A JavaScript MIT-licensed GitHub repo from Cloudflare, offering a multi-phase security-audit coding-agent skill with structured outputs and verification. It includes a six-phase workflow, validation tooling, and a zero-dependency findings validator.
What it is
A coding-agent skill that turns your agent into a security auditor. It orchestrates multiple parallel agents through a six-phase pipeline -- recon, hunting, validation, reporting, structured output, and independent verification -- to find exploitable vulnerabilities with real impact.
How it works
The skill runs a structured audit in six phases:
- Recon -- parallel research agents map the application's architecture, trust boundaries, and input surfaces. Produces
architecture.md. - Hunt -- parallel general agents attack the codebase from different angles (injection, access control, business logic, cryptography, feature abuse, chained attacks, and a wildcard). Each agent can spawn sub-agents to dig deeper.
- Validate -- separate agents try to disprove each finding. Adversarial review kills false positives.
- Report -- produces
REPORT.md(human-readable) andFINDINGS-DETAIL.md(detailed traces for MEDIUM+ findings). - Structured output -- writes
findings.jsonconforming toreport-schema.json, validated byvalidate-findings.cjs. - Independent verification -- fresh agents verify every factual claim in the structured output against the actual source code.
Multiple runs against the same repo are additive. Each run explores different code paths; the skill reads prior findings.json files to skip known issues and target gaps.
Getting started
Install the skill with the Skills CLI:
npx skills add https://github.com/cloudflare/security-audit-skill \
--skill security-audit
Use --global for a user-level installation:
npx skills add https://github.com/cloudflare/security-audit-skill \
--skill security-audit \
--global
Run npx skills --help for agent-selection and non-interactive options.
Usage examples:
security audit this codebase
find security vulnerabilities in ./src
do a security review, output to ~/audits/my-project
The skill activates automatically when the request matches its trigger (security audit, find vulnerabilities, pen-test the code, etc.). It will ask for an output directory if you don't specify one, defaulting to ~/security-audit-skill/<repo-name>/run-<N>.
Getting started requirements
- A coding agent with a model that supports tool use and parallel sub-agents
- Node.js (for
validate-findings.cjsschema validation in Phase 5)
Design principles
- Only report what you can exploit. Every finding needs a concrete attack scenario, not "an attacker could theoretically..."
- Adversarial validation. The agent that checks a finding is never the agent that found it.
- Severity requires impact. Likelihood x impact, not deviation from a checklist.
- Defense-in-depth gaps are not vulnerabilities. If Layer A prevents the attack, the absence of Layer B is a hardening note.
- Multiple runs improve coverage. Testing shows a single run finds roughly half the total vulnerabilities across multiple runs.
License
MIT -- see LICENSE.
