📦
監査履歴
dast-zap - 6 監査
監査バージョン 6
最新 中リスクJun 28, 2026, 05:27 AM
Static analysis produced many command, network, filesystem, and secret-related matches, but most are documented OWASP ZAP examples and CI templates. No prompt injection or confirmed malicious exfiltration was found. The real risk is that the skill enables active security scanning and executable automation, so users need authorization and review before use.
10
スキャンされたファイル
2,903
解析された行数
9
検出結果
codex
監査者
中リスクの問題 (2)
Authorized Active DAST Traffic Required
The skill provides active OWASP ZAP scan guidance and an automation job that can send attack traffic to target applications. This is legitimate security testing, but it can disrupt systems or violate policy if run without written authorization.
Executable CI and Docker Templates Need Review
The bundled CI templates run Docker-based ZAP scans and install parsing tools in pipeline environments. The commands are expected for this skill, but marketplace users should review targets, mounts, and permissions before use.
低リスクの問題 (3)
Secret References Are Environment Placeholders
The analyzer flagged API key and credential references. The reviewed files use environment-variable placeholders for ZAP and test authentication rather than hardcoded secret values.
Sensitive File Paths Appear in Test Payload Documentation
The sensitive file detections are examples for XXE and path traversal verification. They do not show the skill reading local files or collecting host credentials.
Hardcoded URLs Are Example Targets
Hardcoded URL findings use example.com, target-app.com, staging hosts, or official documentation links. These are examples and references, not hidden outbound endpoints.
リスク要因
⚙️ 外部コマンド (258)
assets/github_action.yml:180 assets/github_action.yml:181 assets/github_action.yml:177 assets/github_action.yml:177 assets/gitlab_ci.yml:23 assets/gitlab_ci.yml:56 assets/gitlab_ci.yml:57 assets/gitlab_ci.yml:69 assets/gitlab_ci.yml:99 assets/gitlab_ci.yml:100 assets/gitlab_ci.yml:160 assets/gitlab_ci.yml:161 assets/gitlab_ci.yml:202 references/api_testing_guide.md:23-30 references/api_testing_guide.md:30-36 references/api_testing_guide.md:36-42 references/api_testing_guide.md:42-48 references/api_testing_guide.md:48-61 references/api_testing_guide.md:61-65 references/api_testing_guide.md:65-78 references/api_testing_guide.md:78-87 references/api_testing_guide.md:87-94 references/api_testing_guide.md:94-104 references/api_testing_guide.md:104-111 references/api_testing_guide.md:111-117 references/api_testing_guide.md:117-122 references/api_testing_guide.md:122-130 references/api_testing_guide.md:130-137 references/api_testing_guide.md:137-143 references/api_testing_guide.md:143-147 references/api_testing_guide.md:147-156 references/api_testing_guide.md:156-174 references/api_testing_guide.md:174-181 references/api_testing_guide.md:181-188 references/api_testing_guide.md:188-196 references/api_testing_guide.md:196-202 references/api_testing_guide.md:202-208 references/api_testing_guide.md:208-215 references/api_testing_guide.md:215-222 references/api_testing_guide.md:222-232 references/api_testing_guide.md:232-237 references/api_testing_guide.md:237-239 references/api_testing_guide.md:239-309 references/api_testing_guide.md:309-311 references/api_testing_guide.md:311-347 references/api_testing_guide.md:347-351 references/api_testing_guide.md:351-355 references/api_testing_guide.md:355-367 references/api_testing_guide.md:367-375 references/api_testing_guide.md:375-378 references/api_testing_guide.md:378-382 references/api_testing_guide.md:382-390 references/api_testing_guide.md:390-408 references/api_testing_guide.md:408-414 references/api_testing_guide.md:414-424 references/api_testing_guide.md:424-430 references/api_testing_guide.md:430-438 references/api_testing_guide.md:438-446 references/api_testing_guide.md:446-449 references/api_testing_guide.md:449-455 references/api_testing_guide.md:455-458 references/api_testing_guide.md:458-464 references/api_testing_guide.md:464-468 references/api_testing_guide.md:25 references/api_testing_guide.md:38 references/api_testing_guide.md:50-53 references/api_testing_guide.md:132 references/api_testing_guide.md:210 references/api_testing_guide.md:353 references/api_testing_guide.md:23-30 references/api_testing_guide.md:36-42 references/api_testing_guide.md:48-61 references/api_testing_guide.md:130-137 