sec-audit-remediate

Generate targeted security fixes from detect-dev SARIF findings with regression tests.

Context Files

$JAAN_LEARN_DIR/jaan-to-sec-audit-remediate.learn.md - Past lessons (loaded in Pre-Execution)
$JAAN_TEMPLATES_DIR/jaan-to-sec-audit-remediate.template.md - Output template
$JAAN_CONTEXT_DIR/tech.md - Tech stack (optional, auto-imported if exists)
- Uses sections: #current-stack, #frameworks, #constraints, #patterns
${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md - Language resolution protocol
${CLAUDE_PLUGIN_ROOT}/docs/research/73-dev-sarif-security-remediation-automation.md - SARIF 2.1.0 parsing, CWE-to-fix mapping, remediation patterns
${CLAUDE_PLUGIN_ROOT}/docs/research/72-dev-secure-backend-scaffold-hardening.md - jose JWT, httpOnly cookies, CSRF, rate limiting, OWASP Top 10

Output path: $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/

DAG position: detect-dev + backend-scaffold + frontend-scaffold --> sec-audit-remediate --> devops-infra-scaffold (security in CI)

Input

Arguments: $ARGUMENTS

Parse arguments to identify:

detect-dev output path -- Path to detect-dev SARIF/findings output (e.g., $JAAN_OUTPUTS_DIR/detect/dev/security.md or a .sarif file)
scaffold type -- backend-scaffold or frontend-scaffold (determines which code to cross-reference for fixes)

If no arguments provided, search for detect-dev outputs:

Glob: $JAAN_OUTPUTS_DIR/detect/dev/security*.md
Glob: $JAAN_OUTPUTS_DIR/detect/dev/summary*.md
If not found, ask user for the path.

Pre-Execution Protocol

MANDATORY — Read and execute ALL steps in: ${CLAUDE_PLUGIN_ROOT}/docs/extending/pre-execution-protocol.md Skill name: sec-audit-remediate Execute: Step 0 (Init Guard) → A (Load Lessons) → B (Resolve Template) → C (Offer Template Seeding)

Language Settings

Read and apply language protocol: ${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md Override field for this skill: language_sec-audit-remediate

Language exception: Generated code output (fix files, test files, code blocks, schemas) is NOT affected by this setting and remains in the project's programming language.

PHASE 1: Analysis (Read-Only)

Thinking Mode

ultrathink

Use extended reasoning for:

Parsing SARIF findings and mapping to CWE categories
Determining root cause analysis for each finding
Planning fix strategies by vulnerability type
Assessing fix complexity and regression risk

Step 1: Parse Detect-Dev Output

Read the detect-dev output file(s) provided in $ARGUMENTS.

1.1: Extract Findings

For each finding, extract:

Rule ID / Finding ID (e.g., E-DEV-001)
Severity: Critical / High / Medium / Low / Info
Confidence: Confirmed / Firm / Tentative / Uncertain
CWE ID(s): e.g., CWE-79, CWE-89, CWE-352
File path and line range: Where the vulnerability exists
Description: What the vulnerability is
Evidence block: SARIF evidence or detect-dev evidence
OWASP Top 10 mapping: Which OWASP category it falls under

1.2: Sort by Severity

Sort all findings by severity (Critical first, then High, Medium, Low):

FINDINGS PARSED
---------------
Critical: {n}  |  High: {n}  |  Medium: {n}  |  Low: {n}

ID          Severity    CWE         File                    Description
E-DEV-001   Critical    CWE-89      src/api/users.ts:42     SQL injection in query
E-DEV-003   High        CWE-79      src/views/profile.tsx:18 XSS in user content
...

1.3: Map Findings to CWE Fix Categories

Group findings by CWE category and assign fix strategy:

Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "CWE-to-Fix Category Mapping" for CWE categories, fix strategies, complexity, and auto-fix eligibility.

Step 2: Cross-Reference with Scaffold Code

If scaffold output is provided (backend-scaffold or frontend-scaffold):

Read scaffold code files that correspond to finding locations
Identify vulnerable code patterns in the scaffold output
Map each finding to the specific scaffold file and code block that needs fixing
Note any findings that are NOT in scaffold code (pre-existing vulnerabilities vs scaffold-introduced)

If no scaffold reference, work directly with finding file paths.

Step 3: Generate Remediation Plan

For each finding, determine:

Field	Description
Finding ID	From detect-dev output
Fix Type	Code replacement / New middleware / Config change / Dependency update
Fix File	Path to the fix file to generate
Test File	Path to the regression test to generate
Dependencies	New packages needed (e.g., dompurify, csurf)
Breaking Changes	Whether the fix changes API behavior
Complexity	Low / Medium / High

Triage Matrix

Apply the severity/confidence triage matrix:

Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "Triage Matrix" for severity/confidence decision grid.

