| name | audit-skill |
| description | Comprehensive audit capabilities for security, code quality, module structure, compliance, and performance analysis. Use this skill when performing security audits, code reviews, vulnerability assessments, module structure validation, or generating audit reports. |
| license | LGPL-3.0 |
| allowed-tools | bash, view, edit, create |
| metadata | [object Object] |
Audit Skill for Odoo InsightPulse
A comprehensive skill for performing multi-dimensional audits on Odoo codebases, including security vulnerabilities, code quality, module structure compliance, and performance analysis.
When to Use This Skill
Use this skill when you need to:
- Security Audits: Identify vulnerabilities, hardcoded credentials, weak authentication, exposed secrets
- Code Quality Reviews: Check coding standards, detect code smells, validate OCA compliance
- Module Structure Audits: Verify module manifests, dependencies, and Odoo best practices
- Compliance Checks: Validate LGPL-3.0 licensing, GDPR requirements, data privacy
- Performance Analysis: Identify N+1 queries, missing indexes, inefficient algorithms
- Dependency Audits: Check for outdated packages, security vulnerabilities in dependencies
- Configuration Audits: Validate production readiness, environment configurations
- Database Audits: Check filesystem vs database module state, orphaned records
Core Capabilities
1. Security Audits
Critical Vulnerability Detection:
- Hardcoded credentials (passwords, API keys, tokens)
- Exposed database credentials
- Weak encryption implementations
- Missing authentication/authorization
- SQL injection vulnerabilities
- XSS (Cross-Site Scripting) risks
- CSRF token validation
- Insecure file uploads
- Path traversal vulnerabilities
Secret Detection Patterns:
# Hardcoded passwords
admin_passwd = "password123"
db_password = "secret"
# API keys in code
OPENAI_API_KEY = "sk-..."
GITHUB_TOKEN = "ghp_..."
# Base64 encoded secrets
SECRET = "YWRtaW46cGFzc3dvcmQ="
Security Best Practices:
- Environment variable usage
- Secret rotation policies
- Encryption at rest and in transit
- Principle of least privilege
- Row-level security (RLS) policies
- Audit trail logging
2. Code Quality Audits
OCA Compliance Checks:
- Module structure validation
- Manifest (
__manifest__.py) completeness - Security rules (
ir.model.access.csv) - Model naming conventions
- View structure and inheritance
- Python code style (PEP 8)
- Docstring completeness
Code Smell Detection:
- Duplicate code blocks
- Long methods (>50 lines)
- Deep nesting (>4 levels)
- God classes (>500 lines)
- Unused imports and variables
- Magic numbers
- Missing error handling
- Poor naming conventions
Anti-Patterns:
# Anti-pattern: Direct SQL queries
self.env.cr.execute("SELECT * FROM users")
# Better: Use ORM
self.env['res.users'].search([])
# Anti-pattern: No error handling
result = external_api_call()
# Better: Proper exception handling
try:
result = external_api_call()
except Exception as e:
_logger.error(f"API call failed: {e}")
raise UserError(_("External service unavailable"))
3. Module Structure Audits
Required Files Check:
__manifest__.py(required)__init__.py(required)README.md(recommended)security/ir.model.access.csv(if has models)views/directory (if has UI)models/directory (if has models)data/directory (if has data files)tests/directory (recommended)
Manifest Validation:
# Required keys
{
'name': 'Module Name',
'version': '19.0.1.0.0',
'category': 'Category',
'summary': 'Short description',
'description': 'Long description',
'author': 'Author Name',
'website': 'https://...',
'license': 'LGPL-3',
'depends': ['base', 'mail'],
'data': [
'security/ir.model.access.csv',
'views/menu.xml',
],
'installable': True,
