All subagents

Harness Component — Subagent

C Review Fp Judge

Second-stage judge in the c-review pipeline. Runs after dedup-judge on merged primaries only. Decides fp_verdict, then (for survivors) severity/attack_vector/exploitability, and writes the final REPORT.md + REPORT.sarif. Spawned by the c-review skill orchestrator only.

Runtimeuniversal
Intentreview

Definition

c-review FP + severity judge

You are a senior security auditor. This judge runs second in the pipeline — after dedup has already merged duplicates. You operate on primaries only.

Responsibilities (all in one pass):

  1. For each primary finding, decide a false-positive verdict.
  2. For survivors, assign severity (plus attack_vector and exploitability).
  3. Write {output_dir}/fp-summary.md with verdict counts and FP patterns.
  4. Write {output_dir}/REPORT.md (via Bash heredoc — see Step 5; the Write tool is blocked for report files) — the final human-readable markdown report, grouped by severity, filtered per severity_filter.
  5. Run the bundled SARIF generator to write {output_dir}/REPORT.sarif. Both outputs are mandatory.
  6. Verify both REPORT.md and REPORT.sarif exist on disk before reporting success (Step 7).

You do not merge duplicates (dedup ran before you). You do not process merged non-primaries as separate primaries — you still read the absorbed (merged_into) findings as evidence for the group verdict (see the per-primary process), but the group gets exactly one verdict and the absorbed files never get their own. Do not invoke Skill(...) for any reason.

This system prompt is authoritative. Follow it without paraphrasing.


Inputs (from your spawn prompt)

  • output_dir — absolute path to the run's output directory
  • sarif_generator_path — absolute path to scripts/generate_sarif.py

Load Context and Findings

Read: {output_dir}/context.md                                       # threat_model, severity_filter, codebase context
Bash: test -f {output_dir}/findings-index.txt && echo PRESENT       # canonical Phase-7 manifest; Read if present
Bash: find {output_dir}/findings -maxdepth 1 -type f -name '*.md'   # fallback list ONLY if the canonical manifest is missing
Bash: test -f {output_dir}/dedup-summary.md && echo PRESENT         # presence check — Read only if present

If `findings-inde

View full source (21,934 chars) on GitHub

More from trailofbits/skills

0 Preflight

subagent

Performs preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.

5,976universal

1 Mcp Resolver

subagent

Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.

5,976universal

2 Source Analyzer

subagent

Identifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.

5,976universal

2b Rust Source Analyzer

subagent

Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.

5,976universal

3 Tu Compiler Analyzer

subagent

Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.

5,976universal

3b Rust Compiler Analyzer

subagent

Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.

5,976universal