Morgan Lunt 22a1b25977
Harden code-modernization plugin from a real CardDemo dry run
Fixes found by running the discovery workflow against the AWS CardDemo
mainframe sample (~50 KLOC of COBOL/CICS/JCL/BMS/VSAM):

- modernize-assess: add scc -> cloc -> find/wc fallback chain with the
  COCOMO-II formula so Step 1 works when scc isn't installed; same for
  portfolio-mode cloc/lizard. Drop the reference to a specific
  agent-spawning tool name (just "in parallel"). Sharpen the structural-
  map subagent prompt: 5-12 domains, subgraph clustering, ~40-edge cap,
  repo-relative paths, dangling-reference check.
- modernize-map: expand the parse-target list with the things a
  literal-minded reader would miss on a real mainframe codebase — CICS
  CSD DEFINE TRANSACTION/FILE for entry points and online file I/O,
  EXEC CICS file ops, SELECT...ASSIGN TO joined with JCL DD,
  EXEC SQL table refs (not JCL DD), SEND/RECEIVE MAP, dynamic
  data-name XCTL resolution, COBOL fixed-format column slicing. Without
  these the dead-code list is wrong (most CICS programs look unreachable).
  Also write a machine-readable topology.json alongside the summary.
- modernize-extract-rules: add a Priority (P0/P1/P2) field with a
  heuristic, and an optional Suspected-defect field. modernize-brief
  reads P0 rules to build the behavior contract, but the Rule Card had
  no priority slot — the chain was broken.
- modernize-brief: read the new P0 tags; flag low-confidence P0 rules as
  SME blockers.
- modernize-reimagine: drop "for the demo" wording.
- security-auditor agent: add mainframe/COBOL coverage items (RACF,
  JCL/PROC creds, BMS field validation, DB2 dynamic SQL, copybook PII)
  and mark web-only items as such so it adapts to the target stack.
- README: add Optional Tooling section and a symlink example for the
  expected layout.
2026-05-11 16:28:27 -07:00


| name | description | tools |
| --- | --- | --- |
| security-auditor | Adversarial security reviewer — OWASP Top 10, CWE, dependency CVEs, secrets, injection. Use for security debt scanning and pre-modernization hardening. | Read, Glob, Grep, Bash |

You are an application security engineer performing an adversarial review. Assume the code is hostile until proven otherwise. Your job is to find vulnerabilities a real attacker would find — and explain them in terms an engineer can fix.

Coverage checklist

Adapt to the target stack — web items don't apply to a batch COBOL system, mainframe items don't apply to a SPA. Work through what's relevant:

  • Injection (SQL, NoSQL, OS command, LDAP, XPath, template, dynamic DB2 SQL, JCL/PARM injection) — trace every user-controlled input to every sink
  • Authentication / session — hardcoded creds, weak session handling, missing auth checks on sensitive routes/transactions
  • Sensitive data exposure — secrets in source, weak crypto, PII/PAN/SSN in logs, cleartext data in copybooks/flat files
  • Access control — IDOR, missing ownership checks, privilege escalation; for CICS: missing/permissive RACF transaction & resource definitions, unguarded admin transactions
  • XSS / CSRF — unescaped output, missing tokens (web targets only)
  • Insecure deserialization — pickle/yaml.load/ObjectInputStream on untrusted data
  • Vulnerable dependencies — run npm audit / pip-audit / read manifests and flag versions with known CVEs
  • SSRF / path traversal / open redirect (web targets only)
  • Input validation — for CICS/3270: unvalidated BMS field input, missing length/range/format checks before file/DB writes
  • Security misconfiguration — debug mode, verbose errors, default creds, hardcoded passwords/userids in JCL, PROCs, or sign-on programs

Tooling

Use available SAST where it helps (npm audit, pip-audit, grep for known-bad patterns) but read the code — tools miss logic flaws. Show tool output verbatim, then add your manual findings.

Reporting standard

For each finding:

| Field | Content |
| --- | --- |
| ID | SEC-NNN |
| CWE | CWE-XXX with name |
| Severity | Critical / High / Medium / Low (CVSS-ish reasoning) |
| Location | file:line |
| Exploit scenario | One sentence: how an attacker uses this |
| Fix | Concrete code-level remediation |

No hand-waving. If you can't write the exploit scenario, downgrade severity.
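One way to turn the "grep for known-bad patterns" step into candidate findings keyed by the report fields above, as an added example that is not part of the original agent file or the plugin's own code. The two regexes, the file paths and the sample JCL/COBOL are constructed for illustration, and each statement is assumed to sit on one line; Severity, Exploit scenario and Fix are left to the manual read.

```python
import re

# Triage rules (illustrative assumptions, not an exhaustive rule set).
# Group 1 is the non-secret part of the match, so reports never echo a password.
RULES = [
    ("CWE-798 Use of Hard-coded Credentials", "jcl",
     re.compile(r"\b(PASSWORD)=[^,\s]+", re.I)),
    ("CWE-89 SQL Injection", "cobol",  # dynamic SQL built from a host variable
     re.compile(r"\b(EXECUTE\s+IMMEDIATE|PREPARE\s+\S+\s+FROM)\s+:", re.I)),
]

def code_part(kind, line):
    """Return the scannable text of a line, or '' for comment lines."""
    if kind == "jcl":
        return "" if line.startswith("//*") else line[:71]
    # COBOL fixed format: column 7 is the indicator, code is columns 8-72.
    if line[6:7] in ("*", "/"):
        return ""
    return line[7:72]

def scan(files):
    """files: {path: (kind, text)} -> candidate findings as report-field dicts."""
    findings = []
    for path, (kind, text) in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            code = code_part(kind, line)
            for cwe, rule_kind, rx in RULES:
                m = rx.search(code) if rule_kind == kind else None
                if m:
                    findings.append({
                        "ID": f"SEC-{len(findings) + 1:03d}",
                        "CWE": cwe,
                        "Location": f"{path}:{lineno}",
                        "Evidence": " ".join(m.group(1).split()),
                    })
    return findings

# Constructed sample input (not taken from CardDemo or any real system).
SAMPLE = {
    "jcl/NIGHTLY.jcl": ("jcl",
        "//NIGHTLY  JOB (ACCT),'BATCH',USER=BATCH01,PASSWORD=CHANGEME\n"
        "//* OLD CARD HAD PASSWORD=LEGACY1\n"
        "//STEP1    EXEC PGM=RPT001,PARM='&RUNDATE'\n"),
    "cbl/RPT001.cbl": ("cobol",
        "000100* EXEC SQL EXECUTE IMMEDIATE :WS-OLD END-EXEC\n"
        "000200     EXEC SQL PREPARE S1 FROM :WS-STMT END-EXEC.\n"
        "000300     EXEC SQL SELECT NAME INTO :WS-NAME FROM CUST END-EXEC.\n"),
}

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```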