workflows.fit
Hard | Contributed by Community

Adversarial Codebase Security Audit

Deploys one group of agents to scan for vulnerabilities (XSS, SQL injection, dependency issues) and a second group of adversarial agents that try to exploit each finding, confirming which ones are real.

Security Audit DevOps
254 stars, 1240 pulls


How to Use Today

1. Start Claude Code in the repository root and ask for a workflow to audit a narrow surface first, such as src/routes or src/auth.
2. Use /workflows to inspect the scanner and verifier phases while the run is active.
3. If the result is useful, save the workflow and invoke it in future sessions as /security-audit.

Workflow Script Code

.claude/workflows/security-audit.js
// .claude/workflows/security-audit.js
import { agent } from 'claude';

export async function run(context) {
  console.log("Initializing Security Audit Workflow...");

  // Phase 1: Security Scan
  // The scanner reads the repository and reports candidate issues.
  const scanner = await agent.create({
    role: 'Security Scanner',
    instructions: 'Scan current repository for hardcoded API keys, JWT validation issues, and open CORS policies.'
  });
  const scanResult = await scanner.run();

  // Phase 2: Adversarial Exploitation Test
  // The scanner's findings are interpolated verbatim into the verifier's
  // instructions, so the verifier sees only what phase 1 reported.
  const hacker = await agent.create({
    role: 'Whitehat Penetration Tester',
    instructions: `Given these issues:\n${scanResult.findings}\nTry to write a proof-of-concept exploit for each. Refute false positives.`
  });
  const hackerResult = await hacker.run();

  console.log("Audit complete. Final verified vulnerabilities compiled.");

  // Return both phases' output so the verifier's results are not discarded.
  return { scanResult, hackerResult };
}

Saved Slash Command

Claude Code currently runs workflows from the interactive session. After a run is saved from /workflows, invoke it as a slash command.

/security-audit
There is no current `claude workflow run` CLI command.

Specifications

Concurrency Max: Runtime bounded
Verification Loops: Adversarial Checks
Platform Support: Claude Code surfaces

Review Before Running

Treat community workflows as patterns. Review the raw script, planned phases, and allowed tools before approving a run in your own project.