
Audit Augmentation

Skill · Verified · Active

Augments Trailmark code graphs with external audit findings from SARIF static analysis results and weAudit annotation files. Maps findings to graph nodes by file and line overlap, creates severity-based subgraphs, and enables cross-referencing findings with pre-analysis data (blast radius, taint, etc.). Use when projecting SARIF results onto a code graph, overlaying weAudit annotations, cross-referencing Semgrep or CodeQL findings with call graph data, or visualizing audit findings in the context of code structure.

Purpose

To enhance code graph analysis by overlaying external security audit findings, enabling better understanding of vulnerabilities in context with code structure and pre-analysis data.

Features

  • Augment code graphs with SARIF findings
  • Overlay weAudit annotations onto code graphs
  • Map findings to graph nodes by file/line overlap
  • Create severity-based subgraphs
  • Cross-reference findings with blast radius and taint data

Use Cases

  • Projecting SARIF results onto a code graph
  • Importing weAudit annotations into a code graph
  • Cross-referencing static analysis findings with blast radius or taint data
  • Visualizing audit coverage alongside code structure

Non-Goals

  • Running static analysis tools (use Semgrep/CodeQL directly, then import)
  • Building the code graph itself (use the `trailmark` skill)
  • Generating diagrams (use the `diagramming-code` skill after augmenting)

Trust

  • Issues: With 13 issues opened and 4 closed in the last 90 days, the closure rate is below 50%, indicating slower-than-ideal maintenance responsiveness.

Installation

First, add the marketplace, then install the skill:

/plugin marketplace add trailofbits/skills
/plugin install trailmark@trailofbits

Quality Score

Verified: 95/100 (analyzed about 14 hours ago)

Trust Signals

  • Last commit: 3 days ago
  • Stars: 5.2k
  • License: CC-BY-SA-4.0

Similar Extensions

SARIF Parsing (score 78)

Parses and processes SARIF files from static analysis tools like CodeQL, Semgrep, or other scanners. Triggers on "parse sarif", "read scan results", "aggregate findings", "deduplicate alerts", or "process sarif output". Handles filtering, deduplication, format conversion, and CI/CD integration of SARIF data. Does NOT run scans — use the Semgrep or CodeQL skills for that.

Skill by trailofbits

Metal (score 100)

Extract the conceptual essence of a repository as skills, agents, and teams — the project's roles, procedures, and coordination patterns expressed as agentskills.io-standard definitions. Reads an arbitrary codebase and produces generalized definitions that capture WHAT the project does and WHO operates it, without replicating HOW it does it. Use when onboarding to a new codebase and wanting to understand its conceptual architecture, when bootstrapping an agentic system from an existing project, when studying a project's organizational DNA for cross-pollination, or when creating a skill/agent/team library inspired by a reference implementation.

Skill by pjt222

Lean Ctx (score 100)

Context Runtime for AI Agents — 59 MCP tools, 10 read modes, 95+ shell patterns, tree-sitter AST for 18 languages. Compresses LLM context by up to 99%. Use when reading files, running shell commands, searching code, or exploring directories. Auto-installs if not present.

Skill by yvgude

Pathfinder (score 100)

Map a codebase into feature-grouped flowcharts, identify duplicated concerns across features, and propose a unified architecture. Use when asked to "find the ideal path," unify duplicated systems, or audit architecture before a refactor. Emits a proposed unified flowchart plus per-system /make-plan prompts.

Skill by thedotmack

Codacy Audit (score 100)

Codacy Cloud workflow for this repository -- run Codacy's analyzers locally before `git push` (mirrors what Codacy CI runs), and fetch/cluster Codacy issues for any PR via the v3 API. Use when the user mentions Codacy, "codacy analysis", `codacy-analysis-cli`, "codacy issues on PR", "fix codacy CI", "codacy markdownlint findings", or any Codacy gate failing on a netdata-org PR. Ships scripts analyze-local.sh (docker/binary runner for codacy-analysis-cli) and pr-issues.sh (paginated v3 issue fetch + group-by tool/pattern/severity/file). Token-safe -- CODACY_TOKEN never reaches assistant-visible stdout. Read-only by design in the current SOW; write actions (mark FP, mark fixed) are deferred.

Skill by netdata

Domain Extract (score 100)

Extract domain knowledge from existing project sources and generate domain rules. Also handles vault sync and domain listing.

Skill by luiseiman
