workflows.fit
Back to exploration
HardContributed by Community

Adversarial Codebase Security Audit

Deploys one group of agents to scan for vulnerabilities (XSS, SQL Injection, Dependency issues) and another group of adversarial agents trying to exploit the findings to confirm exploits.

SecurityAuditDevOps
254 stars1240 pulls

Workflow fit

适用场景

  • 多来源研究、代码审计、安全检查或需要独立验证的结论生成。
  • 需要把探索、执行、复核拆成多个阶段的 Claude Code 工作流。
  • 希望沉淀为团队可复用 slash command,而不是一次性长提示词。

不适用场景

  • 单文件小改动、没有明确验收标准的开放式需求,或 token 成本不值得并行化的任务。
  • 需要生产凭据、客户数据、付款操作或不可回滚外部副作用的自动执行。
  • 无法用测试、引用、人工复核或对抗审查确认结果质量的任务。

Orchestration Logic

Workflow Graph Visualizer
Generating visual workflow graph...

How to Use Today

1.Start Claude Code in the repository root and ask for a workflow to audit a narrow surface first, such as src/routes or src/auth.
2.Use /workflows to inspect the scanner and verifier phases while the run is active.
3.If the result is useful, save the workflow and invoke it in future sessions as /security-audit.

Validation method

Citations

Adversarial review

Claim confidence levels

Workflow Script Code

.claude/workflows/security-audit.js
// .claude/workflows/security-audit.js
import { orchestrator, agent } from 'claude';

export async function run(context) {
  console.log("Initializing Security Audit Workflow...");
  
  // Phase 1: Security Scan
  const scanner = await agent.create({
    role: 'Security Scanner',
    instructions: 'Scan current repository for hardcoded API keys, JWT validation issues, and open CORS policies.'
  });
  const scanResult = await scanner.run();
  
  // Phase 2: Adversarial Exploitation Test
  const hacker = await agent.create({
    role: 'Whitehat Penetration Tester',
    instructions: `Given these issues:\n${scanResult.findings}\nTry to write a proof-of-concept exploit for each. Refute false positives.`
  });
  const hackerResult = await hacker.run();
  
  console.log("Audit complete. Final verified vulnerabilities compiled.");
}

Save as Claude Code command

Claude Code currently runs workflows from the interactive session. After a run is saved from /workflows, invoke it as a slash command.

$/security-audit
There is no current `claude workflow run` CLI command.

Specifications

Cost / RiskHigh cost / high review
Concurrency MaxRuntime bounded
Verification LoopsAdversarial Checks
Platform SupportClaude Code surfaces

Tools / MCP / skills

Claude Code/workflowsJavaScript workflow runtimeSecurityAuditDevOps

Commercial fit

Free workflow pattern today; suitable for a paid pro bundle once examples, tests, and maintainer support are attached.

Risk level follows workflow complexity and external side effects.

Related recommendations

MCP connectorsAgent skillsSecurityAuditDevOps

Review Before Running

Treat community workflows as patterns. Review the raw script, planned phases, and allowed tools before approving a run in your own project.