anthropics/claude-plugins-official
1
0
Fork 0
mirror of https://github.com/anthropics/claude-plugins-official.git synced 2026-06-15 07:06:07 -03:00
Code Issues Packages Projects Releases Wiki Activity

code-modernization: never write discovered credential values into findings

Browse Source 
Legacy systems often contain live credentials, and assessment/findings
files get committed and shared. Previously the security-auditor agent
reported hardcoded secrets verbatim into ASSESSMENT.md and
SECURITY_FINDINGS.md.

- security-auditor: mandatory secret-handling rules — mask all credential
  values (file:line + 2-4 char preview), redact secrets from echoed tool
  output, recommend rotation for anything that looks live
- assess/harden: gitignore-verified SECRETS.local.md quarantine file for
  the per-credential inventory; findings files get masked entries and a
  pointer only
- new --show-secrets flag opts into raw values in the quarantine file
  (and only there)
- README: document the behavior and advise users of earlier versions to
  check for already-committed findings and rotate
This commit is contained in:
Morgan Lunt 2026-06-08 14:43:53 -07:00
parent bbbff6ab54
commit ff5feaeb7f
No known key found for this signature in database
4 changed files with 81 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
plugins/code-modernization/README.md
View File

@ -24,6 +24,10 @@ mkdir -p legacy && ln -s /path/to/your/legacy/codebase legacy/billing
`/modernize-assess` works best with [`scc`](https://github.com/boyter/scc) (LOC + complexity + COCOMO) or [`cloc`](https://github.com/AlDanial/cloc), and falls back to `find`/`wc` if neither is installed. Portfolio mode also benefits from [`lizard`](https://github.com/terryyin/lizard) (cyclomatic complexity). The commands degrade gracefully without them, but the metrics will be coarser. `/modernize-assess` works best with [`scc`](https://github.com/boyter/scc) (LOC + complexity + COCOMO) or [`cloc`](https://github.com/AlDanial/cloc), and falls back to `find`/`wc` if neither is installed. Portfolio mode also benefits from [`lizard`](https://github.com/terryyin/lizard) (cyclomatic complexity). The commands degrade gracefully without them, but the metrics will be coarser.
## Secret handling
Legacy systems routinely contain live credentials, and assessment artifacts get committed and shared. `/modernize-assess` and `/modernize-harden` therefore **never write discovered credential values into findings files** — findings cite `file:line` with a masked preview (`AKIA****`). When credentials are found, a per-credential inventory (type, location, blast radius, rotation recommendation) is written to `analysis/<system>/SECRETS.local.md`, which the commands gitignore before writing. Pass `--show-secrets` to include raw values in that quarantine file (and only there). If you ran an earlier version of this plugin on a real system, check whether `analysis/` artifacts containing credentials were committed or shared, and rotate anything that was.
## Commands ## Commands
The commands are designed to be run in order, but each produces a standalone artifact so you can stop, review, and resume. The commands are designed to be run in order, but each produces a standalone artifact so you can stop, review, and resume.

25
plugins/code-modernization/agents/security-auditor.md
View File

@ -39,7 +39,30 @@ terminal/screen items don't apply to a SPA. Work through what's relevant:
Use available SAST where it helps (npm audit, pip-audit, grep for known-bad Use available SAST where it helps (npm audit, pip-audit, grep for known-bad
patterns) but **read the code** — tools miss logic flaws. Show tool output patterns) but **read the code** — tools miss logic flaws. Show tool output
verbatim, then add your manual findings. verbatim — except secret values, which you redact (see below) — then add
your manual findings.
## Secret handling (mandatory)
Legacy codebases routinely contain live production credentials, and your
findings get pasted into decks, tickets, and committed markdown. Copying a
secret into a report multiplies the exposure you were hired to find.
When you discover a hardcoded credential, API key, token, connection
string, or private key:
- **Never write the secret's value into any output** — no finding table,
no report, no quoted code excerpt, no echoed tool output. Mask it to the
first 24 identifying characters plus `****` (`AKIA****`,
`postgres://app_user:****@db-prod…`). If a scanner prints a secret,
redact it before including the excerpt.
- Cite `file:line`. The source file is the canonical location — anyone who
legitimately needs the value can open it there.
- State what the credential appears to grant access to (database, queue,
cloud account, third-party API) and whether it looks like a production
or test credential.
- Recommend rotation for anything that looks live — exposure in source
means it is already compromised, independent of any modernization plan.
## Reporting standard ## Reporting standard