references/api_testing_guide.md:208-215 references/api_testing_guide.md:351-355 references/authentication_guide.md:26-36 references/authentication_guide.md:36-41 references/authentication_guide.md:41-42 references/authentication_guide.md:42-47 references/authentication_guide.md:47-49 references/authentication_guide.md:49-91 references/authentication_guide.md:91-95 references/authentication_guide.md:95-103 references/authentication_guide.md:103-111 references/authentication_guide.md:111-117 references/authentication_guide.md:117-123 references/authentication_guide.md:123-129 references/authentication_guide.md:129-133 references/authentication_guide.md:133-135 references/authentication_guide.md:135-159 references/authentication_guide.md:159-167 references/authentication_guide.md:167-190 references/authentication_guide.md:190-194 references/authentication_guide.md:194-210 references/authentication_guide.md:210-216 references/authentication_guide.md:216-226 references/authentication_guide.md:226-232 references/authentication_guide.md:232-240 references/authentication_guide.md:240-257 references/authentication_guide.md:257-284 references/authentication_guide.md:284-294 references/authentication_guide.md:294-296 references/authentication_guide.md:296-302 references/authentication_guide.md:302-308 references/authentication_guide.md:308-320 references/authentication_guide.md:320-324 references/authentication_guide.md:324-330 references/authentication_guide.md:330-343 references/authentication_guide.md:343-349 references/authentication_guide.md:349-353 references/authentication_guide.md:353-380 references/authentication_guide.md:380 references/authentication_guide.md:380-387 references/authentication_guide.md:387-396 references/authentication_guide.md:396-400 references/authentication_guide.md:400-408 references/authentication_guide.md:408-412 references/authentication_guide.md:412-425 references/authentication_guide.md:97 references/authentication_guide.md:113-116 references/authentication_guide.md:176-182 references/authentication_guide.md:196-201 references/authentication_guide.md:234 references/authentication_guide.md:304 references/authentication_guide.md:414-417 references/authentication_guide.md:95-103 references/authentication_guide.md:111-117 references/authentication_guide.md:167-190 references/authentication_guide.md:194-210 references/authentication_guide.md:232-240 references/authentication_guide.md:302-308 references/authentication_guide.md:412-425 references/false_positive_handling.md:26-29 references/false_positive_handling.md:29-37 references/false_positive_handling.md:37-39 references/false_positive_handling.md:39-51 references/false_positive_handling.md:51-55 references/false_positive_handling.md:55-63 references/false_positive_handling.md:63-65 references/false_positive_handling.md:65-77 references/false_positive_handling.md:77-82 references/false_positive_handling.md:82-90 references/false_positive_handling.md:90-92 references/false_positive_handling.md:92-104 references/false_positive_handling.md:104-109 references/false_positive_handling.md:109-117 references/false_positive_handling.md:117-119 references/false_positive_handling.md:119-131 references/false_positive_handling.md:131-134 references/false_positive_handling.md:134-142 references/false_positive_handling.md:142-144 references/false_positive_handling.md:144-160 references/false_positive_handling.md:160-172 references/false_positive_handling.md:172-185 references/false_positive_handling.md:185-200 references/false_positive_handling.md:200-208 references/false_positive_handling.md:208-210 references/false_positive_handling.md:210-220 references/false_positive_handling.md:220-222 references/false_positive_handling.md:222-237 references/false_positive_handling.md:237-241 references/false_positive_handling.md:241-253 references/false_positive_handling.md:253-269 references/false_positive_handling.md:269-281 references/false_positive_handling.md:281-326 references/false_positive_handling.md:326-332 references/false_positive_handling.md:332-338 references/false_positive_handling.md:338-343 references/false_positive_handling.md:343-349 references/false_positive_handling.md:349-358 references/false_positive_handling.md:358-366 references/false_positive_handling.md:366-369 references/false_positive_handling.md:369-375 references/false_positive_handling.md:375-382 