Security Audit Skill

Proactive security assessment covering OWASP Top 10, dependency vulnerabilities, secrets detection, and security best practices.


When to Use

| Trigger | Priority | Description |
|---------|----------|-------------|
| Pre-Production | Critical | Before any production deployment |
| Monthly Review | High | Regular security hygiene |
| Auth Changes | Critical | After adding/modifying authentication |
| External Integration | High | When adding third-party services |
| Dependency Updates | Medium | After major dependency changes |
| Security Incident | Critical | Post-incident review |

Audit Scope

Full Audit

Complete security review across all categories. Time: 2-4 hours.

Focused Audit

Target specific area (e.g., authentication only). Time: 30-60 minutes.

Quick Scan

Automated checks only (dependencies, secrets). Time: 5-10 minutes.


Prerequisites

Before starting audit:

  • Access to codebase and dependencies
  • Access to environment configuration (sanitized)
  • List of external services/APIs used
  • Authentication flow documentation (if exists)
  • Previous audit reports (if available)

Audit Process

Phase 1: OWASP Top 10 Review
Phase 2: Dependency Vulnerability Scan
Phase 3: Secrets Detection
Phase 4: Input Validation Audit
Phase 5: Authentication & Authorization
Phase 6: API Security
Phase 7: Report & Remediation

Phase 1: OWASP Top 10 Review

Quick Reference

| ID | Category | Key Check |
|----|----------|-----------|
| A01 | Broken Access Control | Authorization on all endpoints |
| A02 | Cryptographic Failures | TLS, password hashing, encryption |
| A03 | Injection | Parameterized queries, input escaping |
| A04 | Insecure Design | Defense in depth, trust boundaries |
| A05 | Security Misconfiguration | Headers, defaults, error messages |
| A06 | Vulnerable Components | Dependency scanning |
| A07 | Authentication Failures | Password policy, session security |
| A08 | Data Integrity | Checksums, secure CI/CD |
| A09 | Logging Failures | Security event logging |
| A10 | SSRF | URL validation, network restrictions |

For detailed patterns and examples: See references/process.md

Critical Checks

A01 - Broken Access Control:

- [ ] All endpoints have authorization checks
- [ ] RBAC implemented
- [ ] No direct object reference vulnerabilities
- [ ] Privilege escalation prevented

A02 - Cryptographic Failures:

- [ ] Passwords hashed with bcrypt/argon2 (cost 10+)
- [ ] TLS 1.2+ enforced
- [ ] Sensitive data encrypted at rest
- [ ] Cryptographically random tokens

A03 - Injection:

- [ ] SQL queries use parameterized statements
- [ ] Template engines auto-escape output
- [ ] No shell command execution with user input
- [ ] NoSQL queries sanitized

A05 - Security Misconfiguration:

Required Headers:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Content-Security-Policy: default-src 'self'
- Strict-Transport-Security: max-age=31536000
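
One way to turn the required-headers list into an automated check (an added example, not part of the original skill). It treats the listed values as the minimum policy; `audit_headers` and the sample response are constructed for illustration.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # one year, the value in the checklist
# Checklist headers whose value must match exactly (case-insensitive).
EXACT = {"x-content-type-options": "nosniff", "x-frame-options": "DENY"}


def audit_headers(headers):
    """Return (header, problem) findings for one response's headers."""
    # Header names are case-insensitive, so normalise before comparing.
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXACT.items():
        value = seen.get(name)
        if value is None:
            findings.append((name, "missing"))
        elif value.lower() != expected.lower():
            findings.append((name, f"expected {expected!r}, got {value!r}"))

    csp = seen.get("content-security-policy")
    if csp is None:
        findings.append(("content-security-policy", "missing"))
    else:
        # Split the policy into {directive: [sources]} and inspect default-src.
        directives = {p[0].lower(): p[1:] for p in map(str.split, csp.split(";")) if p}
        sources = directives.get("default-src")
        if sources is None:
            findings.append(("content-security-policy", "no default-src directive"))
        elif "*" in sources or "'unsafe-inline'" in sources:
            findings.append(("content-security-policy", f"permissive default-src: {sources}"))

    hsts = seen.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        findings.append(("strict-transport-security", "missing"))
    elif not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(("strict-transport-security", f"max-age too low: {hsts!r}"))
    return findings


# Constructed sample response headers (not captured from a real service).
BAD = {
    "x-content-type-options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src *",
    "Strict-Transport-Security": "max-age=300",
}
```
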

Phase 2: Dependency Vulnerability Scan

Run Audit Commands

# Node.js
npm audit
npm audit --audit-level=moderate

# Python
pip-audit
# Or: safety check --json > audit-report.json

# Go
govulncheck ./...

# Rust
cargo audit

# Ruby
bundle audit check

Severity Response

| Severity | Action | Timeline |
|----------|--------|----------|
| Critical | Immediate fix or remove | Hours |
| High | Fix in current sprint | Days |
| Moderate | Schedule fix | Weeks |
| Low | Track for update | Next release |

Phase 3: Secrets Detection

Automated Scanning

# Using gitleaks (recommended)
gitleaks detect --source . --verbose

# Using git-secrets
git secrets --scan
git secrets --scan-history

# Using truffleHog
trufflehog filesystem .

Common Secret Patterns

| Pattern | Example | Risk |
|---------|---------|------|
| API Keys | sk_live_, AKIA | High |
| Passwords | password=, passwd | Critical |
| Tokens | token=, bearer | High |
| Private Keys | -----BEGIN RSA | Critical |
| AWS Credentials | aws_access_key_id | Critical |
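
The pattern table above expressed as a small line scanner (an added example, not part of the original skill and not a substitute for gitleaks or truffleHog). The regexes, the placeholder filter and the sample file are simplified assumptions constructed for illustration; the labels and risk levels come from the table.

```python
import re

# label, risk (both from the table above), pattern. The patterns are this
# example's simplified assumptions, far narrower than a real scanner's rules.
RULES = [
    ("API Keys", "High", r"\b(?P<v>sk_live_[0-9A-Za-z]{16,}|AKIA[0-9A-Z]{16})\b"),
    ("Passwords", "Critical", r"(?i)\b(?:password|passwd)\s*[=:]\s*[\"']?(?P<v>[^\s\"']+)"),
    ("Tokens", "High", r"(?i)\b(?:token\s*[=:]\s*[\"']?|bearer\s+)(?P<v>[\w.\-]{16,})"),
    ("Private Keys", "Critical", r"(?P<v>-----BEGIN RSA PRIVATE KEY-----)"),
    ("AWS Credentials", "Critical", r"(?i)\baws_access_key_id\s*[=:]\s*(?P<v>\S+)"),
]
COMPILED = [(label, risk, re.compile(p)) for label, risk, p in RULES]
# Values that point at an env var or secret store instead of holding a secret.
PLACEHOLDER = re.compile(r"^(?:\$|<|os\.environ|process\.env)")
RANK = {"Critical": 0, "High": 1}


def scan(text):
    """Return findings as (line_no, label, risk, redacted_value), worst first."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, risk, pattern in COMPILED:
            m = pattern.search(line)
            if not m or PLACEHOLDER.match(m.group("v")):
                continue
            # Never copy the secret into the report: keep a short prefix only.
            findings.append((line_no, label, risk, m.group("v")[:4] + "****"))
    return sorted(findings, key=lambda f: (RANK[f[2]], f[0]))


# Constructed sample file; none of these values is a real credential.
SAMPLE = """\
DB_HOST=db.internal.example
password = "constructed-example-pw"
password = ${DB_PASSWORD}
stripe_key = sk_live_CONSTRUCTEDexample0000
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
Authorization: Bearer constructed.token.value-0001
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Line 3 of the sample is skipped because its value is an environment-variable reference, and line 5 is reported twice because it matches both the API key and AWS credential rules.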

Environment Variables

Checklist:
- [ ] All secrets in environment variables (not code)
- [ ] .env files in .gitignore
- [ ] No .env files in git history
- [ ] Secure defaults for all variables

Phase 4: Input Validation Audit

Input Sources by Risk

| Source | Examples | Risk |
|--------|----------|------|
| File uploads | Images, documents | Critical |
| Request body | JSON, form data | High |
| URL parameters | /users/:id | High |
| Query strings | ?search=term | High |
| Headers | Custom headers | Medium |
| Cookies | Session cookies | Medium |

Validation Checklist

For each input:

  • Schema validation (Zod, Pydantic, etc.)
  • Type checking enforced
  • Length/size limits
  • Format validation (email, URL)
  • Allowlist when possible
  • Sanitized for output context

File Upload Requirements

- [ ] Magic bytes validation (not just extension)
- [ ] Size limits enforced
- [ ] Virus/malware scanning
- [ ] Storage outside web root
- [ ] Randomized filenames
- [ ] No executable permissions
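
A sketch of an upload handler that applies the magic-bytes, size, randomized-filename and no-executable-permission items above (an added example, not part of the original skill). The size limit, the three accepted types and the function names are assumptions; the caller is assumed to pass an `upload_dir` outside the web root, and malware scanning is not covered.

```python
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024  # assumed limit for this example
# Leading "magic bytes" for the types this example accepts (allowlist).
SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
ALIASES = {".jpeg": ".jpg"}


def sniff(data):
    """Return the extension whose signature matches the content, or None."""
    for ext, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def accept_upload(client_name, data, upload_dir):
    """Validate one upload and store it; return the path or raise ValueError."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    claimed = os.path.splitext(client_name)[1].lower()
    claimed = ALIASES.get(claimed, claimed)
    actual = sniff(data)
    if actual is None:
        raise ValueError("content type not on the allowlist")
    if claimed != actual:
        raise ValueError(f"extension {claimed!r} does not match content {actual!r}")
    # Randomized name: the client-supplied name never reaches the filesystem,
    # which also rules out path traversal through it.
    path = os.path.join(upload_dir, secrets.token_hex(16) + actual)
    # O_EXCL refuses to overwrite; mode 0o600 sets no executable bits.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```
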

Phase 5: Authentication & Authorization

Password Security

- [ ] Min length: 12+ characters
- [ ] Bcrypt (cost 10+) or argon2
- [ ] No passwords in logs/errors
- [ ] Rate limiting on login
- [ ] Account lockout policy

Session Security

- [ ] HttpOnly cookie flag
- [ ] Secure cookie flag (HTTPS)
- [ ] SameSite attribute
- [ ] Session timeout
- [ ] Invalidation on logout
- [ ] Regenerate on privilege change

Authorization

- [ ] Check on every endpoint
- [ ] RBAC implemented
- [ ] Least privilege
- [ ] Deny by default
- [ ] Server-side validation

Token Security (JWT/OAuth)

- [ ] Strong algorithm (RS256, ES256)
- [ ] Token expiration
- [ ] Refresh mechanism
- [ ] Revocation capability
- [ ] No sensitive data in payload

Phase 6: API Security

Rate Limiting

- [ ] Enabled on all endpoints
- [ ] Stricter on auth endpoints
- [ ] Per-user and per-IP
- [ ] Graduated response

CORS

// Secure configuration
{
  origin: ['https://app.example.com'],  // Not '*'
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE']
}

Error Handling

- [ ] Generic messages to clients
- [ ] Details in logs only
- [ ] No stack traces in production
- [ ] Consistent format

Phase 7: Report & Remediation

Report Template

# Security Audit Report

**Date**: YYYY-MM-DD
**Auditor**: [Name]
**Scope**: [Full/Focused/Quick]
**Duration**: [Hours]

## Executive Summary

| Severity | Count | Status |
|----------|-------|--------|
| Critical | N | [Status] |
| High | N | [Status] |
| Medium | N | [Status] |
| Low | N | [Status] |

**Overall Risk**: [Low/Medium/High/Critical]

## Findings

### [Severity]: [Issue Title]
**Location**: [File:Line]
**Description**: [Brief description]
**Impact**: [Potential impact]
**Remediation**: [How to fix]
**Timeline**: [When to fix]

## Recommendations

1. [Recommendation 1]
2. [Recommendation 2]

## Tools Used

- [Tool 1]
- [Tool 2]

Priority Matrix

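| Finding | Severity | Effort | Priority |
|---------|----------|--------|----------|
| SQL Injection | Critical | Low | Immediate |
| Missing Auth | High | Medium | Sprint 1 |
| Weak Hash | High | Low | Sprint 1 |
| Missing Headers | Medium | Low | Sprint 2 |
| Old Dependency | Low | Low | Backlog |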

Follow-up

  • Create tickets for findings
  • Schedule remediation
  • Plan re-audit
  • Update documentation
  • Brief team

Quick Scan Commands

# Node.js
npm audit && gitleaks detect

# Python
pip-audit && gitleaks detect

# Go
govulncheck ./... && gitleaks detect

# Rust
cargo audit && gitleaks detect

Summary Checklist

OWASP Top 10

  • A01: Broken Access Control
  • A02: Cryptographic Failures
  • A03: Injection
  • A04: Insecure Design
  • A05: Security Misconfiguration
  • A06: Vulnerable Components
  • A07: Authentication Failures
  • A08: Data Integrity Failures
  • A09: Logging Failures
  • A10: SSRF

Core Security

  • Dependencies scanned
  • Secrets detection run
  • Input validation checked
  • Auth/authz reviewed
  • API security validated
  • Security headers set

Additional Resources

Extended Content:

  • references/process.md - Detailed vulnerability patterns, code examples, language-specific guidance

Related Workflows:

  • code-review.md - Includes security checks
  • dependency-update.md - Safe dependency updates
  • troubleshooting.md - Security incident response

Remember: Security is continuous. Integrate automated scanning into CI/CD, conduct regular reviews, and maintain security-first development practices.

Repository
ar4mirez/samuel
First Seen
Feb 20, 2026