HardContributed by Community
Adversarial Codebase Security Audit
Deploys one group of agents to scan for vulnerabilities (XSS, SQL Injection, Dependency issues) and another group of adversarial agents trying to exploit the findings to confirm exploits.
SecurityAuditDevOps
254 stars1240 pulls
Workflow fit
适用场景
- 多来源研究、代码审计、安全检查或需要独立验证的结论生成。
- 需要把探索、执行、复核拆成多个阶段的 Claude Code 工作流。
- 希望沉淀为团队可复用 slash command,而不是一次性长提示词。
不适用场景
- 单文件小改动、没有明确验收标准的开放式需求,或 token 成本不值得并行化的任务。
- 需要生产凭据、客户数据、付款操作或不可回滚外部副作用的自动执行。
- 无法用测试、引用、人工复核或对抗审查确认结果质量的任务。
Orchestration Logic
Workflow Graph Visualizer
Generating visual workflow graph...
How to Use Today
1.Start Claude Code in the repository root and ask for a workflow to audit a narrow surface first, such as
src/routes or src/auth.2.Use
/workflows to inspect the scanner and verifier phases while the run is active.3.If the result is useful, save the workflow and invoke it in future sessions as
/security-audit.Validation method
Citations
Adversarial review
Claim confidence levels
Workflow Script Code
.claude/workflows/security-audit.js
// .claude/workflows/security-audit.js
import { orchestrator, agent } from 'claude';
export async function run(context) {
console.log("Initializing Security Audit Workflow...");
// Phase 1: Security Scan
const scanner = await agent.create({
role: 'Security Scanner',
instructions: 'Scan current repository for hardcoded API keys, JWT validation issues, and open CORS policies.'
});
const scanResult = await scanner.run();
// Phase 2: Adversarial Exploitation Test
const hacker = await agent.create({
role: 'Whitehat Penetration Tester',
instructions: `Given these issues:\n${scanResult.findings}\nTry to write a proof-of-concept exploit for each. Refute false positives.`
});
const hackerResult = await hacker.run();
console.log("Audit complete. Final verified vulnerabilities compiled.");
}Save as Claude Code command
Claude Code currently runs workflows from the interactive session. After a run is saved from /workflows, invoke it as a slash command.
$/security-audit
There is no current `claude workflow run` CLI command.
Specifications
Cost / RiskHigh cost / high review
Concurrency MaxRuntime bounded
Verification LoopsAdversarial Checks
Platform SupportClaude Code surfaces
Tools / MCP / skills
Claude Code/workflowsJavaScript workflow runtimeSecurityAuditDevOps
Commercial fit
Free workflow pattern today; suitable for a paid pro bundle once examples, tests, and maintainer support are attached.
Risk level follows workflow complexity and external side effects.
Related recommendations
MCP connectorsAgent skillsSecurityAuditDevOps
Review Before Running
Treat community workflows as patterns. Review the raw script, planned phases, and allowed tools before approving a run in your own project.