# Code Security Audit Skill
**GitHub**: [3stonebrother/code-audit](https://github.com/3stonebrother/code-audit) | **Gitea**: [mc-skills/3stonebrother--code-audit](http://192.168.0.109:3000/mc-skills/3stonebrother--code-audit)
## Summary
A professional white-box code security audit tool supporting 9 languages, 14 frameworks and 55+ vulnerability types. It offers three scan modes (quick, standard and deep), multi-agent parallel analysis and attack chain construction, and is suited to CI/CD integration, penetration testing and security compliance work.
## Tags
`security audit` `vulnerability detection` `static analysis` `white-box testing` `Claude Code`
---
## Original README
# Code Audit Skill for Claude Code
> Professional white-box code security audit skill with 55+ vulnerability types, dual-track audit model, and multi-agent deep analysis.
[Chinese documentation](README_CN.md)
## Overview
Code Audit is a professional security audit skill for [Claude Code](https://docs.anthropic.com/en/docs/claude-code). It performs static white-box analysis to systematically discover and verify security vulnerabilities in source code.
### Key Features
- **9 Languages**: Java, Python, Go, PHP, JavaScript/Node.js, C/C++, .NET/C#, Ruby, Rust
- **14 Frameworks**: Spring Boot, Django, Flask, FastAPI, Express, Koa, Gin, Laravel, Rails, ASP.NET Core, Rust Web, NestJS/Fastify, MyBatis
- **55+ Vulnerability Types**: SQL injection, RCE, deserialization, SSRF, SSTI, XXE, IDOR, race conditions, business logic flaws, and more
- **143 Mandatory Detection Items**: Language-specific checklists across 10 security dimensions (D1-D10)
- **Dual-Track Audit Model**: Sink-driven for injection/RCE + Control-driven for authorization/business logic
- **Multi-Agent Deep Analysis**: Parallel agent execution for large codebases (874+ Java files in ~15 min)
- **WooYun Case Library**: 88,636 real-world vulnerability cases (2010-2016) for pattern reference
- **Attack Chain Construction**: Automatic chaining of findings into exploitable attack paths
## Installation
```bash
# Copy into the Claude Code skills directory
cp -r code-audit ~/.claude/skills/
# Or clone from the repository
cd ~/.claude/skills
git clone <repository-url> code-audit
```
The skill activates automatically when you request security audits in Claude Code.
## Usage
### Trigger Phrases
```
"Audit this project"
"Check code security"
"Find security vulnerabilities"
"/audit" or "/code-audit"
```
### Scan Modes
| Mode | Use Case | Scope |
|------|----------|-------|
| **Quick** | CI/CD, small projects | High-risk vulns, secrets, dependency CVEs |
| **Standard** | Regular audits | OWASP Top 10, auth, crypto, 1-2 rounds |
| **Deep** | Critical projects, pentests | Full coverage, attack chains, business logic, 2-3 rounds |
### Example
```
User: /code-audit deep /path/to/project
Claude: [MODE] deep
[RECON] 874 files, Spring Boot 1.5 + Shiro 1.6 + JPA + Freemarker
[PLAN] 5 Agents, D1-D10 coverage, estimated 125 turns
... (user confirms) ...
[REPORT] 10 Critical, 14 High, 12 Medium, 4 Low
```
## Architecture
### Dual-Track Audit Model
Different vulnerability types require fundamentally different detection strategies:
| Track | Dimensions | Method | What It Finds |
|-------|-----------|--------|---------------|
| **Sink-driven** | D1 (Injection), D4 (Deserialization), D5 (File Ops), D6 (SSRF) | Grep dangerous patterns -> trace data flow -> verify no defense | Dangerous code that exists |
| **Control-driven** | D3 (Authorization), D9 (Business Logic) | Enumerate endpoints -> verify security controls exist -> missing = vuln | Security controls that are **absent** |
| **Config-driven** | D2 (Auth), D7 (Crypto), D8 (Config), D10 (Supply Chain) | Search configs -> compare against baseline | Misconfigurations |
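The two code-facing tracks differ in what "evidence" looks like: the sink-driven track needs a dangerous call that request data actually reaches, while the control-driven track needs an endpoint on which an expected control is simply absent. The following is an added illustration written for this page, not the skill's own code or one of its checklists. It runs Python's `ast` module over a constructed Flask-style source string; the sink list, the `login_required`/`roles_required` control names and the `PUBLIC_PATHS` allowlist (standing in for the Endpoint-Permission Matrix) are assumptions chosen for the sample.

```python
"""Toy dual-track checker over a constructed Flask-style source string.

Track 1 (sink-driven): find dangerous sinks, trace request data to them, and
treat a parameterized query as the defense that clears the finding.
Track 2 (control-driven): enumerate routed endpoints and flag any that carries
no authorization decorator and is not on the documented public surface.
"""
import ast
from dataclasses import dataclass

# Constructed sample code, not taken from any real project.
SAMPLE_SOURCE = '''
from flask import request, jsonify

@app.route("/users/<int:uid>")
@login_required
def get_user(uid):
    row = db.execute("SELECT * FROM users WHERE id = %s", (uid,))
    return jsonify(row)

@app.route("/search")
def search():
    q = request.args.get("q")
    rows = db.execute("SELECT * FROM users WHERE name LIKE '%" + q + "%'")
    return jsonify(rows)

@app.route("/admin/export")
def export_all():
    return jsonify(db.execute("SELECT * FROM users"))
'''

SINKS = {"execute", "executemany", "system", "popen", "eval"}  # assumed sink list
SOURCES = {"request"}                             # names the attacker controls
CONTROLS = {"login_required", "roles_required"}   # assumed control decorators
PUBLIC_PATHS = {"/search"}                        # assumed documented public surface


@dataclass(frozen=True)
class Finding:
    track: str
    function: str
    line: int
    detail: str


def _route_path(func):
    """Return the path from an @app.route("...") decorator, or None."""
    for dec in func.decorator_list:
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr == "route" and dec.args
                and isinstance(dec.args[0], ast.Constant)):
            return dec.args[0].value
    return None


def _decorator_names(func):
    names = set()
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        names.add(getattr(target, "attr", None) or getattr(target, "id", None))
    return names


def _mentions(node, names):
    """True if any Name whose id is in `names` occurs inside `node`."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(node))


def _callee(call):
    return getattr(call.func, "attr", None) or getattr(call.func, "id", None)


def sink_driven(tree):
    """Grep dangerous patterns -> trace data flow -> verify no defense."""
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set(SOURCES)
        # Propagate taint through straight-line assignments, in source order.
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _mentions(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        for call in (n for n in ast.walk(func) if isinstance(n, ast.Call)):
            if _callee(call) not in SINKS or not call.args:
                continue
            query = call.args[0]
            # Defense: constant query plus a separate params argument is parameterized.
            if isinstance(query, ast.Constant) and len(call.args) > 1:
                continue
            if _mentions(query, tainted):
                findings.append(Finding("sink", func.name, call.lineno,
                                        f"request data reaches {_callee(call)}()"))
    return findings


def control_driven(tree):
    """Enumerate endpoints -> verify a control exists -> missing = finding."""
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        path = _route_path(func)
        if path is None or path in PUBLIC_PATHS:
            continue
        if not _decorator_names(func) & CONTROLS:
            findings.append(Finding("control", func.name, func.lineno,
                                    f"endpoint {path} has no authorization control"))
    return findings


def audit(source):
    tree = ast.parse(source)
    return sink_driven(tree) + control_driven(tree)


if __name__ == "__main__":
    for f in audit(SAMPLE_SOURCE):
        print(f"[{f.track}] {f.function}:{f.line} {f.detail}")
```

Note what each track does and does not catch on the sample: `get_user` is cleared by both tracks (parameterized query, control present), `search` is a sink finding only because it is on the public allowlist, and `export_all` has no dangerous call at all, so only the control-driven track can see it. A real taint pass would also need to follow calls, loops and branches; the straight-line propagation here is the minimum that shows the idea.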
### 10 Security Dimensions
| # | Dimension | Coverage |
|---|-----------|----------|
| D1 | Injection | SQL/Cmd/LDAP/SSTI/SpEL/JNDI |
| D2 | Authentication | Token/Session/JWT/Filter chain |
| D3 | Authorization | CRUD permission consistency, IDOR |
| D4 | Deserialization | Java/Python/PHP gadget chains |
| D5 | File Operations | Upload/download/path traversal |
| D6 | SSRF | URL injection, protocol restriction |
| D7 | Cryptography | Key management, cipher modes, KDF |
| D8 | Configuration | Actuator, CORS, error exposure |
| D9 | Business Logic | Race conditions, mass assignment, state machine, multi-tenant |
| D10 | Supply Chain | Dependency CVEs, version checks |
### Multi-Agent Workflow
```
Phase 1: Reconnaissance
-> Tech stack identification
-> Attack surface mapping (5-layer deduction)
-> Endpoint-Permission Matrix generation
-> Agent allocation
Phase 2: Parallel Agent Execution (R1)
-> Agent 1: Injection (D1) [sink-driven]
-> Agent 2: Auth + AuthZ + Business Logic (D2+D3+D9) [control-driven]
-> Agent 3: File + SSRF (D5+D6) [sink-driven]
-> Agent 4: Deserialization (D4) [sink-driven]
-> Agent 5: Config + Crypto + Supply Chain (D7+D8+D10) [config-driven]
Phase 3: Coverage Evaluation
-> Per-track coverage metrics (fanout rate / endpoint audit rate)
-> Gap identification -> R2 supplemental agents if needed
Phase 4: Report Generation
-> Severity calibration (decision tree)
-> Cross-agent deduplication
-> Attack chain construction
```
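Phase 4's attack chain step needs a model of how one finding enables the next. One way to do that, added here as an example and not the skill's own implementation, is to give every finding a set of capabilities it requires and a set it grants, then search forward from the attacker's starting position until a goal capability is reached. The findings, capability names and severity ranks below are constructed for the example and labelled as such; the pruning rule (every link's grant must be consumed by a later link or by the goal) is an assumption that keeps irrelevant findings, such as verbose error pages, out of the chain.

```python
"""Capability-based attack chain construction over a set of audit findings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    requires: frozenset  # capabilities the attacker must already hold
    grants: frozenset    # capabilities gained by exploiting the finding


SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed findings, not the output of a real audit.
FINDINGS = [
    Finding("F1", "Medium", frozenset({"network"}), frozenset({"valid_session"})),          # weak self-registration
    Finding("F2", "High", frozenset({"valid_session"}), frozenset({"admin_session"})),       # IDOR on role update
    Finding("F3", "Critical", frozenset({"admin_session"}), frozenset({"rce"})),             # SSTI in admin-only report
    Finding("F4", "Low", frozenset({"network"}), frozenset({"stack_trace"})),                # verbose error pages
    Finding("F5", "High", frozenset({"network", "internal_net"}), frozenset({"rce"})),      # deserialization on an internal port
]


def _every_link_used(path, by_id, goal):
    """Drop chains containing a link whose grants nobody later in the chain needs."""
    for i, fid in enumerate(path):
        later_needs = set().union(*(by_id[j].requires for j in path[i + 1:])) | {goal}
        if not by_id[fid].grants & later_needs:
            return False
    return True


def build_chains(findings, start, goal):
    """Return all minimal chains (tuples of finding ids) from `start` to `goal`."""
    by_id = {f.id: f for f in findings}
    chains = []

    def walk(caps, path):
        if goal in caps:
            if _every_link_used(path, by_id, goal):
                chains.append(tuple(path))
            return
        for f in findings:
            # Skip links already used, not yet exploitable, or granting nothing new.
            if f.id in path or not f.requires <= caps or f.grants <= caps:
                continue
            walk(caps | f.grants, path + [f.id])  # caps strictly grow, so this terminates

    walk(frozenset(start), [])
    return sorted(chains, key=len)


def chain_severity(chain, findings):
    """Severity of the whole chain: the highest-ranked link in it."""
    by_id = {f.id: f for f in findings}
    return max((by_id[c].severity for c in chain), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for chain in build_chains(FINDINGS, {"network"}, "rce"):
        print(" -> ".join(chain), chain_severity(chain, FINDINGS))
```

From an external starting position the only chain is F1 -> F2 -> F3: F4 is pruned because nothing consumes `stack_trace`, and F5 never becomes exploitable because `internal_net` is never granted. Re-running with `{"network", "internal_net"}` as the start makes the single-step F5 chain appear first, which is the kind of result the report should show as a separate path rather than folding into the longer one.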
## File Structure
```
code-audit/
├── SKILL.md                 # Skill entry point (frontmatter + execution controller)
├── agent.md                 # Agent workflow (state machine + dual-track model)
├── README.md                # Documentation (English)
├── README_CN.md             # Documentation (Chinese)
└── references/
    ├── core/ (16)           # Core methodology
    │   ├── phase2_deep_methodology.md   # Dual-track audit methodology
    │   ├── taint_analysis.md            # Data flow tracking
    │   ├── anti_hallucination.md        # False positive prevention
    │   └── ...
    ├── checklists/ (11)     # D1-D10 coverage matrix + 9 language checklists
    ├── languages/ (18)      # Language vulnerability patterns
    ├── security/ (21)       # Security domain modules
    ├── frameworks/ (14)     # Framework-specific modules
    ├── adapters/ (5)        # Language adapters (YAML)
    ├── wooyun/ (9)          # WooYun real-world case library
    ├── cases/ (1)           # Real vulnerability cases
    └── reporting/ (1)       # Report templates
```
## Anti-Hallucination
Every finding must be based on actual code read via tools:
- File paths must be verified with Glob/Read before reporting
- Code snippets must come from actual Read tool output
- No guessing based on "typical project structure"
- **Core principle: Better to miss a vulnerability than report a false positive**
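The rules above can be enforced mechanically before a finding reaches the report: the claimed path must resolve inside the project, the file must exist, the claimed line must exist, and the quoted snippet must actually be on that line. The following validator is an added example for this page, not part of the skill; it builds a small constructed project in a temporary directory and triages four findings, three of which fail verification for a different reason each. The `Finding` shape (path, line, snippet, title) is an assumption about how a finding would be recorded.

```python
"""Verify that each reported finding is backed by real file content."""
from dataclasses import dataclass
from pathlib import Path
import tempfile


@dataclass(frozen=True)
class Finding:
    path: str      # relative to the project root
    line: int      # 1-based line the finding claims
    snippet: str   # code the finding quotes
    title: str


def verify_finding(root, finding):
    """Return (ok, reason). Only (True, "verified") may enter the report."""
    root = Path(root).resolve()
    target = (root / finding.path).resolve()
    if root not in target.parents:
        return False, "path escapes project root"
    if not target.is_file():
        return False, "file does not exist"
    lines = target.read_text(encoding="utf-8", errors="replace").splitlines()
    if not 1 <= finding.line <= len(lines):
        return False, f"line {finding.line} out of range (file has {len(lines)} lines)"
    want = " ".join(finding.snippet.split())  # compare whitespace-normalized
    if want in " ".join(lines[finding.line - 1].split()):
        return True, "verified"
    hits = [i + 1 for i, text in enumerate(lines) if want in " ".join(text.split())]
    if hits:
        return False, f"snippet found at line(s) {hits}, not {finding.line}"
    return False, "snippet not present in file"


def triage(root, findings):
    """Split findings into kept and dropped; a miss beats a false positive."""
    kept, dropped = [], []
    for f in findings:
        ok, reason = verify_finding(root, f)
        (kept if ok else dropped).append((f.title, reason))
    return kept, dropped


def demo():
    """Build a constructed project in a temp dir and triage four findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "app", "views.py")
        src.parent.mkdir()
        # Constructed source file: a real command injection on line 4.
        src.write_text('import os\n\ndef run(cmd):\n    os.system("ls " + cmd)\n',
                       encoding="utf-8")
        findings = [
            Finding("app/views.py", 4, 'os.system("ls " + cmd)', "command injection"),
            Finding("app/utils.py", 10, "pickle.loads(data)", "deserialization"),
            Finding("app/views.py", 2, 'os.system("ls " + cmd)', "command injection (wrong line)"),
            Finding("../../etc/passwd", 1, "root", "bogus path"),
        ]
        return triage(tmp, findings)


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:", kept)
    print("dropped:", dropped)
```

The second and fourth findings are the classic hallucination shapes (a file that a "typical project" would have, and a path outside the tree); the third shows why the line-drift check is worth the extra pass, since a finding whose snippet exists but at a different line is usually a stale or guessed location rather than a fabrication, and can be corrected rather than dropped.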
## Supported Technologies
### Languages
Java, Python, Go, PHP, JavaScript/TypeScript, C/C++, C#/.NET, Ruby, Rust
### Frameworks
Spring Boot, Django, Flask, FastAPI, Express, Koa, Gin, Laravel, Rails, ASP.NET Core, NestJS, Fastify, Rust Web (Actix/Axum)
### Security Domains
API Security, LLM/AI Security, Serverless, Cryptography, Race Conditions, OAuth/OIDC/SAML, WebSocket/gRPC, HTTP Smuggling, Supply Chain/CI-CD
## Contributing
Contributions welcome! To add support for a new language or framework:
1. Create `references/languages/{language}.md` or `references/frameworks/{framework}.md`
2. Follow existing module format (key questions per D1-D10 dimension)
3. Include: dangerous functions, detection patterns, vulnerability examples, secure alternatives
4. Update `agent.md` tech stack routing table if needed
## References
- [Code Audit Skill Explained (Part 1)](https://mp.weixin.qq.com/s/K5yJ9nPUzwpBV5rMPPKfCg)
- [Code Audit Skill Explained (Part 2)](https://mp.weixin.qq.com/s/yTPehTfk1ufv3RXq6gh1mA)
## Community
Join our WeChat group for discussion and support:
<img src="image/wechat.png" alt="WeChat Group" width="300">
## License
MIT License
## Disclaimer
This skill is intended for **authorized security testing** only. Users must:
- Have legal authorization to audit the target code
- Responsibly disclose discovered vulnerabilities
- Comply with applicable laws and ethical guidelines
Unauthorized security testing of systems you do not own may be illegal.