- modernize-harden: never edits legacy/ anymore. Writes findings plus a reviewed unified diff to analysis/<system>/security_remediation.patch. A second security-auditor pass reviews each hunk (RESOLVES / PARTIAL / INTRODUCES-RISK) before presenting. The user reviews and applies the patch deliberately, then re-runs to verify. This makes every command consistent with the recommended deny Edit(legacy/**) workspace setting, so the README's exception note is gone.
- modernize-map: restructure the parse-target list around three stack-agnostic principles (dispatcher targets are variables; code-storage joins live in config; entry points live in deployment descriptors), with COBOL/Java/web/CLI examples on equal footing rather than COBOL-dominant. Same protections against false dead-code findings, less stack-specific.
- security-auditor agent: rephrase coverage items in stack-neutral terms (record layouts/temp datasets, resource ACLs, deployment scripts/job definitions, batch input records) so the checklist reads naturally for COBOL, Java EE, .NET, and web targets alike.
- README: drop the harden exception note; describe the patch workflow.
| description | argument-hint |
|---|---|
| Security vulnerability scan with a reviewable remediation patch — OWASP, CWE, CVE, secrets, injection | <system-dir> |
Run a security hardening pass on legacy/$1: find vulnerabilities, rank
them, and produce a reviewable patch for the critical ones.
This command never edits legacy/ — it writes findings and a proposed patch
to analysis/$1/. The user reviews and applies (or not).
## Scan
Spawn the security-auditor subagent:
"Adversarially audit legacy/$1 for security vulnerabilities. Cover what's relevant to the stack: injection (SQL/NoSQL/OS command/template), broken auth, sensitive data exposure, access control gaps, insecure deserialization, hardcoded secrets, vulnerable dependency versions, missing input validation, path traversal. For each finding return: CWE ID, severity (Critical/High/Med/Low), file:line, one-sentence exploit scenario, and recommended fix. Run any available SAST tooling (npm audit, pip-audit, OWASP dependency-check) and include its raw output."
## Triage
Write analysis/$1/SECURITY_FINDINGS.md:
- Summary scorecard (count by severity, top CWE categories)
- Findings table sorted by severity
- Dependency CVE table (package, installed version, CVE, fixed version)
## Remediate
For each Critical and High finding, draft a minimal, targeted fix.
Do not edit legacy/ — write all fixes as a single unified diff to
analysis/$1/security_remediation.patch, with a comment line above each
hunk citing the finding ID it addresses (`# SEC-001: parameterize the query`).
Add a Remediation Log section to SECURITY_FINDINGS.md mapping each finding ID → one-line summary of the proposed fix and the patch hunk that implements it.
## Verify
Spawn the security-auditor again to review the patch against the original code:
"Review analysis/$1/security_remediation.patch against legacy/$1. For each hunk: does it fully remediate the cited finding? Does it introduce new vulnerabilities or change behavior beyond the fix? Return one verdict per hunk: RESOLVES / PARTIAL / INTRODUCES-RISK, with a one-line reason."
Add a Patch Review section to SECURITY_FINDINGS.md with the verdicts. If any hunk is PARTIAL or INTRODUCES-RISK, revise the patch and re-review.
## Present
Tell the user the artifacts are ready:
- `analysis/$1/SECURITY_FINDINGS.md` — findings, remediation log, patch review
- `analysis/$1/security_remediation.patch` — review, then apply if appropriate with `git -C legacy/$1 apply ../../analysis/$1/security_remediation.patch`
- Re-run `/modernize-harden $1` after applying to confirm resolution

Suggest: `glow -p analysis/$1/SECURITY_FINDINGS.md`
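As an added example (not part of this command or its repository), a pre-apply gate a user could run over the patch and the Patch Review verdicts before the `git apply` step: it maps each hunk to the `SEC-nnn` comment line above it, rejects any hunk whose verdict is not RESOLVES, and refuses target paths that would land outside the system directory. The sample patch and the verdict dictionary are constructed.

```python
import re

# Constructed sample in the shape the Remediate step specifies: a comment
# line citing the finding ID above each hunk of a unified diff.
SAMPLE_PATCH = """\
# SEC-001: parameterize the query
--- a/src/orders.py
+++ b/src/orders.py
@@ -10,1 +10,1 @@
-    cur.execute("SELECT * FROM orders WHERE id = " + order_id)
+    cur.execute("SELECT * FROM orders WHERE id = ?", (order_id,))
# SEC-002: read the credential from the environment
--- a/src/db.py
+++ b/src/db.py
@@ -1,1 +1,1 @@
-PASSWORD = "hunter2"
+PASSWORD = os.environ["DB_PASSWORD"]
"""
FINDING_RE = re.compile(r"^#\s*(SEC-\d+)\b")


def parse_patch(text):
    """One (finding_id or None, target path) record per hunk."""
    hunks, pending, path = [], None, None
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            pending = m.group(1)
        elif line.startswith("+++ "):
            path = line[4:].split("\t")[0].removeprefix("b/")
        elif line.startswith("@@"):
            hunks.append((pending, path))
            pending = None  # each hunk must carry its own citation
    return hunks


def gate(hunks, verdicts):
    """Problems that should stop the user from running `git apply`."""
    problems = []
    for i, (fid, path) in enumerate(hunks, 1):
        if fid is None:
            problems.append(f"hunk {i}: no SEC-nnn comment above it")
        elif verdicts.get(fid) != "RESOLVES":  # PARTIAL / INTRODUCES-RISK / missing
            problems.append(f"hunk {i}: {fid} verdict is {verdicts.get(fid)}")
        if not path or path.startswith("/") or ".." in path.split("/"):
            problems.append(f"hunk {i}: target {path!r} is outside the system dir")
    for fid in verdicts.keys() - {f for f, _ in hunks}:
        problems.append(f"{fid}: has a verdict but no hunk implements it")
    return problems
```

Feed it the real patch text and the verdicts parsed from the Patch Review section; an empty result list means every hunk is cited, reviewed as RESOLVES, and confined to the system directory.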