references/false_positive_handling.md:382-388 references/false_positive_handling.md:388-391 references/false_positive_handling.md:391-397 references/false_positive_handling.md:397-413 references/false_positive_handling.md:413-417 references/false_positive_handling.md:417-421 references/false_positive_handling.md:249 references/false_positive_handling.md:241-253 SKILL.md:37-39 SKILL.md:39-45 SKILL.md:45-47 SKILL.md:47-53 SKILL.md:53-59 SKILL.md:59-67 SKILL.md:67-73 SKILL.md:73-84 SKILL.md:84-90 SKILL.md:90-103 SKILL.md:103-110 SKILL.md:110-127 SKILL.md:127-141 SKILL.md:141-143 SKILL.md:143-149 SKILL.md:149-158 SKILL.md:158-167 SKILL.md:167-173 SKILL.md:173-180 SKILL.md:180-188 SKILL.md:188-196 SKILL.md:196-215 SKILL.md:215-221 SKILL.md:221-225 SKILL.md:225-227 SKILL.md:227-242 SKILL.md:242-257 SKILL.md:257-259 SKILL.md:259-260 SKILL.md:260-261 SKILL.md:261-262 SKILL.md:262-263 SKILL.md:263-265 SKILL.md:265-267 SKILL.md:267-268 SKILL.md:268-269 SKILL.md:269-270 SKILL.md:270-271 SKILL.md:271-273 SKILL.md:273-275 SKILL.md:275-276 SKILL.md:276-277 SKILL.md:277-278 SKILL.md:278-279 SKILL.md:279-280 SKILL.md:280-288 SKILL.md:288-297 SKILL.md:297-303 SKILL.md:303-313 SKILL.md:313-319 SKILL.md:319-334 SKILL.md:334-340 SKILL.md:340-353 SKILL.md:353-370 SKILL.md:370-379 SKILL.md:379-385 SKILL.md:385-391 SKILL.md:391-399 SKILL.md:399-408 SKILL.md:408-414 SKILL.md:414-424 SKILL.md:424-430 SKILL.md:430-436 SKILL.md:54 SKILL.md:129 SKILL.md:136 SKILL.md:175 SKILL.md:223 SKILL.md:305 SKILL.md:373 SKILL.md:53-59 SKILL.md:127-141 SKILL.md:173-180 SKILL.md:221-225 SKILL.md:303-313 SKILL.md:370-379
🌐 ネットワークアクセス (132)
assets/gitlab_ci.yml:10 assets/zap_context.xml:17 assets/zap_context.xml:20 assets/zap_context.xml:21 assets/zap_context.xml:22 assets/zap_context.xml:49 assets/zap_context.xml:56 assets/zap_context.xml:85 assets/zap_context.xml:165 assets/zap_context.xml:172 assets/zap_context.xml:173 assets/zap_context.xml:174 assets/zap_context.xml:175 references/api_testing_guide.md:26 references/api_testing_guide.md:39 references/api_testing_guide.md:50 references/api_testing_guide.md:57 references/api_testing_guide.md:68 references/api_testing_guide.md:75 references/api_testing_guide.md:90 references/api_testing_guide.md:93 references/api_testing_guide.md:120 references/api_testing_guide.md:133 references/api_testing_guide.md:144 references/api_testing_guide.md:211 references/api_testing_guide.md:316 references/api_testing_guide.md:318 references/api_testing_guide.md:329 references/api_testing_guide.md:330 references/api_testing_guide.md:392 references/api_testing_guide.md:397 references/api_testing_guide.md:401 references/api_testing_guide.md:406 references/api_testing_guide.md:417 references/api_testing_guide.md:422 references/api_testing_guide.md:432 references/api_testing_guide.md:436 references/api_testing_guide.md:456 references/api_testing_guide.md:466 references/api_testing_guide.md:472 references/api_testing_guide.md:473 references/api_testing_guide.md:474 references/api_testing_guide.md:475 references/authentication_guide.md:29 references/authentication_guide.md:31 references/authentication_guide.md:34 references/authentication_guide.md:56 references/authentication_guide.md:61 references/authentication_guide.md:63 references/authentication_guide.md:100 references/authentication_guide.md:113 references/authentication_guide.md:125 references/authentication_guide.md:140 references/authentication_guide.md:169 references/authentication_guide.md:171 references/authentication_guide.md:176 references/authentication_guide.md:181 references/authentication_guide.md:187 references/authentication_guide.md:196 references/authentication_guide.md:207 references/authentication_guide.md:222 references/authentication_guide.md:237 references/authentication_guide.md:268 references/authentication_guide.md:307 references/authentication_guide.md:351 references/authentication_guide.md:390 references/authentication_guide.md:392 references/authentication_guide.md:395 references/authentication_guide.md:403 references/authentication_guide.md:405 references/authentication_guide.md:414 references/authentication_guide.md:422 references/authentication_guide.md:429 references/authentication_guide.md:430 references/authentication_guide.md:431 references/false_positive_handling.md:27 references/false_positive_handling.md:38 