# Security Clean Report — {{TARGET}}

**Date:** {{TIMESTAMP}}
**Mode:** {{MODE}} (live / dry-run)
**Backup:** {{BACKUP_PATH}}
**Duration:** {{DURATION_MS}}ms

---

## Remediation Summary

> [!{{VERDICT_TYPE}}]
> **Pre-clean:** {{PRE_VERDICT}} ({{PRE_RISK_SCORE}}/100) — {{PRE_TOTAL_FINDINGS}} findings
> **Post-clean:** {{POST_VERDICT}} ({{POST_RISK_SCORE}}/100) — {{POST_TOTAL_FINDINGS}} findings
> **Risk reduction:** {{RISK_REDUCTION}}%

| Metric | Before | After | Delta |
|--------|--------|-------|-------|
| Risk Score | {{PRE_RISK_SCORE}} | {{POST_RISK_SCORE}} | {{RISK_DELTA}} |
| Total Findings | {{PRE_TOTAL_FINDINGS}} | {{POST_TOTAL_FINDINGS}} | {{FINDINGS_DELTA}} |
| Critical | {{PRE_CRITICAL}} | {{POST_CRITICAL}} | {{CRITICAL_DELTA}} |
| High | {{PRE_HIGH}} | {{POST_HIGH}} | {{HIGH_DELTA}} |
| Medium | {{PRE_MEDIUM}} | {{POST_MEDIUM}} | {{MEDIUM_DELTA}} |
| Low | {{PRE_LOW}} | {{POST_LOW}} | {{LOW_DELTA}} |
| Info | {{PRE_INFO}} | {{POST_INFO}} | {{INFO_DELTA}} |

---

## Fix Summary

| Category | Count |
|----------|-------|
| Auto-fixes applied | {{AUTO_APPLIED}} |
| Semi-auto approved | {{SEMI_APPROVED}} |
| Semi-auto skipped | {{SEMI_SKIPPED}} |
| LLM-detected auto-fixes | {{LLM_AUTO_APPLIED}} |
| LLM-detected semi-auto approved | {{LLM_SEMI_APPROVED}} |
| Manual (reported only) | {{MANUAL_COUNT}} |
| Skipped (historical) | {{HISTORICAL_COUNT}} |
| Failed | {{FAILED_COUNT}} |
| **Total processed** | **{{TOTAL_PROCESSED}}** |

---

## Auto-Fixes Applied

| Finding ID | File | Operation | Description |
|------------|------|-----------|-------------|
{{AUTO_FIXES_ROWS}}

> [!TIP]
> Auto-fixes are lossless operations: stripping zero-width characters, removing known-malicious
> strings, or replacing hardcoded secrets with placeholder tokens.

---

## Semi-Auto Fixes Applied

| Finding ID | File | Change Description | Rationale |
|------------|------|--------------------|-----------|
{{SEMI_AUTO_APPLIED_ROWS}}

---

## Semi-Auto Fixes Skipped

| Finding ID | Proposed Change | User Decision |
|------------|-----------------|---------------|
{{SEMI_AUTO_SKIPPED_ROWS}}

---

## Remaining Manual Findings

| Finding ID | Severity | File | Description | Recommendation |
|------------|----------|------|-------------|----------------|
{{MANUAL_FINDINGS_ROWS}}

> [!CAUTION]
> Manual findings are not reduced by re-running `/security clean`. Address them directly
> in the codebase, then re-run `/security scan` to verify the fix.

---

## Skipped (Historical)

| Finding ID | Severity | Commit | Description |
|------------|----------|--------|-------------|
{{HISTORICAL_ROWS}}

> [!NOTE]
> Historical findings in git history require `git filter-repo` or a force-push to remove.
> Consult your team before rewriting shared history. These findings are listed for awareness only.

---

## File Modification Log

| File Path | Operations | Validation |
|-----------|------------|------------|
{{FILE_MOD_ROWS}}

---

## Validation Results

Each modified file was validated after changes were applied. Any file that failed validation was automatically restored from the backup.

| File | Check | Result | Detail |
|------|-------|--------|--------|
{{VALIDATION_ROWS}}

**Validation rules:**

- `.json` files: `JSON.parse()` succeeded
- Frontmatter files (`.md`, `.yaml`): `^---\n` prefix present
- `.mjs` / `.js` files: `node --check` passed
- All other files: character encoding check only

> [!WARNING]
> Files marked `FAIL` in validation were **restored from backup**. The finding they targeted
> is still present and has been moved back to the Manual Findings section above.

---

## Rollback

To restore the original (pre-clean) state:

```bash
# Remove the cleaned tree, then move the backup back into place.
# Paths are quoted so that spaces or leading dashes are not misparsed.
rm -rf -- "{{TARGET}}"
mv -- "{{BACKUP_PATH}}" "{{TARGET}}"
```

> [!WARNING]
> The backup will be removed when you next run `/security clean` on this target.
> Copy or rename it if you want to preserve it permanently.

---

*Generated by llm-security clean v1.3.0*