auditing-security_skill

This skill audits code changes for secrets and security issues, guiding safe commits and comprehensive vulnerability checks across projects.
  • Python

1

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill git-fg/thecattoolkit --skill auditing-security

  • SKILL.md2.4 KB

Overview

This skill scans code and files for exposed secrets and performs comprehensive security audits focused on code changes and file safety. It combines automated secret detection and file-protection checks with a manual audit protocol to produce structured, actionable reports. Use it to verify security before merging changes or publishing artifacts.

How this skill works

On edit or write actions it runs pre-commit style hooks that detect API keys, bearer tokens, private keys, GitHub tokens, and other sensitive strings. It also flags modifications to lock files, secrets directories, and Git internals to prevent accidental exposure. For deeper reviews, it follows a three-phase manual audit: discovery, targeted scanning (including OWASP Top 10 checks and anti-pattern detection), and structured reporting with prioritized remediation.

When to use it

  • Before merging pull requests that introduce code or configuration changes
  • When auditing a repository for accidental secret exposure
  • Prior to releasing packages or publishing builds
  • During code reviews for high-risk components (auth, crypto, file handling)
  • When onboarding new components or third-party dependencies

Best practices

  • Run automated secret scans on every edit or commit and block pushes with detected secrets
  • Treat lock files and .env/credentials directories as protected—review modifications manually
  • Combine pattern-based scanning with targeted OWASP-style checks for logical vulnerabilities
  • Prioritize remediation by severity and provide clear, stepwise recommendations
  • Rotate any discovered credentials immediately and replace with environment-managed secrets

Example use cases

  • Detecting an accidentally committed OpenAI or AWS API key in a feature branch
  • Auditing a repository before a production release to ensure no private keys are included
  • Flagging changes that modify package-lock.json or poetry.lock files for manual review
  • Performing a security review of authentication and input handling code against OWASP Top 10
  • Generating a structured security audit report to share with stakeholders

FAQ

The automated checks look for API keys (OpenAI, Anthropic, AWS), bearer tokens, GitHub tokens, and private key markers. Pattern rules cover common token and password formats as well as PEM private key headers.

What happens if a lock file or .env is modified?

The skill warns on modifications to lock files and secrets directories so reviewers can verify the change is intentional and safe before allowing commits or merges.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational