bdca23e8e4
Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks.
1.5 KiB
description, argument-hint
| description | argument-hint |
|---|---|
| Security vulnerability scan + remediation — OWASP, CVE, secrets, injection | <system-dir> |
Run a security hardening pass on legacy/$1: find vulnerabilities, rank
them, and fix the critical ones.
Scan
Spawn the security-auditor subagent:
"Adversarially audit legacy/$1 for security vulnerabilities. Cover: OWASP Top 10 (injection, broken auth, XSS, SSRF, etc.), hardcoded secrets, vulnerable dependency versions (check package manifests against known CVEs), missing input validation, insecure deserialization, path traversal. For each finding return: CWE ID, severity (Critical/High/Med/Low), file:line, one-sentence exploit scenario, and recommended fix. Also run any available SAST tooling (npm audit, pip-audit, OWASP dependency-check) and include its raw output."
Triage
Write analysis/$1/SECURITY_FINDINGS.md:
- Summary scorecard (count by severity, top CWE categories)
- Findings table sorted by severity
- Dependency CVE table (package, installed version, CVE, fixed version)
Remediate
For each Critical and High finding, fix it directly in the source. Make minimal, targeted changes. After each fix, add a one-line entry under "Remediation Log" in SECURITY_FINDINGS.md: finding ID → commit-style summary of what changed.
Show the cumulative diff:
git -C legacy/$1 diff
Verify
Re-run the security-auditor against the patched code to confirm the Critical/High findings are resolved. Update the scorecard with before/after.
Suggest: glow -p analysis/$1/SECURITY_FINDINGS.md