Security audit workflow - vulnerability scan → verification
QE Security Compliance
148
29
# Install this skill:
npx skills add proffesor-for-testing/agentic-qe --skill "QE Security Compliance"
Install specific skill from multi-skill repository
# Description
Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.
# SKILL.md
name: "QE Security Compliance"
description: "Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards."
QE Security Compliance
Purpose
Guide the use of v3's security and compliance testing capabilities including SAST/DAST scanning, vulnerability detection, compliance auditing, and security gate enforcement.
Activation
- When performing security audits
- When scanning for vulnerabilities
- When validating compliance
- When checking dependencies
- When setting up security gates
Quick Start
# Full security scan
aqe security scan --scope src/ --checks all
# Vulnerability check
aqe security vulns --dependencies --severity critical,high
# Compliance audit
aqe security compliance --standard soc2 --output report.html
# OWASP check
aqe security owasp --top-10 --scope src/
Agent Workflow
// Security audit
Task("Security audit", `
Perform comprehensive security audit:
- SAST scan for code vulnerabilities
- Dependency vulnerability check
- Secret detection in code and configs
- OWASP Top 10 validation
Generate security report with remediation steps.
`, "qe-security-auditor")
// Compliance validation
Task("SOC2 compliance check", `
Validate SOC2 compliance requirements:
- Access control verification
- Encryption validation
- Audit logging check
- Data retention compliance
Generate compliance evidence report.
`, "qe-compliance-checker")
Security Operations
1. SAST Scanning
await securityScanner.staticAnalysis({
scope: 'src/**/*.ts',
checks: [
'sql-injection',
'xss',
'command-injection',
'path-traversal',
'insecure-crypto',
'hardcoded-secrets'
],
rules: 'owasp-top-10',
severity: ['critical', 'high', 'medium']
});
2. Dependency Scanning
await securityScanner.dependencyCheck({
sources: ['package.json', 'package-lock.json'],
checks: {
knownVulnerabilities: true,
outdatedPackages: true,
licenseCompliance: true,
supplyChainRisk: true
},
severity: ['critical', 'high'],
autoFix: {
enabled: true,
dryRun: false
}
});
3. Compliance Audit
await complianceChecker.audit({
standards: ['SOC2', 'GDPR', 'HIPAA'],
scope: {
code: 'src/',
configs: 'config/',
infrastructure: 'terraform/'
},
output: {
gaps: true,
evidence: true,
recommendations: true
}
});
4. Secret Detection
await securityScanner.detectSecrets({
scope: ['.', 'config/', '.env*'],
patterns: [
'api-keys',
'passwords',
'tokens',
'private-keys',
'connection-strings'
],
exclude: ['*.test.ts', 'mocks/'],
action: {
onDetect: 'block',
notify: ['security-team']
}
});
OWASP Top 10 Coverage
owasp_2021:
A01_broken_access_control:
checks: [privilege-escalation, idor, cors-misconfiguration]
automated: true
A02_cryptographic_failures:
checks: [weak-encryption, missing-encryption, key-management]
automated: true
A03_injection:
checks: [sql, nosql, command, xss, ldap]
automated: true
A04_insecure_design:
checks: [threat-modeling, secure-patterns]
automated: partial
A05_security_misconfiguration:
checks: [default-credentials, unnecessary-features]
automated: true
A06_vulnerable_components:
checks: [outdated-deps, known-cves]
automated: true
A07_auth_failures:
checks: [weak-passwords, session-issues]
automated: true
A08_software_data_integrity:
checks: [insecure-deserialization, cicd-security]
automated: partial
A09_logging_monitoring:
checks: [insufficient-logging, missing-alerts]
automated: partial
A10_ssrf:
checks: [server-side-request-forgery]
automated: true
Security Report
interface SecurityReport {
summary: {
score: number; // 0-100
critical: number;
high: number;
medium: number;
low: number;
};
vulnerabilities: {
id: string;
type: string;
severity: 'critical' | 'high' | 'medium' | 'low';
location: string;
description: string;
remediation: string;
cwe: string;
owasp: string;
}[];
dependencies: {
vulnerable: number;
outdated: number;
details: DependencyVuln[];
};
compliance: {
standard: string;
status: 'compliant' | 'non-compliant' | 'partial';
gaps: ComplianceGap[];
evidence: Evidence[];
}[];
secrets: {
detected: number;
locations: SecretLocation[];
};
}
Security Gates
security_gates:
block_merge:
- critical_vulnerabilities > 0
- high_vulnerabilities > 2
- secrets_detected > 0
- compliance_failures > 0
warn:
- medium_vulnerabilities > 5
- outdated_dependencies > 10
enforce:
- signed_commits: required
- code_review: required
- security_scan: required
Compliance Standards
| Standard | Scope | Auto-Check |
|---|---|---|
| SOC2 | Security controls | Partial |
| GDPR | Data privacy | Partial |
| HIPAA | Health data | Partial |
| PCI-DSS | Payment data | Yes |
| ISO 27001 | InfoSec | Partial |
Coordination
Primary Agents: qe-security-auditor, qe-security-scanner, qe-compliance-checker
Coordinator: qe-security-coordinator
Related Skills: qe-quality-assessment, qe-contract-testing
# Related Skills
Security-first PR review checklist for this repo. Use when reviewing diffs/PRs, especially...
Master authentication and authorization patterns including JWT, OAuth2, session management, and...
You are a dependency security expert specializing in vulnerability scanning, license compliance,...
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents:
Amp
Antigravity
Claude Code
Clawdbot
Codex
Cursor
Droid
Gemini CLI
GitHub Copilot
Goose
Kilo Code
Kiro CLI
OpenCode
Roo Code
Trae
Windsurf
Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.