references/false_positive_handling.md:52 references/false_positive_handling.md:64 references/false_positive_handling.md:79 references/false_positive_handling.md:91 references/false_positive_handling.md:91 references/false_positive_handling.md:118 references/false_positive_handling.md:132 references/false_positive_handling.md:143 references/false_positive_handling.md:162 references/false_positive_handling.md:166 references/false_positive_handling.md:170 references/false_positive_handling.md:224 references/false_positive_handling.md:227 references/false_positive_handling.md:230 references/false_positive_handling.md:233 references/false_positive_handling.md:233 references/false_positive_handling.md:236 references/false_positive_handling.md:244 references/false_positive_handling.md:250 references/false_positive_handling.md:377 references/false_positive_handling.md:381 references/false_positive_handling.md:390 references/false_positive_handling.md:425 references/false_positive_handling.md:426 references/false_positive_handling.md:427 references/owasp_mapping.md:252 references/owasp_mapping.md:253 references/owasp_mapping.md:254 references/owasp_mapping.md:255 SKILL.md:18 SKILL.md:19 SKILL.md:20 SKILL.md:38 SKILL.md:46 SKILL.md:55 SKILL.md:69 SKILL.md:130 SKILL.md:137 SKILL.md:154 SKILL.md:212 SKILL.md:306 SKILL.md:312 SKILL.md:325 SKILL.md:327 SKILL.md:330 SKILL.md:343 SKILL.md:374 SKILL.md:378 SKILL.md:405 SKILL.md:419 SKILL.md:440 SKILL.md:441 SKILL.md:442 SKILL.md:443 SKILL.md:444
📁 ファイルシステムへのアクセス (5)
検出されたパターン
External Command ExamplesNetwork Scanning Templates
監査バージョン 5
低リスクJan 16, 2026, 03:37 PM
Legitimate DAST security testing skill using official OWASP ZAP tooling. Contains documentation, configuration templates, and CI/CD workflows for vulnerability scanning. All 465 static findings are false positives - the patterns detected are expected behaviors for security testing documentation (shell commands for running scanners, URLs in documentation, and security terminology explaining vulnerabilities). No malicious intent detected.
11
スキャンされたファイル
3,191
解析された行数
3
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした
リスク要因
⚙️ 外部コマンド (1)
🌐 ネットワークアクセス (1)
📁 ファイルシステムへのアクセス (1)
監査バージョン 4
低リスクJan 16, 2026, 03:37 PM
Legitimate DAST security testing skill using official OWASP ZAP tooling. Contains documentation, configuration templates, and CI/CD workflows for vulnerability scanning. All 465 static findings are false positives - the patterns detected are expected behaviors for security testing documentation (shell commands for running scanners, URLs in documentation, and security terminology explaining vulnerabilities). No malicious intent detected.
11
スキャンされたファイル
3,191
解析された行数
3
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした
リスク要因
⚙️ 外部コマンド (1)
🌐 ネットワークアクセス (1)
📁 ファイルシステムへのアクセス (1)
監査バージョン 3
低リスクJan 10, 2026, 10:27 AM
Legitimate DAST security testing skill using official OWASP ZAP tooling. Contains only documentation, configuration templates, and CI/CD workflows. Purpose matches capabilities. All network calls are to target scanning domains. Credential handling uses secure patterns (environment variables). Includes explicit authorization warnings and legal compliance guidance.
10
スキャンされたファイル
2,903
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした
リスク要因
⚡ スクリプトを含む (1)
🌐 ネットワークアクセス (1)
📁 ファイルシステムへのアクセス (1)
⚙️ 外部コマンド (1)
監査バージョン 2
低リスクJan 10, 2026, 10:27 AM
Legitimate DAST security testing skill using official OWASP ZAP tooling. Contains only documentation, configuration templates, and CI/CD workflows. Purpose matches capabilities. All network calls are to target scanning domains. Credential handling uses secure patterns (environment variables). Includes explicit authorization warnings and legal compliance guidance.
10
スキャンされたファイル
2,903
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした
リスク要因
⚡ スクリプトを含む (1)
🌐 ネットワークアクセス (1)
📁 ファイルシステムへのアクセス (1)
⚙️ 外部コマンド (1)
監査バージョン 1
低リスクJan 10, 2026, 10:27 AM
Legitimate DAST security testing skill using official OWASP ZAP tooling. Contains only documentation, configuration templates, and CI/CD workflows. Purpose matches capabilities. All network calls are to target scanning domains. Credential handling uses secure patterns (environment variables). Includes explicit authorization warnings and legal compliance guidance.
10
スキャンされたファイル
2,903
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした