code-quality-audit

📁 camoa/claude-skills 📅 1 day ago

总安装量

周安装量

#42412

全站排名

安装命令

npx skills add https://github.com/camoa/claude-skills --skill code-quality-audit

Agent 安装分布

mcpjam 1

claude-code 1

windsurf 1

zencoder 1

crush 1

cline 1

Skill 文档

Code Quality Audit

Run quality and security audits for Drupal and Next.js projects with consistent tooling and reporting.

Quick Commands

For direct access, use these commands:

/code-quality:setup – First-time setup wizard (install and configure tools)
/code-quality:audit – Run full audit (all 22 operations)
/code-quality:coverage – Check test coverage
/code-quality:security – Security scan (10 layers for Drupal, 7 for Next.js)
/code-quality:lint – Code standards check
/code-quality:solid – Architecture and SOLID principles check
/code-quality:dry – Find code duplication
/code-quality:tdd – Start TDD workflow (test watcher mode)

For conversational workflows, continue reading…

When to Use

Drupal projects:

“Setup quality tools” / “Install PHPStan”
“Run code audit” / “Check code quality”
“Check coverage” / “What’s my coverage?”
“Find SOLID violations” / “Check complexity”
“Check duplication” / “DRY check”
“Lint code” / “Check coding standards”
“Fix deprecations” / “Run rector”
“Start TDD” / “RED-GREEN-REFACTOR”
“Check security” / “Find vulnerabilities” / “OWASP audit”

Next.js projects:

“Setup quality tools” / “Install ESLint”
“Run code audit” / “Check code quality”
“Check coverage” / “Run Jest coverage”
“Find SOLID violations” / “Check complexity” / “Check circular deps”
“Lint code” / “Run ESLint”
“Check duplication” / “DRY check”
“Start TDD” / “Jest watch mode”
“Check security” / “Find vulnerabilities” / “OWASP audit”

Quick Reference

Drupal Scripts

Task	Script	Details
Setup tools	`scripts/core/install-tools.sh`	See Drupal Setup
Full audit	`scripts/core/full-audit.sh`	See Full Audit
Coverage	`scripts/drupal/coverage-report.sh`	See Coverage Check
SOLID check	`scripts/drupal/solid-check.sh`	See SOLID Check
DRY check	`scripts/drupal/dry-check.sh`	See DRY Check
Lint check	`scripts/drupal/lint-check.sh`	See Lint Check
Fix deprecations	`scripts/drupal/rector-fix.sh`	See Rector Fix
TDD cycle	`scripts/drupal/tdd-workflow.sh`	See TDD Workflow
Security audit	`scripts/drupal/security-check.sh`	See Security Audit (10 layers)

Next.js Scripts

Task	Script	Details
Setup tools	`scripts/core/install-tools.sh`	See Next.js Setup
Full audit	`scripts/core/full-audit.sh`	See Full Audit
Coverage	`scripts/nextjs/coverage-report.sh`	See Coverage Check
SOLID check	`scripts/nextjs/solid-check.sh`	See SOLID Check
Lint check	`scripts/nextjs/lint-check.sh`	See Lint Check
DRY check	`scripts/nextjs/dry-check.sh`	See DRY Check
TDD cycle	`scripts/nextjs/tdd-workflow.sh`	See TDD Workflow
Security audit	`scripts/nextjs/security-check.sh`	See Security Audit (7 layers)

Before Any Operation

Drupal:

Locate Drupal root: check web/core/lib/Drupal.php or docroot/core/lib/Drupal.php
Verify DDEV: ddev describe
Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore

Next.js:

Verify npm: npm --version
Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore

When to Run What

Read decision-guides/quality-audit-checklist.md for detailed guidance.

Context	What to Run	Time
Pre-commit	`quality:cs` only	~5s
Pre-push	PHPStan + Unit/Kernel tests	~2min
Pre-merge	Full audit	~10min
Weekly	Full audit + HTML reports	~15min

Scope Targeting

To audit specific modules or components instead of the entire project:

See Scope Targeting for three approaches:

Change directory (recommended) – cd web/modules/custom/my_module
Environment variables – DRUPAL_MODULES_PATH=path/to/module
Full scan (default) – Run from project root

Intelligent detection: Claude detects current directory and user intent.

Operations

All detailed operation instructions have been moved to reference files for better organization.