23
plugins/code-modernization/commands/modernize-assess.md
View File

@ -1,6 +1,6 @@
--- ---
description: Full discovery & portfolio analysis of a legacy system — inventory, complexity, debt, effort estimation description: Full discovery & portfolio analysis of a legacy system — inventory, complexity, debt, effort estimation
argument-hint: <system-dir> | --portfolio <parent-dir> argument-hint: <system-dir> [--show-secrets] | --portfolio <parent-dir>
--- ---
**Mode select.** If `$ARGUMENTS` starts with `--portfolio`, run **Portfolio **Mode select.** If `$ARGUMENTS` starts with `--portfolio`, run **Portfolio
@ -113,7 +113,9 @@ Spawn three subagents **in parallel**:
3. **security-auditor** — "Scan legacy/$1 for security vulnerabilities: 3. **security-auditor** — "Scan legacy/$1 for security vulnerabilities:
injection, auth weaknesses, hardcoded secrets, vulnerable dependencies, injection, auth weaknesses, hardcoded secrets, vulnerable dependencies,
missing input validation. Return findings in CWE-tagged table form with missing input validation. Return findings in CWE-tagged table form with
file:line evidence and severity." file:line evidence and severity. Mask every discovered credential value
per your secret-handling rules — file:line plus a 24 character masked
preview, never the value itself."
Wait for all three. Synthesize their findings. Wait for all three. Synthesize their findings.
@ -141,6 +143,23 @@ need explained.
## Step 6 — Write the assessment ## Step 6 — Write the assessment
**Secrets quarantine first.** The assessment gets shared and committed —
discovered credential values must never appear in it. If the
security-auditor found any hardcoded credentials:
1. Ensure `analysis/.gitignore` exists and contains the line
`SECRETS.local.md` (create or append as needed). If the project is a
git repo, verify with `git check-ignore -q analysis/$1/SECRETS.local.md`
before writing any findings.
2. Write `analysis/$1/SECRETS.local.md`: one row per credential — masked
preview, `file:line`, credential type, what it grants access to,
production/test guess, rotation recommendation. Only if the user passed
`--show-secrets`, add the raw value column here — this file only, never
ASSESSMENT.md.
3. In ASSESSMENT.md, the Security Findings section lists credential
findings with masked values only, plus a one-line pointer:
"Credential inventory in SECRETS.local.md (gitignored; not for sharing)."
Create `analysis/$1/ASSESSMENT.md` with these sections: Create `analysis/$1/ASSESSMENT.md` with these sections:
- **Executive Summary** (3-4 sentences: what it is, how big, how risky, headline recommendation) - **Executive Summary** (3-4 sentences: what it is, how big, how risky, headline recommendation)
- **System Inventory** (the scc table + tech fingerprint) - **System Inventory** (the scc table + tech fingerprint)

34
plugins/code-modernization/commands/modernize-harden.md
View File

@ -1,6 +1,6 @@
--- ---
description: Security vulnerability scan with a reviewable remediation patch — OWASP, CWE, CVE, secrets, injection description: Security vulnerability scan with a reviewable remediation patch — OWASP, CWE, CVE, secrets, injection
argument-hint: <system-dir> argument-hint: <system-dir> [--show-secrets]
--- ---
Run a **security hardening pass** on `legacy/$1`: find vulnerabilities, rank Run a **security hardening pass** on `legacy/$1`: find vulnerabilities, rank
@ -9,6 +9,25 @@ them, and produce a reviewable patch for the critical ones.
This command never edits `legacy/` — it writes findings and a proposed patch This command never edits `legacy/` — it writes findings and a proposed patch
to `analysis/$1/`. The user reviews and applies (or not). to `analysis/$1/`. The user reviews and applies (or not).
## Step 0 — Secrets quarantine setup
Findings files get shared, committed, and pasted into decks — discovered
credential values must never land in them. Before any scanning:
1. Ensure `analysis/.gitignore` exists and contains the line
`SECRETS.local.md`. Create the file or append the line if missing.
2. If the project is a git repo, verify with
`git check-ignore -q analysis/$1/SECRETS.local.md` — if that exits
non-zero, fix the ignore rule before proceeding. Do not write any
findings until this check passes (skip the check only if there is no
git repo).
All secret values in every artifact this command produces are **masked**
(`AKIA****`, `password=****`) and cited by `file:line`. The one exception:
if the user passed `--show-secrets`, raw values may appear in
`analysis/$1/SECRETS.local.md` (gitignored above) and nowhere else —
never in SECURITY_FINDINGS.md or the patch commentary.
## Scan ## Scan
Spawn the **security-auditor** subagent: Spawn the **security-auditor** subagent:
@ -20,7 +39,9 @@ hardcoded secrets, vulnerable dependency versions, missing input validation,
path traversal. For each finding return: CWE ID, severity path traversal. For each finding return: CWE ID, severity
(Critical/High/Med/Low), file:line, one-sentence exploit scenario, and (Critical/High/Med/Low), file:line, one-sentence exploit scenario, and
recommended fix. Run any available SAST tooling (npm audit, pip-audit, recommended fix. Run any available SAST tooling (npm audit, pip-audit,
OWASP dependency-check) and include its raw output." OWASP dependency-check) and include its raw output. Mask every discovered
credential value per your secret-handling rules — file:line plus a 24
character masked preview, never the value itself."
## Triage ## Triage
@ -29,6 +50,15 @@ Write `analysis/$1/SECURITY_FINDINGS.md`:
- Findings table sorted by severity - Findings table sorted by severity
- Dependency CVE table (package, installed version, CVE, fixed version) - Dependency CVE table (package, installed version, CVE, fixed version)
If any hardcoded credentials were found, also write
`analysis/$1/SECRETS.local.md` (the gitignored quarantine file from Step 0):
one row per credential — masked preview, `file:line`, credential type, what
it appears to grant access to, production/test guess, and a rotation
recommendation. With `--show-secrets`, append the raw value column here —
this file only. SECURITY_FINDINGS.md gets a one-line pointer:
"N hardcoded credentials found — inventory in SECRETS.local.md (gitignored;
not for sharing)."
## Remediate ## Remediate
For each **Critical** and **High** finding, draft a minimal, targeted fix. For each **Critical** and **High** finding, draft a minimal, targeted fix.