Claude Skill
cloudflare/security-audit-skill
Cloudflare's security-audit-skill enables coding agents to perform multi-phase security audits with independently verified, machine-readable findings.
Overview
Repository
Install this Skill
npx skills add https://github.com/cloudflare/security-audit-skill
Summary
A coding-agent skill by Cloudflare for conducting multi-phase security audits that produce independently verified, machine-readable findings.
A coding-agent skill for multi-phase security audits that produces independently verified, machine-readable audit findings.
Key features
- Multi-phase audit workflow
- Independently verified findings
- Machine-readable output format
- Designed for coding agents
Use cases
- Automated security code review
- CI/CD pipeline security checks
- Third-party code audit verification
README excerpt
# security-audit

A coding-agent skill that turns your agent into a security auditor. It orchestrates multiple parallel agents through a six-phase pipeline -- recon, hunting, validation, reporting, structured output, and independent verification -- to find exploitable vulnerabilities with real impact.

This is the skill that seeded Cloudflare's vulnerability discovery harness, described in [Build your own vulnerability harness](https://blog.cloudflare.com/build-your-own-vulnerability-harness). The harness grew into a multi-stage, fleet-wide system; this skill is the single-repo starting point it evolved from.

## What it does

The skill runs a structured audit in six phases:

1. **Recon** -- parallel research agents map the application's architecture, trust boundaries, and input surfaces. Produces `architecture.md`.
2. **Hunt** -- parallel general agents attack the codebase from different angles (injection, access control, business logic, cryptography, feature abuse, chained attacks, and a wildcard). Each agent can spawn sub-agents to dig deeper.
3. **Validate** -- separate agents try to *disprove* each finding. Adversarial review kills false positives.
4. **Report** -- produces `REPORT.md` (human-readable) and `FINDINGS-DETAIL.md` (detailed traces for MEDIUM+ findings).
5. **Structured output** -- writes `findings.json` conforming to `report-schema.json`, validated by `validate-findings.cjs`.
6. **Independent verification** -- fresh agents verify every factual claim in the structured output against the actual source code.

Multiple runs against the same repo are additive. Each run explores different code paths; the skill reads prior `findings.json` files to skip known issues and target gaps.

## Files

| File | Purpose |
|------|---------|
| `SKILL.md` | Setup, core pr
Topics
No topics yet.