
security-audit

Scan code for OWASP Top 10 vulnerabilities, check dependencies for CVEs, identify hardcoded secrets, and generate remediation reports.

Install
/skill install security-audit

security-audit

A comprehensive static application security testing (SAST) skill that combines OWASP Top 10 code scanning, CVE dependency checking, secret detection, and remediation report generation — all from a single Anvil command.

What It Does

security-audit orchestrates multiple security scanning techniques across your codebase:

  • OWASP Top 10 (2021) scanning: SQL injection, XSS, CSRF, insecure deserialization, XXE, path traversal, command injection, SSRF, broken access control, cryptographic failures
  • CVE dependency scanning: Checks npm, pip, cargo, go.mod, composer, and gem dependencies against the NVD database and GitHub Advisory Database
  • Secret detection: Finds API keys, private keys, tokens, passwords, and connection strings using entropy analysis and pattern matching (300+ secret patterns)
  • Hardcoded credential detection: Database credentials, cloud provider keys, SSH private keys, JWT secrets
  • License compliance: Flags dependencies with incompatible licenses (GPL, AGPL, CDDL in commercial contexts)
  • Remediation reports: Severity-ranked findings with CWE IDs, CVSS scores, affected line numbers, and fix recommendations

Installation

anvil skill install security-audit

Usage

Full Audit of Current Directory

/security-audit

Audit Specific Path

/security-audit ./src/api

Dependency-Only Scan

/security-audit --scope deps

Secrets-Only Scan

/security-audit --scope secrets

OWASP Code Scan Only

/security-audit --scope sast

Export SARIF for GitHub Security Tab

/security-audit --output sarif > results.sarif

Fail CI on High+ Findings

/security-audit --fail-on high --output json

Configuration Options

  Option      Description                                        Default
  --scope     all, sast, deps, secrets, license                  all
  --output    json, sarif, html, markdown                        markdown
  --fail-on   Severity threshold: low, medium, high, critical    none
  --ignore    Comma-separated paths to exclude                   node_modules,dist
  --suppress  Path to suppression file (.secaudit-ignore)        auto
  --fix       Attempt auto-remediation where possible            false

Configuration File

Create .secaudit.json in your project root:

{
  "ignorePatterns": ["test/**", "*.test.ts", "fixtures/**"],
  "severityThreshold": "medium",
  "suppressions": [
    { "rule": "CVE-2021-44228", "reason": "Not using log4j", "expires": "2026-12-31" }
  ]
}
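As an added example (not code from the skill or this page), the following shows how a CI step could apply a .secaudit.json of the shape above to scan findings: ignorePatterns are globbed against the finding path, severityThreshold drops lower-ranked findings, and a suppression stops applying once its expires date has passed, so a forgotten entry never becomes permanent. The findings record shape (rule, path, severity) is an assumption, since the page does not define the skill's output schema.

```python
import json
from datetime import date
from fnmatch import fnmatch

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed .secaudit.json in the shape shown above; the second suppression has already expired.
CONFIG_JSON = """{
  "ignorePatterns": ["test/**", "*.test.ts", "fixtures/**"],
  "severityThreshold": "medium",
  "suppressions": [
    { "rule": "CVE-2021-44228", "reason": "Not using log4j", "expires": "2026-12-31" },
    { "rule": "CWE-798", "reason": "rotated, pending removal", "expires": "2020-01-01" }
  ]
}"""
CONFIG = json.loads(CONFIG_JSON)

# Constructed findings; these field names are an assumption, not the skill's real output schema.
FINDINGS = [
    {"rule": "CVE-2021-44228", "path": "package.json", "severity": "critical"},
    {"rule": "CWE-798", "path": "src/config.py", "severity": "high"},
    {"rule": "CWE-79", "path": "test/xss.test.ts", "severity": "high"},
    {"rule": "CWE-22", "path": "src/api/files.py", "severity": "low"},
]

def active_suppressions(config, today):
    """Rule ids whose suppression is still valid on `today` (ISO date); expired ones no longer hide findings."""
    now = date.fromisoformat(today)
    return {s["rule"] for s in config.get("suppressions", [])
            if "expires" not in s or date.fromisoformat(s["expires"]) >= now}

def apply_config(findings, config, today):
    """Drop ignored paths, actively suppressed rules, and findings below severityThreshold."""
    patterns = config.get("ignorePatterns", [])
    threshold = SEVERITY_RANK[config.get("severityThreshold", "low")]
    suppressed = active_suppressions(config, today)
    return [f for f in findings
            if not any(fnmatch(f["path"], p) for p in patterns)  # fnmatch's '*' also spans '/'
            and f["rule"] not in suppressed
            and SEVERITY_RANK[f["severity"]] >= threshold]

def should_fail(findings, fail_on):
    """Mirror --fail-on: true when any remaining finding is at or above the threshold."""
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on] for f in findings)

if __name__ == "__main__":
    kept = apply_config(FINDINGS, CONFIG, date.today().isoformat())
    print(json.dumps(kept, indent=2))
    raise SystemExit(1 if should_fail(kept, "high") else 0)
```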

Requirements

  • Project with at least one supported package manager manifest (package.json, requirements.txt, Cargo.toml, go.mod, etc.)
  • Network access for CVE database lookups (offline mode available with cached DB)

