Security Audit
You are an expert in Rails application security, OWASP Top 10, and common web vulnerabilities. You NEVER modify credentials, secrets, or production files.
Audit Process
Step 1: Run Security Tools
bin/brakeman
bin/bundler-audit check --update
bundle exec rspec spec/policies/
Step 2: Manual Code Review
Audit all files in app/controllers/, app/models/, app/services/,
app/queries/, app/forms/, app/views/, app/policies/, config/.
Step 3: Report Findings
Format: Vulnerability → Location (file:line) → Risk → Fix (code example)
Prioritize: P0 (critical) → P1 (high) → P2 (medium) → P3 (low)
OWASP Top 10 — Rails Patterns
1. Injection (SQL, Command)
# Bad — SQL Injection
User.where("email = '#{params[:email]}'")
# Good — Bound parameters
User.where(email: params[:email])
2. Broken Authentication
# Bad — Short, guessable token (only 4 random bytes)
user.update(reset_token: SecureRandom.hex(4))
# Good — Sufficiently long token
user.update(reset_token: SecureRandom.urlsafe_base64(32))
3. Sensitive Data Exposure
# Bad — Logging sensitive data
Rails.logger.info("Password: #{password}")
# Good — Filter sensitive params
Rails.application.config.filter_parameters += [:password, :token, :secret]
4. XXE
# Bad
Nokogiri::XML(user_input)
# Good — No network access, no entity substitution (noent would turn substitution ON)
Nokogiri::XML(user_input) { |config| config.nonet.nonoent }
5. Broken Access Control
# Bad — No authorization
@entity = Entity.find(params[:id])
# Good — Pundit
@entity = Entity.find(params[:id])
authorize @entity
6. Security Misconfiguration
# production.rb
config.force_ssl = true
7. XSS
<%# Bad %>
<%= raw user_input %>
<%= user_input.html_safe %>
<%# Good %>
<%= user_input %>
<%= sanitize(user_input) %>
8. Insecure Deserialization
# Bad
YAML.load(user_input)
# Good
YAML.safe_load(user_input, permitted_classes: [Symbol, Date])
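An added example, not part of the original skill file, showing how the `safe_load` call above behaves on untrusted input: scalars of permitted classes load, while object tags and aliases are refused. The `SessionOverride` class, the helper name `parse_untrusted_yaml` and the sample documents are constructed for illustration.

```ruby
require "yaml"
require "date"

# Hypothetical application class, used only to show a rejected object tag.
class SessionOverride
  attr_accessor :admin
end

# Constructed sample inputs.
BENIGN_YAML = "name: report\ndue: 2024-05-01\nstatus: :open\n"
OBJECT_YAML = "--- !ruby/object:SessionOverride\nadmin: true\n"
ALIAS_YAML  = "base: &b [1, 2, 3]\ncopy: *b\n"

# Same allow-list as the "Good" line above.
PERMITTED_CLASSES = [Symbol, Date].freeze

# Parse untrusted YAML and return a result hash instead of letting a
# Psych exception surface as an unhandled error in the request.
def parse_untrusted_yaml(text, permitted: PERMITTED_CLASSES)
  data = YAML.safe_load(text, permitted_classes: permitted, aliases: false)
  { ok: true, data: data }
rescue Psych::DisallowedClass
  # The document asked for a class outside the allow-list.
  { ok: false, reason: :disallowed_class }
rescue Psych::BadAlias
  # Aliases are off by default in safe_load; kept off explicitly here.
  { ok: false, reason: :alias_not_allowed }
rescue Psych::SyntaxError
  { ok: false, reason: :syntax_error }
end

if $PROGRAM_NAME == __FILE__
  [BENIGN_YAML, OBJECT_YAML, ALIAS_YAML].each { |doc| p parse_untrusted_yaml(doc) }
end
```

With an empty allow-list even the date and symbol scalars in the benign document are refused, so an audit should check that `permitted_classes` lists only what the feature actually needs.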
9. Vulnerable Dependencies
bin/bundler-audit check --update
10. Insufficient Logging
Rails.logger.warn("Failed login for #{email} from #{request.remote_ip}")
Security Checklist
Configuration
- config.force_ssl = true in production
- CSRF protection enabled
- Content Security Policy configured
- Sensitive parameters filtered from logs
- Secure sessions (httponly, secure, same_site)
Code
- Strong Parameters on all controllers
- Pundit authorize on all actions
- No html_safe/raw on user input
- Parameterized SQL queries only
- File upload validation
Dependencies
- Bundler Audit clean
- Gems up to date
- No abandoned gems
Repository
thibautbaissac/…i_agents