $(jq '.compliance_score' /tmp/owasp-final.json)% | $([ $(echo "$(jq '.compliance_score' /tmp/owasp-final.json) >= 70" | bc) -eq 1 ] && echo "✅ PASS" || echo "🚨 FAIL") |
## Detailed Findings
### 1. Static Code Analysis
[Detailed findings from /tmp/*-findings.txt]
### 2. Dynamic Security Testing
[Detailed findings from /tmp/dynamic-findings.json]
### 3. Dependency Vulnerabilities
[Detailed findings from /tmp/dependency-summary.json]
### 4. Secrets Detection
[Detailed findings from /tmp/secrets-report.json]
### 5. OWASP Top 10 Compliance
[Detailed findings from /tmp/owasp-final.json]
## Recommendations
1. **Critical Priority:**
- Fix all critical runtime vulnerabilities immediately
- Remove exposed secrets from codebase
- Update dependencies with critical CVEs
2. **High Priority:**
- Address SQL injection vulnerabilities
- Implement missing authentication checks
- Configure security headers
3. **Medium Priority:**
- Improve OWASP compliance score
- Add rate limiting
- Enhance logging and monitoring
## Remediation Guide
[Specific code examples and fixes for each vulnerability type]
EOF
# Store final report
npx claude-flow@alpha memory store \
--key "swarm/security/final-report" \
--value "$(cat /tmp/security-audit-report.json)"
# End session
npx claude-flow@alpha hooks session-end --export-metrics true
echo "✅ Security audit complete. Report: /tmp/SECURITY-AUDIT-REPORT.md"
Usage Examples
Full Security Audit
npx claude-flow@alpha skill run when-auditing-security-use-security-analyzer
Specific Phase
npx claude-flow@alpha skill run when-auditing-security-use-security-analyzer --phase static-analysis
npx claude-flow@alpha skill run when-auditing-security-use-security-analyzer --phase secrets-detection
Custom Configuration
npx claude-flow@alpha skill run when-auditing-security-use-security-analyzer \
--config '{
"severity_threshold": "high",
"skip_phases": ["dynamic-testing"],
"frameworks": ["owasp", "cwe", "sans-25"]
}'
Memory Patterns
This skill uses hierarchical memory storage:
swarm/security/
├─ config # Scan configuration
├─ static-analysis # Phase 1 findings
├─ dynamic-testing # Phase 2 findings
├─ dependencies # Phase 3 findings
├─ secrets # Phase 4 findings
├─ owasp-compliance # Phase 5 findings
└─ final-report # Consolidated report
Real-World Examples
Example 1: SQL Injection Found
// ❌ VULNERABLE CODE DETECTED:
app.get('/user', (req, res) => {
const query = `SELECT * FROM users WHERE id = ${req.query.id}`;
db.query(query, (err, results) => {
res.json(results);
});
});
// ✅ RECOMMENDED FIX:
app.get('/user', (req, res) => {
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [req.query.id], (err, results) => {
if (err) return res.status(500).json({ error: 'Database error' });
res.json(results);
});
});
Example 2: Exposed API Key
// ❌ VULNERABLE CODE DETECTED:
const apiKey = 'EXAMPLE_REDACTED_NOT_REAL_KEY';
axios.get('https://api.stripe.com/v1/charges', {
headers: { 'Authorization': `Bearer ${apiKey}` }
});
// ✅ RECOMMENDED FIX:
const apiKey = process.env.STRIPE_SECRET_KEY;
if (!apiKey) throw new Error('STRIPE_SECRET_KEY not configured');
axios.get('https://api.stripe.com/v1/charges', {
headers: { 'Authorization': `Bearer ${apiKey}` }
});
Example 3: Missing Authorization
// ❌ VULNERABLE CODE DETECTED:
app.delete('/api/users/:id', (req, res) => {
User.findByIdAndDelete(req.params.id)
.then(() => res.json({ success: true }))
.catch(err => res.status(500).json({ error: err.message }));
});
// ✅ RECOMMENDED FIX:
app.delete('/api/users/:id', authenticate, authorize('admin'), (req, res) => {
// Verify user can only delete their own account or is admin
if (req.user.id !== req.params.id && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Forbidden' });
}
User.findByIdAndDelete(req.params.id)
.then(() => res.json({ success: true }))
.catch(err => res.status(500).json({ error: err.message }));
});
Performance Metrics
- Static Analysis: ~30-60 seconds for 10k LOC
- Dynamic Testing: ~2-5 minutes with server startup
- Dependency Audit: ~10-20 seconds
- Secrets Detection: ~15-30 seconds for 10k LOC
- OWASP Compliance: ~5-10 seconds
Total Duration: ~5-10 minutes for comprehensive audit
Integration with CI/CD
# .github/workflows/security-audit.yml
name: Security Audit
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- run: npm ci
- run: npx claude-flow@alpha skill run when-auditing-security-use-security-analyzer
- uses: actions/upload-artifact@v3
with:
name: security-report
path: /tmp/SECURITY-AUDIT-REPORT.md
Exit Codes
0- All checks passed1- Critical vulnerabilities found (hard stop)2- High-severity issues found (warning)3- Configuration error4- Scan incomplete
Support
For issues or questions about this skill:
- Check
/tmp/security-audit-report.jsonfor detailed diagnostics - Review memory at
swarm/security/*for intermediate results - Consult OWASP documentation for specific vulnerability types
Core Principles
1. Multi-Vector Analysis Finds What Single Tools Miss
No single security tool detects all vulnerabilities. Comprehensive security requires combining static analysis, dynamic testing, dependency auditing, secrets detection, and compliance checking.