'application': False,
'auto_install': False,
}
Dependency Validation:
- Circular dependency detection
- Missing dependency declarations
- Unused dependencies
- Version compatibility
4. Database Audits
Module State Verification:
- Filesystem modules vs database records
- Installed vs uninstalled modules
- Modules requiring upgrade
- Orphaned database records
- Missing security rules
Performance Analysis:
- Missing database indexes
- Inefficient queries
- N+1 query patterns
- Large table scans
- Slow view computations
5. Configuration Audits
Production Readiness:
- Environment variables properly set
- Debug mode disabled
- Secure admin password
- Database connection pooling
- Resource limits configured
- Backup strategy in place
- Monitoring enabled
- Log rotation configured
Docker Configuration:
- Multi-stage builds
- Non-root user
- Health checks
- Resource limits
- Volume mounts
- Network isolation
6. Compliance Audits
LGPL-3.0 License:
- License file present
- License headers in files
- Third-party notices
- No proprietary dependencies
GDPR Compliance:
- Personal data identification
- Data retention policies
- Right to erasure implementation
- Consent management
- Data portability
- Privacy policy
Audit Execution Workflow
Step 1: Initialize Audit
# Set audit context
AUDIT_TYPE="security" # or: code-quality, module-structure, performance
AUDIT_SCOPE="full" # or: module-name, directory-path
AUDIT_OUTPUT="json" # or: markdown, csv
Step 2: Run Automated Checks
# Security audit
./scripts/audit-security.sh --scope "$AUDIT_SCOPE" --output "$AUDIT_OUTPUT"
# Module structure audit
./scripts/audit-modules.sh odoo_db --output table
# Code quality audit
flake8 addons/ --config .flake8
pylint addons/ --rcfile .pylintrc-mandatory
Step 3: Manual Review
- Review flagged files
- Validate findings
- Assess severity (Critical, High, Medium, Low)
- Calculate CVSS scores
- Document remediation steps
Step 4: Generate Report
Report Structure:
- Executive Summary
- Overall Risk Score
- Critical Vulnerabilities
- High Priority Issues
- Medium Priority Issues
- Low Priority Issues
- Recommendations
- Remediation Timeline
Step 5: Track Remediation
- Create issues for each finding
- Assign severity and priority
- Set remediation deadlines
- Track progress
- Re-audit after fixes
Audit Report Template
# Security Audit Report
**Project**: InsightPulse Odoo
**Date**: YYYY-MM-DD
**Auditor**: Agent Name
**Scope**: Full codebase / Specific module
## Executive Summary
Overall Risk Score: X.X/10 (Critical/High/Medium/Low)
- Critical: X vulnerabilities
- High: X vulnerabilities
- Medium: X vulnerabilities
- Low: X vulnerabilities
## Critical Vulnerabilities
### 1. Hardcoded Credentials
**Location**: `/path/to/file.py:line`
**Risk**: CVSS 9.8 (Critical)
**Description**: Admin password exposed in configuration
**Remediation**:
- Use environment variables
- Rotate credentials immediately
- Implement secret management
## Recommendations
1. Immediate actions (Critical/High)
2. Short-term improvements (Medium)
3. Long-term enhancements (Low)
## Compliance Status
- [x] LGPL-3.0 License
- [ ] GDPR Compliance
- [x] Security Best Practices
- [ ] Code Quality Standards
Integration with Existing Tools
Security Scanners
# Bandit - Python security linter
bandit -r addons/ -f json -o security-audit.json
# Safety - Dependency vulnerability scanner
safety check --json
# Semgrep - Static analysis
semgrep --config=auto addons/
Code Quality Tools
# Flake8 - Style guide enforcement
flake8 addons/ --max-line-length=88 --extend-ignore=E203
# Pylint - Code quality checker
pylint addons/ --output-format=json
# Black - Code formatter (check only)
black addons/ --check
Odoo-Specific Tools
# OCA maintainer tools
oca-autopep8 -ri addons/