Drupal Operations

Setup & Configuration

Operation 1: Setup Tools – Install PHPStan, PHPMD, PHPCPD, Coder
Operation 6: Module-Specific Audit – Scope audit to one module
Operation 7: Add Composer Scripts – Configure quality scripts
Operation 8: CI Integration – Setup GitHub Actions

Quality Audits

Operation 2: Full Audit – Run all quality checks
Operation 3: Coverage Check – Measure test coverage
Operation 4: SOLID Check – Find principle violations
Operation 5: DRY Check – Detect code duplication
Operation 11: Lint Check – Coding standards
Operation 12: Rector Fix – Auto-fix deprecations

Development Workflows

Operation 10: TDD Workflow – RED-GREEN-REFACTOR cycle

Security

Operation 20: Security Audit – 10 security layers (v2.0.0)
- Drush pm:security, Composer audit
- yousha/php-security-linter, Psalm taint analysis
- Custom Drupal patterns, Security Review module
- Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
- Roave Security Advisories (v2.0.0)

Next.js Operations

Setup & Configuration

Operation 13: Setup Tools – Install ESLint, Jest, security tools

Quality Audits

Operation 14: Full Audit – Run all quality checks
Operation 15: Lint Check – ESLint + TypeScript
Operation 16: Coverage Check – Jest coverage
Operation 17: DRY Check – Detect duplication
Operation 19: SOLID Check – Circular deps, complexity

Development Workflows

Operation 18: TDD Workflow – RED-GREEN-REFACTOR with Jest

Security

Operation 21: Security Audit – 7 security layers (v2.0.0)
- npm audit, ESLint security plugins
- Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
- Custom React/Next.js patterns (XSS, eval, navigation)
- Socket CLI (v2.0.0)

Optional: DAST (Dynamic Testing)

Pre-production security testing for staging environments

Operation 22: DAST Tools – Dynamic security testing (v2.1.0)
- OWASP ZAP (full DAST scanner)
- Nuclei (template-based CVE scanning)
- Requires running application
- Use before releases on staging/pre-production

Saving Reports

All reports must follow schemas/audit-report.schema.json:

{
  "meta": {
    "project_type": "drupal|nextjs|monorepo",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "summary": {
    "overall_score": "pass|warning|fail",
    "coverage_score": "pass|warning|fail",
    "solid_score": "pass|warning|fail",
    "dry_score": "pass|warning|fail",
    "security_score": "pass|warning|fail"
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}

References

Core Guidance

references/tdd-workflow.md – RED-GREEN-REFACTOR patterns, test naming, cycle targets
references/coverage-metrics.md – Coverage targets by code type, PCOV vs Xdebug
references/dry-detection.md – Rule of Three, when duplication is OK
references/solid-detection.md – SOLID detection patterns and fixes
references/composer-scripts.md – Ready-to-use composer scripts
references/scope-targeting.md – Target specific modules/components (NEW in v1.8.0)

Operations

references/operations/drupal-setup.md – Drupal setup operations
references/operations/drupal-audits.md – Drupal quality audit operations
references/operations/drupal-security.md – Drupal security (10 layers, v2.0.0)
references/operations/drupal-tdd.md – Drupal TDD workflow
references/operations/nextjs-setup.md – Next.js setup operations
references/operations/nextjs-audits.md – Next.js quality audit operations
references/operations/nextjs-security.md – Next.js security (7 layers, v2.0.0)
references/operations/nextjs-tdd.md – Next.js TDD workflow

Decision Guides

decision-guides/test-type-selection.md – Unit vs Kernel vs Functional decision tree
decision-guides/quality-audit-checklist.md – When to run what (pre-commit vs pre-merge)

Templates

Drupal

templates/drupal/phpstan.neon – PHPStan 2.x config (extensions auto-load)
templates/drupal/phpmd.xml – PHPMD ruleset for Drupal
templates/drupal/phpunit.xml – PHPUnit config with testsuites
templates/ci/github-drupal.yml – GitHub Actions workflow with security tools

Next.js

templates/nextjs/eslint.config.js – ESLint v9 flat config with TypeScript + security
templates/nextjs/jest.config.js – Jest config with coverage thresholds
templates/nextjs/jest.setup.js – Jest setup with Testing Library
templates/nextjs/.prettierrc – Prettier config with Tailwind plugin

What’s New in v2.1.0

Phase 3 – Optional DAST Tools (NEW!):

â OWASP ZAP (full DAST scanner for pre-production)
â Nuclei (template-based CVE and misconfiguration scanning)
â Comprehensive documentation with usage examples
â CI/CD integration guides (GitHub Actions, GitLab)
â Pre-release checklist script

DAST Coverage:

Pre-production security testing
Runtime vulnerability detection
OWASP Top 10 dynamic testing
1000+ CVE templates (Nuclei)

See references/operations/dast-tools.md for full documentation.

What’s New in v2.0.0

Progressive Disclosure Refactoring:

â SKILL.md: 632 â 234 lines (63% reduction)
â 9 reference files created with full documentation
â Plugin-creation-tools compliance (16/16 criteria)

Phase 1 – Cross-Stack Security Tools:

â Semgrep SAST (20,000+ security rules for PHP, React, JS, TS)
â Trivy scanner (dependency/container/secret scanner)
â Gitleaks (secret detection with 800+ patterns)

Phase 2 – Enhancement Tools:

â Roave Security Advisories (Drupal – Composer prevention layer)
â Socket CLI (Next.js – supply chain attack detection)

Security Coverage:

Drupal: 40% â 90% (10 security layers)
Next.js: 0% â 85% (7 security layers)

See .work-in-progress-v2.0.0.md for full implementation details.

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台