Step 4: Ask User Which Findings to Remediate

Present the remediation plan and ask:

REMEDIATION PLAN
----------------
Total findings: {n}
  Auto-fix eligible: {n} (Critical/High + Confirmed/Firm confidence)
  Manual review needed: {n} (Medium confidence or complex fixes)
  Skipped: {n} (Low confidence or informational)

FINDINGS TO REMEDIATE:

[x] E-DEV-001  Critical  CWE-89   SQL injection       -> parameterized query    [auto-fix]
[x] E-DEV-003  High      CWE-79   XSS vulnerability   -> DOMPurify sanitize     [auto-fix]
[x] E-DEV-007  High      CWE-352  Missing CSRF         -> csrf middleware        [auto-fix]
[x] E-DEV-012  High      CWE-327  Weak hash (MD5)     -> SHA-256 replacement    [auto-fix]
[ ] E-DEV-015  Medium    CWE-862  Missing auth check   -> RBAC guard            [needs design]
[ ] E-DEV-018  Low       CWE-798  Hardcoded API key   -> env variable           [manual]

New dependencies needed: dompurify, @types/dompurify, csurf
Estimated fix files: {n}
Estimated test files: {n}

"Which findings should I remediate? [all-auto / select / all]"

all-auto: Fix only auto-fix eligible findings (default)
select: Let user pick specific findings
all: Attempt all findings including manual-review ones

HARD STOP - Human Review Gate

Present complete remediation summary:

REMEDIATION SUMMARY
-------------------
Findings to fix: {n}
Fix files to generate: {n}
Test files to generate: {n}
New dependencies: {list}
Breaking changes: {yes/no, details}

OUTPUT STRUCTURE:
  $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
    {id}-{slug}.md                        <- Remediation report
    {id}-{slug}-readme.md                 <- Integration instructions
    fixes/
      auth-middleware.ts                   <- Fix: missing auth
      rate-limiter.ts                     <- Fix: rate limiting
      csrf-protection.ts                  <- Fix: CSRF
      sanitize-input.ts                   <- Fix: XSS/injection
      ...
    tests/
      auth-security.test.ts              <- Test: auth fixes
      rate-limit.test.ts                 <- Test: rate limiting
      csrf.test.ts                       <- Test: CSRF
      xss-prevention.test.ts             <- Test: XSS
      ...

"Proceed with generating {n} fix files and {n} test files? [y/n]"

Do NOT proceed to Phase 2 without explicit approval.

PHASE 2: Generation (Write Phase)

Step 5: Generate ID and Folder Structure

Source ID generator utility:

source "${CLAUDE_PLUGIN_ROOT}/scripts/lib/id-generator.sh"

Generate next ID and output paths:

SUBDOMAIN_DIR="$JAAN_OUTPUTS_DIR/sec/remediate"
mkdir -p "$SUBDOMAIN_DIR"

NEXT_ID=$(generate_next_id "$SUBDOMAIN_DIR")
OUTPUT_FOLDER="${SUBDOMAIN_DIR}/${NEXT_ID}-${slug}"
MAIN_FILE="${OUTPUT_FOLDER}/${NEXT_ID}-${slug}.md"

Create subdirectories:

mkdir -p "$OUTPUT_FOLDER/fixes"
mkdir -p "$OUTPUT_FOLDER/tests"

Preview for user:

Output Configuration

ID: {NEXT_ID}

Folder: $JAAN_OUTPUTS_DIR/sec/remediate/{NEXT_ID}-{slug}/

Main file: {NEXT_ID}-{slug}.md

Fixes dir: fixes/

Tests dir: tests/

Step 6: Generate Fix Files

For each finding selected for remediation, generate a targeted fix file in fixes/.

Fix Generation by CWE Category

Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "Per-CWE Fix Generation Patterns" for CWE-specific fix generation instructions (CWE-79 through CWE-862).

Fix File Naming Convention

Name fix files descriptively based on the vulnerability type:

{vulnerability-type}.ts (e.g., sql-injection-fix.ts, csrf-protection.ts, xss-sanitizer.ts)
If multiple findings share the same CWE, generate one consolidated fix file

Fix File Structure

Each fix file includes:

File header comment with finding ID(s) and CWE reference
Imports (including any new dependencies)
The fix code (replacement function, middleware, utility)
Usage example as JSDoc comment
Integration notes as comments

Step 7: Generate Regression Tests

For each Critical and High finding that was fixed, generate a regression test in tests/.

Test Generation Strategy

For each fix, generate tests covering:

Attack-replay tests -- Reproduce the original attack vector and verify it is blocked
Negative tests -- Verify malicious input is rejected or sanitized
Positive tests -- Verify legitimate input still works after the fix
Boundary tests -- Edge cases around input limits and encoding

Reference: ${CLAUDE_PLUGIN_ROOT}/docs/research/73-dev-sarif-security-remediation-automation.md section "Regression Test Generation for Security Fixes".

