feat(claude-skills): add complyos-security-review skill#1
Open
dkramer-sevenbelow wants to merge 6 commits into
Evidence-backed security review skill for Claude Code targeting multi-tenant SaaS compliance platforms.
Coverage:
- OWASP Top 10:2021
- OWASP ASVS Level 2
- OWASP API Security Top 10:2023
- OWASP LLM Top 10:2025 + Agentic AI 2026
- Tenant isolation (RLS, GUC propagation, BYPASSRLS, BOLA, BFLA, support elevation)
- Evidence/document storage (signed URLs, malware scan, retention)
- CI/CD + supply chain (lockfiles, SCA, secret scan, branch protection)
- Cloud / IaC (IAM, SAs, env separation, Secret Manager, audit logs)
Drives a 15-phase review producing 14-15 artifacts with file/line evidence on every finding. Tenant-isolation breaches default to Critical. PASS verdicts require implementation evidence; spec text alone is rejected.
Status separation: CONFIRMED / LIKELY / STATIC-ONLY / NEEDS-RUNTIME-TEST / BLOCKED.
Layout:
- SKILL.md — operating contract (phases, rules, evidence, severity)
- checklists/ — 10 domain checklists (OWASP suites, tenant isolation, AuthN/Z, data/evidence, CI/CD, cloud, AI/RAG)
- templates/ — 6 artifact templates (finding, register, scope, threat model, remediation plan, test plan)
- examples/ — invocation prompts and command reference
Branded README documents install (user-scope, project-scope, symlink, sparse clone), trigger phrases, invocation patterns, output structure, severity model, refusal modes, and contributing guidelines.
Public-repo safe: scrubbed of internal hostnames, repo names, role IDs, Jira project keys, and any vault references.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…o OWASP checklists
Self-test caught 4 OWASP-suite checklists missing a "Required regression tests" section. Added per-category mapping pointing each checklist item at the matching test category in templates/test-plan-template.md.
Affected:
- checklists/owasp-top-10.md (A01..A10 → test categories 4-21)
- checklists/owasp-asvs-l2.md (V2..V14 → test categories + ad-hoc tests)
- checklists/owasp-api-security.md (API1..API10 → test categories)
- checklists/owasp-llm-security.md (LLM01..LLM10 + Agentic → test categories)
Closes the test-traceability gap so every checklist contributes a concrete regression-test recommendation to 13-test-gap-report.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lidate-finding, aggregate-counts, scrub-check)
Skill was previously pure Markdown. Adding deterministic helpers so operating rules are enforced mechanically rather than relying on Claude's self-discipline.
Scripts:
- init-review.sh — bootstrap the 14-15 artifact skeleton from templates; idempotent (re-run skips existing files); --with-ai flag for Phase 8 inclusion; --force to overwrite.
- validate-finding.py — lint each FINDING block against finding-template.md. Checks 19 required fields, severity enum, status enum, evidence subfields, line-number presence on File: evidence, banned evidence phrases. Tolerates both `- Severity: X` and `- **Severity:** X` markdown styles. Exits 1 on any violation (CI-gateable).
- aggregate-counts.py — emit Markdown tables for findings register Aggregate Counts and Findings By Category sections. Counts severity, status, category per controlled vocabularies.
- scrub-check.sh — pre-publish scan for JWT/API-key/private-key patterns. Default deny-set: eyJ JWTs, sk_/pk_ Stripe, ghp_/ghs_/gho_ GitHub, AKIA/ASIA AWS, AIza Google, xox[abps]- Slack, BEGIN PRIVATE KEY headers, .pem/.key file refs. PLACEHOLDER_* literals explicitly allowed (workspace convention). Custom patterns via --config <file>. Exit 1 on any match.
All scripts tested:
- init-review.sh: creates 16 artifacts (with --with-ai); idempotent re-run skips all.
- validate-finding.py: VALID input -> 0 errors / exit 0; BAD input -> 20 errors caught.
- aggregate-counts.py: correctly counts High=1, CONFIRMED=1, BOLA=1.
- scrub-check.sh: clean dir -> exit 0; planted sk_test_ key -> exit 1.
SKILL.md now mentions scripts as pre-completion gates. README adds full usage docs + suggested CI integration block.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…verwrite
Prior commit synced SKILL.md from local source which had not been re-scrubbed post-edit; restored 5 references to internal paths/hostnames into the public copy (library-reading-room/specs/INDEX.md, library-reading-room/research/..., int-api.sevenbelow.com). This commit re-applies the scrub pass to keep the public copy free of internal infrastructure names.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…thon
Drops Bash variants (init-review.sh, scrub-check.sh) in favor of Python
equivalents. Skill now ships 4 Python 3.10+ helpers (stdlib only, no
third-party deps).
Why:
- Cross-platform: bash/zsh/sh divergence eliminated
- Testability: argparse + structured stdout
- Consistent surface: all 4 scripts invoked the same way
- Easier extension (single language, single test harness)
Conversions:
- init-review.sh -> init-review.py
  - argparse-driven (--with-ai, --force)
  - reads templates/ via Path resolution from script location
  - returns exit codes per Unix convention
- scrub-check.sh -> scrub-check.py
  - 12 default patterns (JWT, sk_live/test, pk_*, ghp_/ghs_/gho_,
    AKIA/ASIA, AIza, xox[abps]-, BEGIN PRIVATE KEY, .pem/.key file refs)
  - --config <patterns-file> for operator-curated regex (one per line, # comments)
  - per-match output: [label] file:line: snippet (truncated at 120 chars)
  - exit 0 clean, exit 1 matches, exit 2 misuse
All 4 scripts re-tested:
- init-review.py: 16 artifacts created (with --with-ai); idempotent skip;
  --force overwrites
- validate-finding.py: VALID -> 0 errors; BAD -> 20 errors caught; exit 1
- aggregate-counts.py: counts severity/status/category correctly
- scrub-check.py: clean -> exit 0; planted sk_test_* + JWT -> exit 1 with
  per-match labels; --config layered patterns work
README + SKILL.md updated to drop bash refs and document Python invocation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
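
The scrub-check behaviour described in the commit messages above (prefix-based deny-set, allowed PLACEHOLDER_* literals, --config patterns, `[label] file:line: snippet` output, exit 0/1), as an added example. This is not the PR's scrub-check.py: the regexes, labels, function names and sample input are assumptions made here.

```python
import re

# Assumed regexes for the prefix families named in the commit messages;
# the project's own 12 patterns are not shown on this page.
PATTERNS = [
    ("jwt", re.compile(r"eyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}")),
    ("stripe-key", re.compile(r"\b[sp]k_(?:live|test)_[A-Za-z0-9]{16,}")),
    ("github-token", re.compile(r"\bgh[pso]_[A-Za-z0-9]{36}")),
    ("aws-key-id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("google-api-key", re.compile(r"\bAIza[\w-]{35}")),
    ("slack-token", re.compile(r"\bxox[abps]-[A-Za-z0-9-]{10,}")),
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
]
PLACEHOLDER = re.compile(r"PLACEHOLDER_[A-Z0-9_]+")  # allowed literals
MAX_SNIPPET = 120

def load_extra_patterns(config_text):
    """--config style input: one regex per line, '#' lines are comments."""
    lines = (raw.strip() for raw in config_text.splitlines())
    return [("custom", re.compile(l)) for l in lines if l and not l.startswith("#")]

def scan_text(name, text, extra=()):
    """Return '[label] file:line: snippet' for each pattern hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Blank placeholders instead of skipping the line, so a real secret
        # sharing a line with a placeholder is still reported.
        candidate = PLACEHOLDER.sub("", line)
        for label, rx in [*PATTERNS, *extra]:
            if rx.search(candidate):
                hits.append(f"[{label}] {name}:{lineno}: {line.strip()[:MAX_SNIPPET]}")
    return hits

def exit_code(hits):
    """0 clean, 1 matches; 2 (misuse) belongs to CLI argument handling."""
    return 1 if hits else 0

# Constructed sample input: fabricated key-like strings, assembled from
# parts so this file does not itself trip a scanner.
SAMPLE = "\n".join([
    "STRIPE_KEY=PLACEHOLDER_STRIPE_KEY",
    "stripe_key = sk_" + "test_" + "a1B2c3D4e5F6g7H8i9J0",
    "aws_access_key_id = AKIA" + "ABCDEFGHIJKLMNOP",
    "internal_host = build01.corp.example",
])
CONFIG = "# constructed operator pattern file\n" + r"\.corp\.example\b"

if __name__ == "__main__":
    found = scan_text("sample.env", SAMPLE, load_extra_patterns(CONFIG))
    print("\n".join(found))
    raise SystemExit(exit_code(found))
```

Because the snippet echoes the matching line, a secret within the first 120 characters ends up in the scanner's output; CI logs from a failing run need the same handling as the secret itself.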
Summary
complyos-security-review Claude Skill under claude-setups/claude-skills/
What it does
Drives Claude through 15 phases (scope → threat model → AuthN → AuthZ → tenant isolation → API → data/evidence → AI/RAG → secrets → CI/CD → cloud → logging → test gaps → findings register → remediation plan), producing structured artifacts with file/line evidence on every claim.
Hard rules enforced by the skill:
Layout
Public-repo safety
Scrubbed before commit:
- <api-domain>/<ui-domain> placeholders)
- <api-service>/<agent-service>/<ui-service>/<iac-root>/<iac-metadata>/<library-tools>)
- PLATFORM_ADMIN)
- JIRA-NNN)
- docs/specs/.../docs/security-review/...)
Test plan
- cp -r claude-setups/claude-skills/complyos-security-review ~/.claude/skills/
- /reload-plugins then check slash-command picker
- /complyos-security-review — confirm skill loads, requests scope inputs
Notes
- complyos.app and sevenbelow.com as branded references; no internal infra URLs.
- examples/usage-prompt.md (compliance-os-api-standard, hard-isolation-migration-checklist, owasp-security, precheck) are private to internal workspace; not shipped here.
🤖 Generated with Claude Code