Can I customize what is included in the full audit?

Yes, you can use flags such as --skip-redteam or --skip-frameworks to bypass specific phases while maintaining the depth of the remaining analysis.

Which security frameworks are included in the audit?

The audit includes OWASP Top 10, STRIDE (threat modeling), LINDDUN (privacy), PASTA (risk-centric threat modeling), SANS/CWE Top 25, and MITRE mapping.

Does this skill require third-party scanners?

Yes, it detects and orchestrates locally installed tools like Semgrep, Gitleaks, npm-audit, and Trivy to gather technical vulnerability data.

What is the difference between /appsec:run and full-audit?

While /appsec:run selects tools based on your detected stack, full-audit runs every available tool and framework regardless of the stack and preserves all raw output for maximum coverage.

How long does a full audit typically take?

Because it executes multiple parallel subagents and a sequential 7-stage PASTA pipeline, a full audit can take several minutes depending on the size and complexity of the codebase.

AppSec Full Audit

Name: AppSec Full Audit
Author: florianbuetow

byflorianbuetow

•

Security & Testing

Conducts exhaustive, multi-framework security audits and generates comprehensive, compliance-ready reports.

The AppSec Full Audit skill provides the most thorough security analysis available for Claude Code, designed for teams that require a 'leave no stone unturned' approach. It bypasses selective scanning to run every available framework—including OWASP Top 10, STRIDE, LINDDUN, and SANS/CWE Top 25—alongside automated scanners and specialized red team agents. By executing a rigorous five-phase workflow that includes a full seven-stage PASTA threat modeling process, it identifies deep-seated vulnerabilities, architectural flaws, and privacy risks. The result is a professional, dated Markdown report that preserves raw agent evidence and provides expert-level remediation guidance.

Key Features

01Red Team Agents: Simulates advanced attack chains to find complex logic vulnerabilities.

02Multi-Framework Analysis: Executes OWASP, STRIDE, LINDDUN, and MITRE assessments simultaneously.

03Verbatim Reporting: Generates a comprehensive Markdown report preserving all raw subagent findings.

047-Stage PASTA Pipeline: Performs a sequential Process for Attack Simulation and Threat Analysis.

056 GitHub stars

06Automated Scanner Orchestration: Parallelizes tools like Semgrep, Gitleaks, and Trivy for rapid detection.

Use Cases

01Automating exhaustive security documentation for audit trails and stakeholder reporting.

02Preparing for a major production release or security compliance milestone.

03Conducting deep-dive threat modeling and architectural reviews on legacy codebases.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code full-audit

For use in Claude.ai and ChatGPT

Download Skill