d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
2.6 KiB
2.6 KiB
description, agent, subtask
| description | agent | subtask |
|---|---|---|
| Run AgentShield against agent, hook, MCP, permission, and secret surfaces. | ecc:security-reviewer | true |
Security Scan Command
Run AgentShield against the current project or a target path, then turn the findings into a prioritized remediation plan.
Usage
/security-scan [path] [--format text|json|markdown|html] [--min-severity low|medium|high|critical] [--fix]
path(optional): defaults to the current project. Use a.claude/path, a repo root, or a checked-in template directory.--format: output format. Usejsonfor CI,markdownfor handoffs, andhtmlfor standalone review reports.--min-severity: filters lower-priority findings.--fix: applies only AgentShield fixes explicitly marked as safe and auto-fixable.
Deterministic Engine
Prefer the packaged scanner:
npx ecc-agentshield scan --path "${TARGET_PATH:-.}" --format text
For local AgentShield development, run from the AgentShield checkout:
npm run scan -- --path "${TARGET_PATH:-.}" --format text
Do not invent findings. Use AgentShield output as the source of truth and separate scanner facts from follow-up judgment.
Review Checklist
- Identify active runtime findings first:
- hardcoded secrets
- broad permissions
- executable hooks
- MCP servers with shell, filesystem, remote transport, or unpinned
npx - agent prompts that handle untrusted content without defenses
- Separate lower-confidence inventory:
- docs examples
- template examples
- plugin manifests
- project-local optional settings
- For each critical or high finding, return:
- file path
- severity
- runtime confidence
- why it matters
- exact remediation
- whether it is safe to auto-fix
- If
--fixis requested, state the planned edits before applying fixes. - Re-run the scan after fixes and report the before/after score.
Output Contract
Return:
- Security grade and score.
- Counts by severity and runtime confidence.
- Critical/high findings with exact paths.
- Lower-confidence findings grouped separately.
- A remediation order.
- Commands run and whether the scan was local, CI, or npx-backed.
CI Pattern
Use AgentShield in GitHub Actions for enforced gates:
- uses: affaan-m/agentshield@v1
with:
path: "."
min-severity: "medium"
fail-on-findings: true
Links
- Skill:
skills/security-scan/SKILL.md - Agent:
agents/security-reviewer.md - Scanner: https://github.com/affaan-m/agentshield
Arguments
$ARGUMENTS:
- optional target path
- optional AgentShield flags