Plugin
security-audit
Dedicated security audit producing a severity-ranked findings report with exact citations, attack narratives, and concrete fixes.
Sweeps these dimensions:
- Dependencies / known CVEs (reachability-checked)
- Authentication and authorization (incl. IDOR)
- Input validation and injection (SQL/command/template/path)
- SSRF and outbound trust
- Secrets in code, config, and logs
- Crypto misuse and data protection
- Insecure configuration and defaults
Each dimension is fanned out to its own parallel agent, and every lead is verified against the real code before it becomes a finding. Report-only — any proof-of-concept never goes beyond harmless reads.
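As an added illustration of the lead-then-verify flow described above (example code written for this page, not the plugin's own implementation): a miniature audit scans a constructed in-memory repository for leads in three of the listed dimensions, re-reads the cited line to verify each one, discards leads that do not hold up (a parameterized query, a test fixture), and renders a severity-ranked report with `file:line` citations, an attack narrative and a concrete fix. The repository contents, rule patterns, severities and helper names are all assumptions made for the example.

```python
"""Added example (not the plugin's code): lead -> verify -> ranked report."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class LeadRule:
    dimension: str
    severity: str
    pattern: re.Pattern                 # cheap match that only produces a lead
    verify: Callable[[str, str], bool]  # (path, line) -> does the lead hold up?
    narrative: str
    fix: str


@dataclass
class Finding:
    dimension: str
    severity: str
    path: str
    line: int       # 1-based line of the quoted evidence
    evidence: str   # exact source line, so the reader can check the citation
    narrative: str
    fix: str


# Constructed sample repository (path -> source); assumed, not real project code.
SAMPLE_REPO: Dict[str, str] = {
    "app/db.py": "\n".join([
        "import sqlite3",
        "",
        "def get_user(conn, username):",
        "    cur = conn.cursor()",
        "    cur.execute(\"SELECT * FROM users WHERE name = '\" + username + \"'\")",
        "    return cur.fetchone()",
        "",
        "def get_user_safe(conn, username):",
        "    cur = conn.cursor()",
        "    cur.execute(\"SELECT * FROM users WHERE name = ?\", (username,))",
        "    return cur.fetchone()",
    ]),
    "app/settings.py": "\n".join([
        "DEBUG = True",
        "STRIPE_SECRET_KEY = \"sk_live_0123456789abcdef0123456789\"",
    ]),
    "tests/fixtures.py": "\n".join([
        "# constructed fixture value used only by the test suite",
        "STRIPE_SECRET_KEY = \"sk_test_0123456789abcdef0123456789\"",
    ]),
}


def _not_test_code(path: str, _text: str) -> bool:
    return not path.startswith("tests/")


def _sql_is_concatenated(_path: str, text: str) -> bool:
    # Lead holds only if the query is built with + or an f-string AND no
    # parameter tuple follows the SQL string; parameterized calls are dropped.
    built_by_hand = re.search(r"\+\s*\w+|\bf[\"']", text) is not None
    parameterized = re.search(r"[\"']\s*,", text) is not None
    return built_by_hand and not parameterized


def _real_secret(path: str, text: str) -> bool:
    # Test fixtures and obvious placeholders are not reportable secrets.
    return _not_test_code(path, text) and not re.search(r"example|changeme|xxxx", text, re.I)


LEAD_RULES: List[LeadRule] = [
    LeadRule("input-validation/injection", "high",
             re.compile(r"\.execute\("), _sql_is_concatenated,
             "Attacker supplies a username such as ' OR '1'='1 to rewrite the query.",
             "Pass values as parameters: cur.execute(\"... WHERE name = ?\", (username,))."),
    LeadRule("secrets", "critical",
             re.compile(r"(?i)(secret|api_key|password)\w*\s*=\s*[\"'][^\"']{16,}[\"']"),
             _real_secret,
             "Anyone with repo or build-log access can use the live credential directly.",
             "Move the value to a secret store or environment variable and rotate it."),
    LeadRule("insecure-config", "medium",
             re.compile(r"^\s*DEBUG\s*=\s*True\b"), _not_test_code,
             "Debug mode leaks stack traces and settings to unauthenticated users.",
             "Default DEBUG to False and enable it only in a local override."),
]


def scan_leads(repo: Dict[str, str]) -> List[Tuple[LeadRule, str, int, str]]:
    """Pattern pass: produces leads only, never findings."""
    leads = []
    for path, source in repo.items():
        for lineno, text in enumerate(source.splitlines(), start=1):
            for rule in LEAD_RULES:
                if rule.pattern.search(text):
                    leads.append((rule, path, lineno, text))
    return leads


def audit(repo: Dict[str, str]) -> List[Finding]:
    """Verify every lead against the cited source line. Verification is a pure
    read of the source (no requests, no writes), i.e. report-only."""
    findings = [
        Finding(rule.dimension, rule.severity, path, lineno, text, rule.narrative, rule.fix)
        for rule, path, lineno, text in scan_leads(repo)
        if rule.verify(path, text)
    ]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))
    return findings


def render(findings: List[Finding]) -> str:
    out = []
    for n, f in enumerate(findings, start=1):
        out.append(f"{n}. [{f.severity.upper()}] {f.dimension} at {f.path}:{f.line}")
        out.append(f"   evidence:  {f.evidence.strip()}")
        out.append(f"   attack:    {f.narrative}")
        out.append(f"   fix:       {f.fix}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(audit(SAMPLE_REPO)))
```

Running it yields three findings out of five leads: the parameterized `get_user_safe` query and the `tests/fixtures.py` key are dropped at verification, and the report lists the hardcoded live key (critical) before the concatenated query (high) and `DEBUG = True` (medium), each cited by path and line.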