Security audit workflow - vulnerability scan → verification
```sh
npx skills add alistaircroll/verbose-deployment --skill "security-review"
```
Install a specific skill from a multi-skill repository.
# Description
Run security checks before code leaves the machine — secrets scanning (gitleaks), .gitignore hygiene, dependency audit, API key detection, and pre-commit hook installation. Use as Phase 6 of the deployment pipeline or as a standalone security audit.
# SKILL.md
---
name: security-review
description: "Run security checks before code leaves the machine — secrets scanning (gitleaks), .gitignore hygiene, dependency audit, API key detection, and pre-commit hook installation. Use as Phase 6 of the deployment pipeline or as a standalone security audit."
---
## Security Review
Run security checks before any code leaves the machine.
## Checks
Adapt to what's available in the project:
| Check | Command | Required? |
|---|---|---|
| Secrets in working tree | `gitleaks detect --source . --no-git --redact` | Yes (install if missing) |
| Secrets in git history | `gitleaks detect --redact` | Yes |
| .gitignore hygiene | `git ls-files \| grep -iE '\.env$\|credentials\|\.pem$\|\.key$'` | Yes |
| Dependency vulnerabilities | `npm audit` / `pip-audit` / `cargo audit` (whichever matches the project's manifest) | Yes |
| Hardcoded API keys | `git grep -n 'sk-ant-api\|ANTHROPIC_API_KEY\|AIza'` | Yes |
| Pre-commit hook | Check that `.git/hooks/pre-commit` exists and is executable | Required — install if missing |
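The table above lists the checks as one-off commands. The script below is an added example, not part of the security-review skill's own files or of the `verbose-deployment` repository: it wraps each check in a POSIX sh function that takes its input from stdin or an argument, so the .gitignore, API-key, audit-tool and hook checks can be exercised on constructed data without gitleaks or git present, and `run_security_review` wires them to the real tools. The function names, the `demo`/`run` entry points and the sample file contents are assumptions of this example; the patterns are the ones from the table.

```sh
#!/bin/sh
# Added example (not the skill's own code): a runner for the checks above.
# Each check is a function so it can be tested on constructed input;
# run_security_review() calls the real tools when they are installed.

# .gitignore hygiene: read tracked paths on stdin (one per line, as printed by
# `git ls-files`) and report any that should never be tracked.
# Returns 1 when at least one such path is present, 0 otherwise.
gitignore_hygiene_check() {
    if found=$(grep -iE '\.env$|credentials|\.pem$|\.key$'); then
        printf 'tracked sensitive file(s):\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Hardcoded API keys: grep a directory for the key prefixes from the table.
# Plain grep (not `git grep`) so it also works on an untracked checkout;
# .git is excluded so packed objects are not scanned. Returns 1 on a match.
api_key_check() {
    if found=$(grep -rnE --exclude-dir=.git 'sk-ant-api|ANTHROPIC_API_KEY|AIza' "$1"); then
        printf 'possible hardcoded API key(s):\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Dependency audit: choose the audit tool from the manifest files present.
# The PyPA tool is invoked as `pip-audit`. Prints "none" if no manifest found.
audit_command_for() {
    dir=$1
    if [ -f "$dir/package.json" ]; then
        echo "npm audit"
    elif [ -f "$dir/requirements.txt" ] || [ -f "$dir/pyproject.toml" ]; then
        echo "pip-audit"
    elif [ -f "$dir/Cargo.toml" ]; then
        echo "cargo audit"
    else
        echo "none"
    fi
}

# Pre-commit hook: report missing / not-executable / present.
precommit_hook_status() {
    hook=$1/.git/hooks/pre-commit
    if [ -x "$hook" ]; then
        echo "present"
    elif [ -f "$hook" ]; then
        echo "not-executable"
    else
        echo "missing"
    fi
}

# Run every check against a repository directory. Exit status is non-zero
# when any check fails, so the caller can apply the skill's STOP rule.
run_security_review() {
    dir=${1:-.}
    status=0
    if command -v gitleaks >/dev/null 2>&1; then
        gitleaks detect --source "$dir" --no-git --redact || status=1  # working tree
        gitleaks detect --source "$dir" --redact || status=1           # git history
    else
        echo "gitleaks not installed (brew install gitleaks); secrets checks not run"
        status=1
    fi
    (cd "$dir" && git ls-files) | gitignore_hygiene_check || status=1
    api_key_check "$dir" || status=1
    audit=$(audit_command_for "$dir")
    if [ "$audit" = "none" ]; then
        echo "no dependency manifest found; dependency audit skipped"
    else
        (cd "$dir" && $audit) || status=1
    fi
    echo "pre-commit hook: $(precommit_hook_status "$dir")"
    return $status
}

# Constructed demo input (not a real project): a tracked .env and .pem in the
# file list, and a placeholder key string in a source file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src"
    echo '{}' > "$tmp/package.json"
    printf 'const key = "sk-ant-api-PLACEHOLDER-not-a-real-key";\n' > "$tmp/src/config.js"
    printf 'src/config.js\n.env\ncerts/server.pem\nREADME.md\n' | gitignore_hygiene_check || true
    api_key_check "$tmp/src" || true
    echo "audit tool: $(audit_command_for "$tmp")"
    echo "pre-commit hook: $(precommit_hook_status "$tmp")"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;                          # sh security-review.sh demo
    run)  run_security_review "${2:-.}" ;; # sh security-review.sh run /path/to/repo
esac
```

`sh security-review.sh run .` runs the full set against the current repository and exits non-zero on any finding, which maps directly onto the STOP condition below. Because `.git/hooks` is not part of the repository, the hook check only reflects the local clone; the history scan (`gitleaks detect --redact`) is what catches anything committed from a machine where the hook was absent or bypassed. Newer gitleaks releases (8.19 and later) also offer `gitleaks git` and `gitleaks dir`, but `detect` still works as written in the table.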
## Pre-Commit Hook Installation
If no pre-commit hook exists, create one that runs `gitleaks protect --staged --redact` on every commit. This prevents secrets from ever entering git history.
```sh
cat > .git/hooks/pre-commit << 'HOOK'
#!/bin/sh
# Prevent secrets from being committed
if command -v gitleaks >/dev/null 2>&1; then
    if ! gitleaks protect --staged --redact; then
        echo "gitleaks detected secrets in staged files. Commit blocked."
        exit 1
    fi
else
    echo "WARNING: gitleaks not installed. Skipping secret scan."
    echo "Install with: brew install gitleaks"
fi
HOOK
chmod +x .git/hooks/pre-commit
```
The hook warns (but does not block) if gitleaks is not installed, so it degrades gracefully on machines without gitleaks.
## Collect
- Secret findings (count, type, file)
- Vulnerability counts by severity (before/after any fixes applied in the dependencies phase)
- .gitignore gaps
- Pre-commit hook status (existed / installed / updated)
## Stop Conditions
STOP if: Exposed secrets, hardcoded API keys, or critical vulnerabilities with available fixes. Fix and restart from Phase 1 (the project-inventory skill).
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents.