Add security plugin (vulnerability audit)#3
Draft
jage wants to merge 7 commits into
Draft
Conversation
White-box, dynamically-verified security audit. /security:audit recons a target repo, hunts OWASP Top 10:2025 vulnerabilities, proves them with live PoCs in isolated git worktrees, and writes a high-signal senior-engineer report (proven findings with a high-level proposed fix, not speculative noise).
jage
force-pushed
the
add-vuln-audit-plugin
branch
from
92aa54d to
dd230c7
Compare
Add a flag-reference table explaining --no-dynamic, --classes, --ref, and --out, which were previously listed only as usage examples.
Resolve the ref to a concrete commit and print a terse startup line (target, pinned SHA, output dir), naming the ref only when it isn't HEAD — instead of echoing the literal "HEAD"/"default".
Document that the full report.md lives in a collapsed <details> comment on the scan epic — never a VM-local bundle path — and that the courier upserts that comment via a hidden marker so re-runs stay idempotent.
Severity, class, and verification status already live in the issue title, display ID, and body, so sev:/vuln:/status: labels just duplicated that text. Keep fp:<hash> (the dedup key the reconcile step searches on) and security/security-scan.
…red prompts Replace 14 finder files and 10 playbook files with one parameterized finder method (prompts/finder.md) and one stack-agnostic repro playbook (prompts/playbook.md). The workflow's new CLASS_META table is the single source of truth for the OWASP/CWE/ASVS mapping and per-class focus, injected into the shared finder prompt. Trim recon's per-class relevance encyclopedia to a source-and-sink test; stack is now a label, not a file selector. Strict pipeline, signal/FP contract, and repro safety invariants are unchanged. Net: ~8400 fewer lines.
Surface the resolved commit in the report header (**Commit:** {{commit}})
and instruct the synth agent to render it bare — no backticks — so the
embedded epic comment and issue bodies auto-link the SHA to its commit
page. Backticks rendered it as inert code.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
White-box, dynamically-verified security audit. /security:audit recons a target repo, hunts OWASP Top 10:2025 vulnerabilities, proves them with live PoCs in isolated git worktrees, and writes a high-signal senior-engineer report (proven findings with a high-level proposed fix, not speculative noise).