feat: initial open marketplace with llm-security, config-audit, ultraplan-local
This commit is contained in:
Kjell Tore Guttormsen
commit
f93d6abdae
380 changed files with 65935 additions and 0 deletions
98
plugins/llm-security/commands/diff.md
Normal file
98
plugins/llm-security/commands/diff.md
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
---
|
||||
name: security:diff
|
||||
description: Compare scan results against a stored baseline — shows new, resolved, unchanged, and moved findings
|
||||
allowed-tools: Bash, Read, AskUserQuestion
|
||||
model: sonnet
|
||||
---
|
||||
|
||||
# /security diff [path]
|
||||
|
||||
Run a deterministic deep scan and compare results against a stored baseline. Shows what changed since the last saved scan.
|
||||
|
||||
## Step 1: Check for Existing Baseline
|
||||
|
||||
Determine plugin root (parent of this `commands/` folder) and target path from `$ARGUMENTS` (default `.`).
|
||||
|
||||
Check if a baseline already exists:
|
||||
|
||||
```bash
|
||||
ls -la <plugin-root>/reports/baselines/ 2>/dev/null
|
||||
```
|
||||
|
||||
If baseline files exist for the target, inform the user:
|
||||
|
||||
> A baseline already exists. Running `/security diff` will overwrite it with new results.
|
||||
|
||||
Use AskUserQuestion to ask: "Overwrite existing baseline and run diff? (The previous baseline will be replaced.)"
|
||||
|
||||
If the user declines, exit without scanning. If the user confirms (or no baseline exists yet), proceed to Step 2.
|
||||
|
||||
## Step 2: Run Scan with Baseline Comparison
|
||||
|
||||
```bash
|
||||
node <plugin-root>/scanners/scan-orchestrator.mjs "<target>" --baseline --save-baseline
|
||||
```
|
||||
|
||||
Parse stdout JSON. The scan runs all 9 scanners, diffs against any existing baseline, then saves the new results as the current baseline.
|
||||
|
||||
If no baseline exists yet (`diff` is `null` in output), this is a first run — report that a baseline has been created and show the current scan summary instead of a diff.
|
||||
|
||||
## Step 3: Display Results
|
||||
|
||||
### First run (no prior baseline)
|
||||
|
||||
```
|
||||
## Baseline Created
|
||||
|
||||
No prior baseline found. Current scan saved as baseline.
|
||||
|
||||
**Findings:** XC XH XM XL XI | **Risk Score:** X/100 | **Verdict:** ALLOW/WARNING/BLOCK
|
||||
|
||||
Run `/security diff` again after making changes to see the delta.
|
||||
```
|
||||
|
||||
### Subsequent runs (diff available)
|
||||
|
||||
```
|
||||
## Security Diff: <target>
|
||||
|
||||
**Baseline:** <baseline_timestamp> → **Current:** <now>
|
||||
|
||||
### Summary
|
||||
| Category | Count |
|
||||
|----------|-------|
|
||||
| New | X |
|
||||
| Resolved | X |
|
||||
| Moved | X |
|
||||
| Unchanged| X |
|
||||
```
|
||||
|
||||
For **New** findings (sorted critical → info):
|
||||
|
||||
```
|
||||
### New Findings (X)
|
||||
| # | Severity | Scanner | Title | File | OWASP |
|
||||
```
|
||||
|
||||
For **Resolved** findings:
|
||||
|
||||
```
|
||||
### Resolved Findings (X)
|
||||
| # | Severity | Scanner | Title | File | OWASP |
|
||||
```
|
||||
|
||||
For **Moved** findings (only if count > 0):
|
||||
|
||||
```
|
||||
### Moved Findings (X)
|
||||
| # | Severity | Scanner | Title | File | Previous Location |
|
||||
```
|
||||
|
||||
Omit Unchanged findings from the output — they add noise. Mention count in summary only.
|
||||
|
||||
## Step 4: Advisory
|
||||
|
||||
- If new CRITICAL/HIGH findings: "**Action required:** X new critical/high findings since baseline."
|
||||
- If resolved > new: "**Improving:** more findings resolved than introduced."
|
||||
- If new > 0 and resolved == 0: "**Regression:** X new findings, none resolved."
|
||||
- If new == 0 and resolved == 0: "**Stable:** no changes since baseline."
|
||||
Loading…
Add table
Add a link
Reference in a new issue