cc-audit 3.1.7

Security auditor for Claude Code skills, hooks, and MCP servers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.4.x   | :white_check_mark: |
| 0.3.x   | :white_check_mark: |
| < 0.3   | :x:                |

## Reporting a Vulnerability

We take security vulnerabilities in cc-audit seriously. If you discover a security issue, please report it responsibly.

### How to Report

1. **Do NOT** create a public GitHub issue for security vulnerabilities
2. Report vulnerabilities via [GitHub Security Advisories](https://github.com/ryo-ebata/cc-audit/security/advisories/new)
3. Include the following information:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

### What to Expect

- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Resolution Timeline**: Depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: 90 days

### Disclosure Policy

- We follow responsible disclosure practices
- Security issues will be fixed before public disclosure
- Credit will be given to reporters (unless anonymity is requested)

## Security Considerations for Users

### Safe Usage

cc-audit is designed to analyze potentially malicious code. When using this tool:

1. **Isolated Environment**: Run in a sandboxed or isolated environment when scanning untrusted code
2. **Review Results**: Carefully review all findings before taking action
3. **Keep Updated**: Always use the latest version for the most up-to-date detection rules

### Known Limitations

- Static analysis cannot detect all malicious patterns
- False positives are possible; always verify findings
- Dynamic or obfuscated malware may evade detection

## Security Features

cc-audit includes several security-focused features:

- **No Code Execution**: Pure static analysis without executing scanned code
- **Sandboxed Parsing**: Safe parsing of configuration files
- **Input Validation**: Strict validation of all inputs
- **Minimal Dependencies**: Reduced attack surface through careful dependency management

## Dependency Security

We regularly audit dependencies for known vulnerabilities:

```bash
cargo audit
```

All dependencies are:
- Pinned to specific versions in Cargo.lock
- Regularly updated to address security issues
- Reviewed before inclusion