From security-audit
Runs SAST tools and AI skills, generates security reports. Works with Claude Code and OpenCode.
Slash command: `/security-audit:security-audit`
Files in this skill:

- `ai-skills.yaml`
- `reference/dedup-rules.md`
- `reference/finding-schema.md`
- `scanner/configs/osv-scanner.toml`
- `scanner/configs/security-scan-config.yaml`
- `scanner/configs/semgrep.yaml`
- `scanner/configs/semgrep/custom-rules.yaml`
- `scanner/configs/semgrep/rhoai-bff-security.yaml`
- `scanner/configs/semgrep/rhoai-core.yaml`
- `scanner/configs/semgrep/rhoai-external-api.yaml`
- `scanner/configs/semgrep/rhoai-ml-pipelines.yaml`
- `scanner/configs/semgrep/rhoai-operators.yaml`
- `scanner/configs/semgrep/rhoai-supply-chain.yaml`
- `scanner/configs/semgrep/rhoai-webhooks.yaml`
- `scanner/configs/semgrep/semgrep-generic.yaml`
- `scanner/configs/semgrep/semgrep-kubernetes-operator.yaml`
- `scanner/configs/semgrep/semgrep-python.yaml`
- `scanner/configs/semgrep/semgrep-rhoai-auth-patterns.yaml`
- `scanner/configs/semgrep/semgrep-typescript.yaml`
- `scanner/configs/semgrep/semgrep-unified.yaml`

This skill delegates to `pipeline.py`, a deterministic Python orchestrator. Do not orchestrate steps yourself.
Run the pipeline in the background, then poll the output for progress:

```bash
python3 ${CLAUDE_SKILL_DIR:-.}/scripts/pipeline.py $ARGUMENTS
```

Use `run_in_background: true` for the Bash tool, then poll the output file every 60 seconds using `tail -5 <output_file>` to relay progress to the user. Key lines to watch for:

- `Step 2: SAST scan complete` (SAST done, usually ~30s)
- `Invoking adversarial-reviewing...` (AI review started)
- `adversarial-reviewing complete` (AI review done, usually 15-30min)
- `semantic-scan complete` (semantic scan done, usually 5-10min)
- `Pipeline complete` (all done, present results)

When the pipeline completes, present the results summary and report file locations to the user.
| Flag | Effect |
|---|---|
| `--skip-ai` | Skip AI skills, SAST only |
| `--no-cache` | Clear AI skill caches, force fresh review |
| `--no-sandbox` | Run AI skills without container isolation |
| `--reports-only` | Regenerate reports from existing scan data |
| `--scan-dir <path>` | Specify scan directory for `--reports-only` |
| `--branch <name>` | Branch to scan (default: main) |
| `--arch-context <path>` | Path or GitHub repo for architecture context |
| `--model <model>` | LLM model (e.g. `openai/gpt-4o`). Default: harness config |
Do not orchestrate steps yourself. Do not add your own security analysis. Do not invoke AI skills directly. Let pipeline.py handle everything. If it fails, report the error to the user.
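A watcher for the polling step described above, as an added example that is not part of the skill or its project: it reports which of the listed key lines have appeared and treats an exit without `Pipeline complete` as a failure to report. The function names, labels and log path are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill. Marker strings are the key lines listed
# above; function names and labels are made up for illustration.

# label|marker pairs, in the order the page lists them.
MARKERS='sast-done|Step 2: SAST scan complete
ai-review-started|Invoking adversarial-reviewing...
ai-review-done|adversarial-reviewing complete
semantic-scan-done|semantic-scan complete
pipeline-done|Pipeline complete'

# Print the labels of every milestone found anywhere in the output file.
# Greps the whole file, so a line that scrolled out of `tail -5` between
# polls still counts; no ordering between milestones is assumed.
milestones_seen() {
    local log="$1" label marker out=""
    [ -r "$log" ] || return 0
    while IFS='|' read -r label marker; do
        if grep -qF -- "$marker" "$log"; then out="${out:+$out }$label"; fi
    done <<EOF
$MARKERS
EOF
    printf '%s\n' "$out"
}

# Poll until the pipeline process exits, relaying each change in progress once.
# Returns 0 only if "Pipeline complete" was written; otherwise shows the last
# lines of output on stderr so the error can be reported unchanged.
watch_pipeline() {
    local pid="$1" log="$2" interval="${3:-60}" seen="" now
    while :; do
        now="$(milestones_seen "$log")"
        [ "$now" = "$seen" ] || { echo "progress: $now"; seen="$now"; }
        kill -0 "$pid" 2>/dev/null || break
        sleep "$interval"
    done
    now="$(milestones_seen "$log")"   # final read after the process has exited
    case " $now " in *" pipeline-done "*) return 0 ;; esac
    echo "pipeline exited without 'Pipeline complete'; last output:" >&2
    [ -r "$log" ] && tail -5 "$log" >&2
    return 1
}

# Usage (log path is an assumption):
#   python3 "${CLAUDE_SKILL_DIR:-.}/scripts/pipeline.py" --skip-ai >audit.log 2>&1 &
#   watch_pipeline "$!" audit.log 60
```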
npx claudepluginhub ugiordan/security-audit --plugin security-audit