security-audit

Scan code for OWASP Top 10 vulnerabilities, check dependencies for CVEs, identify hardcoded secrets, and generate remediation reports.

# security-audit

A comprehensive static application security testing (SAST) skill that combines OWASP Top 10 code scanning, CVE dependency checking, secret detection, and remediation report generation — all from a single Anvil command.

## What It Does

security-audit orchestrates multiple security scanning techniques across your codebase:

- **OWASP Top 10 (2021) scanning**: weakness classes mapped to the 2021 categories, including SQL injection, XSS, CSRF, insecure deserialization, XXE, path traversal, command injection, SSRF, broken access control, and cryptographic failures (several of these, such as XXE and insecure deserialization, are specific weaknesses that the 2021 list folds into broader categories rather than category names themselves)
- **CVE dependency scanning**: Checks npm, pip, cargo, go.mod, composer, and gem dependencies against the NVD (National Vulnerability Database) and the GitHub Advisory Database
- **Secret detection**: Finds API keys, private keys, tokens, passwords, and connection strings using entropy analysis and pattern matching (300+ secret patterns)
- **Hardcoded credential detection**: Database credentials, cloud provider keys, SSH private keys, JWT secrets
- **License compliance**: Flags dependencies whose licenses may be incompatible with proprietary distribution (GPL, AGPL, CDDL in commercial contexts)
- **Remediation reports**: Severity-ranked findings with CWE IDs, CVSS scores, affected line numbers, and fix recommendations
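
The entropy-plus-pattern approach behind the secret and credential detectors above, shown as an added illustration rather than the skill's own rule set or code: a handful of constructed pattern rules for well-known secret formats, a Shannon-entropy gate for generic `secret`/`token`/`password`-style assignments, and a constructed set of source lines showing which ones get reported and which do not. The rule names, the thresholds and the sample lines are assumptions made for this example; the only real-format value is AWS's documented example access key ID.

```python
import math
import re

# Assumed thresholds (not the skill's): minimum literal length before the
# entropy gate applies, and bits per character above which a literal is
# treated as machine-generated rather than a word or a placeholder.
MIN_LENGTH = 12
ENTROPY_THRESHOLD = 3.5

# Illustrative pattern rules for well-known secret formats. The skill ships
# 300+ of these; the four below are constructed for this example.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "postgres-url-with-password": re.compile(r"postgres(?:ql)?://[^:\s/]+:[^@\s]+@"),
}

# Generic rule: a string literal assigned to a name that smells like a secret.
# The literal is reported only if it also passes the entropy gate, so plain
# words and placeholders assigned to such names are skipped.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|token|password|passwd|api_?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{%d,})['\"]" % MIN_LENGTH
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s: 0.0 for a repeated character, 2.0 for 'abcd',
    about 3.7 for a random 40-char hex string, about 4.9 for random base62."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding is locatable without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_for_secrets(lines):
    """Return (line_no, rule, redacted_value) for each reported line.

    Format-specific patterns win; the entropy-gated generic rule only runs on
    lines that no pattern matched, so each line is reported for one reason."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        matched = False
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((line_no, rule, redact(m.group(0))))
                matched = True
        if matched:
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append((line_no, "generic-high-entropy-secret", redact(m.group("value"))))
    return findings


# Constructed sample source. Line 1 uses AWS's documented example key ID; the
# other values are made up for this example.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme-changeme"
jwt_secret = "q7Zr2pL9vX4mK8nT1wB6yH3cF5dJ0sA2"
DATABASE_URL = "postgres://app:S3cretPass@db.internal:5432/app"
commit_sha = "3b18e512dba79e4c8300dd08aeb37f8e728b8dad"
"""

if __name__ == "__main__":
    for line_no, rule, value in scan_for_secrets(SAMPLE_SOURCE.splitlines()):
        print(f"line {line_no}: {rule}: {value}")
```

Lines 1, 3 and 4 are reported; lines 2 and 5 are not. The name gate matters: the 40-character commit SHA on line 5 has an entropy of roughly 3.7 and would trip a bare entropy check, which is the classic source of false positives in entropy-only scanners, while the placeholder on line 2 is long enough to be considered but repetitive enough to fall below the gate. A real scanner also has to handle multi-line private-key blocks, base64 blobs and secrets split across string concatenation, none of which this sketch attempts.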

## Installation

```bash
anvil skill install security-audit
```

## Usage

### Full Audit of Current Directory
```
/security-audit
```

### Audit Specific Path
```
/security-audit ./src/api
```

### Dependency-Only Scan
```
/security-audit --scope deps
```

### Secrets-Only Scan
```
/security-audit --scope secrets
```

### OWASP Code Scan Only
```
/security-audit --scope sast
```

### Export SARIF for GitHub Security Tab
```
/security-audit --output sarif > results.sarif
```

### Fail CI on High+ Findings
```
/security-audit --fail-on high --output json
```
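
What the SARIF export and the `--fail-on` gate amount to, as an added example that is not the skill's code and does not know its real JSON schema: three constructed findings in the shape the report section describes (CWE ID, severity, CVSS score, file and line, fix text) are turned into a minimal SARIF 2.1.0 log that GitHub code scanning accepts, and a threshold function computes the CI exit status so that "high" covers both high and critical. The input field names are assumptions.

```python
import json

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# GitHub code scanning reads "level" (note/warning/error) for display and the
# rule property "security-severity" (a 0-10 string) for its own ranking.
LEVEL_FOR = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}

# Constructed findings in the shape the report section describes; the key
# names are assumptions, not the skill's JSON schema.
FINDINGS = [
    {"rule": "CWE-89", "severity": "high", "cvss": 8.6, "file": "src/api/users.py", "line": 42,
     "message": "SQL query built with string formatting",
     "fix": "Use a parameterised query"},
    {"rule": "CWE-798", "severity": "critical", "cvss": 9.1, "file": "config/settings.py", "line": 7,
     "message": "Hardcoded database credential",
     "fix": "Load the credential from the environment or a secret manager"},
    {"rule": "CWE-327", "severity": "medium", "cvss": 5.3, "file": "src/auth/hash.py", "line": 15,
     "message": "MD5 used to hash passwords",
     "fix": "Use argon2id or bcrypt"},
]


def to_sarif(findings, tool_name="security-audit"):
    """Build a minimal SARIF 2.1.0 log: one run, one rule per distinct rule id,
    one result per finding with a file/line location relative to the repo root."""
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["rule"]},
            "properties": {"security-severity": f"{f['cvss']:.1f}"},
        })
        results.append({
            "ruleId": f["rule"],
            "level": LEVEL_FOR[f["severity"]],
            "message": {"text": f"{f['message']}. Recommended fix: {f['fix']}."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def sarif_json(findings):
    return json.dumps(to_sarif(findings), indent=2)


def exit_code_for(findings, fail_on=None):
    """1 if any finding is at or above fail_on ('high' covers high and critical),
    else 0. fail_on=None reproduces the default of never failing the build."""
    if fail_on is None:
        return 0
    threshold = SEVERITY_ORDER.index(fail_on)
    return int(any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings))


if __name__ == "__main__":
    import sys
    print(sarif_json(FINDINGS))
    sys.exit(exit_code_for(FINDINGS, fail_on="high"))
```

Redirected to `results.sarif` and uploaded with `github/codeql-action/upload-sarif`, a log of this shape populates the repository's Security tab with one alert per result. Keep the gate and the export as separate steps in CI: if the same command both writes the SARIF and exits non-zero, make sure the upload step runs with `if: always()` or the findings that failed the build never reach the Security tab.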

## Configuration Options

| Option | Description | Default |
|--------|-------------|---------|
| `--scope` | all, sast, deps, secrets, license | all |
| `--output` | json, sarif, html, markdown | markdown |
| `--fail-on` | Severity threshold: low, medium, high, critical | none |
| `--ignore` | Comma-separated paths to exclude | node_modules,dist |
| `--suppress` | Path to suppression file (.secaudit-ignore) | auto |
| `--fix` | Attempt auto-remediation where possible | false |

## Configuration File

Create `.secaudit.json` in your project root:

```json
{
  "ignorePatterns": ["test/**", "*.test.ts", "fixtures/**"],
  "severityThreshold": "medium",
  "suppressions": [
    { "rule": "CVE-2021-44228", "reason": "Not using log4j", "expires": "2026-12-31" }
  ]
}
```
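
How the three keys of that file interact, as an added example (not the skill's implementation; the evaluation order, the glob semantics and the date handling are assumptions made here): suppressions carry an `expires` date so that accepted risk comes back up for review, ignore patterns are matched with shell-style globs, and the threshold drops anything below it. The constructed config adds a second suppression whose expiry has already passed, so its finding resurfaces.

```python
import fnmatch
from datetime import date

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed to mirror the .secaudit.json above, plus a suppression whose
# expiry has already passed.
CONFIG = {
    "ignorePatterns": ["test/**", "*.test.ts", "fixtures/**"],
    "severityThreshold": "medium",
    "suppressions": [
        {"rule": "CVE-2021-44228", "reason": "Not using log4j", "expires": "2026-12-31"},
        {"rule": "CWE-327", "reason": "MD5 only used for a cache key", "expires": "2025-01-31"},
    ],
}

# Constructed findings; the key names are assumptions about the report shape.
FINDINGS = [
    {"rule": "CVE-2021-44228", "severity": "critical", "file": "pom.xml"},
    {"rule": "CWE-327", "severity": "medium", "file": "src/cache/keys.py"},
    {"rule": "CWE-89", "severity": "high", "file": "test/helpers/db.py"},
    {"rule": "CWE-79", "severity": "high", "file": "src/api/users.test.ts"},
    {"rule": "CWE-79", "severity": "low", "file": "src/render.py"},
    {"rule": "CWE-798", "severity": "high", "file": "src/settings.py"},
]

AS_OF = date(2025, 6, 1)  # fixed "today" so the example is reproducible


def active_suppressions(config, today):
    """Split suppressions into those still in force and those whose expiry has
    passed. An entry without "expires" never lapses, which is worth flagging in review."""
    active, expired = {}, []
    for s in config.get("suppressions", []):
        exp = s.get("expires")
        if exp is not None and date.fromisoformat(exp) < today:
            expired.append(s["rule"])
        else:
            active[s["rule"]] = s["reason"]
    return active, expired


def apply_policy(findings, config, today=AS_OF):
    """Evaluation order assumed here: path ignore, then suppression, then
    severity threshold. Every bucket is returned so nothing disappears silently."""
    active, expired = active_suppressions(config, today)
    min_sev = SEVERITY_ORDER.index(config.get("severityThreshold", "low"))
    patterns = config.get("ignorePatterns", [])
    out = {"reported": [], "suppressed": [], "ignored": [], "below_threshold": [],
           "expired_suppressions": expired}
    for f in findings:
        # fnmatch's "*" also matches "/", so "*.test.ts" matches nested paths
        # and "test/**" behaves like "test/*" here.
        if any(fnmatch.fnmatch(f["file"], p) for p in patterns):
            out["ignored"].append(f)
        elif f["rule"] in active:
            out["suppressed"].append(f)
        elif SEVERITY_ORDER.index(f["severity"]) < min_sev:
            out["below_threshold"].append(f)
        else:
            out["reported"].append(f)
    return out


if __name__ == "__main__":
    for bucket, items in apply_policy(FINDINGS, CONFIG).items():
        print(bucket, [i["rule"] if isinstance(i, dict) else i for i in items])
```

Two things this makes visible that the config file alone does not. First, a suppression records accepted risk, so it should name the reason and a review date; once `2026-12-31` passes, the CVE-2021-44228 entry stops suppressing and the finding comes back, which is the intended behaviour, not a regression. Second, the `ignorePatterns` list removes whole files from every scanner, secrets included, so a credential committed under `fixtures/` would never be reported; keep those patterns as narrow as the test layout allows.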

## Requirements

- Project with at least one supported package manager manifest (package.json, requirements.txt, Cargo.toml, go.mod, etc.)
- Network access for CVE database lookups (offline mode available with cached DB)
