Code Security Auditor
Comprehensive code security audit with AI-powered vulnerability detection. Covers OWASP Top 10, dependency scanning, secret detection, SAST, and provides act...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 275 · 2 current installs · 3 all-time installs
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description align with the code and docs: auditor.py, rules, secret-detection, dependency scans and an LLM verification stage all implement a code-audit tool. However the SKILL metadata declares no required env vars or binaries while the code/docs clearly reference external tools (pip-audit, npm audit, trufflehog, gitleaks, detect-secrets) and LLM providers/APIs—this omission is a mismatch that reduces transparency about runtime needs.
Instruction Scope
SKILL.md and the code instruct the agent to run wide-reaching scans over a project (traverse files, run trufflehog/gitleaks, run dependency audits) and to perform AI-driven verification. Those actions are expected for an auditor, but the LLM verification stage implies sending code/context to models (README and IMPROVEMENT_REPORT discuss cloud/local LLM providers). The instructions do not clearly warn that using remote LLM APIs will transmit code/extracted context externally, nor do they limit what gets sent. iterate.sh and the auditor write into the workspace (/root/.openclaw/...), which is normal for skill-local state but is global to the agent environment.
Install Mechanism
No install spec (instruction-only + bundled code) — lower risk because nothing is downloaded automatically. But the code expects many third-party CLI tools and LLM runtimes to be present; those are not declared in the skill manifest. The lack of an install spec means the skill will attempt to invoke external tools already on PATH, which may fail or behave unexpectedly if absent or different versions.
Credentials
Manifest lists no required environment variables, yet README/IMPROVEMENT_REPORT/llm_integration mention integration options for cloud LLM providers (APIs for Qwen, Aliyun, ChatGLM, CodeLlama/Ollama). If a user configures cloud LLMs, API keys/credentials will be needed. The skill also scans for many secret patterns (including OpenAI keys) and could surface secrets; absence of declared primaryEnv or recommended safe configuration is an omission. Overall requested/used env access is under-declared relative to functionality.
Persistence & Privilege
always:false (good). The skill writes reports and learning files into the agent workspace (iterate.sh writes to /root/.openclaw/workspace and .learnings). Writing its own reports is expected for an auditor, but the paths target a global workspace area—users should be aware the skill will create/append files in the agent environment.
What to consider before installing
This skill appears to implement a legitimate local code-auditor, but take precautions before installing or running it:
1) Expect it to invoke many external CLI tools (pip-audit, npm audit, trufflehog, gitleaks, detect-secrets, cargo audit, mvn, etc.). Ensure you run it in an isolated environment or CI job with minimal privileges.
2) The skill supports LLM-driven verification; if you enable cloud LLM providers, your project code/context may be sent off-host. Review llm_integration.py and configuration first and prefer local LLMs if you must keep code private.
3) The skill manifest does not declare required binaries or API keys even though code and docs reference them. Prepare required tooling and credentials and audit the code (especially llm_integration.py) before use.
4) Review where it writes files (/root/.openclaw/workspace/*) and any network calls; run initial scans on non-sensitive sample projects to observe behavior.
If you need, ask the skill author for explicit documentation of required environment variables and a safe default configuration that disables remote LLM calls.
Current version: v1.3.0
Tags: code-audit, latest, owasp, security
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Code Security Auditor
A comprehensive code security audit tool that combines AI reasoning with professional security scanners to deliver high-confidence vulnerability discovery, actionable fix suggestions and continuous learning.
🎯 Core capabilities
| Capability | Description | Parity with Codex Security |
|---|---|---|
| OWASP Top 10 detection | SQL injection, XSS, CSRF, SSRF, etc. | ✅ |
| Dependency vulnerability scanning | Security checks for npm/pip/cargo/maven dependencies | ✅ |
| Secret leak detection | Hard-coded API keys, passwords and tokens | ✅ |
| SAST static analysis | Code-flow analysis, taint tracking | ✅ |
| Configuration security audit | CORS, CSP and SSL/TLS configuration checks | ✅ |
| Fix generation | Executable security fix code | ✅ |
| False-positive reduction | AI context understanding lowers false positives | ✅ |
🚀 Quick start
```shell
# Full security audit
code-security-auditor audit <project_path>
# Quick scan (high-severity vulnerabilities only)
code-security-auditor quick <project_path>
# Target a specific vulnerability type
code-security-auditor scan --type sql-injection <project_path>
code-security-auditor scan --type xss <project_path>
code-security-auditor scan --type ssrf <project_path>
# Generate fix suggestions
code-security-auditor fix <vulnerability_id>
# Compare against a baseline
code-security-auditor compare --baseline .security-baseline.json
```
📋 Audit phases (8-phase deep audit)
Phase 1: Dependency vulnerability scan
Scan project dependencies for known vulnerabilities.
```shell
# Python
pip-audit
safety check
pipx run pip-audit --format json
# Node.js
npm audit --json
npx audit-ci --config audit-ci.jsonc
# Rust
cargo audit --json
# Java/Maven
mvn org.owasp:dependency-check-maven:check -Dformat=JSON
```
Example output:
```json
{
  "phase": "dependency_scan",
  "verdict": "WARN",
  "findings": [
    {
      "id": "DEP-001",
      "severity": "HIGH",
      "package": "requests",
      "version": "2.28.0",
      "vulnerability": "CVE-2023-32681",
      "description": "信息泄露风险",
      "fix": "升级到 2.31.0+",
      "cvss": 7.5
    }
  ]
}
```
Phase 2: Secret leak detection
Detect hard-coded sensitive information.
Detection patterns:
```python
# API keys
r'(api[_-]?key|apikey)\s*[:=]\s*["\'][a-zA-Z0-9]{20,}["\']'
# Passwords
r'(password|passwd|pwd)\s*[:=]\s*["\'].+["\']'
# Tokens
r'(token|secret|auth)\s*[:=]\s*["\'][a-zA-Z0-9_-]{20,}["\']'
# Private keys
r'-----BEGIN (RSA |EC )?PRIVATE KEY-----'
# Cloud credentials
r'AKIA[0-9A-Z]{16}'       # AWS access key
r'ghp_[a-zA-Z0-9]{36}'    # GitHub token
```
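As an added example (not the skill's own auditor.py), the six patterns above compiled and run over a constructed sample file, with each match redacted before it is reported so the scanner's output does not re-leak the secret it found; the rule names, `scan_text` and `SAMPLE_CONFIG` are mine.

```python
import re

# The page's Phase 2 patterns, compiled once (rule names are mine)
SECRET_PATTERNS = {
    "api_key": re.compile(r'(api[_-]?key|apikey)\s*[:=]\s*["\'][a-zA-Z0-9]{20,}["\']'),
    "password": re.compile(r'(password|passwd|pwd)\s*[:=]\s*["\'].+["\']'),
    "token": re.compile(r'(token|secret|auth)\s*[:=]\s*["\'][a-zA-Z0-9_-]{20,}["\']'),
    "private_key": re.compile(r'-----BEGIN (RSA |EC )?PRIVATE KEY-----'),
    "aws_access_key": re.compile(r'AKIA[0-9A-Z]{16}'),
    "github_token": re.compile(r'ghp_[a-zA-Z0-9]{36}'),
}

def redact(secret: str, keep: int = 4) -> str:
    # Keep a short prefix so the finding is recognisable without re-leaking the value
    return secret[:keep] + "*" * max(0, len(secret) - keep)

def scan_text(text: str, filename: str = "<constructed>") -> list:
    # Run every pattern over each line; return (file, line_no, rule, redacted_match) tuples
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((filename, line_no, rule, redact(m.group(0))))
    return findings

# Constructed sample file: every value below is a dummy, not a real credential
SAMPLE_CONFIG = (
    'DEBUG = True\n'
    'api_key = "abcdefghijklmnopqrstuvwxyz0123"\n'
    'password = "hunter2"\n'
    'aws_key = "AKIAIOSFODNN7EXAMPLE"\n'
    'gh = "ghp_' + 'A' * 36 + '"\n'
    'timeout = 30\n'
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, "config.py"):
        print(finding)
```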
Tool integrations:
```shell
# truffleHog
trufflehog filesystem <path> --json
# gitleaks
gitleaks detect --source <path> --report-format json
# detect-secrets
detect-secrets scan --all-files > .secrets.baseline
```
Phase 3: OWASP Top 10 vulnerability scan
3.1 SQL injection detection
Detection patterns:
```python
# Dangerous patterns
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")       # ❌
cursor.execute("SELECT * FROM users WHERE id = " + user_id)       # ❌
# Safe pattern
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))   # ✅
```
Scan rules:
- SQL statements built by string concatenation
- Parameterized queries not used
- User input flowing directly into a query
- ORM raw queries without escaping
3.2 XSS (cross-site scripting) detection
Detection patterns:
```python
# Dangerous patterns
return f"<div>{user_input}</div>"                            # ❌
html = "<span>" + request.args.get('name') + "</span>"       # ❌
# Safe pattern
from markupsafe import escape
return f"<div>{escape(user_input)}</div>"                    # ✅
```
Scan rules:
- User input rendered directly into HTML
- Template engine auto-escaping not used
- Direct innerHTML assignment
- Use of dangerouslySetInnerHTML
3.3 SSRF (server-side request forgery) detection
Detection patterns:
```python
# Dangerous patterns
requests.get(user_url)                  # ❌ no URL validation
urllib.request.urlopen(user_input)      # ❌
# Safe pattern
import requests
from urllib.parse import urlparse

def safe_request(url: str) -> requests.Response:
    parsed = urlparse(url)
    if not is_safe_url(parsed):   # scheme/host/IP checks; see the SSRF fix in the remediation section
        raise ValueError("Unsafe URL")
    return requests.get(url)
```
Scan rules:
- requests/urllib called directly with user input
- URL scheme not validated (http/https only)
- Internal IPs not checked (169.254.169.254 etc.)
- Redirects not restricted
3.4 Other OWASP Top 10 categories
| Vulnerability type | Detection focus |
|---|---|
| A01 Broken access control | Unauthorized access, IDOR, horizontal/vertical privilege escalation |
| A02 Cryptographic failures | Weak algorithms, hard-coded keys, plaintext storage |
| A03 Injection | SQL, NoSQL, command and LDAP injection |
| A04 Insecure design | Missing rate limiting, no audit logging |
| A05 Security misconfiguration | Default configuration, verbose error messages, open ports |
| A06 Vulnerable components | Outdated dependencies, known vulnerabilities |
| A07 Authentication failures | Weak passwords, no MFA, session fixation |
| A08 Data integrity failures | No signature verification, deserialization vulnerabilities |
| A09 Logging failures | Sensitive data in logs, no audit trail |
| A10 SSRF | See the detailed detection above |
Phase 4: Code-flow analysis (taint tracking)
Trace user input from its source to sensitive operations.
```python
# Taint source
user_input = request.args.get('id')   # tainted
# Taint propagation
data = process(user_input)            # still tainted
query = build_query(data)             # still tainted
# Taint sink
cursor.execute(query)                 # VULNERABLE!
```
AI-enhanced analysis:
- Cross-function taint tracking
- Recognition of sanitizer functions
- Context-sensitive analysis
- Lower false-positive rate
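An added example (not the skill's code) of the intra-procedural core of this phase: an `ast`-based tracker that follows taint from a source call through assignments into a sink call and stops at a recognised sanitizer. The SOURCES/SINKS/SANITIZERS tables, the class names and the sample functions are constructed assumptions; cross-function tracking, which the page attributes to the AI stage, is out of scope here.

```python
import ast

SOURCES = {"request.args.get", "request.form.get"}   # hypothetical tables (assumption)
SINKS = {"cursor.execute", "os.system"}
SANITIZERS = {"int", "escape"}

def dotted(node):
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return ""
def is_tainted(expr, tainted):
    # True if expr reads a tainted name or calls a source, unless its outermost call is a sanitizer
    if isinstance(expr, ast.Call) and dotted(expr.func) in SANITIZERS:
        return False
    return any((isinstance(n, ast.Name) and n.id in tainted)
               or (isinstance(n, ast.Call) and dotted(n.func) in SOURCES)
               for n in ast.walk(expr))
class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted, self.findings = set(), []   # findings are (line, sink) tuples
    def visit_FunctionDef(self, node):
        self.tainted = set()                      # taint state is per function
        self.generic_visit(node)
    def visit_Assign(self, node):
        names = {t.id for t in node.targets if isinstance(t, ast.Name)}
        if is_tainted(node.value, self.tainted):
            self.tainted |= names
        else:
            self.tainted -= names                 # a clean value clears taint
        self.generic_visit(node)
    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(is_tainted(a, self.tainted) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)
def find_taint_flows(source):
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings
# Constructed sample: lookup() is the page's Source -> propagation -> Sink chain, lookup_safe() sanitizes
SAMPLE = """def lookup(request, cursor):
    user_input = request.args.get('id')
    data = process(user_input)
    cursor.execute(build_query(data))
def lookup_safe(request, cursor):
    user_id = int(request.args.get('id'))
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
"""
```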
Phase 5: Configuration security audit
5.1 Web server configuration
```yaml
# CORS check
cors:
  allowed_origins: ["*"]            # ❌ forbidden in production
  allowed_methods: ["GET", "POST"]
  credentials: true                 # ⚠️ conflicts with *
# CSP check
content_security_policy:
  default_src: ["'self'"]                       # ✅
  script_src: ["'self'", "'unsafe-inline'"]     # ⚠️ avoid unsafe-inline
```
5.2 SSL/TLS configuration
```yaml
ssl:
  min_version: "TLSv1.2"    # ✅ disallow TLSv1.0/1.1
  ciphers:                  # ✅ strong cipher suites
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES128-GCM-SHA256
  hsts: true                # ✅ enable HSTS
```
5.3 File permissions
```shell
# Check permissions on sensitive files
chmod 600 .env          # ✅
chmod 644 config.yaml   # ✅
chmod 755 scripts/      # ✅
chmod 777 anything      # ❌ forbidden
```
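An added example (not the skill's own rules) that applies the 5.1 and 5.2 checks to a configuration dictionary: wildcard CORS with credentials, `unsafe-inline` in CSP, a TLS floor below 1.2, cipher suites without forward secrecy or AEAD, and missing HSTS. `audit_config`, `ConfigFinding` and the constructed `WEAK_CONFIG` are mine; the key names follow the snippets above.

```python
from dataclasses import dataclass

@dataclass
class ConfigFinding:
    check: str
    severity: str
    detail: str

WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

def audit_config(cfg: dict) -> list:
    findings = []
    cors = cfg.get("cors", {})
    if "*" in cors.get("allowed_origins", []):
        if cors.get("credentials"):   # wildcard origin plus credentials is the combination 5.1 flags
            findings.append(ConfigFinding("cors", "HIGH", "allowed_origins '*' together with credentials: true"))
        else:
            findings.append(ConfigFinding("cors", "MEDIUM", "allowed_origins '*' is forbidden in production"))
    for directive, values in cfg.get("content_security_policy", {}).items():
        for bad in ("'unsafe-inline'", "'unsafe-eval'"):
            if bad in values:
                findings.append(ConfigFinding("csp", "MEDIUM", f"{directive} permits {bad}"))
    ssl = cfg.get("ssl", {})
    if ssl.get("min_version") in WEAK_TLS:
        findings.append(ConfigFinding("tls", "HIGH", f"min_version {ssl['min_version']} is below TLSv1.2"))
    for suite in ssl.get("ciphers", []):
        # Require forward secrecy (ECDHE) and an AEAD cipher (GCM or CHACHA20)
        if not suite.startswith("ECDHE-") or not ("GCM" in suite or "CHACHA20" in suite):
            findings.append(ConfigFinding("tls", "MEDIUM", f"weak cipher suite {suite}"))
    if not ssl.get("hsts"):
        findings.append(ConfigFinding("tls", "LOW", "hsts is not enabled"))
    return findings

# Constructed configuration that violates several of the checks above
WEAK_CONFIG = {
    "cors": {"allowed_origins": ["*"], "allowed_methods": ["GET", "POST"], "credentials": True},
    "content_security_policy": {"default_src": ["'self'"], "script_src": ["'self'", "'unsafe-inline'"]},
    "ssl": {"min_version": "TLSv1.0", "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"], "hsts": False},
}

if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```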
Phase 6: Authentication and session security
Checklist:
| Check | Requirement |
|---|---|
| Password storage | bcrypt/argon2; no plaintext, MD5 or SHA1 |
| Session management | HttpOnly + Secure + SameSite |
| Token security | JWT signature verification, sensible expiry |
| MFA support | Multi-factor authentication for critical operations |
| Rate limiting | Brute-force protection on login/registration endpoints |
| Account lockout | Temporary lockout after repeated failures |
Phase 7: Security logging and monitoring
Checklist:
```python
# ✅ Correct logging
logger.info(f"User {user_id} logged in from {ip}")
# ❌ Wrong logging (leaks sensitive information)
logger.info(f"Login attempt: user={username}, password={password}")
```
Requirements:
- No sensitive information in logs
- Complete recording of security events
- Log integrity protection
- Alert thresholds configured
Phase 8: AI-driven vulnerability verification
Use an AI model to verify whether a potential vulnerability is real, reducing false positives.
```python
# AI verification flow (illustrative; the helper functions are the tool's own stages)
def ai_verify_vulnerability(finding: Finding) -> VerificationResult:
    # 1. Analyse the code context
    context = extract_context(finding.location)
    # 2. Check for existing protections
    has_sanitizer = check_sanitizer(context)
    has_validation = check_input_validation(context)
    # 3. Build the exploit path
    exploit_path = generate_exploit_path(finding)
    # 4. Assess the real risk
    if has_sanitizer and not exploit_path:
        return VerificationResult.FALSE_POSITIVE
    return VerificationResult.CONFIRMED
```
Results (compared with Codex Security):
- False-positive rate ↓ 50%
- Noise ↓ 84%
- True-vulnerability detection rate ↑
📊 Risk rating system
CVSS 3.1 scores
| Level | Score range | Colour |
|---|---|---|
| Critical | 9.0 - 10.0 | 🔴 |
| High | 7.0 - 8.9 | 🟠 |
| Medium | 4.0 - 6.9 | 🟡 |
| Low | 0.1 - 3.9 | 🟢 |
| None | 0.0 | ⚪ |
Overall verdict
```python
from typing import List

def calculate_verdict(findings: List[Finding]) -> str:
    # Finding carries a .severity string (CRITICAL/HIGH/MEDIUM/LOW) as in the JSON report
    critical_count = sum(1 for f in findings if f.severity == "CRITICAL")
    high_count = sum(1 for f in findings if f.severity == "HIGH")
    if critical_count > 0:
        return "FAIL - CRITICAL VULNERABILITIES FOUND"
    elif high_count > 0:
        return "FAIL - HIGH SEVERITY VULNERABILITIES FOUND"
    elif any(f.severity == "MEDIUM" for f in findings):
        return "WARN - MEDIUM SEVERITY ISSUES FOUND"
    elif findings:
        return "PASS WITH INFO - LOW SEVERITY ISSUES FOUND"
    else:
        return "PASS - NO SECURITY ISSUES FOUND"
```
🔧 Fix generation
Automated fix examples
SQL injection fix
Before:
```python
def get_user(user_id: str):
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    return cursor.execute(query)
```
After:
```python
def get_user(user_id: str):
    query = "SELECT * FROM users WHERE id = %s"
    return cursor.execute(query, (user_id,))
```
XSS fix
Before:
```python
@app.route('/greet')
def greet():
    name = request.args.get('name')
    return f"<h1>Hello, {name}!</h1>"
```
After:
```python
from markupsafe import escape

@app.route('/greet')
def greet():
    name = request.args.get('name')
    return f"<h1>Hello, {escape(name)}!</h1>"
```
SSRF fix
Before:
```python
def fetch_url(url: str):
    return requests.get(url)
```
After:
```python
import ipaddress
import socket
from urllib.parse import urlparse

import requests

def is_safe_url(url: str) -> bool:
    parsed = urlparse(url)
    if parsed.scheme not in ['http', 'https'] or not parsed.hostname:
        return False
    try:
        ip_obj = ipaddress.ip_address(socket.gethostbyname(parsed.hostname))
    except (socket.gaierror, ValueError):
        return False
    # Block private, loopback, link-local and cloud metadata addresses
    if ip_obj.is_private or ip_obj.is_loopback or ip_obj.is_link_local:
        return False
    if str(ip_obj) == '169.254.169.254':  # AWS metadata (already link-local; kept explicit)
        return False
    return True

def fetch_url(url: str):
    # Note: the hostname is resolved here and again by requests; a DNS answer
    # that changes between the two lookups can bypass this check.
    if not is_safe_url(url):
        raise ValueError("Unsafe URL detected")
    # allow_redirects=False: a redirect could otherwise point at an internal address
    return requests.get(url, allow_redirects=False)
```
📁 Configuration file (.security-audit.yaml)
```yaml
# Project security audit configuration
# Scan scope
scope:
  include:
    - "src/**/*"
    - "app/**/*"
  exclude:
    - "**/test/**"
    - "**/vendor/**"
    - "**/node_modules/**"
    - "**/*.min.js"
# Risk thresholds
thresholds:
  critical: 0    # no critical vulnerabilities allowed
  high: 0        # no high-severity vulnerabilities allowed
  medium: 10     # at most 10 medium
  low: 50        # at most 50 low
# Rule configuration
rules:
  sql_injection:
    enabled: true
    severity: CRITICAL
  xss:
    enabled: true
    severity: HIGH
  ssrf:
    enabled: true
    severity: CRITICAL
  hardcoded_secrets:
    enabled: true
    severity: CRITICAL
  dependency_vulnerabilities:
    enabled: true
    min_severity: HIGH   # report only high and above
# Fix suggestions
fix_suggestions:
  enabled: true
  auto_fix: false        # enable automatic fixes with care
  review_required: true
# Reporting
reporting:
  formats:
    - markdown
    - json
    - sarif              # IDE integration
  include_code_snippets: true
  include_fix_examples: true
```
📤 Report output
Terminal summary
```text
🔒 Code Security Audit Report
═══════════════════════════════════════════════════
Project: my-app @ abc1234
Date: 2026-03-07 14:30:00
Duration: 45.2s
Verdict: ❌ FAIL - HIGH SEVERITY VULNERABILITIES FOUND
Summary:
┌─────────────┬───────┬──────────┐
│ Severity    │ Count │ Status   │
├─────────────┼───────┼──────────┤
│ 🔴 Critical │     2 │ FAIL     │
│ 🟠 High     │     5 │ FAIL     │
│ 🟡 Medium   │    12 │ WARN     │
│ 🟢 Low      │    23 │ INFO     │
└─────────────┴───────┴──────────┘
Top Issues:
1. [CRITICAL] SQL Injection in user_controller.py:45
   → Use parameterized queries
2. [CRITICAL] Hardcoded AWS Key in config.py:12
   → Move to environment variables
3. [HIGH] XSS in template.html:78
   → Escape user input
4. [HIGH] SSRF in webhook_handler.py:34
   → Validate URL before request
5. [HIGH] Outdated dependency: requests@2.28.0
   → Upgrade to 2.31.0+
Next Steps:
• Run: code-security-auditor fix --all
• Review: .security-audit/report.md
• Compare: code-security-auditor compare --baseline
```
JSON report (machine-readable)
```json
{
  "meta": {
    "timestamp": "2026-03-07T14:30:00Z",
    "commit": "abc1234",
    "tool_version": "1.0.0"
  },
  "verdict": "FAIL",
  "summary": {
    "critical": 2,
    "high": 5,
    "medium": 12,
    "low": 23,
    "total": 42
  },
  "findings": [
    {
      "id": "SQL-INJ-001",
      "type": "sql_injection",
      "severity": "CRITICAL",
      "cvss": 9.8,
      "location": {
        "file": "src/controllers/user_controller.py",
        "line": 45,
        "column": 12
      },
      "description": "用户输入直接进入 SQL 查询",
      "evidence": "cursor.execute(f\"SELECT * FROM users WHERE id = '{user_id}'\")",
      "remediation": {
        "description": "使用参数化查询",
        "code": "cursor.execute(\"SELECT * FROM users WHERE id = %s\", (user_id,))"
      },
      "references": [
        "https://owasp.org/www-community/attacks/SQL_Injection",
        "https://cwe.mitre.org/data/definitions/89.html"
      ]
    }
  ]
}
```
SARIF format (IDE integration)
```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Code Security Auditor",
          "version": "1.0.0"
        }
      },
      "results": [
        {
          "ruleId": "SQL-INJ",
          "level": "error",
          "message": {
            "text": "SQL Injection vulnerability detected"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/controllers/user_controller.py"
                },
                "region": {
                  "startLine": 45,
                  "startColumn": 12
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
```
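An added example (not the tool's own exporter) that converts a report in the JSON layout above into the SARIF 2.1.0 shape above: auditor severities are mapped to SARIF result levels, one rule descriptor is emitted per finding type with its first reference as `helpUri`, and the CVSS score and remediation code go into the result's property bag. The level mapping, `report_to_sarif` and the constructed `REPORT` are assumptions; the finding `type` is used as `ruleId`.

```python
import json

SARIF_SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"
# Auditor severities mapped to SARIF result levels (the mapping is an assumption, not the tool's)
LEVELS = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

def finding_to_result(f: dict) -> dict:
    loc = f["location"]
    return {
        "ruleId": f["type"],
        "level": LEVELS.get(f["severity"], "none"),
        "message": {"text": f["description"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": loc["file"]},
            "region": {"startLine": loc["line"], "startColumn": loc.get("column", 1)},
        }}],
        # Non-standard data goes in the property bag so viewers can still show it
        "properties": {"cvss": f.get("cvss"), "remediation": f.get("remediation", {}).get("code")},
    }

def report_to_sarif(report: dict) -> dict:
    rules = {}   # one reportingDescriptor per finding type; first reference becomes helpUri
    for f in report["findings"]:
        rule = {"id": f["type"]}
        if f.get("references"):
            rule["helpUri"] = f["references"][0]
        rules.setdefault(f["type"], rule)
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "Code Security Auditor",
                                "version": report["meta"]["tool_version"],
                                "rules": list(rules.values())}},
            "results": [finding_to_result(f) for f in report["findings"]],
        }],
    }

# Constructed report in the JSON layout shown above (one finding is enough to exercise the mapping)
REPORT = {
    "meta": {"timestamp": "2026-03-07T14:30:00Z", "commit": "abc1234", "tool_version": "1.0.0"},
    "verdict": "FAIL",
    "findings": [{
        "id": "SQL-INJ-001", "type": "sql_injection", "severity": "CRITICAL", "cvss": 9.8,
        "location": {"file": "src/controllers/user_controller.py", "line": 45, "column": 12},
        "description": "User input flows directly into a SQL query",
        "remediation": {"code": 'cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))'},
        "references": ["https://cwe.mitre.org/data/definitions/89.html"],
    }],
}
```

`json.dumps(report_to_sarif(REPORT), indent=2)` produces the file that `github/codeql-action/upload-sarif` or an IDE SARIF viewer consumes.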
🔄 CI/CD integration
GitHub Actions
```yaml
name: Security Audit
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
jobs:
  security-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Security Audit
        run: |
          code-security-auditor audit . \
            --format sarif \
            --output security-results.sarif \
            --fail-on high
      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: security-results.sarif
      - name: Check Baseline
        run: |
          code-security-auditor compare \
            --baseline .security-baseline.json \
            --current security-results.json
```
GitLab CI
```yaml
security-audit:
  stage: test
  image: python:3.11
  script:
    - pip install code-security-auditor
    - code-security-auditor audit . --fail-on high
  artifacts:
    reports:
      sast: security-results.sarif
```
📚 References
OWASP Top 10 2021
CWE Common Weakness Enumeration
Secure coding guidelines
- Python: https://docs.python.org/3/library/security.html
- Node.js: https://nodejs.org/en/docs/guides/security/
Vulnerability databases
- NVD: https://nvd.nist.gov/
- CVE: https://cve.mitre.org/
🎯 Comparison with OpenAI Codex Security
| Capability | Codex Security | Code Security Auditor |
|---|---|---|
| OWASP Top 10 | ✅ | ✅ |
| Dependency scanning | ✅ | ✅ |
| Secret detection | ✅ | ✅ (truffleHog/gitleaks) |
| SAST | ✅ AI-driven | ✅ AI + rules hybrid |
| False-positive reduction | ✅ ↓50% | ✅ AI verification phase |
| Fix suggestions | ✅ executable code | ✅ executable code |
| Local execution | ❌ requires upload to OpenAI | ✅ fully local |
| Data privacy | ⚠️ code leaves your environment | ✅ code stays local |
| Cost | Paid (first month free) | ✅ open source, free |
| Extensibility | ❌ closed | ✅ custom rules |
⚠️ Risk statement
- This tool does not guarantee that every vulnerability is found; combine security audits with manual review
- Apply automatic fixes with care; review them before applying
- Manual confirmation is required before production; automated tools are no substitute for security experts
- Update the rule base regularly; new vulnerabilities keep appearing, so keep the tool current
📝 Usage examples
```shell
# Quick check during development
code-security-auditor quick ./src
# Full audit before release
code-security-auditor audit . --output report.md
# Audit only the changes in a PR
code-security-auditor audit . --changed-only
# Generate fix patches
code-security-auditor fix --all --review
# Compare against a baseline (regression detection)
code-security-auditor compare --baseline last-release.json
# Export SARIF for IDE use
code-security-auditor audit . --format sarif --output results.sarif
```
Continuous learning: every audit result can be fed back into the AI model to keep lowering the false-positive rate and raising the detection rate.