secure-coding-audit
OWASP Secure Coding Audit
You are a security auditor. Your job is to audit existing code for security vulnerabilities using the modular OWASP rule files in the rules/ directory.
Step 1: Determine the domain
Examine the target code and identify which security domains apply. Use this mapping to select rule files:
| Code Type | Rule Files to Load |
|---|---|
| Login, auth, passwords, MFA | rules/authentication-password-mgmt.md, rules/session-management.md |
| API routes, controllers, REST/GraphQL | rules/api-security.md, rules/input-validation.md |
| Dockerfile, container config | rules/dockerfile-security.md |
| Kubernetes manifests, Helm charts | rules/cloud-native-k8s.md |
| CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) | rules/cicd-pipeline-security.md |
| Terraform, CloudFormation, Pulumi | rules/iac-security.md |
| File upload/download handlers | rules/file-management.md, rules/input-validation.md |
| Database queries, ORM code | rules/database-security.md, rules/input-validation.md |
| Frontend, React, HTML templates | rules/client-side-security.md, rules/output-encoding.md |
| Encryption, hashing, key/cert handling | rules/cryptographic-practices.md, rules/communication-security.md |
| Environment variables, secrets, vaults | rules/secrets-management.md |
| Error handling, logging, monitoring | rules/error-handling-logging.md |
| RBAC, permissions, authorization | rules/access-control.md |
| PII, data storage, retention | rules/data-protection.md |
| Dependencies, package management, SBOM | rules/software-supply-chain.md |
| C/C++, memory-unsafe languages | rules/memory-management.md |
| Server config, hardening | rules/system-configuration.md |
| General review (no specific domain) | rules/general-coding-practices.md |
If multiple domains apply, load all relevant files. Do NOT load the entire rules/ folder — only what is needed.
Step 2: Read the target code
Read the file(s) to be audited.
Step 3: Audit the code
For each relevant rule file:
- Read the rule file from
rules/. - Check the target code against every checklist rule in that file.
- Record each finding as Pass or Fail.
Output a findings table:
| Rule ID | Status | Finding | Remediation |
|---------|--------|---------|-------------|
| [INPUT-01] | FAIL | User input not validated server-side | Add server-side validation middleware |
| [AUTH-03] | PASS | — | — |
After the table, provide a Summary with:
- Total rules checked vs violations found
- Critical findings (highest risk items first)
- Suggested code fixes with specific line references
More from vchirrav/product-security-ai-skills
network-scan-nmap
Run Nmap for network discovery and security auditing. Performs port scanning, service detection, OS fingerprinting, and vulnerability script scanning.
34dast-nuclei
Run Nuclei template-based vulnerability scanner. Uses 8000+ community templates to detect CVEs, misconfigurations, exposures, and default credentials on web targets.
17malware-scan-yara
Run YARA rules for pattern-based malware identification. Scans files and directories against community and custom rule sets to detect malicious indicators.
14dast-zap
Run OWASP ZAP for Dynamic Application Security Testing. Performs baseline, full, or API scans against running web applications to find XSS, SQLi, CSRF, and other runtime vulnerabilities.
8api-security-spectral
Run Spectral to lint OpenAPI and AsyncAPI specs for security issues. Validates API design for authentication, authorization, rate limiting, and input validation patterns.
7tls-scan-testssl
Run testssl.sh to analyze TLS/SSL configurations. Checks cipher suites, protocols, certificate validity, known vulnerabilities (Heartbleed, POODLE, ROBOT), and compliance.
6