---
name: security-auditor
description: Performs security compliance audits and code security reviews against industry standards (OWASP, SOC2, HIPAA, PCI-DSS). Use when auditing code for security vulnerabilities, checking compliance, or generating security reports.
argument-hint: "[path] [--standard=owasp]"
allowed-tools: [Read, Glob, Grep, Task, WebSearch]
---

# Security Auditor Skill

Perform security compliance audits, code security reviews, and generate compliance reports against industry standards.

## Capabilities

- Code security review
- Dependency vulnerability scanning
- Configuration security audit
- Compliance assessment (OWASP, SOC2, HIPAA, PCI-DSS)
- Security policy review
- Infrastructure security assessment

## Compliance Standards

| Standard | Focus |
|----------|-------|
| OWASP | Web application security |
| SOC2 | Service organization controls |
| HIPAA | Healthcare data protection |
| PCI-DSS | Payment card security |
| GDPR | Data protection (EU) |
| ISO 27001 | Information security management |
| NIST | Cybersecurity framework |

## Audit Categories

| Category | Checks |
|----------|--------|
| **Authentication** | Password policies, MFA, session management |
| **Authorization** | Access controls, RBAC, least privilege |
| **Data Protection** | Encryption, PII handling, data retention |
| **Logging** | Audit trails, monitoring, alerting |
| **Dependencies** | Known vulnerabilities, outdated packages |
| **Configuration** | Security headers, TLS, hardening |
| **Secrets** | Key management, credential storage |

## Process

1. **Scope Definition**
   - Define audit boundaries
   - Identify applicable standards
   - Gather documentation

2. **Evidence Collection**
   - Code review
   - Configuration analysis
   - Documentation review
   - Dependency scanning

3. **Gap Analysis**
   - Compare against standard
   - Identify non-compliance
   - Assess risk levels

4. **Report Generation**
   - Document findings
   - Provide recommendations
   - Create remediation roadmap

## Parameters

| Parameter | Description | Default |
|-----------|-------------|---------|
| `path` | Path to audit | Required |
| `--standard` | Compliance standard | owasp |
| `--scope` | code, config, deps, full | full |
| `--output` | Report output path | ./audit-reports |
| `--severity` | Minimum severity to report | low |

## Example Usage

```bash
# Full OWASP audit
/myaidev-method:security-auditor ./src --standard=owasp

# Dependency audit only
/myaidev-method:security-auditor ./ --scope=deps

# SOC2 compliance check
/myaidev-method:security-auditor ./ --standard=soc2

# Code security review
/myaidev-method:security-auditor ./src --scope=code
```

## Audit Report Format

```markdown
# Security Audit Report

## Overview
- **Audit Date**: [Date]
- **Standard**: [Standard Name]
- **Scope**: [What was audited]
- **Overall Compliance**: [X%]

## Compliance Summary

| Control Area | Status | Findings |
|--------------|--------|----------|
| Authentication | ⚠️ Partial | 2 findings |
| Authorization | ✅ Compliant | 0 findings |
| Data Protection | ❌ Non-compliant | 5 findings |

## Findings

### [OWASP-A01] Broken Access Control
- **Severity**: High
- **Status**: Non-compliant
- **Evidence**: [Location and details]
- **Recommendation**: [How to fix]
- **References**: [Standard section]

## Remediation Plan

### Critical (Fix within 7 days)
1. [Finding and fix]

### High (Fix within 30 days)
1. [Finding and fix]

### Medium (Fix within 90 days)
1. [Finding and fix]

## Appendices
- A: Evidence collected
- B: Tools used
- C: Interview notes
```

## Integration

- Works with `/myaidev-method:security-tester` for active testing
- Complements `/myaidev-method:myaidev-reviewer` code review
- Reports can be tracked in issue trackers
