# Security Audit Skill

Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.

## When to Use This Skill

- User mentions "security", "audit", "vulnerability", "CVE"
- Before deployment commands
- During PR reviews
- User asks about dependencies
- Periodic security checks

## Audit Checklist

### 1. Secrets Exposure

Check for hardcoded secrets:

```bash
# Search for common secret names and key prefixes in source files.
# grep's --include takes one glob per flag: it does not expand "*.{js,ts}" itself,
# so a quoted brace set matches nothing. Spell the extensions out instead.
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" \
  --include='*.js' --include='*.ts' --include='*.py' --include='*.go' --include='*.rb' --include='*.java' \
  --exclude-dir=node_modules --exclude-dir=.git .
grep -rn "sk-\|pk_\|api_\|secret_" \
  --include='*.js' --include='*.ts' --include='*.py' --include='*.go' --include='*.rb' --include='*.java' \
  --exclude-dir=node_modules --exclude-dir=.git .
```

Verify .gitignore:

```bash
# Ensure sensitive files are ignored
grep -E "\.env|secret|credential|\.pem|\.key" .gitignore
```

Check git history for leaked secrets:

```bash
# Search recent commits for a term; this needs only git. For a full-history scan
# of secret patterns, use a dedicated tool such as git-secrets or truffleHog.
git log -p --all -S "API_KEY" --since="30 days ago"
```

✅ Pass criteria:

- No hardcoded API keys, tokens, or passwords
- .env files in .gitignore
- No secrets in git history
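The grep and .gitignore checks above, as an added example in Python (not part of the skill): the same secret-name and key-prefix searches, but returning structured findings with the value masked, skipping lines that read the value from the environment, and reporting which required .gitignore entries are absent. The sample files, the key values in them and the `sk_`/`pk_` prefix variants are assumptions constructed for this example.

```python
"""Added example (not part of the skill): a structured secret scan over constructed source files."""
import re
from dataclasses import dataclass

# Secret-looking assignments: a variable whose name contains API_KEY/SECRET/TOKEN/PASSWORD
# assigned a quoted literal of at least 8 characters (shorter literals are usually placeholders).
ASSIGNMENT = re.compile(
    r"(?:API_KEY|SECRET|TOKEN|PASSWORD)\w*\s*[:=]\s*['\"](?P<secret>[^'\"]{8,})['\"]",
    re.IGNORECASE,
)
# Quoted literals carrying a known key prefix. The sk_/pk_ variants are an assumption added
# here so that "sk_live_..." style keys are caught as well as "sk-" keys.
PREFIXED_KEY = re.compile(r"['\"](?P<secret>(?:sk[-_]|pk[-_]|api_|secret_)[A-Za-z0-9_\-]{8,})['\"]")
# A line that reads the value from the environment is the recommended fix, not a finding.
ENV_LOOKUP = re.compile(r"process\.env|os\.environ|getenv\(")

REQUIRED_IGNORES = [".env", "*.pem", "*.key"]


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    masked_value: str


def _mask(secret: str) -> str:
    """Keep a short prefix so the finding can be located without echoing the full value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_source(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue
        for kind, pattern in (("assignment", ASSIGNMENT), ("prefixed-key", PREFIXED_KEY)):
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, lineno, kind, _mask(match.group("secret"))))
                break
    return findings


def missing_ignores(gitignore_text: str) -> list[str]:
    """Return the REQUIRED_IGNORES patterns that do not appear verbatim in .gitignore."""
    entries = {ln.strip() for ln in gitignore_text.splitlines() if ln.strip() and not ln.startswith("#")}
    return [pattern for pattern in REQUIRED_IGNORES if pattern not in entries]


def audit_secrets(files: dict[str, str], gitignore_text: str) -> dict:
    """Apply the pass criteria: no findings and every required ignore entry present."""
    findings = [f for path, text in files.items() for f in scan_source(path, text)]
    missing = missing_ignores(gitignore_text)
    return {"findings": findings, "missing_ignores": missing, "passed": not findings and not missing}


# Constructed sample input; the key values are made up for this example.
SAMPLE_FILES = {
    "src/config.js": (
        "const STRIPE_KEY = 'sk_live_EXAMPLE0123456789';\n"
        "const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;\n"
    ),
    "app/settings.py": (
        "DATABASE_PASSWORD = 'correct-horse-battery'\n"
        "TOKEN_TTL_SECONDS = 3600\n"
    ),
}
SAMPLE_GITIGNORE = "# deps\nnode_modules/\n.env\n"

if __name__ == "__main__":
    report = audit_secrets(SAMPLE_FILES, SAMPLE_GITIGNORE)
    for f in report["findings"]:
        print(f"{f.path}:{f.line} [{f.kind}] {f.masked_value}")
    print("missing .gitignore entries:", report["missing_ignores"])
    print("PASS" if report["passed"] else "FAIL")
```

Running it reports the two hardcoded literals and the two missing ignore patterns, and fails the audit; the `process.env` line is deliberately not reported, because that is the fix the checklist recommends.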

### 2. Dependency Vulnerabilities

Node.js:

```bash
npm audit
# or
yarn audit
# or
pnpm audit
```

Python:

```bash
pip-audit
# or
safety check
```

Go:

```bash
govulncheck ./...
```

Rust:

```bash
cargo audit
```

✅ Pass criteria:

- No critical vulnerabilities
- No high vulnerabilities > 30 days old
- Dependencies updated within last 90 days

### 3. Input Validation

Check for:

- User inputs sanitized before use
- SQL queries use parameterized statements
- File paths validated and sandboxed
- HTML content escaped before rendering
- Command injection prevention

Common vulnerable patterns:

```javascript
// BAD: SQL injection (the untrusted id is spliced into the statement text)
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// GOOD: Parameterized query (the driver sends the value separately from the SQL)
db.query('SELECT * FROM users WHERE id = ?', [userId])
```

```python
import os
import subprocess

# BAD: Command injection (user_file is interpolated into a shell command line)
os.system(f"convert {user_file}")

# GOOD: argument list, no shell; user_file reaches convert as a single argv entry.
# The file name itself still needs validating (see the file path check above).
subprocess.run(["convert", user_file], check=True)
```
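The "file paths validated and sandboxed" item has no snippet above, so here is an added example (not the skill's own code) that confines a user-supplied file name to an upload directory before building the `convert` argument list shown above. It rejects absolute paths, `..` traversal and symlinks that escape the base by comparing the fully resolved candidate against the resolved base directory. The function names, the `/srv/uploads` base directory and the file names are assumptions made for this example.

```python
"""Added example (not from the skill): sandboxing user-supplied paths before a subprocess call."""
import re
import subprocess
from pathlib import Path

# Conservative allow-list for the user-controlled part of the path. Besides blocking a leading
# "/" or "-", it keeps out characters that ImageMagick treats specially in file arguments.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would leave the sandbox directory."""


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Return the absolute path for user_path, guaranteed to lie inside base_dir.

    Checks, in order: allowed characters, then whether the *resolved* candidate (symlinks and
    ".." collapsed) is still underneath the resolved base, then that it is not the base itself.
    """
    if not SAFE_NAME.fullmatch(user_path):
        raise UnsafePathError(f"disallowed characters in {user_path!r}")
    base = Path(base_dir).resolve()
    # Path joining would drop base for an absolute user_path; SAFE_NAME already forbids that.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"{user_path!r} resolves outside {base}") from None
    if candidate == base:
        raise UnsafePathError("path must name an entry inside the directory, not the directory itself")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_within, convenient for logging rejected names."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


def build_convert_argv(base_dir: str, user_file: str, output_name: str) -> list[str]:
    """Sandbox both names, then build a list so no shell ever parses the file names."""
    src = resolve_within(base_dir, user_file)
    dst = resolve_within(base_dir, output_name)
    return ["convert", str(src), str(dst)]


def run_convert(base_dir: str, user_file: str, output_name: str) -> None:
    # check=True turns a non-zero exit into an exception instead of a silently missing output
    subprocess.run(build_convert_argv(base_dir, user_file, output_name), check=True, timeout=60)


if __name__ == "__main__":
    base = "/srv/uploads"  # assumed upload root for this example
    for name in ["photos/cat.png", "photos/../x", "../../etc/passwd", "/etc/passwd",
                 "photos/../../x", "a|b", "-flag.png"]:
        print(f"{name!r:20} confined={is_confined(base, name)}")
```

Note that `photos/../x` is accepted because it resolves to a location still inside the base; the decision is made on the resolved path, not on whether the string contains `..`.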

### 4. Authentication & Authorization

Check for:

- Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
- Session tokens are cryptographically random
- Sessions expire appropriately
- CSRF protection on state-changing endpoints
- Rate limiting on auth endpoints
- Account lockout after failed attempts

Look for:

```javascript
// BAD: Weak hashing (fast, unsalted digest that is cheap to brute-force offline)
crypto.createHash('md5').update(password).digest('hex')

// GOOD: bcrypt with a work factor of 12 (salted and deliberately slow); hash() returns a Promise
const hash = await bcrypt.hash(password, 12)
```
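An added example, in Python and not the skill's own code, covering three of the items above together: a slow, salted password hash with constant-time verification, a cryptographically random session token, and lockout after repeated failures. The checklist names bcrypt/argon2, which need third-party packages; this example uses `hashlib.scrypt` from the standard library as a stand-in memory-hard KDF. The stored-hash format, the cost parameters and the `LoginThrottle` class are assumptions made for this example.

```python
"""Added example (not from the skill): password hashing, session tokens and login lockout."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32  # about 16 MiB of memory per hash


def hash_password(password: str) -> str:
    """Return a self-describing string: algorithm, cost, base64 salt, base64 digest."""
    salt = secrets.token_bytes(16)  # fresh per-user salt from the OS CSPRNG
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt${}${}${}".format(
        SCRYPT_N, base64.b64encode(salt).decode(), base64.b64encode(digest).decode()
    )


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def new_session_token() -> str:
    # 32 random bytes from the OS CSPRNG, URL-safe base64; never time- or counter-derived
    return secrets.token_urlsafe(32)


class LoginThrottle:
    """Lock an account for `lockout` seconds after `max_failures` failures within `window` seconds.

    Timestamps can be passed explicitly (default time.monotonic()) so the policy is testable
    without sleeping. State is in-process; a deployment would keep it in a shared store.
    """

    def __init__(self, max_failures: int = 5, window: float = 300.0, lockout: float = 900.0):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures: dict[str, list[float]] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account] = []

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str, stored_hash: str,
                  now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Return ("locked" | "denied" | "ok", session_token_or_None)."""
    if throttle.is_locked(account, now):
        return "locked", None  # refuse even a correct password while locked
    if not verify_password(password, stored_hash):
        throttle.record_failure(account, now)
        return "denied", None
    throttle.record_success(account)
    return "ok", new_session_token()


if __name__ == "__main__":
    stored = hash_password("hunter2-example")  # constructed sample password
    throttle = LoginThrottle(max_failures=3)
    for attempt in ["wrong", "wrong", "wrong", "hunter2-example"]:
        print(attempt_login(throttle, "alice", attempt, stored))
```

The stand-alone run shows three denials followed by "locked" for the correct password, which is the intended behaviour: once locked, the response no longer reveals whether the password was right.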

### 5. HTTPS & Transport Security

Check for:

- HTTPS enforced (HSTS header)
- Secure cookie flags (Secure, HttpOnly, SameSite)
- No mixed content warnings
- TLS 1.2+ required
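An added example (not from the skill) that turns the first three items into a check over a captured response: it flags a missing or short-lived HSTS header, `Set-Cookie` values lacking `Secure`, `HttpOnly` or `SameSite`, and `http://` sub-resources in the HTML body. The sample headers and HTML are constructed for this example; the TLS version is a property of the connection and is not visible in headers, so it is not checked here.

```python
"""Added example (not from the skill): transport-security checks on a captured HTTP response."""
import re
from typing import Optional

ONE_YEAR = 31536000  # common minimum max-age for an HSTS policy
MIXED_CONTENT = re.compile(
    r"""<(?:script|img|link|iframe)\b[^>]*\b(?:src|href)=["'](http://[^"']+)["']""",
    re.IGNORECASE,
)


def _hsts_max_age(value: str) -> Optional[int]:
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        raw = raw.strip().strip('"')
        if name.lower() == "max-age" and raw.isdigit():
            return int(raw)
    return None


def audit_response_headers(headers: list) -> list:
    """Return human-readable issues for a list of (name, value) pairs; empty means pass."""
    issues = []
    lower = [(name.lower(), value) for name, value in headers]
    hsts = [value for name, value in lower if name == "strict-transport-security"]
    if not hsts:
        issues.append("missing Strict-Transport-Security header")
    else:
        max_age = _hsts_max_age(hsts[0])
        if max_age is None or max_age < ONE_YEAR:
            issues.append(f"Strict-Transport-Security max-age too short ({max_age})")
    for name, value in lower:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ";"; compare names case-insensitively, values ignored
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                issues.append(f"cookie {cookie_name!r} lacks {flag}")
    return issues


def find_mixed_content(html: str) -> list:
    """List http:// URLs loaded by script/img/link/iframe tags (mixed content on an HTTPS page)."""
    return MIXED_CONTENT.findall(html)


# Constructed sample response: no HSTS, one cookie missing two flags, one script over http
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
SAMPLE_HTML = (
    '<html><script src="http://cdn.example.test/app.js"></script>'
    '<img src="https://img.example.test/a.png"></html>'
)

if __name__ == "__main__":
    for issue in audit_response_headers(SAMPLE_HEADERS):
        print("header issue:", issue)
    for url in find_mixed_content(SAMPLE_HTML):
        print("mixed content:", url)
```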

### 6. Error Handling

Check for:

- Stack traces not exposed in production
- Generic error messages for users
- Detailed errors only in logs
- Sensitive data not in error messages

```javascript
// BAD: Exposes internals (file paths, framework versions, sometimes query text) to the client
res.status(500).send({ error: err.stack })

// GOOD: Generic message for the client; the full error belongs in the server log only
res.status(500).send({ error: 'An unexpected error occurred' })
```

### 7. File Upload Security

If file uploads exist:

- Validate file type server-side (not just extension)
- Limit file size
- Scan for malware
- Store outside webroot
- Rename uploaded files
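An added example (not from the skill) implementing the validation steps above as one function: the content's magic bytes are checked against an allow-list rather than trusting the client's extension or Content-Type, a size limit is enforced, the claimed extension must agree with the detected type, and the file gets a random storage name under a directory outside the web root. The allow-list, the limits, the directory and the sample byte strings are assumptions made for this example; malware scanning is left to an external scanner.

```python
"""Added example (not from the skill): server-side upload validation and renaming."""
import secrets
from typing import Optional, Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example

# Magic-byte prefixes for the types this service accepts, with their canonical extension.
ALLOWED_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
]
EXTENSION_ALIASES = {"jpeg": "jpg"}


def detect_type(data: bytes) -> Optional[str]:
    """Identify the type from the leading bytes; None when no allowed signature matches."""
    for signature, ext in ALLOWED_SIGNATURES:
        if data.startswith(signature):
            return ext
    return None


def validate_upload(data: bytes, claimed_name: str) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, storage_name); storage_name is None when rejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, f"file exceeds {MAX_UPLOAD_BYTES} bytes", None
    detected = detect_type(data)
    if detected is None:
        return False, "content does not match any allowed type", None
    claimed_ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    claimed_ext = EXTENSION_ALIASES.get(claimed_ext, claimed_ext)
    if claimed_ext != detected:
        return False, f"extension {claimed_ext!r} does not match detected type {detected!r}", None
    # Never reuse the client's name: a random token avoids traversal, collisions and
    # attacker-chosen extensions; keep the original name in a database column if needed.
    return True, "ok", f"{secrets.token_hex(16)}.{detected}"


def storage_path(upload_root: str, storage_name: str) -> str:
    """Join with a directory outside the web root (the root itself is an assumption here)."""
    return f"{upload_root.rstrip('/')}/{storage_name}"


# Constructed sample payloads: a leading signature is enough for the magic-byte check
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
HTML_SAMPLE = b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    for data, name in [(PNG_SAMPLE, "avatar.png"), (HTML_SAMPLE, "page.png"), (PNG_SAMPLE, "page.php")]:
        accepted, reason, stored = validate_upload(data, name)
        where = storage_path("/var/app/uploads", stored) if accepted else "-"
        print(f"{name:12} accepted={accepted!s:5} reason={reason!r} stored={where}")
```

Magic-byte detection is necessary but not sufficient: a valid image can still carry content that a browser would execute if the file were ever served as HTML, which is why the stored file keeps a server-chosen extension and lives outside the web root.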

### 8. API Security

- Authentication required on all sensitive endpoints
- Authorization checks per resource
- Rate limiting implemented
- CORS configured restrictively
- API versioning in place

## Severity Levels

| Level | Description | Action Required |
|-------|-------------|-----------------|
| 🔴 Critical | Actively exploitable | Block deployment |
| 🟠 High | Exploitable with effort | Fix within 7 days |
| 🟡 Medium | Requires conditions | Fix within 30 days |
| 🟢 Low | Minimal impact | Fix when convenient |

## Output Format

````markdown
## Security Audit Results

**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)

### Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |

### Findings

#### 1. [🟠 High] Hardcoded API Key

**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable

```diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY
```

#### 2. [🟡 Medium] Missing Rate Limiting

**Location:** `src/routes/auth.js`
**Description:** Login endpoint has no rate limiting
**Risk:** Enables brute force attacks
**Recommendation:** Add rate limiting middleware

### Recommendations

1. Fix critical and high issues before next deployment
2. Schedule medium issues for next sprint
3. Add low issues to backlog
4. Re-run audit after fixes
````

## Commands to Run

After completing the audit, provide the user with:

1. Summary of findings
2. Prioritized fix list
3. Commands to address each issue
4. Timeline recommendation