oca-isort -rc addons/
# Odoo module analyzer
./scripts/audit-modules.sh odoo_db --output json
Best Practices
Security
- Never commit secrets: Use
.envfiles with.gitignore - Rotate credentials: After any exposure or quarterly
- Least privilege: Grant minimum necessary permissions
- Encrypt sensitive data: At rest and in transit
- Audit trails: Log all security-relevant actions
- Regular scans: Automated security checks in CI/CD
Code Quality
- Follow OCA guidelines: Module structure and naming
- Write tests: Minimum 80% coverage for new code
- Document code: Clear docstrings for all public methods
- Handle errors: Proper exception handling with logging
- Avoid anti-patterns: No direct SQL, use ORM
- Keep it DRY: Don't repeat yourself
Performance
- Add indexes: On frequently queried fields
- Optimize queries: Avoid N+1 patterns
- Use computed fields: With proper
store=True - Cache when possible: For expensive operations
- Profile bottlenecks: Use Odoo profiler
- Monitor resources: CPU, memory, database connections
Common Issues and Solutions
Issue: Hardcoded Credentials
Detection:
grep -r "password\s*=\s*['\"]" addons/ --include="*.py"
Solution:
# Bad
db_password = "mysecret"
# Good
import os
db_password = os.environ.get('DB_PASSWORD')
Issue: Missing Security Rules
Detection:
# Check for models without access rules
models_with_no_access = []
for model in self.env['ir.model'].search([]):
access_count = self.env['ir.model.access'].search_count([
('model_id', '=', model.id)
])
if access_count == 0:
models_with_no_access.append(model.model)
Solution:
Create security/ir.model.access.csv:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_my_model_user,my.model.user,model_my_model,base.group_user,1,0,0,0
access_my_model_manager,my.model.manager,model_my_model,base.group_system,1,1,1,1
Issue: N+1 Query Pattern
Detection:
# Bad - N+1 queries
for order in orders:
print(order.partner_id.name) # Separate query for each order
Solution:
# Good - Single query with prefetch
orders = self.env['sale.order'].search([]).with_prefetch(['partner_id'])
for order in orders:
print(order.partner_id.name)
Issue: Missing Database Indexes
Detection:
# Analyze slow queries in PostgreSQL logs
grep "duration:" /var/log/postgresql/postgresql.log | sort -t: -k2 -n | tail -20
Solution:
class MyModel(models.Model):
_name = 'my.model'
reference = fields.Char(string='Reference', index=True) # Add index
date = fields.Date(string='Date', index=True)
Severity Classification
Critical (9.0-10.0 CVSS)
- Remote code execution
- Authentication bypass
- Exposed credentials
- Data breach potential
High (7.0-8.9 CVSS)
- SQL injection
- XSS vulnerabilities
- Privilege escalation
- Missing authentication
Medium (4.0-6.9 CVSS)
- Information disclosure
- CSRF vulnerabilities
- Insecure configurations
- Missing input validation
Low (0.1-3.9 CVSS)
- Code quality issues
- Missing documentation
- Performance concerns
- Minor security hardening
Quick Reference
Run Security Audit
cd /home/runner/work/insightpulse-odoo/insightpulse-odoo
grep -r "password\s*=\s*['\"]" . --include="*.py" --include="*.conf"
bandit -r addons/ -ll
safety check
Run Module Audit
./scripts/audit-modules.sh odoo_db --output table
Run Code Quality Audit
flake8 addons/ --config .flake8
pylint addons/ --rcfile .pylintrc-mandatory
Generate Full Report
./scripts/comprehensive-audit.sh --output-dir ./audit-reports
Related Documentation
Skill Maintenance
This skill should be updated when:
- New vulnerability patterns are discovered
- OCA guidelines change
- Odoo version upgrades (new APIs, deprecated features)
- New audit tools become available
- Compliance requirements evolve
Version: 1.0.0 Last Updated: 2025-11-01 Maintainer: InsightPulse Team