Security Audit Example
Comprehensive security analysis workflow that examines code, dependencies, and configurations for vulnerabilities and compliance issues.
Workflow Definition
name: security-auditdescription: | Comprehensive security audit workflow that analyzes code, dependencies, and configurations for vulnerabilities, compliance issues, and security best practices. Generates prioritized findings with remediation guidance.version: "1.0"
inputs: - name: code_path type: string required: false description: Path to code directory (for full audit)
- name: code_diff type: string required: false description: Git diff or code changes (for PR review)
- name: check_dependencies type: boolean default: true description: Include dependency vulnerability analysis
- name: compliance_framework type: string default: "OWASP" description: Compliance framework (OWASP, SOC2, PCI-DSS, HIPAA)
- name: language type: string required: false description: Primary programming language (auto-detected if not specified)
steps: # Step 1: Code vulnerability analysis - id: analyze_code_vulnerabilities name: Code Vulnerability Analysis type: llm model: balanced system: | You are a senior security engineer performing a code security audit.
Analyze code for these vulnerability categories:
**CRITICAL Vulnerabilities:** - SQL Injection (CWE-89) - Command Injection (CWE-78) - Path Traversal (CWE-22) - Arbitrary Code Execution (CWE-94) - Hardcoded Credentials (CWE-798) - Authentication Bypass (CWE-287)
**HIGH Severity:** - Cross-Site Scripting (XSS) (CWE-79) - Cross-Site Request Forgery (CSRF) (CWE-352) - Insecure Deserialization (CWE-502) - XML External Entity (XXE) (CWE-611) - Broken Access Control (CWE-284) - Sensitive Data Exposure (CWE-200)
**MEDIUM Severity:** - Insufficient Input Validation (CWE-20) - Insecure Random Values (CWE-330) - Missing Security Headers - Weak Cryptography (CWE-327) - Race Conditions (CWE-362)
**LOW Severity:** - Information Disclosure - Missing Error Handling - Logging of Sensitive Data - Deprecated Functions
For each finding, provide: 1. Severity (CRITICAL, HIGH, MEDIUM, LOW) 2. CWE reference 3. File and line number (if available) 4. Description of the vulnerability 5. Potential impact 6. Remediation steps 7. Example secure code
Format as structured JSON. prompt: | Perform security analysis on this code:
{{if .inputs.code_path}} **Code Path:** {{.inputs.code_path}} (Analyze files in this directory) {{end}}
{{if .inputs.code_diff}} **Code Changes:** ```diff {{.inputs.code_diff}} ``` {{end}}
{{if .inputs.language}} **Language:** {{.inputs.language}} {{end}}
Identify all security vulnerabilities with severity levels, CWE references, and specific remediation guidance.
Return findings as JSON: { "vulnerabilities": [ { "severity": "CRITICAL|HIGH|MEDIUM|LOW", "cwe": "CWE-###", "category": "SQL Injection|XSS|etc", "file": "path/to/file.js", "line": 42, "description": "...", "impact": "...", "remediation": "...", "example": "..." } ], "summary": { "critical": 0, "high": 0, "medium": 0, "low": 0 } } timeout: 45
# Step 2: Dependency vulnerability check (conditional) - id: check_dependency_security name: Dependency Security Analysis type: llm if: "{{.inputs.check_dependencies}}" model: fast system: | You are a security analyst reviewing project dependencies.
Check for: - Known CVEs in dependencies - Outdated packages with security patches - Vulnerable transitive dependencies - License compliance issues - Deprecated or unmaintained packages
Assess risk based on: - CVSS score (if CVE exists) - Exploitability - Attack surface - Availability of patches prompt: | Analyze dependencies for security vulnerabilities:
{{if .inputs.code_path}} Check dependency files in: {{.inputs.code_path}} (Look for package.json, requirements.txt, go.mod, Gemfile, etc.) {{end}}
Identify: 1. Vulnerable dependencies with CVE numbers 2. Outdated packages needing updates 3. Supply chain security risks 4. License compliance issues
Return findings as JSON: { "vulnerable_dependencies": [ { "package": "...", "version": "...", "vulnerability": "CVE-XXXX-XXXX", "cvss_score": 7.5, "severity": "HIGH", "description": "...", "fixed_in": "...", "remediation": "..." } ], "outdated_packages": [...], "supply_chain_risks": [...] } timeout: 30
# Step 3: Configuration security review (parallel) - id: review_configuration_security name: Configuration Security Review type: llm model: fast system: | You are a DevSecOps engineer reviewing security configurations.
Check for: - Exposed secrets in config files - Insecure default configurations - Missing security headers - Weak TLS/SSL settings - CORS misconfigurations - Insecure file permissions - Debug mode enabled in production - Verbose error messages
Evaluate environment-specific settings and infrastructure as code. prompt: | Review configuration security:
{{if .inputs.code_path}} Check configuration files in: {{.inputs.code_path}} (Config files: .env*, config.*, docker-compose.yml, etc.) {{end}}
{{if .inputs.code_diff}} Configuration changes: {{.inputs.code_diff}} {{end}}
Identify configuration security issues.
Return findings as JSON: { "config_issues": [ { "severity": "CRITICAL|HIGH|MEDIUM|LOW", "category": "...", "file": "...", "issue": "...", "risk": "...", "remediation": "..." } ] } timeout: 20
# Step 4: Compliance assessment - id: assess_compliance name: Compliance Assessment type: llm model: balanced system: | You are a compliance auditor assessing code against security frameworks.
