
security-audit

Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.


npx add-skill https://github.com/TheDecipherist/claude-code-mastery/tree/main/skills/security-audit

SKILL.md

Security Audit Skill

Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.

When to Use This Skill

  • User mentions "security", "audit", "vulnerability", "CVE"
  • Before deployment commands
  • During PR reviews
  • User asks about dependencies
  • Periodic security checks

Audit Checklist

1. Secrets Exposure

Check for hardcoded secrets:

```bash
# Search for common secret patterns. Brace expansion does not happen inside
# quotes, so the extension filter is given as one --include per extension.
includes=(--include='*.js' --include='*.ts' --include='*.py' --include='*.go' --include='*.rb' --include='*.java')
grep -rnE "API_KEY|SECRET|TOKEN|PASSWORD" "${includes[@]}" .
grep -rnE "sk-|pk_|api_|secret_" "${includes[@]}" .
```

Verify .gitignore:

```bash
# Ensure sensitive files are ignored
grep -E "\.env|secret|credential|\.pem|\.key" .gitignore
```

Check git history for leaked secrets:

```bash
# Search all branches for commits that added or removed the string (git's pickaxe
# search); dedicated scanners such as git-secrets or truffleHog cover more patterns
git log -p --all -S "API_KEY" --since="30 days ago"
```

✅ Pass criteria:

  • No hardcoded API keys, tokens, or passwords
  • .env files in .gitignore
  • No secrets in git history

2. Dependency Vulnerabilities

Node.js:

```bash
npm audit
# or
yarn audit
# or
pnpm audit
```

Python:

```bash
pip-audit
# or
safety check
```

Go:

```bash
govulncheck ./...
```

Rust:

```bash
cargo audit
```

✅ Pass criteria:

  • No critical vulnerabilities
  • No high vulnerabilities > 30 days old
  • Dependencies updated within last 90 days

3. Input Validation

Check for:

  • User inputs sanitized before use
  • SQL queries use parameterized statements
  • File paths validated and sandboxed
  • HTML content escaped before rendering
  • Command injection prevention

Common vulnerable patterns:

```javascript
// BAD: SQL injection (user input concatenated into the query text)
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// GOOD: Parameterized query (input is bound as data, never parsed as SQL)
db.query('SELECT * FROM users WHERE id = ?', [userId])
```

```python
import os
import subprocess

# BAD: Command injection (the string is handed to a shell)
os.system(f"convert {user_file}")

# GOOD: Use subprocess with an argument list (no shell; user_file is one argv item)
subprocess.run(["convert", user_file], check=True)
```

4. Authentication & Authorization

Check for:

  • Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
  • Session tokens are cryptographically random
  • Sessions expire appropriately
  • CSRF protection on state-changing endpoints
  • Rate limiting on auth endpoints
  • Account lockout after failed attempts

Look for:

```javascript
const crypto = require('crypto');
const bcrypt = require('bcrypt');

// BAD: Weak hashing (fast, unsalted digest)
crypto.createHash('md5').update(password).digest('hex')

// GOOD: Bcrypt with cost factor 12 (salted and slow; returns a Promise)
bcrypt.hash(password, 12)
```
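An added example, not from the skill, of what "rate limiting on auth endpoints" and "account lockout after failed attempts" look like in code (it also covers the rate-limiting item in section 8): a Python guard with a sliding window per client address and a lockout per account. The thresholds and the injectable clock are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional


class LoginGuard:
    """Sliding-window limit per client address plus lockout per account.

    Constructed defaults: 10 attempts per minute per address, and a 15-minute
    lockout after 5 consecutive failures. State is in-process; a multi-instance
    deployment would keep it in a shared store instead.
    """

    def __init__(self, max_per_window: int = 10, window_s: float = 60.0,
                 lockout_after: int = 5, lockout_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_per_window, self.window_s = max_per_window, window_s
        self.lockout_after, self.lockout_s = lockout_after, lockout_s
        self.clock = clock                      # injectable for deterministic tests
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def check(self, client_ip: str, username: str) -> Optional[str]:
        """Return None if the attempt may proceed, else the refusal reason.

        The reason is for logs and metrics only; the HTTP response should carry
        the same generic message in every case so it does not reveal which
        accounts exist.
        """
        now = self.clock()
        window = self._attempts[client_ip]
        while window and now - window[0] >= self.window_s:
            window.popleft()                    # drop attempts outside the window
        if len(window) >= self.max_per_window:
            return "rate_limited"
        window.append(now)
        if self._locked_until.get(username, 0.0) > now:
            return "account_locked"
        return None

    def record_result(self, username: str, success: bool) -> None:
        """Call after password verification; a success clears the failure count."""
        if success:
            self._failures.pop(username, None)
            self._locked_until.pop(username, None)
            return
        self._failures[username] += 1
        if self._failures[username] >= self.lockout_after:
            self._locked_until[username] = self.clock() + self.lockout_s
            self._failures.pop(username, None)
```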

5. HTTPS & Transport Security

Check for:

  • HTTPS enforced (HSTS header)
  • Secure cookie flags (Secure, HttpOnly, SameSite)
  • No mixed content warnings
  • TLS 1.2+ required
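Added example, not part of the skill: a Python check that evaluates one HTTPS response against this list, flagging a missing HSTS header, cookies without Secure/HttpOnly/SameSite and a TLS version below 1.2. The response headers are constructed; the TLS version string is in the form ssl.SSLSocket.version() returns.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]
FLAG_LABELS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")   # names as returned by ssl.SSLSocket.version()


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute lower-cased: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_transport(headers: List[Header], tls_version: str) -> List[str]:
    """Return findings against checklist section 5 for one HTTPS response.

    headers: (name, value) pairs as received (Set-Cookie may repeat);
    tls_version: the negotiated protocol name. Mixed content is a page-level
    check and is not covered here.
    """
    findings: List[str] = []
    hsts = next((v for n, v in headers if n.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("HSTS header missing")
    elif "max-age=0" in {d.strip().lower() for d in hsts.split(";")}:
        findings.append("HSTS max-age=0 disables the policy")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        for flag, label in FLAG_LABELS.items():
            if flag not in attrs:
                findings.append(f"cookie {name!r} lacks {label}")
        if attrs.get("samesite", "").lower() == "none":
            findings.append(f"cookie {name!r} sets SameSite=None (no CSRF protection)")
    if tls_version not in ACCEPTED_TLS:
        findings.append(f"negotiated {tls_version}; TLS 1.2+ required")
    return findings


# Constructed response: no HSTS, one cookie without Secure/SameSite, one without HttpOnly.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]
```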

6. Error Handling

Check for:

  • Stack traces not exposed in production
  • Generic error messages for users
  • Detailed errors only in logs
  • Sensitive data not in error messages

```javascript
// BAD: Exposes internals
res.status(500).send({ error: err.stack })

// GOOD: Generic message
res.status(500).send({ error: 'An unexpected error occurred' })
```

7. File Upload Security

If file uploads exist:

  • Validate file type server-side (not just extension)
  • Limit file size
  • Scan for malware
  • Store outside webroot
  • Rename uploaded files
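Added example (not the skill's own code) covering "file paths validated and sandboxed" from section 3 together with the upload items above: resolve-then-check containment for user-supplied paths, magic-byte type detection instead of trusting the extension, a size cap, and a random stored name under a directory outside the web root. UPLOAD_ROOT, the size cap and the signature table are constructed settings.

```python
import secrets
from pathlib import Path
from typing import Optional

# Constructed settings: the upload directory sits outside the web root, uploads are
# capped at 5 MiB, and only these content types (identified by magic bytes, not by
# the client's file name) are accepted.
UPLOAD_ROOT = Path("/srv/app/uploads")
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg", b"%PDF-": ".pdf"}


def safe_join(base: Path, user_path: str) -> Path:
    """Resolve user_path beneath base; raise ValueError if it would escape."""
    root = base.resolve()
    # An absolute user_path replaces root in joinpath, and ".." climbs out of it;
    # resolving and then checking the parent chain catches both.
    candidate = root.joinpath(user_path).resolve()
    if root not in candidate.parents:
        raise ValueError(f"path escapes {root}: {user_path!r}")
    return candidate


def sniff_type(data: bytes) -> Optional[str]:
    """Return the extension for a recognised file signature, else None."""
    return next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), None)


def plan_upload(data: bytes, declared_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Validate an upload and return the path it should be written to.

    declared_name is untrusted and used for error messages only; the stored name
    is random, so it carries no path components and cannot overwrite an existing
    file. A malware scan of `data` would slot in before the return.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError(f"{declared_name!r}: exceeds {MAX_UPLOAD_BYTES} bytes")
    ext = sniff_type(data)
    if ext is None:
        raise ValueError(f"{declared_name!r}: unsupported or mismatched file type")
    return safe_join(root, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    print(plan_upload(png, "../photo.png"))   # random name directly under UPLOAD_ROOT
```

The caller writes the bytes to the returned path; serving the file back goes through safe_join again so a stored name from the database can never point outside the root.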

8. API Security

  • Authentication required on all sensitive endpoints
  • Authorization checks per resource
  • Rate limiting implemented
  • CORS configured restrictively
  • API versioning in place

Severity Levels

| Level | Description | Action Required |
|-------|-------------|-----------------|
| 🔴 Critical | Actively exploitable | Block deployment |
| 🟠 High | Exploitable with effort | Fix within 7 days |
| 🟡 Medium | Requires conditions | Fix within 30 days |
| 🟢 Low | Minimal impact | Fix when convenient |

Output Format

````markdown
## Security Audit Results

**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)

### Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |

### Findings

#### 1. [🟠 High] Hardcoded API Key

**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable

```diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY
```

#### 2. [🟡 Medium] Missing Rate Limiting

**Location:** `src/routes/auth.js`
**Description:** Login endpoint has no rate limiting
**Risk:** Enables brute force attacks
**Recommendation:** Add rate limiting middleware

### Recommendations

1. Fix critical and high issues before next deployment
2. Schedule medium issues for next sprint
3. Add low issues to backlog
4. Re-run audit after fixes
````

Commands to Run

After completing the audit, provide the user with:

1. Summary of findings
2. Prioritized fix list
3. Commands to address each issue
4. Timeline recommendation
