audit-agent | Skill Performance & Reviews | TopRankSkills


audit-agent

maintained by okgoogle13

1 star, 0 forks, MIT License. View on GitHub.

name: audit-agent
description: 'Comprehensive security and code quality audit. Use for thorough security, vulnerability, and code quality analysis. Related: project-health-checker for quick diagnostic checks.'
metadata:
  legacy_frontmatter:
    version: 1.0.0
    tags:
      - security
      - audit
      - quality
      - scanning

Audit Agent

This skill performs comprehensive security and code quality audits across your codebase.

Purpose

Provides automated security vulnerability scanning, dependency auditing, and code quality analysis to identify risks and maintain code health across the CareerCopilot codebase.

Process

  1. Security Scan: Check for hardcoded secrets, SQL injection, XSS vulnerabilities, and auth/authorization issues
  2. Dependency Audit: Scan package manifests for known CVEs and outdated packages
  3. Code Quality Analysis: Identify unused code, duplication, complexity issues, and error handling patterns
  4. Report Generation: Create prioritized findings with remediation steps and code examples

Features

  • Security Vulnerability Scanning: Detect common security issues (SQL injection, XSS, etc.)
  • Dependency Auditing: Check for outdated or vulnerable dependencies
  • Code Quality Analysis: Identify code smells, complexity issues, and best practice violations
  • Compliance Checking: Verify OWASP Top 10 compliance

When to Use

This skill is automatically invoked when you ask:

  • "Run a security audit"
  • "Check for vulnerabilities"
  • "Audit the codebase"
  • "Scan for security issues"
  • "Check code quality"

Audit Process

1. Security Scan

  • Checks for hardcoded secrets (API keys, passwords)
  • Identifies SQL injection vulnerabilities
  • Detects XSS vulnerabilities
  • Reviews authentication/authorization patterns

2. Dependency Audit

  • Scans package.json, requirements.txt, go.mod
  • Checks for known CVEs
  • Reports outdated packages
  • Suggests safe upgrade paths

3. Code Quality

  • Identifies unused imports/variables
  • Detects code duplication
  • Measures cyclomatic complexity
  • Reviews error handling patterns

4. Report Generation

  • Creates detailed audit report
  • Prioritizes findings by severity (Critical, High, Medium, Low)
  • Provides remediation steps
  • Includes code examples for fixes

Example Usage

User Request:

"Run a security audit on the backend API"

Skill Actions:

  1. Scans backend/ directory for security issues
  2. Audits Python dependencies in requirements.txt
  3. Checks FastAPI endpoints for common vulnerabilities
  4. Generates comprehensive report with findings

Output Format:

# Security Audit Report

## Summary

- 🔴 Critical: 2
- 🟠 High: 5
- 🟡 Medium: 8
- 🟢 Low: 12

## Critical Findings

### 1. Hardcoded API Key Detected

**File:** `backend/app/config.py:23`
**Issue:** API key hardcoded in source code
**Risk:** Credential exposure if code is leaked
**Fix:** Move to environment variable or Secret Manager

### 2. SQL Injection Vulnerability

**File:** `backend/app/api/users.py:45`
**Issue:** Unsanitized user input in SQL query
**Risk:** Database compromise
**Fix:** Use parameterized queries
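To make the audit process and report format above concrete, here is an added example of a minimal static scanner of the kind this skill describes: it is not the skill's own code, and the regex heuristics, severities, file paths and sample source files are all constructed for illustration. It walks an in-memory set of files, flags hardcoded credential literals, SQL statements assembled by string formatting, and bare `except:` blocks, then sorts findings by severity and renders them in the report layout shown above. Pattern matching like this is cheap but approximate (it will miss secrets with unusual variable names and can flag safe code), which is exactly why the skill's Limitations section defers deep scanning to real tools such as Bandit.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample files standing in for a FastAPI backend; not real project code.
SAMPLE_FILES = {
    "backend/app/config.py": '''\
import os
API_KEY = "sk-constructed-placeholder-0123456789"   # literal credential: flagged
DB_PASSWORD = os.environ["DB_PASSWORD"]             # read from environment: not flagged
''',
    "backend/app/api/users.py": '''\
def get_user(cursor, user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")   # dynamic SQL: flagged

def get_user_safe(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))  # parameterized: not flagged

def delete_user(cursor, user_id):
    try:
        cursor.execute("DELETE FROM users WHERE id = %s", (user_id,))
    except:                                              # bare except: flagged (Medium)
        pass
''',
}

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Heuristic patterns (hypothetical; tuned for the sample above, not production-grade).
# A credential-looking name assigned a string literal of 8+ characters.
SECRET_RE = re.compile(r"""(?i)(api[_-]?key|secret|password|passwd|token)\w*\s*=\s*["'][^"']{8,}["']""")
# A SQL keyword on the same line as f-string, %-formatting, .format() or + concatenation.
SQL_KEYWORD_RE = re.compile(r"(?i)\b(select|insert|update|delete)\b")
SQL_DYNAMIC_RE = re.compile(r"""\bf["']|["']\s*%|\.format\(|["']\s*\+""")
# A bare except clause, which silently swallows every error.
BARE_EXCEPT_RE = re.compile(r"^\s*except\s*:")


@dataclass
class Finding:
    severity: str
    title: str
    file: str
    line: int
    issue: str
    fix: str


def scan_file(path: str, source: str) -> list[Finding]:
    """Run each line-level check over one file and collect findings."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SECRET_RE.search(line):
            findings.append(Finding("Critical", "Hardcoded secret detected", path, lineno,
                                    "Credential literal assigned in source code",
                                    "Move the value to an environment variable or a secret manager"))
        if SQL_KEYWORD_RE.search(line) and SQL_DYNAMIC_RE.search(line):
            findings.append(Finding("Critical", "Possible SQL injection", path, lineno,
                                    "SQL statement built from runtime values by string formatting",
                                    "Use parameterized queries (placeholders plus a parameter tuple)"))
        if BARE_EXCEPT_RE.search(line):
            findings.append(Finding("Medium", "Bare except clause", path, lineno,
                                    "All exceptions are caught and discarded",
                                    "Catch specific exception types and log or re-raise the rest"))
    return findings


def audit(files: dict[str, str]) -> list[Finding]:
    """Scan every file and order findings by severity, then by location."""
    findings = [f for path, src in files.items() for f in scan_file(path, src)]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.file, f.line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, keeping every severity present (even at zero)."""
    counts = {severity: 0 for severity in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


def render_report(findings: list[Finding]) -> str:
    """Render findings in the report layout this skill produces."""
    lines = ["# Security Audit Report", "", "## Summary", ""]
    lines += [f"- {severity}: {count}" for severity, count in summary(findings).items()]
    lines += ["", "## Findings", ""]
    for index, f in enumerate(findings, start=1):
        lines += [f"### {index}. {f.title} ({f.severity})",
                  f"**File:** `{f.file}:{f.line}`",
                  f"**Issue:** {f.issue}",
                  f"**Fix:** {f.fix}",
                  ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit(SAMPLE_FILES)))
```

Run it as a script to see the rendered report for the sample files; `audit()` returns the findings as data so a caller can also fail a CI job when the Critical count is non-zero.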

Configuration

No configuration required. The skill automatically:

  • Detects project type (Python, Node.js, Go, etc.)
  • Selects appropriate scanners
  • Adapts to codebase structure

Limitations

  • Does not execute actual security testing tools (Bandit, OWASP ZAP)
  • Provides static analysis recommendations only
  • Requires user to run suggested tools for deep scanning

Related Skills

  • security-analyst - Deep security architecture review
  • project-health-checker - Overall project health validation
  • dependency-updater - Automated dependency updates


Skill Details

GitHub Stars 1
GitHub Forks 0
Created Jan 2026
Last Updated 3 months ago
Tags: tools, automation
