# Code Security Audit Skill

**GitHub**: [3stonebrother/code-audit](https://github.com/3stonebrother/code-audit) | **Gitea**: [mc-skills/3stonebrother--code-audit](http://192.168.0.109:3000/mc-skills/3stonebrother--code-audit)

## Summary

A professional white-box code security audit tool that supports 9 languages, 14 frameworks, and detection of 55+ vulnerability types. It offers quick, standard, and deep scan modes, provides multi-agent parallel analysis and attack chain construction, and is suited to CI/CD integration, penetration testing, and security compliance scenarios.

## Tags

`security audit` `vulnerability detection` `static analysis` `white-box testing` `Claude Code`

---

## Original README

# Code Audit Skill for Claude Code

> Professional white-box code security audit skill with 55+ vulnerability types, dual-track audit model, and multi-agent deep analysis.

[Chinese documentation](README_CN.md)

## Overview

Code Audit is a professional security audit skill for [Claude Code](https://docs.anthropic.com/en/docs/claude-code). It performs static white-box analysis to systematically discover and verify security vulnerabilities in source code.

### Key Features

- **9 Languages**: Java, Python, Go, PHP, JavaScript/Node.js, C/C++, .NET/C#, Ruby, Rust
- **14 Frameworks**: Spring Boot, Django, Flask, FastAPI, Express, Koa, Gin, Laravel, Rails, ASP.NET Core, Rust Web, NestJS/Fastify, MyBatis
- **55+ Vulnerability Types**: SQL injection, RCE, deserialization, SSRF, SSTI, XXE, IDOR, race conditions, business logic flaws, and more
- **143 Mandatory Detection Items**: Language-specific checklists across 10 security dimensions (D1-D10)
- **Dual-Track Audit Model**: Sink-driven for injection/RCE + Control-driven for authorization/business logic
- **Multi-Agent Deep Analysis**: Parallel agent execution for large codebases (874+ Java files in ~15 min)
- **WooYun Case Library**: 88,636 real-world vulnerability cases (2010-2016) for pattern reference
- **Attack Chain Construction**: Automatic chaining of findings into exploitable attack paths

## Installation

```bash
# Copy a local checkout into the Claude Code skills directory
cp -r code-audit ~/.claude/skills/

# Or clone from the repository
cd ~/.claude/skills
git clone https://github.com/3stonebrother/code-audit code-audit
```

The skill activates automatically when you request security audits in Claude Code.

## Usage

### Trigger Phrases

```
"Audit this project"
"Check code security"
"Find security vulnerabilities"
"/audit" or "/code-audit"
```

### Scan Modes

| Mode | Use Case | Scope |
|------|----------|-------|
| **Quick** | CI/CD, small projects | High-risk vulns, secrets, dependency CVEs |
| **Standard** | Regular audits | OWASP Top 10, auth, crypto, 1-2 rounds |
| **Deep** | Critical projects, pentests | Full coverage, attack chains, business logic, 2-3 rounds |

### Example

```
User: /code-audit deep /path/to/project

Claude: [MODE] deep
        [RECON] 874 files, Spring Boot 1.5 + Shiro 1.6 + JPA + Freemarker
        [PLAN] 5 Agents, D1-D10 coverage, estimated 125 turns
        ... (user confirms) ...
        [REPORT] 10 Critical, 14 High, 12 Medium, 4 Low
```

## Architecture

### Dual-Track Audit Model

Different vulnerability types require fundamentally different detection strategies:

| Track | Dimensions | Method | What It Finds |
|-------|-----------|--------|---------------|
| **Sink-driven** | D1 (Injection), D4 (Deserialization), D5 (File Ops), D6 (SSRF) | Grep dangerous patterns -> trace data flow -> verify no defense | Dangerous code that exists |
| **Control-driven** | D3 (Authorization), D9 (Business Logic) | Enumerate endpoints -> verify security controls exist -> missing = vuln | Security controls that are **absent** |
| **Config-driven** | D2 (Auth), D7 (Crypto), D8 (Config), D10 (Supply Chain) | Search configs -> compare against baseline | Misconfigurations |

### 10 Security Dimensions

| # | Dimension | Coverage |
|---|-----------|----------|
| D1 | Injection | SQL/Cmd/LDAP/SSTI/SpEL/JNDI |
| D2 | Authentication | Token/Session/JWT/Filter chain |
| D3 | Authorization | CRUD permission consistency, IDOR |
| D4 | Deserialization | Java/Python/PHP gadget chains |
| D5 | File Operations | Upload/download/path traversal |
| D6 | SSRF | URL injection, protocol restriction |
| D7 | Cryptography | Key management, cipher modes, KDF |
| D8 | Configuration | Actuator, CORS, error exposure |
| D9 | Business Logic | Race conditions, mass assignment, state machine, multi-tenant |
| D10 | Supply Chain | Dependency CVEs, version checks |

### Multi-Agent Workflow

```
Phase 1: Reconnaissance
  -> Tech stack identification
  -> Attack surface mapping (5-layer deduction)
  -> Endpoint-Permission Matrix generation
  -> Agent allocation

Phase 2: Parallel Agent Execution (R1)
  -> Agent 1: Injection (D1) [sink-driven]
  -> Agent 2: Auth + AuthZ + Business Logic (D2+D3+D9) [control-driven]
  -> Agent 3: File + SSRF (D5+D6) [sink-driven]
  -> Agent 4: Deserialization (D4) [sink-driven]
  -> Agent 5: Config + Crypto + Supply Chain (D7+D8+D10) [config-driven]

Phase 3: Coverage Evaluation
  -> Per-track coverage metrics (fanout rate / endpoint audit rate)
  -> Gap identification
  -> R2 supplemental agents if needed

Phase 4: Report Generation
  -> Severity calibration (decision tree)
  -> Cross-agent deduplication
  -> Attack chain construction
```

## File Structure

```
code-audit/
├── SKILL.md                          # Skill entry point (frontmatter + execution controller)
├── agent.md                          # Agent workflow (state machine + dual-track model)
├── README.md                         # Documentation (English)
├── README_CN.md                      # Documentation (Chinese)
└── references/
    ├── core/ (16)                    # Core methodology
    │   ├── phase2_deep_methodology.md  # Dual-track audit methodology
    │   ├── taint_analysis.md           # Data flow tracking
    │   ├── anti_hallucination.md       # False positive prevention
    │   └── ...
    ├── checklists/ (11)              # D1-D10 coverage matrix + 9 language checklists
    ├── languages/ (18)               # Language vulnerability patterns
    ├── security/ (21)                # Security domain modules
    ├── frameworks/ (14)              # Framework-specific modules
    ├── adapters/ (5)                 # Language adapters (YAML)
    ├── wooyun/ (9)                   # WooYun real-world case library
    ├── cases/ (1)                    # Real vulnerability cases
    └── reporting/ (1)                # Report templates
```

## Anti-Hallucination

Every finding must be based on actual code read via tools:

- File paths must be verified with Glob/Read before reporting
- Code snippets must come from actual Read tool output
- No guessing based on "typical project structure"
- **Core principle: Better to miss a vulnerability than report a false positive**

## Supported Technologies

### Languages

Java, Python, Go, PHP, JavaScript/TypeScript, C/C++, C#/.NET, Ruby, Rust

### Frameworks

Spring Boot, Django, Flask, FastAPI, Express, Koa, Gin, Laravel, Rails, ASP.NET Core, NestJS, Fastify, Rust Web (Actix/Axum)

### Security Domains

API Security, LLM/AI Security, Serverless, Cryptography, Race Conditions, OAuth/OIDC/SAML, WebSocket/gRPC, HTTP Smuggling, Supply Chain/CI-CD

## Contributing

Contributions welcome! To add support for a new language or framework:

1. Create `references/languages/{language}.md` or `references/frameworks/{framework}.md`
2. Follow existing module format (key questions per D1-D10 dimension)
3. Include: dangerous functions, detection patterns, vulnerability examples, secure alternatives
4. Update `agent.md` tech stack routing table if needed

## References

- [Code Audit Skill Explained (Part 1)](https://mp.weixin.qq.com/s/K5yJ9nPUzwpBV5rMPPKfCg)
- [Code Audit Skill Explained (Part 2)](https://mp.weixin.qq.com/s/yTPehTfk1ufv3RXq6gh1mA)

## Community

Join our WeChat group for discussion and support.

## License

MIT License

## Disclaimer

This skill is intended for **authorized security testing** only. Users must:

- Have legal authorization to audit the target code
- Responsibly disclose discovered vulnerabilities
- Comply with applicable laws and ethical guidelines

Unauthorized security testing of systems you do not own may be illegal.
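
To illustrate the Dual-Track Audit Model described under Architecture, the following is an added example, not code from the Code Audit skill itself. It runs a sink-driven check and a control-driven check over a constructed Flask-style snippet; the control name `login_required` and the "non-constant SQL argument" test standing in for full data-flow tracing are assumptions.

```python
import ast

# Constructed sample application source (not from any real project).
SAMPLE = '''
@app.route("/orders/<oid>")
@login_required
def get_order(oid):
    cur.execute("SELECT * FROM orders WHERE id = %s", (oid,))

@app.route("/orders/<oid>/delete", methods=["POST"])
def delete_order(oid):
    cur.execute("DELETE FROM orders WHERE id = %s", (oid,))

@app.route("/search")
@login_required
def search():
    q = request.args["q"]
    cur.execute(f"SELECT * FROM items WHERE name LIKE '%{q}%'")
'''

def _name(node):
    """Return the trailing identifier of a decorator or call target."""
    if isinstance(node, ast.Call):
        node = node.func
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", "")

def sink_track(tree):
    """Sink-driven: locate execute() sinks whose SQL text is built dynamically."""
    hits = []
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            # Simplification: a non-literal first argument stands in for taint tracing.
            if _name(call) == "execute" and call.args and \
               not isinstance(call.args[0], ast.Constant):
                hits.append((fn.name, call.lineno))
    return hits

def control_track(tree, required="login_required"):
    """Control-driven: enumerate routes and report those missing the control."""
    missing = []
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        decorators = [_name(d) for d in fn.decorator_list]
        if "route" in decorators and required not in decorators:
            missing.append(fn.name)
    return missing

TREE = ast.parse(SAMPLE)
print("sink-driven:", sink_track(TREE), "| control-driven:", control_track(TREE))
```

`delete_order` uses a parameterized query, so a sink search never flags it; only enumerating endpoints and checking for the control reveals the missing authorization.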