Files
wehub-resource-sync d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 11:55:55 +08:00

2.6 KiB

description, agent, subtask
description agent subtask
Run AgentShield against agent, hook, MCP, permission, and secret surfaces. ecc:security-reviewer true

Security Scan Command

Run AgentShield against the current project or a target path, then turn the findings into a prioritized remediation plan.

Usage

/security-scan [path] [--format text|json|markdown|html] [--min-severity low|medium|high|critical] [--fix]

  • path (optional): defaults to the current project. Use a .claude/ path, a repo root, or a checked-in template directory.
  • --format: output format. Use json for CI, markdown for handoffs, and html for standalone review reports.
  • --min-severity: filters lower-priority findings.
  • --fix: applies only AgentShield fixes explicitly marked as safe and auto-fixable.

Deterministic Engine

Prefer the packaged scanner:

npx ecc-agentshield scan --path "${TARGET_PATH:-.}" --format text

For local AgentShield development, run from the AgentShield checkout:

npm run scan -- --path "${TARGET_PATH:-.}" --format text

Do not invent findings. Use AgentShield output as the source of truth and separate scanner facts from follow-up judgment.

Review Checklist

  1. Identify active runtime findings first:
    • hardcoded secrets
    • broad permissions
    • executable hooks
    • MCP servers with shell, filesystem, remote transport, or unpinned npx
    • agent prompts that handle untrusted content without defenses
  2. Separate lower-confidence inventory:
    • docs examples
    • template examples
    • plugin manifests
    • project-local optional settings
  3. For each critical or high finding, return:
    • file path
    • severity
    • runtime confidence
    • why it matters
    • exact remediation
    • whether it is safe to auto-fix
  4. If --fix is requested, state the planned edits before applying fixes.
  5. Re-run the scan after fixes and report the before/after score.

Output Contract

Return:

  1. Security grade and score.
  2. Counts by severity and runtime confidence.
  3. Critical/high findings with exact paths.
  4. Lower-confidence findings grouped separately.
  5. A remediation order.
  6. Commands run and whether the scan was local, CI, or npx-backed.

CI Pattern

Use AgentShield in GitHub Actions for enforced gates:

- uses: affaan-m/agentshield@v1
  with:
    path: "."
    min-severity: "medium"
    fail-on-findings: true

Arguments

$ARGUMENTS:

  • optional target path
  • optional AgentShield flags