Security Scan & Audit FAQs

Question 1

Does this skill modify my code to fix vulnerabilities?

Accepted Answer

No, the skill is designed to be 'audit-only' to prevent unintended changes. It provides concrete fix recommendations and action items for the developer to review and implement manually.

Question 2

Can it detect leaked secrets in historical commits?

Accepted Answer

The skill primarily focuses on the current state of the source files in your working directory, identifying hardcoded credentials, tokens, and private keys before they are deployed.

Question 3

When is the best time to run a security-scan?

Accepted Answer

It is highly recommended to run this skill before any production deployment, after merging major features, or during periodic security reviews to maintain a high security posture.

Question 4

How does the agent-based security review work?

Accepted Answer

It launches a specialized security-reviewer agent that evaluates the codebase against eight specific security categories, providing a numerical score and detailed qualitative feedback for each.

Question 5

What specifically does the security-scan skill audit?

Accepted Answer

It performs a multi-layered audit including npm dependency checks, scans for hardcoded secrets like Stripe or AWS keys, validates environment variable handling, and uses an AI agent to review code logic for security flaws.

Security Scan & Audit

主要功能

使用场景

Security Scan & Audit

主要功能

使用场景