    thedecipherist/security-audit
    Security
    294
    2 installs

    About

    Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.

    SKILL.md

    Security Audit Skill

    Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.

    When to Use This Skill

    • User mentions "security", "audit", "vulnerability", "CVE"
    • Before deployment commands
    • During PR reviews
    • User asks about dependencies
    • Periodic security checks

    Audit Checklist

    1. Secrets Exposure

    Check for hardcoded secrets:

    # Search for common secret patterns. One --include per extension: grep does not
    # expand {js,ts,...} itself, and the quotes stop the shell from doing it either.
    grep -rnE "API_KEY|SECRET|TOKEN|PASSWORD" --exclude-dir=.git --exclude-dir=node_modules \
      --include="*.js" --include="*.ts" --include="*.py" --include="*.go" --include="*.rb" --include="*.java" .
    grep -rnE "sk-|pk_|api_|secret_" --exclude-dir=.git --exclude-dir=node_modules \
      --include="*.js" --include="*.ts" --include="*.py" --include="*.go" --include="*.rb" --include="*.java" .
    

    Verify .gitignore:

    # Ensure sensitive files are ignored
    grep -E "\.env|secret|credential|\.pem|\.key" .gitignore
    

    Check git history for leaked secrets:

    # Quick search of recent history for one pattern; git-secrets or truffleHog
    # scan every commit for many patterns and should be used for a full sweep
    git log -p --all -S "API_KEY" --since="30 days ago"
    

    ✅ Pass criteria:

    • No hardcoded API keys, tokens, or passwords
    • .env files in .gitignore
    • No secrets in git history
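A small scanner that automates the checks above, added here as an example and not part of the skill: it applies the two grep patterns to the same file types, skips VCS metadata and vendored directories, redacts each value in the report so the audit output never becomes a second copy of the secret, and tests a .gitignore against the file names the checklist cares about. The sample repository it writes to a temporary directory is constructed; the added `sk_` prefix, the digit requirement that keeps identifiers such as `api_key_from_env` out of the results, and the simplified .gitignore matcher are assumptions of this example.

```python
"""Secret scanner illustrating the 'Secrets Exposure' checks (added example, not part of the skill)."""
import os
import re
import tempfile
from dataclasses import dataclass
from fnmatch import fnmatch

# File types the checklist's grep commands cover.
CODE_EXTENSIONS = {".js", ".ts", ".py", ".go", ".rb", ".java"}
# Directories that only add noise: VCS metadata and vendored dependencies.
SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build"}

# A quoted literal assigned to a secret-looking name, e.g. DB_PASSWORD = "..." or token: '...'.
ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(API_KEY|SECRET|TOKEN|PASSWORD|PASSWD)\w*\s*[=:]\s*['"]([^'"]{8,})['"]"""
)
# Provider-style prefixes from the checklist (sk_ added next to sk-). The lookahead demands a
# digit so identifiers such as api_key_from_env are not reported. Heuristic, not a vendor format.
PREFIXED = re.compile(r"\b(sk-|sk_|pk_|api_|secret_)(?=[A-Za-z0-9_-]*\d)[A-Za-z0-9_-]{16,}")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # the report must locate the secret without repeating it


def redact(value: str) -> str:
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(text: str, path: str) -> list:
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if m:
            findings.append(Finding(path, number, "literal-assignment", redact(m.group(2))))
            continue
        m = PREFIXED.search(line)
        if m:
            findings.append(Finding(path, number, "prefixed-key", redact(m.group(0))))
    return findings


def scan_directory(root: str) -> list:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1] not in CODE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), rel))
    return sorted(findings, key=lambda f: (f.path, f.line))


def gitignore_covers(gitignore_text: str, names: list) -> dict:
    """Simplified .gitignore check: basename globs only, no negation or anchoring."""
    patterns = [p.strip().rstrip("/") for p in gitignore_text.splitlines()
                if p.strip() and not p.lstrip().startswith("#")]
    return {n: any(fnmatch(n, p) for p in patterns) for n in names}


# Constructed sample repository; the key and password values are invented.
SAMPLE_FILES = {
    "src/config.js": 'const STRIPE_KEY = "sk_live_abc123def456ghi789";\n'
                     'const DB_PASSWORD = "hunter2hunter2";\n',
    "src/safe.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\napi_key_from_env = API_KEY\n',
    "node_modules/lib/index.js": 'const TOKEN = "vendored_code_is_skipped";\n',
    ".gitignore": "# local settings\n.env\n*.pem\nsecrets/\n",
}


def write_sample_repo(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def audit_sample_repo():
    """Scan the constructed repo; returns (findings, .gitignore coverage of sensitive names)."""
    root = tempfile.mkdtemp()
    write_sample_repo(root)
    findings = scan_directory(root)
    with open(os.path.join(root, ".gitignore"), encoding="utf-8") as fh:
        coverage = gitignore_covers(fh.read(), [".env", "server.pem", "id_rsa.key", "secrets"])
    return findings, coverage


if __name__ == "__main__":
    found, covered = audit_sample_repo()
    for f in found:
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
    for name, ok in covered.items():
        print(f"{name}: {'ignored' if ok else 'NOT ignored'}")
```

On the sample repository the scanner reports the two literals in `src/config.js` with their values masked, stays silent on `src/safe.py` (the value comes from the environment) and on `node_modules`, and shows that the .gitignore covers `.env`, `*.pem` and `secrets/` but not an `id_rsa.key` file, which is exactly the kind of gap the pass criteria are meant to surface.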

    2. Dependency Vulnerabilities

    Node.js:

    npm audit
    # or
    yarn audit
    # or  
    pnpm audit
    

    Python:

    pip-audit
    # or
    safety check
    

    Go:

    govulncheck ./...
    

    Rust:

    cargo audit
    

    ✅ Pass criteria:

    • No critical vulnerabilities
    • No high vulnerabilities > 30 days old
    • Dependencies updated within last 90 days
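A CI gate that turns the pass criteria above into a decision, added here as an example and not part of the skill. It reads the JSON that `npm audit --json` produces, fails the build on any critical or high finding, and lists those findings with whether a fix is available. It assumes the `auditReportVersion: 2` layout that npm 7 and later emit (`vulnerabilities` keyed by package, counts under `metadata.vulnerabilities`); the report it evaluates is constructed and the package names are invented. The "no high vulnerabilities older than 30 days" criterion is not evaluated, because the report carries no advisory dates.

```python
"""CI gate over `npm audit --json` output illustrating the dependency pass criteria
(added example, not part of the skill). Assumes the auditReportVersion 2 layout of npm 7+."""
import json

BLOCKING_SEVERITIES = ("critical", "high")  # the checklist's deployment blockers

# Constructed report; package names and version ranges are invented.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {"name": "example-parser", "severity": "high", "isDirect": False,
                           "range": "<2.1.0", "fixAvailable": True},
        "example-logger": {"name": "example-logger", "severity": "moderate", "isDirect": True,
                           "range": "<5.0.3", "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1,
                                     "critical": 0, "total": 2}},
})


def evaluate_npm_audit(report_json: str) -> dict:
    """Apply the severity gate. The 30-day age rule needs advisory dates the report lacks."""
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm auditReportVersion 2 (npm 7+)")
    counts = report["metadata"]["vulnerabilities"]
    blocking = sorted(
        (v["name"], v["severity"], "fix available" if v.get("fixAvailable") else "no fix yet")
        for v in report.get("vulnerabilities", {}).values()
        if v["severity"] in BLOCKING_SEVERITIES
    )
    return {
        "passed": all(counts.get(s, 0) == 0 for s in BLOCKING_SEVERITIES),
        "counts": {s: counts.get(s, 0) for s in ("critical", "high", "moderate", "low")},
        "blocking": blocking,
    }


if __name__ == "__main__":
    result = evaluate_npm_audit(SAMPLE_REPORT)
    print("PASS" if result["passed"] else "FAIL", result["counts"])
    for name, severity, fix in result["blocking"]:
        print(f"  {severity}: {name} ({fix})")
```

In a pipeline the report would come from `npm audit --json > audit.json` and the gate would exit non-zero when `passed` is false; npm's "moderate" corresponds to the checklist's Medium level.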

    3. Input Validation

    Check for:

    • User inputs sanitized before use
    • SQL queries use parameterized statements
    • File paths validated and sandboxed
    • HTML content escaped before rendering
    • Command injection prevention

    Common vulnerable patterns:

    // BAD: SQL injection
    db.query(`SELECT * FROM users WHERE id = ${userId}`)
    
    // GOOD: Parameterized query
    db.query('SELECT * FROM users WHERE id = ?', [userId])
    
    # BAD: Command injection
    os.system(f"convert {user_file}")
    
    # GOOD: Use subprocess with list
    subprocess.run(["convert", user_file], check=True)
    

    4. Authentication & Authorization

    Check for:

    • Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
    • Session tokens are cryptographically random
    • Sessions expire appropriately
    • CSRF protection on state-changing endpoints
    • Rate limiting on auth endpoints
    • Account lockout after failed attempts

    Look for:

    // BAD: Weak hashing
    crypto.createHash('md5').update(password)
    
    // GOOD: Bcrypt
    bcrypt.hash(password, 12)
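What "good" looks like for the rest of the list, added here as an example and not part of the skill: salted password hashing with a slow, memory-hard function, verification that does not short-circuit on unknown users, session tokens drawn from the OS CSPRNG with an expiry, constant-time token comparison, and an account lockout after repeated failures. `hashlib.scrypt` from the standard library stands in for bcrypt/argon2 so the block runs without third-party packages; the cost parameters, the 30-minute session TTL and the 5-failures-in-15-minutes lockout are assumptions of this example.

```python
"""Authentication helpers illustrating the 'Authentication & Authorization' checks
(added example, not part of the skill)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# scrypt (memory-hard, standard library) stands in for bcrypt/argon2 here; the audit
# point is the same: per-password salt, deliberately slow, never MD5 or SHA-1.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SESSION_TTL_SECONDS = 30 * 60
MAX_FAILURES, LOCKOUT_WINDOW_SECONDS = 5, 15 * 60


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False  # legacy md5/sha1 records get re-hashed at next login, never verified
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


DUMMY_HASH = hash_password("placeholder-so-unknown-users-cost-the-same")


@dataclass
class Session:
    token: str
    user: str
    expires_at: float


def new_session(user: str, now: float) -> Session:
    # token_urlsafe(32) is 256 bits from the OS CSPRNG; never derive tokens from time or counters.
    return Session(secrets.token_urlsafe(32), user, now + SESSION_TTL_SECONDS)


def session_is_valid(session: Session, presented: str, now: float) -> bool:
    return now < session.expires_at and hmac.compare_digest(session.token.encode(), presented.encode())


@dataclass
class LoginThrottle:
    """Locks an account after MAX_FAILURES failures inside LOCKOUT_WINDOW_SECONDS."""
    failures: dict = field(default_factory=dict)  # user -> timestamps of recent failures

    def _recent(self, user: str, now: float) -> list:
        cutoff = now - LOCKOUT_WINDOW_SECONDS
        self.failures[user] = [t for t in self.failures.get(user, []) if t > cutoff]
        return self.failures[user]

    def is_locked(self, user: str, now: float) -> bool:
        return len(self._recent(user, now)) >= MAX_FAILURES

    def record_failure(self, user: str, now: float) -> None:
        self._recent(user, now).append(now)

    def reset(self, user: str) -> None:
        self.failures.pop(user, None)


def login(users: dict, throttle: LoginThrottle, user: str, password: str, now: float):
    """Return a Session on success, None otherwise. `users` maps name -> stored hash."""
    if throttle.is_locked(user, now):
        return None
    stored = users.get(user, DUMMY_HASH)  # unknown users still pay the hashing cost
    if user not in users or not verify_password(password, stored):
        throttle.record_failure(user, now)  # one answer for unknown user and wrong password
        return None
    throttle.reset(user)
    return new_session(user, now)
```

The `DUMMY_HASH` detail matters for the "rate limiting" and "lockout" items as much as for hashing: without it, a request for a non-existent account returns measurably faster than a wrong password for a real one.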
    

    5. HTTPS & Transport Security

    Check for:

    • HTTPS enforced (HSTS header)
    • Secure cookie flags (Secure, HttpOnly, SameSite)
    • No mixed content warnings
    • TLS 1.2+ required
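A checker for the first, second and fourth items, added here as an example and not part of the skill: it evaluates the `Strict-Transport-Security` header (present, long enough `max-age`, `includeSubDomains`) and every `Set-Cookie` header (Secure, HttpOnly, SameSite=Lax or Strict) of a response, and builds an outbound TLS context that refuses anything below TLS 1.2. The two responses it inspects are constructed, and the six-month minimum `max-age` is an assumption of this example; mixed content has to be checked in the rendered pages rather than in headers and is not covered here.

```python
"""Response checks illustrating the 'HTTPS & Transport Security' items (added example, not
part of the skill; the two sample responses are constructed)."""
import re
import ssl

HSTS_MIN_AGE = 180 * 24 * 3600  # six months, an assumed minimum


def check_hsts(value):
    """Findings for one Strict-Transport-Security value (None = header absent)."""
    if value is None:
        return ["HSTS header missing"]
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return ["HSTS max-age missing"]
    findings = []
    if int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_cookie(set_cookie: str) -> list:
    """Findings for one Set-Cookie value: Secure, HttpOnly and SameSite=Lax/Strict expected."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite should be Lax or Strict "
                        f"(got {attrs.get('samesite') or 'none'})")
    return findings


def audit_response(headers: list) -> list:
    """headers: list of (name, value) pairs so repeated Set-Cookie headers all survive."""
    lowered = [(k.lower(), v) for k, v in headers]
    hsts = next((v for k, v in lowered if k == "strict-transport-security"), None)
    findings = check_hsts(hsts)
    for k, v in lowered:
        if k == "set-cookie":
            findings.extend(check_cookie(v))
    return findings


def client_tls_context() -> ssl.SSLContext:
    """Outbound TLS: refuse anything older than TLS 1.2 and keep certificate verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


WEAK_RESPONSE = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "pass")
```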

    6. Error Handling

    Check for:

    • Stack traces not exposed in production
    • Generic error messages for users
    • Detailed errors only in logs
    • Sensitive data not in error messages

    // BAD: Exposes internals
    res.status(500).send({ error: err.stack })
    
    // GOOD: Generic message
    res.status(500).send({ error: 'An unexpected error occurred' })
    

    7. File Upload Security

    If file uploads exist:

    • Validate file type server-side (not just extension)
    • Limit file size
    • Scan for malware
    • Store outside webroot
    • Rename uploaded files
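An upload handler that applies these rules, added here as an example and not part of the skill: it enforces a size limit, identifies the content by its leading bytes instead of trusting the name or Content-Type, rejects a mismatch between declared extension and detected type, and writes the file under a random name into a directory that is assumed to sit outside the webroot. The allowed types, the 5 MB limit and the sample byte strings are constructed; the malware scan is marked as a hook rather than implemented.

```python
"""Upload handling illustrating the 'File Upload Security' items (added example, not part of the
skill; the sample files are constructed byte strings)."""
import os
import secrets
import tempfile
from typing import Optional

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit
# Identify content by leading bytes: the client's file name and Content-Type are untrusted.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf"}
EXTENSION_ALIASES = {"jpeg": "jpg"}


class UploadRejected(ValueError):
    pass


def detect_type(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def store_upload(data: bytes, declared_name: str, storage_dir: str) -> str:
    """Validate, then write under a random name and return it. storage_dir is outside the webroot."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    kind = detect_type(data)
    if kind is None:
        raise UploadRejected("content is not an allowed type")
    ext = os.path.splitext(declared_name)[1].lower().lstrip(".")
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext != kind:
        raise UploadRejected(f"extension .{ext} does not match detected content {kind}")
    # Malware scan hook: hand `data` to the scanner here, before anything is written.
    stored_name = f"{secrets.token_hex(16)}.{kind}"  # the client's name never reaches the filesystem
    with open(os.path.join(storage_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


def rejection_reason(data: bytes, declared_name: str, storage_dir: str) -> Optional[str]:
    """None when the upload is accepted, otherwise the rejection message."""
    try:
        store_upload(data, declared_name, storage_dir)
        return None
    except UploadRejected as exc:
        return str(exc)


def new_storage_dir() -> str:
    return tempfile.mkdtemp(prefix="uploads-")


def is_stored(storage_dir: str, name: str) -> bool:
    return os.path.isfile(os.path.join(storage_dir, name))


# Constructed samples: minimal valid headers followed by padding.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + bytes(32)
DISGUISED_HTML = b"<html><script>" + bytes(16)

if __name__ == "__main__":
    d = new_storage_dir()
    print(store_upload(SAMPLE_PNG, "avatar.png", d))
    print(rejection_reason(DISGUISED_HTML, "pic.png", d))
    print(rejection_reason(SAMPLE_JPG, "pic.png", d))
```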

    8. API Security

    • Authentication required on all sensitive endpoints
    • Authorization checks per resource
    • Rate limiting implemented
    • CORS configured restrictively
    • API versioning in place
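A request-handling skeleton that covers both the error-handling items above and the first four API items, added here as an example and not part of the skill: bearer authentication, a per-resource ownership check so a valid session does not grant access to another user's document, a CORS origin allowlist that never reflects unknown origins, and an exception path that logs the full traceback under a reference id while the client only sees a generic message. The `Request`/`Response` types, the session store, the documents and the `d-broken` id that simulates a backend failure are all constructed; rate limiting is left to the throttle shown under Authentication.

```python
"""Request-handling skeleton illustrating the 'Error Handling' and 'API Security' checks
(added example, not part of the skill; the types and data below are constructed)."""
import logging
import traceback
import uuid
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("api")

ALLOWED_ORIGINS = {"https://app.example.com"}  # explicit allowlist; never reflect arbitrary origins
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed session store: token -> user
DOCUMENTS = {"d1": {"owner": "alice", "body": "alice's notes"},
             "d2": {"owner": "bob", "body": "bob's notes"}}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def cors_headers(origin: Optional[str]) -> dict:
    """Echo the origin only when allowlisted; an unknown origin gets no CORS headers at all."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def authenticate(request: Request) -> Optional[str]:
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    return SESSIONS.get(token) if scheme == "Bearer" else None


def load_document(doc_id: str) -> Optional[dict]:
    if doc_id == "d-broken":  # constructed stand-in for a backend fault
        raise RuntimeError("storage backend unavailable: host=db-internal-1")
    return DOCUMENTS.get(doc_id)


def handle(request: Request) -> Response:
    cors = cors_headers(request.headers.get("Origin"))
    user = authenticate(request)
    if user is None:
        return Response(401, {"error": "authentication required"}, cors)
    doc_id = request.path.rpartition("/")[2]
    try:
        doc = load_document(doc_id)
        if doc is None:
            return Response(404, {"error": "not found"}, cors)
        # Authorization per resource: a valid session is not enough, the caller must own the document.
        # (Answering 404 here instead of 403 also hides whether the id exists; either is defensible.)
        if doc["owner"] != user:
            return Response(403, {"error": "forbidden"}, cors)
        return Response(200, {"id": doc_id, "body": doc["body"]}, cors)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        # Full detail, stack trace included, goes to the log only; the client gets a reference id.
        log.error("ref=%s %s\n%s", ref, exc, traceback.format_exc())
        return Response(500, {"error": "An unexpected error occurred", "ref": ref}, cors)


if __name__ == "__main__":
    print(handle(Request("/docs/d1", {"Authorization": "Bearer tok-alice"})))
    print(handle(Request("/docs/d2", {"Authorization": "Bearer tok-alice"})))
    print(handle(Request("/docs/d-broken", {"Authorization": "Bearer tok-bob"})))
```

The reference id is what makes the generic message workable in practice: support can find the logged traceback from the id the user reports, without the internal host name ever leaving the server.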

    Severity Levels

    | Level | Description | Action Required |
    |-------|-------------|-----------------|
    | 🔴 Critical | Actively exploitable | Block deployment |
    | 🟠 High | Exploitable with effort | Fix within 7 days |
    | 🟡 Medium | Requires conditions | Fix within 30 days |
    | 🟢 Low | Minimal impact | Fix when convenient |

    Output Format

    ## Security Audit Results
    
    **Project:** [name]
    **Date:** [date]
    **Auditor:** Claude (automated)
    
    ### Summary
    
    | Severity | Count |
    |----------|-------|
    | 🔴 Critical | 0 |
    | 🟠 High | 1 |
    | 🟡 Medium | 2 |
    | 🟢 Low | 3 |
    
    ### Findings
    
    #### 1. [🟠 High] Hardcoded API Key
    
    **Location:** `src/config.js:15`
    **Description:** API key for payment provider is hardcoded
    **Risk:** If source code is leaked, attackers gain API access
    **Recommendation:** Move to environment variable
    
    ```diff
    - const STRIPE_KEY = 'sk_live_abc123...'
    + const STRIPE_KEY = process.env.STRIPE_SECRET_KEY
    ```
    
    #### 2. [🟡 Medium] Missing Rate Limiting
    
    **Location:** `src/routes/auth.js`
    **Description:** Login endpoint has no rate limiting
    **Risk:** Enables brute force attacks
    **Recommendation:** Add rate limiting middleware
    
    ### Recommendations
    
    1. Fix critical and high issues before next deployment
    2. Schedule medium issues for next sprint
    3. Add low issues to backlog
    4. Re-run audit after fixes
    

    Commands to Run

    After completing the audit, provide the user with:

    1. Summary of findings
    2. Prioritized fix list
    3. Commands to address each issue
    4. Timeline recommendation

    Repository
    thedecipherist/claude-code-mastery