# What's New in v1.0.3

## /autoresearch:security — Autonomous Security Audit

Turn Claude into an autonomous security auditor combining STRIDE threat modeling, OWASP Top 10 sweeps (70+ checks), and red-team adversarial analysis (4 hostile personas) into a single iterative loop.
### Commands Added

| Command | Description |
|---|---|
| `/autoresearch:security` | Autonomous STRIDE + OWASP + red-team security audit |
| `/loop N /autoresearch:security` | Bounded security audit (N iterations) |
| `/autoresearch:security --diff` | Delta mode — only audit files changed since last audit |
| `/autoresearch:security --fix` | Auto-fix confirmed Critical/High findings after audit |
| `/autoresearch:security --fail-on critical` | Exit non-zero for CI/CD pipeline blocking |

Flags can be combined: `/loop 15 /autoresearch:security --diff --fix --fail-on critical`

### Core Security Audit

**Setup Phase (once):**

| Step | What Happens |
|---|---|
| 1. Codebase Recon | Scans tech stack, dependencies, configs, API routes |
| 2. Asset Inventory | Catalogs data stores, auth systems, APIs, external services, user inputs |
| 3. Trust Boundaries | Maps browser↔server, public↔auth, user↔admin, CI/CD↔prod |
| 4. STRIDE Threat Model | Full 6-category threat analysis per asset+boundary combination |
| 5. Attack Surface Map | Entry points, data flows, abuse paths |
| 6. Baseline | Runs existing security tools (npm audit, etc.) |

**Autonomous Loop:** each iteration selects an untested attack vector, deep-dives into the target code, validates the finding with proof (file:line + attack scenario), classifies it by severity + OWASP category + STRIDE threat, and logs the result.

### STRIDE Threat Model

| Threat | Question | Example Findings |
|---|---|---|
| Spoofing | Can attacker impersonate user/service? | Weak auth, missing CSRF, forged JWTs |
| Tampering | Can data be modified? | Missing validation, SQL injection |
| Repudiation | Can actions be denied? | Missing audit logs |
| Info Disclosure | Can data leak? | PII in logs, verbose errors |
| Denial of Service | Can service be disrupted? | Missing rate limits, regex DoS |
| Elevation of Privilege | Can user gain access? | IDOR, broken access control |

### OWASP Top 10 Coverage

70+ specific checks across all 10 categories (A01-A10). Coverage is tracked per iteration and summarized as a coverage matrix in the final report.
### Red-Team Adversarial Personas

4 hostile perspectives adapted from `/plan red-team`:

| Persona | Mindset | Focus |
|---|---|---|
| Security Adversary | "I'm a hacker breaching this system" | Auth bypass, injection, data exposure, privilege escalation |
| Supply Chain Attacker | "I'm compromising deps or CI/CD" | Known CVEs, typosquatting, unsigned artifacts, build pipeline |
| Insider Threat | "I'm a malicious employee" | Privilege escalation, data exfiltration, bulk export, audit trail gaps |
| Infrastructure Attacker | "I'm attacking deployment, not code" | Container escape, env vars, exposed services, Docker misconfig |

Each persona drives which attack vectors get tested during loop iterations.

### Proof-of-Concept Validation (Strix-Inspired)

Every finding requires code evidence — no theoretical fluff:

- Exact code location (file:line)
- Step-by-step attack scenario
- Concrete exploit input
- Impact assessment
- Confidence level (Confirmed / Likely / Possible)
- Mitigation with code fix snippet

### Structured Report Folder

Each run creates a timestamped folder with 7 structured reports plus a machine-readable TSV:

```
security/260315-0945-stride-owasp-full-audit/
├── overview.md ← Executive summary + links
├── threat-model.md ← STRIDE analysis, assets, trust boundaries
├── attack-surface-map.md ← Entry points, data flows, abuse paths
├── findings.md ← Severity-ranked findings with code evidence
├── owasp-coverage.md ← Coverage matrix per OWASP category
├── dependency-audit.md ← npm/pip/go audit with CVEs
├── recommendations.md ← Prioritized mitigations with code fixes
└── security-audit-results.tsv
```

### Delta Mode (`--diff`)

Only audits files changed since the last audit. Tags findings as 🆕 New / 🔄 Recurring / ✅ Fixed. Falls back to a full audit if no previous run exists.

### Auto-Fix Mode (`--fix`)

After the audit, runs an autoresearch loop to fix confirmed Critical/High findings: commits each fix, verifies the vulnerability is gone, and reverts the commit if tests break. Max 3 attempts per finding. Writes `fix-log.md`.

### CI/CD Gate (`--fail-on`)

Exits non-zero when any finding reaches the severity threshold (`critical`, `high`, or `medium`), so a pipeline can block on it.

### CI/CD GitHub Action Template

Auto-generates `.github/workflows/security-audit.yml` with:

- PRs: delta mode + fail-on critical
- Weekly: full audit + fail-on high
- Uploads report as artifact + comments PR with summary

### Historical Comparison

Auto-compares with previous audit runs: trend table, finding status tags (new/recurring/fixed), and regression alerts.
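The status tagging of delta mode and historical comparison, and the `--fail-on` gate, as an added example that is not part of the autoresearch project; the column layout of `security-audit-results.tsv` (id, severity, location, title) and the sample rows are assumptions, since the page does not specify the file's format.

```python
import csv
import io

# Lower rank = more severe; --fail-on X blocks on anything ranked <= X.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample exports (assumed column layout: id, severity, location, title).
PREVIOUS_RUN = """id\tseverity\tlocation\ttitle
F1\tcritical\tapi/users.py:42\tIDOR on /users/{id}
F2\thigh\tauth/jwt.py:17\tJWT accepted with alg=none
"""
CURRENT_RUN = """id\tseverity\tlocation\ttitle
F2\thigh\tauth/jwt.py:17\tJWT accepted with alg=none
F3\tmedium\tapp/errors.py:9\tStack trace returned in 500 response
"""


def load_findings(tsv_text):
    """Parse a TSV export into {finding_id: row_dict}."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return {row["id"]: row for row in reader}


def build_report(previous, current):
    """Delta/historical comparison: {id: (row, status)} where status is
    new (only in current), recurring (in both) or fixed (only in previous)."""
    report = {}
    for fid, row in current.items():
        report[fid] = (row, "recurring" if fid in previous else "new")
    for fid, row in previous.items():
        if fid not in current:
            report[fid] = (row, "fixed")
    return report


def gate(report, fail_on):
    """CI gate: return (exit_code, blocking_ids). Fixed findings never block;
    any open finding at or above the threshold severity does."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking = sorted(
        fid for fid, (row, status) in report.items()
        if status != "fixed"
        and SEVERITY_RANK[row["severity"].lower()] <= threshold
    )
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    report = build_report(load_findings(PREVIOUS_RUN), load_findings(CURRENT_RUN))
    for fid, (row, status) in sorted(report.items()):
        print(f"{status:9} {row['severity']:8} {row['location']}  {row['title']}")
    code, ids = gate(report, "high")
    print(f"--fail-on high -> exit {code}, blocking: {ids}")
```

With the sample data, `--fail-on critical` passes because the only critical finding is tagged fixed, while `--fail-on high` blocks on the recurring JWT finding.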

### Commands Reference Table

Added a centralized Commands Reference at the top of the README with all commands, flags, combinations, and a Quick Decision Guide.

## Pull Requests

| PR | Title |
|---|---|
| #3 | Core security audit — STRIDE, OWASP, red-team, structured folder |
| #4 | Flags: --diff, --fix, --fail-on + CI/CD template + historical comparison |
| #5 | Commands Reference table at top of README |
| #6 | Surface red-team personas in commands reference and decision guide |

## Files Changed (Total across all PRs)

| File | Lines Added | Description |
|---|---|---|
| `references/security-workflow.md` | +975 | Full audit protocol: STRIDE, OWASP, red-team, flags, CI/CD, historical, folder output |
| `SKILL.md` | +71 | Security sub-command, flags, triggers, v1.0.3 |
| `README.md` | +648 | Security section, flags, CI/CD, historical, commands table, red-team, examples, FAQ |

## Inspirations

- Strix — AI-powered security testing with proof-of-concept validation
- `/plan red-team` — Adversarial review with hostile reviewer personas
- OWASP Top 10 (2021) — Industry-standard vulnerability taxonomy
- STRIDE — Microsoft's threat modeling framework
- Karpathy's autoresearch — Constraint-driven autonomous iteration

## Installation

```bash
git clone https://github.com/uditgoenka/autoresearch.git
cp -r autoresearch/skills/autoresearch ~/.claude/skills/autoresearch
```

**Full Changelog**: v1.0.2...v1.0.3