**OWASP Top 10:** - A01: Broken Access Control - A02: Cryptographic Failures - A03: Injection - A04: Insecure Design - A05: Security Misconfiguration - A06: Vulnerable Components - A07: Authentication Failures - A08: Data Integrity Failures - A09: Logging Failures - A10: Server-Side Request Forgery
**SOC2 Trust Principles:** - Security - Availability - Processing Integrity - Confidentiality - Privacy
**PCI-DSS Requirements:** - Secure network - Protect cardholder data - Vulnerability management - Access controls - Monitoring and testing
Map findings to framework requirements and assess compliance gaps. prompt: | Assess compliance with {{.inputs.compliance_framework}} framework:
**Code Vulnerabilities:** {{.steps.analyze_code_vulnerabilities.response}}
{{if .inputs.check_dependencies}} **Dependency Issues:** {{.steps.check_dependency_security.response}} {{end}}
**Configuration Issues:** {{.steps.review_configuration_security.response}}
Map findings to {{.inputs.compliance_framework}} requirements. Identify compliance gaps and provide recommendations.
Return assessment as JSON: { "framework": "{{.inputs.compliance_framework}}", "compliance_gaps": [ { "requirement": "...", "status": "Non-Compliant|Partial|Compliant", "findings": [...], "recommendations": "..." } ], "compliance_score": 0-100, "summary": "..." } timeout: 40
# Step 5: Generate comprehensive report - id: generate_security_report name: Generate Security Report type: llm model: balanced system: | You are a security architect creating an executive security audit report.
Create a comprehensive report with:
**Executive Summary** - Overall security posture - Critical findings requiring immediate action - Risk assessment
**Findings by Severity** - CRITICAL (fix immediately) - HIGH (fix within 1 week) - MEDIUM (fix within 1 month) - LOW (address in backlog)
**Compliance Status** - Framework assessment results - Gaps and recommendations
**Remediation Roadmap** - Prioritized action items - Estimated effort - Dependencies
Format as clear, actionable markdown. prompt: | Generate a comprehensive security audit report:
**Code Vulnerabilities:** {{.steps.analyze_code_vulnerabilities.response}}
{{if .inputs.check_dependencies}} **Dependency Security:** {{.steps.check_dependency_security.response}} {{end}}
**Configuration Security:** {{.steps.review_configuration_security.response}}
**Compliance Assessment:** {{.steps.assess_compliance.response}}
Create an executive-ready security audit report with prioritized findings, compliance status, and a remediation roadmap. timeout: 45
outputs: - name: security_report type: string value: "{{.steps.generate_security_report.response}}" description: Comprehensive security audit report
- name: vulnerabilities type: object value: "{{.steps.analyze_code_vulnerabilities.response}}" description: Detailed vulnerability findings
- name: has_critical_issues type: boolean value: "{{.steps.analyze_code_vulnerabilities.response.summary.critical > 0}}" description: Whether critical security issues were found
- name: compliance_score type: number value: "{{.steps.assess_compliance.response.compliance_score}}" description: Compliance score (0-100)
- name: total_findings type: number value: "{{.steps.analyze_code_vulnerabilities.response.summary.critical + .steps.analyze_code_vulnerabilities.response.summary.high + .steps.analyze_code_vulnerabilities.response.summary.medium + .steps.analyze_code_vulnerabilities.response.summary.low}}" description: Total number of security findingsQuick Start
# Full codebase auditconductor run examples/security-audit \ --input code_path="./src" \ --input check_dependencies=true \ --input compliance_framework="OWASP" \ --output-json > security-audit.json
# PR security reviewgit diff main..feature > changes.diffconductor run examples/security-audit \ --input code_diff="$(cat changes.diff)" \ --input check_dependencies=false
# Block deployment on critical issuesAUDIT=$(conductor run examples/security-audit --input code_path="./src" --output-json)if [ $(echo "$AUDIT" | jq -r '.has_critical_issues') = "true" ]; then echo "Critical security issues found. Deployment blocked." exit 1fiPrerequisites
- Conductor CLI installed
- Anthropic API key configured:
export ANTHROPIC_API_KEY="your-key" - Code to audit (directory path or git diff)
Features
- Multi-aspect security analysis (code, dependencies, configuration)
- CWE/CVE vulnerability identification with severity ratings
- Compliance framework mapping (OWASP, SOC2, PCI-DSS, HIPAA)
- Prioritized remediation roadmap
- Executive-ready security reports
Use Cases
- Pre-deployment security checks
- Pull request security reviews
- Compliance audits and reporting
- Vulnerability assessments
- Security posture tracking
Expected Output
The workflow generates:
- Comprehensive security audit report (markdown)
- Detailed vulnerability findings (JSON)
- Compliance assessment and score
- Remediation roadmap with effort estimates
Sample Report Structure
# Security Audit Report
## Executive Summary- Overall security posture: MODERATE RISK- Critical findings: 2 (SQL injection, hardcoded credentials)- Compliance score: 73/100 (OWASP Top 10)
## CRITICAL Findings1. SQL Injection in login.js:42 - Fix: Use parameterized queries - Effort: 2 hours - Priority: P0
## Remediation RoadmapPhase 1 (This Week): Fix critical issues (9 hours, 70% risk reduction)Phase 2 (Next 2 Weeks): Address high priority (20 hours, 20% risk reduction)Compliance Frameworks
- OWASP Top 10 - Web application security
- SOC2 - Trust service principles
- PCI-DSS - Payment card security
- HIPAA - Healthcare data protection
Integration
CI/CD Pipeline
- name: Security Audit run: | conductor run examples/security-audit \ --input code_path="./src" \ --output-json > audit.json
if [ $(jq -r '.has_critical_issues' audit.json) = "true" ]; then exit 1 fiPre-commit Hook
#!/bin/bashgit diff --cached > /tmp/changes.diffconductor run examples/security-audit \ --input code_diff="$(cat /tmp/changes.diff)" \ --input check_dependencies=falseDocumentation
For detailed usage, customization options, and best practices, see: Security Audit Documentation