
feat: add Security Auditor agent #3

Open
unmalnickname wants to merge 3 commits into sandeco:main from unmalnickname:feat/security-auditor-agent

@unmalnickname

Summary

Adds a new Security Auditor agent persona to the Reversa framework. This is an independent agent (like Visor, Data Master, or Design System) that performs static security analysis of legacy codebases.

What it covers

| Section | Description |
|---|---|
| SCA (Software Composition Analysis) | CVE scanning of dependencies from Scout's dependencies.md |
| Secrets scan | Hardcoded API keys, passwords, tokens, private keys in source/config/git history |
| Auth audit | Password storage, JWT/session handling, brute force protection, MFA, RBAC verification |
| Input validation | SQL injection, XSS, command injection, path traversal, insecure deserialization, SSTI |
| Crypto review | Algorithm choice, custom crypto (red flag), HTTPS/TLS, secret storage |
| Session management | Token expiration/rotation, cookie flags, CSRF, session fixation |
| API security | Auth coverage, rate limiting, CORS, mass assignment |
| OWASP Top 10 | Map all findings to OWASP 2021 categories |

Files changed

| File | Change |
|---|---|
| agents/reversa-security-auditor/SKILL.md | New — full persona (156 lines, 8KB) |
| lib/installer/prompts.js | +1 line — added to OPTIONAL_AGENTS (checked by default) |
| lib/commands/add-agent.js | +1 line — added to AGENT_LABELS |
| templates/plan.md | +1 line — added as Independent Agent |

Design decisions

  • Phase: independent — runs after Scout (for dependencies) and Detective (for permissions matrix), but can execute at any time
  • Confidence scale uses the same 🟢/🟡/🔴 system as all other agents
  • Outputs go to _reversa_sdd/security/ — audit.md, secrets-scan.md, vulnerabilities.md (conditional by doc_level)
  • Static analysis only — never executes the system. All findings are code-based or inferred from patterns

Output structure

_reversa_sdd/security/
├── audit.md              # Full audit report per section (always)
├── secrets-scan.md       # Hardcoded secrets with file:line references (always)
└── vulnerabilities.md    # CVE analysis + prioritized remediation (completo/detalhado)

Testing

  • Verified agent directory structure matches existing pattern
  • Validated integration with npx reversa install and npx reversa add-agent
  • Confirmed SKILL.md frontmatter follows the existing metadata convention

Closes #new-agent-security-auditor
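
As an added illustration of the pattern-based, non-executing approach the design decisions describe (this is example code, not code from this PR or the Reversa project): a small JavaScript secrets scan that emits file:line findings with the 🟢/🟡/🔴 confidence scale. The detection patterns, the confidence-downgrade rules, the report layout and the sample files are constructed assumptions for illustration.

```javascript
// Added example, not code from this PR or the Reversa project: a minimal static
// secrets scan that never executes the audited code, reports file:line and uses
// the 🟢/🟡/🔴 confidence scale. Patterns, confidence rules and sample files are
// constructed assumptions for illustration.
const PATTERNS = [
  // [finding type, regex, base confidence]
  ['AWS access key id', /\bAKIA[0-9A-Z]{16}\b/, '🟢'],
  ['Private key block', /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/, '🟢'],
  ['Generic API key assignment', /\b(?:api[_-]?key|secret|token)\s*[:=]\s*['"][A-Za-z0-9_-]{16,}['"]/i, '🟡'],
  ['Password assignment', /password\s*[:=]\s*['"][^'"]{4,}['"]/i, '🟡'],
];

// Downgrade to 🔴 when the value looks like a placeholder or is read from the
// environment: the match is still reported for a human to review, not silenced.
function adjustConfidence(line, base) {
  return /process\.env|os\.environ|\$\{|changeme|example|xxx/i.test(line) ? '🔴' : base;
}

// Scan one file's text; the first matching pattern per line wins.
function scanSource(path, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const [type, re, conf] of PATTERNS) {
      if (re.test(line)) {
        findings.push({ file: path, line: i + 1, type, confidence: adjustConfidence(line, conf) });
        break;
      }
    }
  });
  return findings;
}

function scanAll(files) {
  return Object.entries(files).flatMap(([path, text]) => scanSource(path, text));
}

// Markdown table in the shape a secrets-scan.md report might use.
function renderMarkdown(findings) {
  const rows = findings.map((f) => `| ${f.file}:${f.line} | ${f.type} | ${f.confidence} |`);
  return ['| Location | Type | Confidence |', '|---|---|---|', ...rows].join('\n');
}
// Constructed sample sources (the AWS key is the documented AWS example value).
const SAMPLE_FILES = {
  'config/settings.py': "DB_PASSWORD = 'hunter2secret'\nAPI_KEY = os.environ['API_KEY']\n",
  'scripts/deploy.sh': 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n',
};

console.log(renderMarkdown(scanAll(SAMPLE_FILES)));
```

The environment-variable read in settings.py produces no finding, while the AWS example key is reported but downgraded to 🔴 because its value contains a placeholder marker.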

Nova Corp added 3 commits April 30, 2026 22:01
- New 'reversa mcp' command: stdio MCP server with 3 tools
  (reversa_status, reversa_analyze, reversa_confidence),
  2 resources (state, inventory), and 1 prompt (new-analysis)
- Non-interactive install: --yes flag with --project, --engines,
  --user, --chat-language, --doc-language, --output, --reinstall
- Auto-healing SKILL.md: when state.json is missing but skills
  exist, the orchestrator creates state programmatically
- Updated agent SKILL.md files with MCP context
- Updated CLI docs and help text in EN/PT/ES
- Dep: @modelcontextprotocol/sdk@1.29.0

New agent persona for vulnerability scanning, secrets detection,
auth/authorization auditing, input validation review, crypto review,
and OWASP Top 10 mapping.

- Added agents/reversa-security-auditor/SKILL.md with full persona
- Registered in lib/installer/prompts.js as optional agent
- Registered in lib/commands/add-agent.js for post-install addition
- Added to templates/plan.md as an Independent Agent

Closes: #new-agent-security-auditor