59 lines
1.7 KiB
Markdown
59 lines
1.7 KiB
Markdown
---
|
|
name: security-audit
|
|
description: Run a security audit on current git changes against OWASP Top 10. Checks for injection, auth issues, secrets, and misconfigurations.
|
|
disable-model-invocation: true
|
|
context: fork
|
|
agent: security-auditor
|
|
---
|
|
|
|
# Security Audit
|
|
|
|
Audit current changes for security vulnerabilities.
|
|
|
|
## Context
|
|
|
|
Current git diff:
|
|
!`git diff --cached --diff-filter=ACMR`
|
|
|
|
Unstaged changes:
|
|
!`git diff --diff-filter=ACMR`
|
|
|
|
Changed files:
|
|
!`git diff --cached --name-only --diff-filter=ACMR && git diff --name-only --diff-filter=ACMR`
|
|
|
|
## Steps
|
|
|
|
1. **Analyze the diff** — identify security-relevant changes (auth, input handling, DB queries, file uploads, API endpoints, secrets)
|
|
|
|
2. **Check against OWASP Top 10 2021 + API Top 10 2023:**
|
|
- Injection (SQL, NoSQL, Command, XSS)
|
|
- Broken Access Control (IDOR, privilege escalation)
|
|
- Cryptographic Failures (weak algorithms, hardcoded secrets)
|
|
- Insecure Design (business logic flaws, race conditions)
|
|
- Security Misconfiguration (defaults, verbose errors, missing headers)
|
|
- Vulnerable Components (check imports against known CVEs via context7)
|
|
- Auth Failures (session management, JWT issues)
|
|
- SSRF
|
|
- Missing input validation
|
|
|
|
3. **False positive check** — verify framework mitigations before reporting (ORM, React escaping, CSRF tokens)
|
|
|
|
4. **Report format:**
|
|
|
|
```
|
|
## Security Audit Report
|
|
|
|
### Summary
|
|
[Secure / Needs Improvement / Critical Issues Found]
|
|
|
|
### Findings (sorted by severity)
|
|
1. [CRITICAL/HIGH/MEDIUM/LOW] Title
|
|
- Location: `file:line`
|
|
- Impact: what can an attacker do
|
|
- Fix: copy-pasteable corrected code
|
|
- Reference: CWE/OWASP ID
|
|
|
|
### No Issues Found In
|
|
- [Areas that were checked and passed]
|
|
```
|