| name | description | disable-model-invocation | context | agent |
|---|---|---|---|---|
| security-audit | Run a security audit on current git changes against OWASP Top 10. Checks for injection, auth issues, secrets, and misconfigurations. | true | fork | security-auditor |
# Security Audit

Audit current changes for security vulnerabilities.

## Context

Current git diff:
!`git diff --cached --diff-filter=ACMR`

Unstaged changes:
!`git diff --diff-filter=ACMR`

Changed files:
!`git diff --cached --name-only --diff-filter=ACMR && git diff --name-only --diff-filter=ACMR`

## Steps

- Analyze the diff — identify security-relevant changes (auth, input handling, DB queries, file uploads, API endpoints, secrets)
- Check against OWASP Top 10 2021 + API Top 10 2023:
  - Injection (SQL, NoSQL, Command, XSS)
  - Broken Access Control (IDOR, privilege escalation)
  - Cryptographic Failures (weak algorithms, hardcoded secrets)
  - Insecure Design (business logic flaws, race conditions)
  - Security Misconfiguration (defaults, verbose errors, missing headers)
  - Vulnerable Components (check imports against known CVEs via context7)
  - Auth Failures (session management, JWT issues)
  - SSRF
  - Missing input validation
- False positive check — verify framework mitigations before reporting (ORM, React escaping, CSRF tokens)
- Report format:

```markdown
## Security Audit Report

### Summary
[Secure / Needs Improvement / Critical Issues Found]

### Findings (sorted by severity)
1. [CRITICAL/HIGH/MEDIUM/LOW] Title
   - Location: `file:line`
   - Impact: what can an attacker do
   - Fix: copy-pasteable corrected code
   - Reference: CWE/OWASP ID

### No Issues Found In
- [Areas that were checked and passed]
```
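
The steps above ask for security-relevant added code to be reported with a `file:line` location. As an added example (not part of the original skill file), this Python script parses unified diff text of the kind the `git diff` commands above produce, tracks new-file line numbers through each hunk, and flags added lines that match two rules. The sample diff, the rule patterns and severities, and the names `triage`, `RULES`, `HUNK` and `ORDER` are constructed assumptions.

```python
import re
# Constructed sample of `git diff --cached --diff-filter=ACMR` output (no real repository).
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,2 +10,3 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.test"]
-SECRET_KEY = os.environ["SECRET_KEY"]
+SECRET_KEY = "constructed-placeholder-value"
+DB_URL = os.environ["DB_URL"]
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -41 +41,2 @@ def lookup(request):
     name = request.GET["name"]
+    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
"""

# Illustrative rules and severities (assumptions); hits still need the false-positive check.
RULES = [
    ("HIGH", "Possible hardcoded secret", "CWE-798",
     re.compile(r"(?i)(secret|passw(or)?d|api_?key|token)\w*\s*[:=]\s*[\"'][^\"']+[\"']")),
    ("CRITICAL", "SQL built by string concatenation", "CWE-89",
     re.compile(r"(?i)execute\(\s*[\"'].*[\"']\s*\+")),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

def triage(diff_text):
    """Return (severity, title, 'file:line', reference) per matching added line, worst first."""
    findings, path, new_line, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                       # file headers follow; '+++ ' is a header again
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            new_line, in_hunk = int(m.group(1)), True
        elif in_hunk and line.startswith("+"):
            findings += [(s, t, f"{path}:{new_line}", r) for s, t, r, rx in RULES if rx.search(line[1:])]
            new_line += 1
        elif in_hunk and line.startswith(" "):
            new_line += 1                         # context advances the new-file counter; '-' does not
    return sorted(findings, key=lambda f: ORDER.index(f[0]))

if __name__ == "__main__":
    for n, (sev, title, loc, ref) in enumerate(triage(SAMPLE_DIFF), 1):
        print(f"{n}. [{sev}] {title}\n   - Location: `{loc}`\n   - Reference: {ref}")
```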