From sdlc-audit
Generate actionable BACKLOG.md from classified findings. Sorts by priority, creates fix prompts ready for /audit:fix command.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sdlc-audit:backlog-generator
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Converts classified findings into an actionable BACKLOG.md.
Triggered by: findings-classifier complete, /audit:full, /audit:fix
Input: docs/audit/<TS>/_findings-classified.json from findings-classifier
Sort findings by composite score:
priority = severity_weight × business_impact / effort_cost
severity_weight:
BLOCKER: 1000
CRITICAL: 100
HIGH: 30
MEDIUM: 5
LOW: 1
INFO: 0
business_impact:
HIGH: 3
MEDIUM: 2
LOW: 1
effort_cost:
XS: 1
S: 2
M: 4
L: 8
XL: 16
Highest priority is fixed first.
Sequential IDs per severity level:
BLOCKER-001, BLOCKER-002, ...
CRITICAL-001, CRITICAL-002, ...
HIGH-001, HIGH-002, ...
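As an added example (not the skill's own code), the scoring, sorting and per-severity numbering above in Python, run over a constructed sample standing in for `_findings-classified.json`; the field names `severity`, `business_impact` and `effort` are an assumed schema.

```python
import json
from collections import Counter, defaultdict

# Weights exactly as the backlog-generator rules define them.
SEVERITY_WEIGHT = {"BLOCKER": 1000, "CRITICAL": 100, "HIGH": 30,
                   "MEDIUM": 5, "LOW": 1, "INFO": 0}
BUSINESS_IMPACT = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
EFFORT_COST = {"XS": 1, "S": 2, "M": 4, "L": 8, "XL": 16}
SEVERITY_ORDER = list(SEVERITY_WEIGHT)  # BLOCKER first, INFO last

def priority(finding):
    """priority = severity_weight * business_impact / effort_cost"""
    return (SEVERITY_WEIGHT[finding["severity"]]
            * BUSINESS_IMPACT[finding["business_impact"]]
            / EFFORT_COST[finding["effort"]])

def build_backlog(findings):
    """Highest priority first; IDs are sequential per severity level, so
    BLOCKER-001 is the most urgent BLOCKER, HIGH-001 the most urgent HIGH."""
    ordered = sorted(findings, key=priority, reverse=True)
    counters = defaultdict(int)
    backlog = []
    for f in ordered:
        counters[f["severity"]] += 1
        fid = f"{f['severity']}-{counters[f['severity']]:03d}"
        backlog.append({**f, "id": fid, "priority": priority(f)})
    return backlog

def summary_line(backlog):
    """Header line in BACKLOG.md format: 'Total findings: N (BLOCKER: 2, ...)'."""
    counts = Counter(f["severity"] for f in backlog)
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER if counts[s])
    return f"Total findings: {len(backlog)} ({parts})"

# Constructed sample (assumed schema) in place of docs/audit/<TS>/_findings-classified.json
SAMPLE = json.loads("""[
 {"title": "Hardcoded AWS key", "severity": "BLOCKER", "business_impact": "HIGH", "effort": "S"},
 {"title": "Active CVE in django", "severity": "BLOCKER", "business_impact": "HIGH", "effort": "XS"},
 {"title": "God class views.py", "severity": "CRITICAL", "business_impact": "MEDIUM", "effort": "L"},
 {"title": "Hardcoded database URL", "severity": "HIGH", "business_impact": "HIGH", "effort": "S"},
 {"title": "Magic number 0.85", "severity": "MEDIUM", "business_impact": "LOW", "effort": "XS"},
 {"title": "Uninformative name", "severity": "LOW", "business_impact": "LOW", "effort": "XS"}
]""")

if __name__ == "__main__":
    for f in build_backlog(SAMPLE):
        print(f"{f['id']:<13} prio={f['priority']:>7.1f}  {f['title']}")
    print(summary_line(build_backlog(SAMPLE)))
```

Note that a HIGH finding with a cheap fix (45) outranks an expensive CRITICAL one (25) in fix order, while the IDs stay grouped by severity.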
Structure:
# Audit Backlog
Generated: 2026-04-29 14:30
Audit: 2026-04-29-1430
Total findings: 78 (BLOCKER: 2, CRITICAL: 8, HIGH: 22, MEDIUM: 30, LOW: 16)
## How to use
- `/audit:fix next` - apply highest priority unfixed finding
- `/audit:fix BLOCKER-001` - apply specific finding
- `/audit:fix --severity=CRITICAL` - apply all CRITICAL findings
- `/audit:status` - check progress
---
## BLOCKER findings (immediate action required)
### [BLOCKER-001] Hardcoded production AWS access key in settings
**Status**: open
**Severity**: BLOCKER
**Phase**: security
**Category**: secrets
**Effort**: S (30 min - 2 hours)
**Risk if ignored**: HIGH (AWS account compromise)
#### Evidence
`settings/prod.py:23`:
```python
AWS_ACCESS_KEY = 'AKIA...' (redacted)
```
#### Impact
AWS account compromise possible if this code is leaked. Full S3/EC2 access available
to anyone with the key. Particularly dangerous because git history retains old commits
even after deletion from current code.
#### Fix prompt
> Move AWS credentials to your project's secret manager (e.g., Infisical,
> Vault, AWS Secrets Manager, Doppler). Replace `settings.py:23` with
> `os.environ['AWS_ACCESS_KEY']`. Add `AWS_ACCESS_KEY` and `AWS_SECRET_KEY`
> to the appropriate environment in the secret manager. After deployment is
> verified working with the new credentials, rotate the current key in AWS
> console immediately.
>
> CRITICAL: Also remove from git history through git-filter-repo or similar tool,
> not just by editing the file - retained history is a leak vector.
#### Verification
- [ ] AWS_ACCESS_KEY removed from settings.py
- [ ] Key added to project's secret manager (prod environment)
- [ ] Application starts and uses secret-manager-supplied credentials
- [ ] Old key rotated in AWS console
- [ ] Git history cleaned (no plaintext key in any commit)
- [ ] Verified through `gitleaks detect --no-git --redact` showing no findings
#### Related findings
- HIGH-007 (similar pattern with database URL hardcoded)
---
### [BLOCKER-002] Active CVE-2025-XXXXX in django dependency
...
## CRITICAL findings
### [CRITICAL-001] God class apps/sales/views.py (1247 LOC, 23 dependencies)
...
## HIGH findings
...
## MEDIUM findings
(Listed but with less detail to keep file size manageable)
### [MEDIUM-001] Magic number 0.85 in pricing calculation
**File**: apps/pricing/calculator.py:67
**Effort**: XS
**Fix**: Replace with named constant `DISCOUNT_THRESHOLD = 0.85`
...
## LOW findings
(One-liner per finding)
- LOW-001: `apps/utils/helpers.py:45` - Variable name `data` is uninformative
- LOW-002: ...
---
## Fix Progress
(Updated by /audit:fix command)
| ID | Status | Fixed at | Commit |
|----|--------|----------|--------|
| BLOCKER-001 | open | - | - |
| ... |
Each fix_prompt must be ready to copy. Checks:
Each verification step must be:
In parallel, create a one-page summary for a non-developer:
# SDLC Audit: Executive Summary
**Date**: 2026-04-29
**Project**: <project name>
**Depth**: standard
## Health Score
Overall: 7.2/10 (Good)
| Area | Score | Trend |
|------|-------|-------|
| Architecture | 8.5/10 | Stable |
| Domain logic | 6.8/10 | Improving |
| Code quality | 7.0/10 | Stable |
| Tests | 5.5/10 | Concerning |
| Security | 6.0/10 | Needs attention |
| Documentation | 8.0/10 | Stable |
| Deployment | 8.5/10 | Stable |
## Critical issues requiring immediate attention
1. **Hardcoded production secret** in settings - rotate immediately
2. **Active CVE in core dependency** - upgrade required
3. **Test coverage 35% in core sales module** - high regression risk
## Top 3 recommended actions (next 2 weeks)
1. Address BLOCKER findings (2 issues, ~4 hours total)
2. Refactor `apps/sales/views.py` god class (1 issue, ~2 days)
3. Improve test coverage in core domain to >70% (3 issues, ~3 days)
## Investment summary
- Quick wins (XS+S effort): 23 findings, ~12 hours total
- Medium investments (M effort): 18 findings, ~80 hours
- Large refactors (L+XL): 7 findings, ~3 weeks
## Trends
- Test coverage **declining** over last 3 months
- Architecture **stable** (no major drift)
- Security findings **increased** (mostly due to dependency aging)
Numerical health snapshot:
# Audit Metrics
## Coverage
- Statement coverage: 67% (down from 72% in previous audit)
- Branch coverage: 54%
- Files with <50% coverage: 23
## Complexity
- Cyclomatic complexity P50: 4
- Cyclomatic complexity P95: 18
- Cyclomatic complexity P99: 35
- Functions with CC > 30: 4
## Code volume
- Total LOC: 24,567
- Test LOC: 8,234 (33% of total)
- Documentation: 1,847 lines
## Dependencies
- Total: 87 (Python: 54, JS/TS: 33)
- With known CVEs: 3 (1 critical, 2 medium)
- Outdated by >1 year: 12
## Test pyramid
- Unit: 234 (52%)
- Integration: 145 (32%)
- E2E: 71 (16%)
## Mutation score (deep mode only)
- Overall: 67%
- Modules covered: 12 of 38
After generation, in docs/audit/<TS>/:
- BACKLOG.md (main)
- EXECUTIVE_SUMMARY.md
- METRICS.md
When /audit:fix updates findings:
- The Status field is set to fixed (in-place edit).
- Do not regenerate the whole backlog; only the status is updated. Full regeneration only on a new /audit:full.
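An added example (not part of the skill) of the in-place status update described above: only the finding's Status field and its Fix Progress row change, and the rest of BACKLOG.md is returned untouched. The abbreviated backlog text and the commit id are constructed.

```python
import re
from datetime import datetime

def mark_fixed(backlog_md, finding_id, commit, fixed_at=None):
    """Return BACKLOG.md text with one finding marked fixed, editing only
    its **Status** field and its Fix Progress row; everything else is kept
    byte-for-byte, so the backlog is not regenerated."""
    fixed_at = fixed_at or datetime.now().strftime("%Y-%m-%d %H:%M")
    fid = re.escape(finding_id)
    # The **Status** line following the finding's "### [ID]" heading; allow
    # other field lines in between but never cross into the next heading.
    status_re = re.compile(
        rf"(### \[{fid}\][^\n]*\n(?:(?!#)[^\n]*\n)*?\*\*Status\*\*: )open")
    text, n = status_re.subn(r"\g<1>fixed", backlog_md, count=1)
    if n != 1:
        raise KeyError(f"{finding_id}: no open **Status** field found")
    # Matching row in the Fix Progress table: | ID | open | - | - |
    row_re = re.compile(rf"^\| {fid} \| open \| - \| - \|$", re.MULTILINE)
    text, n = row_re.subn(
        f"| {finding_id} | fixed | {fixed_at} | {commit} |", text, count=1)
    if n != 1:
        raise KeyError(f"{finding_id}: no open row in Fix Progress table")
    return text

# Constructed, abbreviated BACKLOG.md in the skill's format.
SAMPLE_BACKLOG = """# Audit Backlog
## BLOCKER findings (immediate action required)
### [BLOCKER-001] Hardcoded production AWS access key in settings
**Status**: open
**Severity**: BLOCKER
---
### [BLOCKER-002] Active CVE in django dependency
**Status**: open
---
## Fix Progress
| ID | Status | Fixed at | Commit |
|----|--------|----------|--------|
| BLOCKER-001 | open | - | - |
| BLOCKER-002 | open | - | - |
"""

if __name__ == "__main__":
    print(mark_fixed(SAMPLE_BACKLOG, "BLOCKER-001", "abc1234"))
```

Marking an already-fixed or unknown ID raises instead of silently rewriting something else, which is the failure mode an in-place edit has to guard against.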
Install: `npx claudepluginhub shakhovskiya-create/shakhoff-claude-marketplace --plugin sdlc-audit`