improve: enhance security-auditor with code-focused methodology and supply chain audit #485

Closed
davila7 wants to merge 1 commit into main from review/security-auditor-2026-03-30

Conversation

@davila7 (Owner) commented Mar 30, 2026

Automated Component Improvement

Component: cli-tool/components/agents/security/security-auditor.md
Trending rank: #7 (4,416 downloads, 313/week)

Changes Applied

  1. Removed all fabricated JSON blocks — Deleted fake communication protocol JSON at lines 133-141 and progress tracking JSON at lines 196-207 (hardcoded: 347 controls, 52 findings, 87% compliance score). Deleted hardcoded delivery notification with same fake metrics.

  2. Added Bash to tools — Changed `tools: Read, Grep, Glob` to `tools: Read, Bash, Grep, Glob` to enable running npm audit, pip-audit, trivy, syft, and other security scanners.

  3. Replaced generic invocation steps with 5-phase audit methodology — Removed the "query context manager" step (referencing a non-existent agent). Added Phase 1 Scoping, Phase 2 Automated Pattern Scanning, Phase 3 Dependency/Supply Chain Audit, Phase 4 Control Review, Phase 5 Finding Classification & Reporting.

  4. Added concrete Grep regex patterns — Secrets/credentials, AWS access keys (`AKIA[0-9A-Z]{16}`), private keys (PEM headers), weak crypto (`md5|sha1|des|rc4`), SQL injection, OS command injection, XSS (`innerHTML`, `dangerouslySetInnerHTML`), container misconfigs (`FROM :latest`, `USER root`), unpinned CI/CD actions.

  5. Added supply chain security section — `npm audit --audit-level=high`, pip-audit, trivy, syft SBOM generation, lock file verification, unpinned dependency detection, dependency confusion risk assessment.

  6. Added CWE-referenced severity classification table — Critical (CWE-798, CWE-89, CWE-78), High (CWE-287, CWE-306, CWE-502), Medium (CWE-311, CWE-330, CWE-601), Low (CWE-200, CWE-693).

  7. Updated compliance frameworks to current versions — PCI DSS v4.0.1 (June 2024), ISO 27001/27002:2022, NIST CSF 2.0 (Feb 2024), NIST SSDF SP 800-218 v1.1, OWASP Top 10 2025, OWASP API Security Top 10 2023, CIS Benchmarks (current), SLSA Level 1–4. Rendered as a table with version column and code-audit scope.

  8. Converted noun-phrase checklists to verb-driven instructions — e.g. "Data classification" → "Verify data classified as sensitive is encrypted at rest (AES-256 or equivalent)".

  9. Removed organizational audit content — Eliminated physical security, interview notes, vendor assessments, SLA validation, and other content irrelevant to a code-level auditor.

  10. Rewrote description examples — Three focused examples with concrete assistant responses mentioning specific tools (npm audit, CWE references, PKCE, NIST SP 800-61).

  11. No `model:` field added — Frontmatter remains clean.

Size Impact

| Metric | Before | After |
|---|---|---|
| Lines | 285 | 150 |
| Actionable patterns | 0 | 9 Grep patterns + 4 Bash commands |
| CWE references | 0 | 8 |
| Framework versions | outdated/missing | 9 current versions |

Research Summary

The original component was a generic security-audit template with heavy organizational audit language (physical security, vendor assessments, interview schedules) that does not apply to Claude Code's code-focused context. It contained fabricated metrics presented as live output, no scanning commands, outdated compliance versions (OWASP 2021 implied), and referenced a non-existent context manager agent. This improvement refocuses the agent on what it can actually do: grep source code, run CLI scanners, read config files, and classify findings against current standards.

Validation

  • component-reviewer checks: PASSED (15/15)
  • No hardcoded secrets
  • kebab-case naming: security-auditor
  • tools field: Read, Bash, Grep, Glob
  • No model field
  • No absolute paths
  • Required fields: name, description, tools all present

Automated review cycle by Component Improvement Loop


Summary by cubic

Refocused the security-auditor component on code and supply chain analysis. Replaced vague checklists and fake metrics with a concrete 5-phase audit and runnable tools for real findings.

  • Added runnable supply chain audit and SBOM steps via Bash: npm audit, npx better-npm-audit, pip-audit, trivy, syft.
  • Added concrete Grep patterns for secrets, weak crypto, injection, XSS, and container/CI/CD misconfigs.
  • Replaced generic template (and fake JSON/progress metrics) with a 5-phase code audit methodology, CWE-linked severity table, and verb-driven checks using current frameworks (PCI DSS v4.0.1, ISO 27001:2022, NIST CSF 2.0, OWASP 2025, SSDF 1.1, SLSA).
  • Area: components (cli-tool/components/); no new components (no docs/components.json regeneration). No new environment variables or secrets.

Written for commit c580985. Summary will update on new commits.

…upply chain audit

- Remove fabricated JSON communication protocol blocks with hardcoded fake metrics (347 controls, 87% compliance)
- Remove hardcoded delivery notification with fake numbers
- Add Bash to tools list to enable npm audit, pip-audit, trivy, syft execution
- Replace generic noun-phrase checklists with verb-driven 5-phase audit methodology
- Add concrete Grep regex patterns for secrets, AWS keys, private keys, weak crypto, injection, XSS, container, CI/CD
- Add supply chain security phase: npm audit, pip-audit, trivy, SBOM generation, lock file verification
- Add CWE-referenced severity classification table (Critical/High/Medium/Low)
- Update compliance frameworks to current versions: PCI DSS v4.0.1, ISO 27001:2022, NIST CSF 2.0, OWASP Top 10 2025, OWASP API Security 2023, SLSA Level 1-4
- Remove reference to non-existent context manager
- Remove organizational audit content (physical security, interview notes, vendor assessments)
- Trim from 285 to 150 lines while increasing actionable content density

Automated review cycle | Co-Authored-By: Claude Code <noreply@anthropic.com>
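As an added example (not code from the PR or from the security-auditor component), the Phase 2 pattern scan and the CWE severity table described above, implemented as a small Python scanner run over a constructed sample tree. The regexes are modelled on the patterns the description lists, since the component's exact patterns are not visible here, and the Medium rating for CWE-327 (weak crypto) is my assumption because the PR's table does not cover it.

```python
import re
from collections import namedtuple

# Severity table as given in the PR description. CWE-327 (broken/risky algorithm)
# is not in the PR's table; its Medium rating here is this example's assumption.
SEVERITY = {
    "CWE-798": "Critical", "CWE-89": "Critical", "CWE-78": "Critical",
    "CWE-287": "High", "CWE-306": "High", "CWE-502": "High",
    "CWE-311": "Medium", "CWE-330": "Medium", "CWE-601": "Medium",
    "CWE-200": "Low", "CWE-693": "Low", "CWE-327": "Medium",  # CWE-327: assumption
}

# Regexes modelled on the Grep patterns the PR lists (exact patterns not visible here; reconstructed).
RULES = [
    ("aws-access-key", "CWE-798", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private-key", "CWE-798", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("sql-string-build", "CWE-89", re.compile(r"""(?i)\b(execute|query)\(\s*(f['"]|['"].*['"]\s*\+)""")),
    ("shell-command", "CWE-78", re.compile(r"shell\s*=\s*True|os\.system\(")),
    ("weak-crypto", "CWE-327", re.compile(r"(?i)\b(md5|sha1|des|rc4)\b")),
]

Finding = namedtuple("Finding", "path line rule cwe severity")

def scan(files: dict[str, str]) -> list[Finding]:
    """Run every rule over every line of every file; one finding per (line, rule) hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, cwe, rx in RULES:
                if rx.search(line):
                    findings.append(Finding(path, lineno, rule, cwe, SEVERITY[cwe]))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Non-zero finding counts per severity, highest first, for the report header."""
    counts = {s: sum(f.severity == s for f in findings) for s in ("Critical", "High", "Medium", "Low")}
    return {s: n for s, n in counts.items() if n}

# Constructed sample tree (not code from any real project); each file trips one or two rules.
SAMPLE_FILES = {
    "app/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nimport hashlib\n'
                       "digest = hashlib.md5(payload).hexdigest()\n",
    "app/db.py": "def find_user(cur, name):\n"
                 "    cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n",
    "app/tasks.py": "subprocess.run(cmd, shell=True)\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n[key material elided]\n",
}

if __name__ == "__main__":
    print(*sorted(scan(SAMPLE_FILES)), summarize(scan(SAMPLE_FILES)), sep="\n")
```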
@vercel Bot commented Mar 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| aitmpl-dashboard | Ready | Preview, Comment | Mar 30, 2026 1:15pm |
| claude-code-templates | Ready | Preview, Comment | Mar 30, 2026 1:15pm |

@github-actions (Contributor) commented

⚠️ Security Audit Report

Status: ❌ FAILED

| Metric | Count |
|---|---|
| Total Components | 755 |
| ✅ Passed | 360 |
| ❌ Failed | 395 |
| ⚠️ Warnings | 999 |

❌ Failed Components (Top 5)

| Component | Errors | Warnings | Score |
|---|---|---|---|
| vercel-edge-function | 3 | 4 | 81/100 |
| prompt-engineer | 2 | 0 | 90/100 |
| neon-expert | 2 | 2 | 88/100 |
| agent-overview | 2 | 1 | 89/100 |
| unused-code-cleaner | 2 | 1 | 89/100 |

...and 390 more failed component(s)


📊 View Full Report for detailed error messages and all components

@cubic-dev-ai Bot (Contributor) left a comment

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="cli-tool/components/agents/security/security-auditor.md">

<violation number="1" location="cli-tool/components/agents/security/security-auditor.md:15">
P2: The glob pattern does not actually match standard `Dockerfile` names, so container-related files can be missed during audit scoping.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


### Phase 1: Scoping

- Use Glob to map repository structure: `**/*.{js,ts,py,go,java,tf,yml,yaml,json,toml,Dockerfile}`
@cubic-dev-ai Bot (Contributor) commented Mar 30, 2026

P2: The glob pattern does not actually match standard Dockerfile names, so container-related files can be missed during audit scoping.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/agents/security/security-auditor.md, line 15:

<comment>The glob pattern does not actually match standard `Dockerfile` names, so container-related files can be missed during audit scoping.</comment>

<file context>
@@ -1,286 +1,150 @@
+
+### Phase 1: Scoping
+
+- Use Glob to map repository structure: `**/*.{js,ts,py,go,java,tf,yml,yaml,json,toml,Dockerfile}`
+- Read package manifests (`package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `Cargo.toml`) to understand the dependency surface
+- Read existing security policies, threat models, and previous audit findings if present
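Review bot: in the Glob line of Phase 1, `Dockerfile` sits inside the `*.{...}` brace group, so it is treated as a file extension and only names such as `app.Dockerfile` match; a plain `Dockerfile` or `Dockerfile.prod` never enters scope, and the container checks the methodology adds later (`FROM :latest`, `USER root`) then have nothing to run against. Split it into a second pattern, for example `**/Dockerfile*` (and `**/Containerfile*` if those are in use), and apply the same care to any other extensionless files the audit wants covered, since the extension list cannot reach them.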
</file context>
Suggested change:
  before: - Use Glob to map repository structure: `**/*.{js,ts,py,go,java,tf,yml,yaml,json,toml,Dockerfile}`
  after:  - Use Glob to map repository structure: `**/*.{js,ts,py,go,java,tf,yml,yaml,json,toml}`, `**/Dockerfile*`

@davila7 (Owner, Author) commented Apr 19, 2026

Closing per maintainer decision. The security-auditor agent will be re-evaluated in a future automated review cycle if needed. Branch deleted.

@davila7 davila7 closed this Apr 19, 2026
@davila7 davila7 deleted the review/security-auditor-2026-03-30 branch April 19, 2026 00:45