Test File Naming Convention

{vulnerability-type}.test.ts (e.g., sql-injection.test.ts, xss-prevention.test.ts)
Match test file name to corresponding fix file name

Test File Structure

Each test file includes:

Import from the fix file
Describe block referencing finding ID and CWE
Attack payload arrays (XSS payloads, SQL injection strings, SSRF URLs, etc.)
"should block malicious input" tests with payload iteration
"should allow legitimate input" tests with safe data
Comment linking back to finding ID for traceability

CWE-Specific Test Patterns

Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/sec-audit-remediate-reference.md section "CWE-Specific Test Patterns" for per-CWE test payloads and verification patterns.

Step 8: Generate Remediation Report

Write the main report file: {id}-{slug}.md

Use template from: $JAAN_TEMPLATES_DIR/jaan-to-sec-audit-remediate.template.md

Fill template variables:

{{title}} - "Security Remediation Report" + project name
{{date}} - Current date (YYYY-MM-DD)
{{executive_summary}} - BLUF of findings fixed, risk reduction estimate
{{findings_table}} - All findings with status (fixed/pending/skipped)
{{fixes_generated}} - List of fix files with descriptions
{{tests_generated}} - List of test files with descriptions
{{new_dependencies}} - Dependencies to install
{{risk_reduction}} - Estimated risk reduction percentage
{{remaining_findings}} - Findings not addressed and why

Step 9: Generate Integration Instructions

Write the readme file: {id}-{slug}-readme.md

Include:

Prerequisites -- Dependencies to install
Fix Application Order -- Which fixes to apply first (auth before route-level)
Per-Fix Instructions -- For each fix file:
- What it does
- Where to integrate it (which file/module)
- Code snippet showing integration point
- Before/after comparison
Test Execution -- How to run the regression tests
CI Integration -- How to add security tests to CI pipeline
Verification Checklist -- Steps to verify each fix is working
Rollback Plan -- How to revert each fix if issues arise

Step 10: Quality Check

Before writing, verify:

Coverage:

Every Critical finding has a fix file AND a test file
Every High finding has a fix file AND a test file
Medium findings have fix files (tests optional)
No finding is left without a status (fixed/pending/skipped with reason)

Fix Quality:

Fix files compile (valid TypeScript/JavaScript syntax)
No hardcoded credentials or secrets in fix files
Fixes use the project's tech stack (from tech.md if available)
Fixes follow the project's coding patterns (from scaffold if available)
Fix files include proper imports

Test Quality:

Tests include both positive (safe input) and negative (attack payload) cases
Test file names match fix file names
Tests reference finding IDs for traceability
Attack payloads cover OWASP test vectors

Report Quality:

Executive Summary present
All findings listed with status
Risk reduction estimate provided
Integration instructions are actionable

Output Structure:

ID generated using scripts/lib/id-generator.sh
Folder created: sec/remediate/{id}-{slug}/
Main file named: {id}-{slug}.md
Subdirectories: fixes/, tests/
Index updated

If any check fails, revise before preview.

Step 11: Preview and Write

Show file listing with sizes:

OUTPUT FILES
------------
$JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/
  {id}-{slug}.md                    (remediation report)
  {id}-{slug}-readme.md             (integration instructions)
  fixes/
    {fix-file-1}.ts                 (CWE-89: SQL injection fix)
    {fix-file-2}.ts                 (CWE-79: XSS sanitization)
    ...
  tests/
    {test-file-1}.test.ts           (SQL injection regression)
    {test-file-2}.test.ts           (XSS prevention regression)
    ...

Total: {n} files

"Write all {n} files to $JAAN_OUTPUTS_DIR/sec/remediate/{id}-{slug}/? [y/n]"

If approved:

Create output folder and subdirectories
Write all fix files to fixes/
Write all test files to tests/
Write remediation report
Write integration instructions
Update subdomain index:

source "${CLAUDE_PLUGIN_ROOT}/scripts/lib/index-updater.sh"
add_to_index \
  "$SUBDOMAIN_DIR/README.md" \
  "$NEXT_ID" \
  "${NEXT_ID}-${slug}" \
  "{Title}" \
  "{Executive summary text}"

Confirm:

Output written to: $JAAN_OUTPUTS_DIR/sec/remediate/{NEXT_ID}-{slug}/ Index updated: $JAAN_OUTPUTS_DIR/sec/remediate/README.md Fix files: {n} | Test files: {n} | Report: 1 | Readme: 1

Step 12: Capture Feedback

"Any feedback on the security remediation? [y/n]"

If yes:

"[1] Fix now [2] Learn for future [3] Both"

Option 1: Update output, re-preview, re-write
Option 2: Run /jaan-to:learn-add sec-audit-remediate "{feedback}"
Option 3: Do both

Skill Alignment

Two-phase workflow with HARD STOP for human approval
Single source of truth (no duplication)
Plugin-internal automation
Maintains human control over changes