Security
Scan, report, remediate. Secrets, dependencies, SAST/DAST, containers, SOC2.
13 skills · 2 orchestrators
skillskit install security installs just this department into ~/.claude/skills/ — need the CLI? install it first.
Task skills
compliance-check
Use when the user asks for a "SOC 2 gap analysis", "ISO 27001 readiness check", or evidence collection for an upcoming audit. Maps SOC 2 Trust Service Criteria (CC1-CC9) and ISO 27001 Annex A controls against collected evidence, identifies gaps, and produces a remediation ticket list with owner/priority.
compliance-remediation
Use when compliance-check has produced control gaps (SOC2, ISO 27001, HIPAA, PCI) and you need to close them. Classifies each gap as Design / Operating / Evidence, drafts or configures the missing policy / control / evidence artifact, maps the closure to the control ID, and assembles the auditor-ready evidence locker.
container-remediation
Use when container-scan has produced findings on a Docker/OCI image and you need to rebuild it clean. Rebases to a patched base image, upgrades OS packages, hardens the Dockerfile (non-root user, distroless or slim, multi-stage, HEALTHCHECK), strips secrets from layers using BuildKit mounts, and verifies closure by re-scanning with Trivy.
container-scan
Use when the user asks to "scan this container", before a registry push, or as a release gate for a Docker/OCI image. Runs Trivy image + filesystem + secret scans, verifies distroless/non-root user, checks Dockerfile best practices, and blocks on Critical/High CVEs.
dependency-audit
Use when the user asks to "audit dependencies", "check for CVEs", or before a release. Runs CVE scanning across every detected package manager (npm/yarn/pnpm, pip/poetry, Go modules, Cargo, Maven/Gradle), produces CVSS-scored findings with fix-version recommendations and explicit flags for transitive dependencies.
dependency-remediation
Use when dependency-audit has produced CVE findings and you need to close them. Triages each finding into upgrade / transitive override / patch / replace / accept-with-mitigation, applies the fix per ecosystem (npm, pip, go, cargo, maven), verifies with tests, updates SBOM and lockfiles, and writes the audit trail.
pentest-report
Use when the user asks to "write up a pentest report", "assemble a security assessment deliverable", or convert audit outputs into a client-ready document. Produces a structured report with executive summary, methodology, scope, findings (CVSS + CWE + remediation), risk matrix, and raw-evidence appendix from scanner JSON plus manual notes.
secret-remediation
Use when secret-scanner has produced findings and leaked credentials need to be remediated. Rotates each credential at its provider, invalidates the old one, rewrites git history, updates allowlists for confirmed false positives, and installs prevention controls (pre-commit hook, CI gate, secret manager).
secret-scanner
Use when the user asks to "scan for secrets", "check for leaked credentials", onboarding a new repo, or before open-sourcing. Performs deep git history scan with Gitleaks and TruffleHog, diffs against an allowlist, triages false positives, and guides credential-rotation-first remediation via git filter-repo or BFG.
security-audit
Use when the user asks for a full security audit, pre-release security gate, or "scan this repo / service end-to-end". Orchestrates DAST (ZAP, Nuclei, Wapiti), SAST (Semgrep, SonarQube), and SCA (OSV-Scanner, npm audit, pip-audit, govulncheck, cargo-audit), deduplicates findings, classifies by severity, and emits a combined markdown report.
vulnerability-remediation
Use when security-audit has produced SAST or DAST findings and they need to be fixed in code or config. Applies category-specific remediation patterns (injection, XSS, broken access control, crypto, misconfig, SSRF, deserialization), adds a regression test per finding, and re-runs the originating scanner rule to verify closure.
Workflow orchestrators
Orchestrators chain the task skills above into an end-to-end flow. Invoke them the same way as any other skill — they declare a chains: field in their frontmatter, which lets tooling pass artifacts between steps automatically.
full-security-audit orchestrator
Use when preparing for a release, a SOC2/PCI audit window, or any "sweep everything" security request. Chains secret-scanner, dependency-audit, security-audit, container-scan (if applicable), and pentest-report end-to-end and produces a single dated pentest report.
full-security-remediation orchestrator
Use when full-security-audit has produced findings across secrets, dependencies, SAST/DAST, containers, and compliance, and you want to close them end-to-end. Dispatches each class of finding to the paired remediation skill, re-runs the originating scanner to verify closure, computes before/after deltas, and writes a consolidated remediation report with residuals, exceptions, and follow-up tickets.