Security & Compliance Skills Suite
Skill by ara.so. Part of the Security Skills collection.
A comprehensive security and compliance skill suite derived from hesreallyhim/awesome-claude-code, providing specialized commands and workflows for security audits, vulnerability management, GDPR/SOC2/ISO27001 compliance, and incident response.
What This Project Does
This skill suite provides 10 specialized security commands and 5 multi-step compliance workflows with structured output UI for:
- Vulnerability Scanning: OWASP Top-10 analysis, dependency CVE detection
- Compliance Auditing: GDPR, SOC2, ISO27001 gap analysis
- Security Operations: Threat modeling, penetration testing, IAM audits
- Incident Response: Breach response playbooks and investigation workflows
- Policy Generation: Privacy policies, security documentation
All commands use consistent structured output with progress tracking, findings tables, and prioritized action plans.
Installation
Quick Install (Local Skills Directory)
# Create Claude skills directory if it doesn't exist
mkdir -p ~/.claude/skills
# Clone the skill suite
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git \
~/.claude/skills/awesome-claude-code-security
# Activate in Claude Code session
# In your IDE with Claude Code, run:
/read ~/.claude/skills/awesome-claude-code-security/SKILL.md
Manual Installation
# Clone the repository
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git
# Navigate to project directory
cd r01-hesreallyhim-awesome-claude-code-security
# Read the skill documentation
cat SKILL.md
Verification
Verify installation by checking available commands:
# List all security commands
ls -la ~/.claude/skills/awesome-claude-code-security/
# Expected output:
# - SKILL.md (this file)
# - README.md (documentation)
# - commands/ (individual command definitions)
# - workflows/ (multi-step workflow definitions)
Core Commands
1. OWASP Top-10 Security Scan
Scans code for OWASP Top-10 vulnerabilities with CVSS scores and remediation guidance.
/owasp-scan <target_directory>
# Options
/owasp-scan src/ --format json
/owasp-scan . --severity critical,high
/owasp-scan api/ --output report.md
Example Output Structure:
OWASP Security Scan  |  ./src/api
Files scanned        |  47
OWASP checks         |  14
Findings             |  8 issues
FINDINGS (severity: desc)
| Sev | Vulnerability         | CVSS | File          |
|-----|-----------------------|------|---------------|
| 🔴  | SQL Injection         | 9.8  | users.js:42   |
| 🔴  | JWT None Algorithm    | 9.1  | auth.js:18    |
| 🟠  | CORS Misconfiguration | 6.5  | server.js:12  |
REMEDIATION
• SQL Injection: Use parameterized queries or ORM
• JWT None: Validate algorithm in token verification
• CORS: Restrict origins to known domains
2. Dependency CVE Scanner
Scans project dependencies for known CVEs with exploitability scores.
/dep-cve
# Options
/dep-cve --scope production
/dep-cve --output json > cve-report.json
/dep-cve --min-cvss 7.0
/dep-cve --show-paths
Example for Node.js project:
# Scans package.json and package-lock.json
/dep-cve --scope full
# Output includes:
# - CVE IDs with CVSS scores
# - Affected package versions
# - Upgrade paths
# - Exploitability assessment
Expected Output:
CVE Dependency Scan
Dependencies checked  |  234
CVEs found            |  12
Critical              |  3
High                  |  5
Medium                |  4
| Package | CVE      | CVSS   | Installed | Fixed In |
|---------|----------|--------|-----------|----------|
| lodash  | CVE-2021 | 9.8 🔴 | 4.17.15   | 4.17.21  |
| axios   | CVE-2022 | 8.1 🔴 | 0.21.0    | 0.21.4   |
| express | CVE-2022 | 7.5 🟠 | 4.17.1    | 4.18.2   |
UPGRADE COMMANDS
npm install lodash@4.17.21
npm install axios@0.21.4
npm install express@4.18.2
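An added example, not the suite's own /dep-cve implementation, showing the core of the check: comparing lock-file versions against an advisory list, applying the --min-cvss filter, and deriving the upgrade commands the report ends with. The advisory feed and lock file are constructed samples, and the CVE ids are placeholders.

```python
import json

# Constructed advisory feed: CVE ids are placeholders, not real identifiers;
# package names and versions mirror the example report above.
ADVISORIES = [
    {"package": "lodash", "cve": "CVE-PLACEHOLDER-1", "cvss": 9.8, "fixed_in": "4.17.21"},
    {"package": "axios", "cve": "CVE-PLACEHOLDER-2", "cvss": 8.1, "fixed_in": "0.21.4"},
    {"package": "express", "cve": "CVE-PLACEHOLDER-3", "cvss": 7.5, "fixed_in": "4.18.2"},
    {"package": "express", "cve": "CVE-PLACEHOLDER-4", "cvss": 5.3, "fixed_in": "4.17.3"},
]

# Constructed package-lock.json (lockfileVersion 3 layout) as JSON text.
LOCKFILE = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/axios": {"version": "0.21.0"},
        "node_modules/express": {"version": "4.17.1"},
    },
})


def parse_version(v: str) -> tuple:
    """'^4.17.15' -> (4, 17, 15); range prefixes and pre-release tags are dropped."""
    core = v.lstrip("^~=v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def installed_versions(lock_text: str) -> dict:
    """Package name -> version for lockfileVersion 2/3 ('packages', keyed by
    node_modules path) and lockfileVersion 1 ('dependencies')."""
    lock = json.loads(lock_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path.startswith("node_modules/") and "version" in meta:
            found[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    for name, meta in lock.get("dependencies", {}).items():
        found.setdefault(name, meta.get("version", "0"))
    return found


def scan(lock_text: str, advisories: list, min_cvss: float = 0.0) -> list:
    """Findings (package, cve, cvss, installed, fixed_in) where the installed
    version is below the fix, filtered by min_cvss, highest CVSS first."""
    installed = installed_versions(lock_text)
    findings = []
    for adv in advisories:
        cur = installed.get(adv["package"])
        if cur is None or adv["cvss"] < min_cvss:
            continue
        if parse_version(cur) < parse_version(adv["fixed_in"]):
            findings.append((adv["package"], adv["cve"], adv["cvss"], cur, adv["fixed_in"]))
    return sorted(findings, key=lambda f: -f[2])


def upgrade_commands(findings: list) -> list:
    """One npm install per package at the highest fix version it needs, so a
    single upgrade closes every advisory matched for that package."""
    target = {}
    for pkg, _cve, _cvss, _cur, fixed in findings:
        if pkg not in target or parse_version(fixed) > parse_version(target[pkg]):
            target[pkg] = fixed
    return [f"npm install {p}@{v}" for p, v in sorted(target.items())]


if __name__ == "__main__":
    hits = scan(LOCKFILE, ADVISORIES, min_cvss=7.0)  # mirrors --min-cvss 7.0
    for hit in hits:
        print(hit)
    print("\n".join(upgrade_commands(hits)))
```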
3. GDPR Compliance Audit
Maps data flows, identifies consent gaps, and generates a DPA checklist.
/gdpr-audit <application_path>
# Options
/gdpr-audit . --data-map
/gdpr-audit src/ --consent-analysis
/gdpr-audit . --full-report --output gdpr-audit.pdf
Example Analysis:
GDPR Compliance Audit
Data flows mapped    |  24
Personal data types  |  8
Consent gaps         |  5
DPA requirements     |  12/15 met
DATA FLOW MAP
User Registration → Database (PII: email, name, phone)
  ↳ Consent: ✗ Missing explicit opt-in
  ↳ Retention: ✗ No deletion policy defined
  ↳ Encryption: ✓ AES-256 at rest
Analytics Pipeline → Third-party (IP address, user agent)
  ↳ Consent: ✗ No cookie banner
  ↳ DPA: ✗ No Data Processing Agreement on file
COMPLIANCE GAPS
🔴 Critical:
• No cookie consent mechanism implemented
• Missing data retention policies in privacy policy
• No user data deletion endpoint
🟠 High:
• DPA missing for analytics provider
• DSAR (data subject access request) workflow undefined
4. SOC2 Readiness Assessment
Performs gap analysis across all 5 Trust Service Criteria.
/soc2-readiness
# Options
/soc2-readiness --criteria security,availability
/soc2-readiness --type type2
/soc2-readiness --output xlsx
Example Output:
SOC 2 Type II Readiness Assessment
Security              |  65% ready
Availability          |  90% ready
Confidentiality       |  45% ready
Processing Integrity  |  70% ready
Privacy               |  50% ready
SECURITY GAPS
✗ CC6.1: No background checks policy
✗ CC6.6: Missing logical access reviews (quarterly)
✗ CC7.2: Incomplete system monitoring
AVAILABILITY GAPS
✗ A1.2: RTO/RPO not documented in DR plan
REMEDIATION TIMELINE
Quick Wins (1-2 weeks):
• Document RTO/RPO targets
• Implement access review schedule
Medium-term (1-3 months):
• Establish background check policy
• Deploy SIEM for continuous monitoring
Strategic (3-6 months):
• Conduct third-party penetration test
• Implement data classification framework
5. Threat Modeling (STRIDE)
Generates a STRIDE threat model from an architecture diagram or design document.
/threat-model <architecture_file>
# Options
/threat-model architecture.png --framework stride
/threat-model system-design.md --risk-matrix
/threat-model . --auto-discover
Example for Web Application:
STRIDE Threat Model
Components analyzed  |  8
Data flows           |  12
Threats identified   |  18
ARCHITECTURE COMPONENTS
• Web Application (React SPA)
• API Gateway (nginx)
• Backend API (Node.js/Express)
• Database (PostgreSQL)
• Auth Service (OAuth2)
• External Payment Gateway
THREAT ANALYSIS (STRIDE)
[S]poofing
🔴 API Gateway: No mutual TLS for backend communication
Impact: High | Likelihood: Medium
Mitigation: Implement mTLS between gateway and API
[T]ampering
🟠 Database: SQL injection possible via user input
Impact: Critical | Likelihood: Low
Mitigation: Use parameterized queries
[R]epudiation
🟡 API: Insufficient audit logging for sensitive operations
Impact: Medium | Likelihood: Medium
Mitigation: Implement comprehensive audit trail
[I]nformation Disclosure
🔴 Payment Flow: PCI data logged in application logs
Impact: Critical | Likelihood: Medium
Mitigation: Implement PCI-compliant logging filters
[D]enial of Service
🟠 API: No rate limiting on public endpoints
Impact: High | Likelihood: High
Mitigation: Implement rate limiting middleware
[E]levation of Privilege
🔴 Auth: JWT lacks role claims validation
Impact: Critical | Likelihood: Medium
Mitigation: Add RBAC middleware with role enforcement
RISK MATRIX (rows: Likelihood, columns: Impact)
| Likelihood \ Impact | Low | Medium | High  | Critical      |
|---------------------|-----|--------|-------|---------------|
| High                |     |        | DoS   |               |
| Medium              |     | Repud. | Spoof | InfoDisc, EoP |
| Low                 |     |        |       | Tamper        |
6. Penetration Test Report Generator
Structures penetration test findings with executive summary and remediation.
/pentest-report <findings_file>
# Options
/pentest-report findings.json --template executive
/pentest-report scan-results/ --format pdf
/pentest-report . --cvss-threshold 7.0
Example Report Structure:
Penetration Test Report
Target: api.example.com
Date: 2024-01-15
Critical findings  |  4
High findings      |  7
Medium findings    |  12
Low/Info           |  8
EXECUTIVE SUMMARY
The penetration test identified 31 findings across the web application
and API infrastructure. 4 critical vulnerabilities require immediate
remediation, including SQL injection and authentication bypass issues.
CRITICAL FINDINGS
1. SQL Injection in User Search (CVSS 9.8)
Location: /api/v1/users/search?q=
Description:
User-supplied input in the 'q' parameter is directly concatenated
into SQL query without sanitization.
Proof of Concept:
GET /api/v1/users/search?q=' OR '1'='1
Remediation:
• Implement parameterized queries
• Add input validation and sanitization
• Deploy WAF rules to detect SQL injection patterns
Timeline: Immediate (< 48 hours)
2. Authentication Bypass via JWT None Algorithm (CVSS 9.1)
Location: /api/v1/auth/verify
Description:
JWT library accepts 'none' algorithm, allowing unsigned tokens.
Proof of Concept:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
Remediation:
• Explicitly reject 'none' algorithm in JWT verification
• Implement algorithm whitelist
• Add token signature validation tests
Timeline: Immediate (< 48 hours)
REMEDIATION ROADMAP
Immediate (< 48 hours):
☐ Fix SQL injection vulnerabilities
☐ Patch JWT authentication bypass
☐ Disable debug endpoints in production
Short-term (1-2 weeks):
☐ Implement rate limiting
☐ Add CSRF protection
☐ Deploy Web Application Firewall
Medium-term (1 month):
☐ Conduct security code review
☐ Implement security headers (CSP, HSTS)
☐ Add automated security scanning to CI/CD
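An added example (not code from the skill suite) of the fix called for by both the OWASP scan's JWT None finding and critical finding 2 above: token verification that enforces a server-side algorithm allowlist before it even looks at the signature, using only the Python standard library. The secret is a constructed sample value.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # server-side allowlist; 'none' can never appear here


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the claims when the header's alg is allowlisted and the HMAC
    signature matches; raise ValueError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # The fix the finding calls for: the server decides which algorithms are
    # acceptable; the token's own 'alg' value is never trusted to pick one.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token so the example can exercise the happy path."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    header_b64 = _b64url_encode(header.encode("ascii"))
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def is_accepted(token: str, secret: bytes) -> bool:
    """True only when verify_jwt succeeds; used by the checks below."""
    try:
        verify_jwt(token, secret)
        return True
    except ValueError:
        return False


# Constructed sample secret, the unsigned 'none' token from the proof of
# concept above, and a properly signed token for comparison.
SECRET = b"constructed-sample-secret"
NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
GOOD_TOKEN = sign_jwt({"user": "admin"}, SECRET)

if __name__ == "__main__":
    print("none token accepted:", is_accepted(NONE_TOKEN, SECRET))    # False
    print("signed token accepted:", is_accepted(GOOD_TOKEN, SECRET))  # True
```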
7. Secret Detection (Pre-commit Hook)
Configures pre-commit hooks for secret and credential detection.
/secret-detect init
# Options
/secret-detect scan <directory>
/secret-detect --entropy-threshold 4.5
/secret-detect --add-patterns custom-patterns.json
Example Configuration:
# Initialize secret detection
/secret-detect init
# Creates .pre-commit-config.yaml
Generated .pre-commit-config.yaml:
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args:
          - '--baseline'
          - '.secrets.baseline'
          - '--exclude-files'
          - 'package-lock.json|.*\.min\.js'
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
        args:
          - '--verbose'
          - '--redact'
  # Custom entropy scanning
  - repo: local
    hooks:
      - id: high-entropy-strings
        name: Detect high-entropy strings
        entry: python scripts/entropy-scan.py
        language: python
        args: ['--threshold', '4.5']
Scan Example:
/secret-detect scan src/
# Output:
Secret Detection Scan
Files scanned         |  156
Secrets detected      |  8
High entropy strings  |  3
DETECTED SECRETS
| Type                | File          | Line |
|---------------------|---------------|------|
| AWS Access Key      | config.js     | 12   |
| Private Key         | certs/dev.key | 1    |
| API Key (Generic)   | api-client.js | 45   |
| High Entropy String | utils.js      | 89   |
REMEDIATION
• Move secrets to environment variables
• Add affected files to .gitignore
• Rotate exposed credentials immediately
• Review git history with: git log -p <file>
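The local hook in the generated configuration delegates to scripts/entropy-scan.py, which this README does not include; the following is an added stand-in (not the project's script) that implements that entropy check with the same --threshold argument and pre-commit exit semantics. The sample source it scans is constructed.

```python
import math
import re
import sys

# Candidate literals: 20+ base64/hex-style characters between quotes.
CANDIDATE = re.compile(r"""["'`]([A-Za-z0-9+/=_\-]{20,})["'`]""")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, threshold: float = 4.5) -> list:
    """Return (line_no, entropy, literal) for each quoted literal at or above
    the threshold. Entropy is a heuristic that complements the pattern-based
    hooks above: random keys score high, long readable strings score low."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            literal = m.group(1)
            h = shannon_entropy(literal)
            if h >= threshold:
                hits.append((line_no, round(h, 2), literal))
    return hits


def main(argv: list) -> int:
    """pre-commit entry point: exit 1 when any staged file contains a hit.
    Usage: entropy_scan.py [--threshold 4.5] FILE..."""
    threshold, paths = 4.5, []
    args = iter(argv)
    for a in args:
        if a == "--threshold":
            threshold = float(next(args, threshold))
        else:
            paths.append(a)
    status = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, h, literal in scan_text(fh.read(), threshold):
                # Print only a prefix so the hook never echoes a whole secret.
                print(f"{path}:{line_no}: entropy {h} for {literal[:6]}...")
                status = 1
    return status


# Constructed sample source: one random-looking key (should be flagged), one
# long repetitive literal and one short region id (should not be).
SAMPLE = '''
const region = "us-east-1";
const apiKey = "aB3dE9fGh1JkL2mNoPqR5sTuVwXyZ0123456789";
const banner = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for hit in scan_text(SAMPLE):
        print(hit)
```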
8. IAM Least Privilege Audit
Audits IAM roles for over-permissions, stale access, and MFA gaps.
/iam-audit
# Options
/iam-audit --provider aws
/iam-audit --check-mfa
/iam-audit --stale-days 90
/iam-audit --output csv
Example AWS IAM Audit:
IAM Least Privilege Audit (AWS)
Users analyzed      |  24
Roles analyzed      |  18
Over-permissioned   |  7
Stale access (90d)  |  5
Missing MFA         |  3
OVER-PERMISSIONED ROLES
| Role/User        | Issue           | Last Used   |
|------------------|-----------------|-------------|
| DevOps-Role      | Admin policy    | 2 days ago  |
| DataScience-Role | S3 Full Access  | 15 days ago |
| CI-Pipeline      | IAM permissions | 1 day ago   |
RECOMMENDATIONS
DevOps-Role:
Current: AdministratorAccess
Recommended: Custom policy with specific permissions
Unused services: RDS, Lambda, DynamoDB
Suggested Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:GetObject",
        "s3:PutObject",
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    }
  ]
}
STALE ACCESS (>90 days)
• jenkins-user (145 days) - Consider deactivating
• legacy-integration (234 days) - Remove
• contractor-temp (98 days) - Review and remove
MISSING MFA
🔴 admin-user (console access)
🔴 ops-team-lead (console access)
✓ backup-operator (API only)
ACTION PLAN
Immediate:
☐ Enable MFA for admin-user and ops-team-lead
☐ Deactivate access for legacy-integration
Short-term:
☐ Replace AdministratorAccess with scoped policies
☐ Implement 90-day access review process
☐ Add MFA enforcement policy
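An added example, not the audit's own logic, of the two checks the report above makes: scoring a policy document for over-broad Allow statements (note that the suggested policy still carries a service-wide ec2:* wildcard on Resource "*") and computing idle days for the --stale-days threshold. The AdministratorAccess-shaped policy and the last-used dates are constructed samples chosen to match the report's numbers.

```python
import json
from datetime import date

# Constructed inputs: the scoped policy suggested above, a statement shaped
# like AWS's managed AdministratorAccess policy, and last-used dates chosen to
# reproduce the report's idle counts relative to the audit date.
SUGGESTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ec2:*", "s3:GetObject", "s3:PutObject",
                            "cloudwatch:PutMetricData"],
                 "Resource": "*"}]
}""")
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LAST_USED = {"DevOps-Role": "2024-01-13", "jenkins-user": "2023-08-23",
             "legacy-integration": "2023-05-26", "contractor-temp": "2023-10-09"}
AUDIT_DATE = date(2024, 1, 15)


def _as_list(value) -> list:
    # IAM allows a bare string (or a single statement object) where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def policy_findings(policy: dict) -> list:
    """Return (statement_index, severity, message) for over-broad grants."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow is scored
        all_resources = "*" in _as_list(st.get("Resource"))
        for action in _as_list(st.get("Action")):
            if action == "*":
                findings.append((i, "CRITICAL", "Action '*' is full admin"))
            elif action.endswith(":*"):
                sev = "HIGH" if all_resources else "MEDIUM"
                findings.append((i, sev, f"service-wide wildcard {action}"))
            elif action.lower().startswith("iam:") and all_resources:
                findings.append((i, "HIGH", f"{action} on all resources"))
        if all_resources and "Condition" not in st:
            findings.append((i, "LOW", "Resource '*' without a Condition"))
    return findings


def stale_principals(last_used: dict, today: date, stale_days: int = 90) -> list:
    """(name, idle_days) for principals unused for more than stale_days,
    most idle first; the audit's --stale-days option maps to stale_days."""
    idle = [(n, (today - date.fromisoformat(d)).days) for n, d in last_used.items()]
    return sorted([p for p in idle if p[1] > stale_days], key=lambda p: -p[1])


def worst_severity(findings: list) -> str:
    order = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
    return max((f[1] for f in findings), key=order.index, default="NONE")


if __name__ == "__main__":
    for name, pol in (("AdministratorAccess-like", ADMIN_POLICY),
                      ("suggested scoped policy", SUGGESTED_POLICY)):
        print(name, "->", worst_severity(policy_findings(pol)))
        for finding in policy_findings(pol):
            print("  ", finding)
    for name, days in stale_principals(LAST_USED, AUDIT_DATE):
        print(f"stale: {name} ({days} days)")
```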
9. Security Incident Playbook
Generates a security incident response playbook following the NIST SP 800-61 framework.
/incident-playbook <incident_type>
# Options
/incident-playbook data-breach
/incident-playbook ransomware
/incident-playbook ddos-attack
/incident-playbook --format pdf
Example Playbook:
Security Incident Playbook: Data Breach
Framework: NIST SP 800-61
Phases: 5
PHASE 1: DETECTION & TRIAGE (0-1 hour)
Immediate Actions:
☐ Confirm incident severity and scope
☐ Notify Security Team Lead
☐ Activate incident response team
☐ Begin incident log (time, actions, findings)
Detection Checklist:
☐ Review SIEM alerts and logs
☐ Check data exfiltration indicators
☐ Identify compromised systems/accounts
☐ Determine data types affected
Key Questions:
• What data was accessed/exfiltrated?
• How many records affected?
• When did the breach occur?
• Is the breach ongoing?
PHASE 2: CONTAINMENT (1-4 hours)
Short-term Containment:
☐ Isolate affected systems from network
☐ Disable compromised user accounts
☐ Block malicious IP addresses at firewall
☐ Reset credentials for affected systems
☐ Enable enhanced monitoring
Long-term Containment:
☐ Apply security patches
☐ Implement additional access controls
☐ Deploy IDS/IPS rules
☐ Segment network if not already done
Evidence Preservation:
☐ Take disk/memory snapshots
☐ Preserve logs (application, system, network)
☐ Document all containment actions
☐ Chain of custody for forensic evidence
PHASE 3: ERADICATION (4-24 hours)
☐ Remove malware/backdoors from affected systems
☐ Close vulnerability that enabled breach
☐ Verify no persistence mechanisms remain
☐ Conduct full system security scan
☐ Review and update security configurations
Root Cause Analysis:
• Entry point identification
• Attack vector analysis
• Timeline reconstruction
• Identify control failures
PHASE 4: RECOVERY (1-7 days)
☐ Restore systems from clean backups
☐ Verify system integrity before reconnection
☐ Gradually restore services (least critical first)
☐ Enhanced monitoring for 30 days
☐ User access verification
Validation:
☐ Penetration testing of restored systems
☐ Vulnerability scanning
☐ Security control verification
PHASE 5: POST-INCIDENT (7-30 days)
Lessons Learned Meeting (within 48 hours):
• What happened?
• What was done well?
• What could be improved?
• What will we do differently?
Deliverables:
☐ Incident report (technical)
☐ Executive summary
☐ Timeline of events
☐ Financial impact assessment
☐ Regulatory notification (if required)
Regulatory Obligations:
• GDPR: 72-hour notification to supervisory authority
• CCPA: Notification without unreasonable delay
• HIPAA: 60-day notification to affected individuals
• State breach notification laws (check jurisdictions)
Security Improvements:
☐ Update incident response plan
☐ Implement identified security controls
☐ Conduct security awareness training
☐ Schedule follow-up security assessment
CONTACTS
Security Team:
• Security Lead: ENV:SECURITY_LEAD_CONTACT
• On-Call SIEM: ENV:SIEM_ONCALL
• Forensics Team: ENV:FORENSICS_CONTACT
External:
• Legal Counsel: ENV:LEGAL_CONTACT
• PR/Communications: ENV:PR_CONTACT
• Cyber Insurance: ENV:INSURANCE_CONTACT
• Law Enforcement (FBI IC3): https://www.ic3.gov
Regulatory:
• GDPR DPA: ENV:DPA_CONTACT
• State Attorney General: ENV:STATE_AG_CONTACT
10. Privacy Policy Generator
Generates a GDPR/CCPA-compliant privacy policy from a data inventory.
/privacy-policy <data_inventory_file>
# Options
/privacy-policy inventory.json --jurisdiction eu,us,uk
/privacy-policy . --auto-discover
/privacy-policy data-map.yaml --format html
Example Data Inventory:
{
  "personal_data": [
    {
      "type": "contact",
      "fields": ["email", "name", "phone"],
      "purpose": "user_account",
      "retention": "account_lifetime",
      "third_parties": []
    },
    {
      "type": "analytics",
      "fields": ["ip_address", "user_agent", "session_id"],
      "purpose": "service_improvement",
      "retention": "90_days",
      "third_parties": ["Google Analytics"]
    }
  ]
}
Generated Policy Excerpt:
# Privacy Policy
Last Updated: 2024-01-15
## 1. Information We Collect
### Contact Information
We collect your email address, name, and phone number when you:
- Create an account
- Contact customer support
- Subscribe to our newsletter
**Legal Basis (GDPR):** Contract performance, legitimate interest
**Retention:** Duration of account plus 30 days
### Analytics Data
We automatically collect:
- IP address
- Browser type and version
- Device information
- Pages visited and time spent
**Legal Basis (GDPR):** Legitimate interest (service improvement)
**Retention:** 90 days
## 2. How We Use Your Information
We use your information to:
- Provide and maintain our services
- Send account-related notifications
- Improve our products and services
- Comply with legal obligations
## 3. Third-Party Service Providers
We share your information with:
**Google Analytics**
- Purpose: Website analytics and usage patterns
- Data shared: IP address, user agent, page views
- Location: United States
- Privacy Policy: https://policies.google.com/privacy
- Data Processing Agreement: In place
## 4. Your Rights (GDPR)
You have the right to:
- **Access:** Request a copy of your personal data
- **Rectification:** Correct inaccurate data
- **Erasure:** Request deletion of your data
- **Restriction:** Limit processing of your data
- **Portability:** Receive your data in machine-readable format
- **Objection:** Object to processing based on legitimate interest
- **Withdraw Consent:** Where processing is based on consent
To exercise these rights, contact: ENV:PRIVACY_CONTACT_EMAIL
## 5. Your Rights (CCPA)
California residents have the right to:
- Know what personal information is collected
- Know whether personal information is sold or disclosed
- Say no to the sale of personal information
- Access your personal information
- Request deletion of personal information
- Equal service and price, even if you exercise your privacy rights
## 6. Data Security
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Access controls and authentication
- Regular security assessments
- Employee security training
## 7. International Data Transfers
Your data may be transferred to and processed in:
- United States (Standard Contractual Clauses)
- European Union (GDPR compliant)
We ensure appropriate safeguards are in place for all transfers.
## 8. Children's Privacy
Our services are not directed to individuals under 16. We do not
knowingly collect personal information from children.
## 9. Contact Information
Data Controller: [Company Name]
Email: ENV:PRIVACY_CONTACT_EMAIL
Address: [Company Address]
EU Representative: ENV:EU_REP_CONTACT
UK Representative: ENV:UK_REP_CONTACT
Supervisory Authority: [Relevant DPA]
Multi-Step Workflows
Workflow 1: Secure SDLC (Shift-Left Security)
End-to-end secure development lifecycle implementation.
/workflow:secure-sdlc <project_path>
# Options
/workflow:secure-sdlc . --phase all
/workflow:secure-sdlc src/ --skip-dast
Workflow Steps:
Secure SDLC Workflow
1. Threat Model        |  ⏳ In Progress
2. SAST Scan           |  ☐ Pending
3. Dependency Check    |  ☐ Pending
4. DAST Scan           |  ☐ Pending
5. Penetration Test    |  ☐ Pending
6. Security Sign-off   |  ☐ Pending
PHASE 1: THREAT MODELING
Running: /threat-model architecture.md
[Output from threat model command...]
PHASE 2: STATIC ANALYSIS
Running: /owasp-scan src/
[Output from OWASP scan...]
PHASE 3: DEPENDENCY CHECK
Running: /dep-cve --scope full
[Output from CVE scan...]
PHASE 4: DYNAMIC TESTING
Running DAST against staging environment...
[DAST results...]
PHASE 5: PENETRATION TEST
Generating penetration test checklist...
[Pentest scope and requirements...]
PHASE 6: SECURITY SIGN-OFF
Generating security release checklist...
RELEASE CRITERIA
☐ All critical vulnerabilities resolved