In practice:
- Static analysis detects code-level issues (SQL injection, XSS patterns) but misses runtime behavior
- Dynamic testing finds authentication bypasses and business logic flaws missed by static scans
- Dependency audits catch known CVEs that code analysis cannot detect
- Secrets scanning prevents credential exposure that other tools ignore
- OWASP compliance validates holistic security posture across all vectors
2. Validation Gates Prevent False Security
Security tools produce findings, not fixes. Each phase must validate findings and block progression when critical issues exist.
In practice:
- Gate 1: Critical static vulnerabilities halt deployment (SQL injection, hardcoded secrets)
- Gate 2: Runtime authentication bypasses are hard stops (cannot ship exploitable auth)
- Gate 3: Critical dependency CVEs require immediate patching or risk acceptance
- Gate 4: Exposed secrets must be revoked and rotated before deployment
- Gate 5: <70% OWASP compliance fails deployment readiness
3. Automated Security Testing is Continuous, Not One-Time
Security degrades over time as code changes, dependencies update, and new vulnerabilities emerge. One-time audits create false confidence.
In practice:
- Security scans run on every commit via CI/CD pipeline
- Dependency audits run daily to catch newly disclosed CVEs
- Penetration testing happens quarterly, not just before launch
- Security metrics track trends (vulnerability counts over time, time-to-patch)
- Security is a CI/CD quality gate, not a pre-launch checklist
Anti-Patterns
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Skipping negative testing (only testing that allowed domains work) | Confirms allowlist but does not validate blocklist. Attackers exploit what you did not test. | Always test that untrusted domains are blocked. Negative testing validates security controls actually prevent attacks. |
| Treating findings as bugs, not security issues (low priority, backlog, ship first fix later) | Security vulnerabilities are not normal bugs. Exploits are public, attackers are active, time-to-exploit is hours not weeks. | Critical security findings block deployment. High severity findings require patching before release. Security is not negotiable. |
| Running scans without remediation (generating reports but not fixing issues) | Security theater. Reports provide false sense of security while vulnerabilities remain exploitable. | Every finding requires disposition: fix, mitigate, accept risk, or prove false positive. No findings without action. |
| Ignoring secrets in configuration files (environment variables in .env files committed to git) | .env files in version control expose secrets to anyone with repo access (including former employees, contractors, CI logs). | Use secret management systems (Vault, AWS Secrets Manager). Never commit secrets. Scan git history for leaked credentials. |
| *Whitelisting .com or overly broad wildcards (trusting all domains under TLD) | Wildcard patterns bypass security controls. *.com allows millions of untrusted domains including attacker-controlled sites. | Use specific domain allowlists. Wildcard only subdomains under your control (*.mycompany.com). Document justification for wildcards. |
| Deploying with known CVEs (ignoring npm audit warnings, deferring dependency updates) | Known vulnerabilities have public exploits. Attackers scan for vulnerable versions using automated tools. Easy targets. | Patch critical CVEs immediately (within 24 hours). High severity within 1 week. Automate dependency updates with Dependabot. |
Common Anti-Patterns
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Skipping negative testing (only testing that allowed domains work) | Confirms allowlist but does not validate blocklist. Attackers exploit what you did not test. | Always test that untrusted domains are blocked. Negative testing validates security controls actually prevent attacks. |
| Treating findings as bugs, not security issues (low priority, backlog, ship first fix later) | Security vulnerabilities are not normal bugs. Exploits are public, attackers are active, time-to-exploit is hours not weeks. | Critical security findings block deployment. High severity findings require patching before release. Security is not negotiable. |
| Running scans without remediation (generating reports but not fixing issues) | Security theater. Reports provide false sense of security while vulnerabilities remain exploitable. | Every finding requires disposition: fix, mitigate, accept risk, or prove false positive. No findings without action. |
Conclusion
Security auditing is not a single activity but a systematic process combining multiple detection techniques, validation gates, and continuous monitoring. The five-phase approach outlined in this skill provides comprehensive coverage across static code analysis, runtime behavior, dependency vulnerabilities, credential exposure, and compliance standards. Each phase addresses blind spots in other phases, creating defense in depth through detection.
The validation gates between phases serve a critical purpose: preventing false security. Security tools generate noise alongside signal - not every finding is exploitable, but every critical finding demands response. Gates force disposition of serious issues before proceeding, ensuring that security problems do not accumulate silently. The discipline of hard stops for critical vulnerabilities creates accountability and prevents security debt.
However, automated tools are necessary but insufficient. The ultimate test of security is adversarial: can a motivated attacker exploit your system? Automated scans detect known patterns; human attackers find creative combinations and business logic flaws. Complement automated audits with manual penetration testing, threat modeling, and red team exercises. Security is a continuous arms race - your security posture must evolve as quickly as attack techniques advance.