|
| 1 | +# Authored Skills |
| 2 | + |
| 3 | +Project CodeGuard ships two authored skills in `sources/skills/` that go beyond the core security rules. Unlike the generated rule files, these skills define complete workflows — they tell the AI assistant not just *what* to check, but *how* to carry out a multi-step task. |
| 4 | + |
| 5 | +| Skill | What it does | |
| 6 | +|:------|:------------| |
| 7 | +| [`security-review`](#security-review) | Full codebase security review producing a structured markdown report | |
| 8 | +| [`memory-safe-migration`](#memory-safe-migration) | Guided migration of C/C++ code to a memory-safe language | |
| 9 | + |
| 10 | +Both skills are included in the Claude Code plugin and are available in `sources/skills/` for use with other agents. |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +## Security Review |
| 15 | + |
| 16 | +**Skill file:** `sources/skills/security-review/SKILL.md` |
| 17 | + |
| 18 | +Performs a comprehensive security review of a target repository and produces a formal markdown report with prioritized findings and remediation guidance. The skill loads all 23 CodeGuard core rules plus relevant OWASP supplementary rules for the detected tech stack. |
| 19 | + |
| 20 | +### When to use |
| 21 | + |
| 22 | +Use when you want a full, structured security audit of a codebase — not for inline code generation. This produces a standalone report, not inline code suggestions. |
| 23 | + |
| 24 | +### How to trigger |
| 25 | + |
| 26 | +Ask your AI assistant to perform a security review, for example: |
| 27 | + |
| 28 | +``` |
| 29 | +Review this repository for security issues and produce a report |
| 30 | +``` |
| 31 | + |
| 32 | +If the repository path is ambiguous, the skill will ask for it before proceeding. |
| 33 | + |
| 34 | +### What the report includes |
| 35 | + |
| 36 | +- **Executive Summary** — total findings by severity (Critical / High / Medium / Low / Info), top 5 issues, overall security posture |
| 37 | +- **Detailed Findings** — for each issue: title, severity, rule reference, location, code snippet, description, impact, remediation with examples, and references |
| 38 | +- **Findings by Category** — grouped view across all findings |
| 39 | +- **Recommendations** — immediate actions, short-term (1–3 months), long-term improvements, tooling and process suggestions |
| 40 | +- **Appendix** — files reviewed, rules applied, methodology notes |
| 41 | + |
| 42 | +### Output location |
| 43 | + |
| 44 | +Reports are saved to: |
| 45 | + |
| 46 | +``` |
| 47 | +./security_report/sec_review_<repo-name>_<YYYY-MM-DD_HH-mm-ss>.md |
| 48 | +``` |
| 49 | + |
| 50 | +--- |
| 51 | + |
| 52 | +## Memory-Safe Migration |
| 53 | + |
| 54 | +**Skill file:** `sources/skills/memory-safe-migration/SKILL.md` |
| 55 | + |
| 56 | +Guides secure migration of code from memory-unsafe languages (C, C++, Assembly) to memory-safe alternatives (Rust, Go, Java, C#, Swift). Also activates when an AI agent is about to generate new C/C++ code that could be written in a memory-safe language instead. |
| 57 | + |
| 58 | +### When it activates |
| 59 | + |
| 60 | +- Migrating, porting, or rewriting C/C++ code to Rust, Go, Java, C#, or Swift |
| 61 | +- Adding a new module or feature to an existing C/C++ project |
| 62 | +- Designing an FFI boundary between safe and unsafe code |
| 63 | +- Reviewing mixed-language code for memory safety issues |
| 64 | +- Discussing memory safety roadmaps or CISA/NSA compliance |
| 65 | +- AI agent is about to generate new C/C++ code |
| 66 | + |
| 67 | +### Migration workflow |
| 68 | + |
| 69 | +The skill follows a six-step process: |
| 70 | + |
| 71 | +1. **Assess** — evaluate migration priority and feasibility using `scripts/assess-migration.py` or the assessment checklist |
| 72 | +2. **Write tests first** — establish a correctness oracle against the C/C++ implementation before touching anything |
| 73 | +3. **Migrate incrementally** — one function or module at a time; never rewrite an entire codebase in one pass |
| 74 | +4. **Secure the FFI boundary** — validate all inputs from the unsafe side, minimize `unsafe` blocks, document every `unsafe` block with a `// SAFETY:` comment |
| 75 | +5. **Validate** — run existing tests, fuzz FFI boundaries, check memory safety tools (Miri, race detector, ASan), benchmark performance |
| 76 | +6. **Update build and CI** — integrate the memory-safe toolchain, add linting and formatting checks, add safety-specific CI steps |
| 77 | + |
| 78 | +### Migration priority order |
| 79 | + |
| 80 | +| Priority | Code type | |
| 81 | +|:---------|:----------| |
| 82 | +| 1 | Network-facing code (parsers, protocol handlers, TLS) | |
| 83 | +| 2 | Code handling untrusted input (file parsers, deserialization) | |
| 84 | +| 3 | Cryptographic implementations | |
| 85 | +| 4 | Privilege boundary code (auth enforcement) | |
| 86 | +| 5 | Code with a history of memory-related CVEs | |
| 87 | +| 6 | Internal utility code | |
| 88 | + |
| 89 | +### Reference documents |
| 90 | + |
| 91 | +The skill bundles detailed reference docs in `sources/skills/memory-safe-migration/references/`: |
| 92 | + |
| 93 | +| Document | Contents | |
| 94 | +|:---------|:---------| |
| 95 | +| `language-selection.md` | Guide for choosing between Rust, Go, Java, C#, and Swift | |
| 96 | +| `ffi-security.md` | Rules for securing FFI boundaries between safe and unsafe code | |
| 97 | +| `migration-patterns.md` | Common patterns for buffers, strings, concurrency, and error handling | |
| 98 | +| `assessment-checklist.md` | Checklist for evaluating migration priority and feasibility | |
| 99 | + |
| 100 | +--- |
| 101 | + |
| 102 | +## Next Steps |
| 103 | + |
| 104 | +[Getting Started →](getting-started.md){ .md-button .md-button--primary } |
| 105 | +[Custom Rules →](custom-rules.md){ .md-button } |
0 commit comments