Source code security review - find exploitable vulnerabilities in source code. Trigger AGGRESSIVELY when source code is available (open source target, GitHub repo, leaked source, client-side JS, decompiled mobile app).
TYPOGRAPHY RULE: NEVER use em dashes (--) in any output. Use a hyphen (-) or rewrite the sentence.
```bash
# Auto-detect
find . -name "*.py" -o -name "*.js" -o -name "*.ts" -o -name "*.java" -o -name "*.go" -o -name "*.php" -o -name "*.rb" | head -20
cat package.json 2>/dev/null || cat requirements.txt 2>/dev/null || cat go.mod 2>/dev/null || cat pom.xml 2>/dev/null || cat Gemfile 2>/dev/null || cat composer.json 2>/dev/null
```
Gate: Language identified? Go to Phase 1. Can't determine? Read file extensions and imports manually.
Run in parallel. Move to Phase 2 while these complete.
```bash
# Universal
semgrep --config auto --config p/security-audit --json -o semgrep.json .
# Secrets (always run)
semgrep --config p/secrets --json -o secrets.json .
trufflehog git file://. --json > trufflehog.json 2>/dev/null
# Language-specific
bandit -r ./src -f json -o bandit.json   # Python
brakeman -o brakeman.json                # Ruby/Rails
```
Gate: Scanner found Critical/High findings? Jump to Phase 3 for those immediately. Otherwise continue.
Review targets in this priority order. For each, grep for the vulnerable pattern, then trace from source to sink.
```bash
# Find auth middleware, decorators, guards
# -E for alternation with |; one --include per extension, because brace expansion does not happen inside quotes
grep -rnE "login|authenticate|authorize|@login_required|isAuthenticated|requireAuth|checkPermission" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" --include="*.go" --include="*.php" --include="*.rb" .
```
Look for: missing auth checks on sensitive endpoints, role checks that can be bypassed, session handling flaws.
Gate: Found unprotected endpoint? Trace it. Confirm it handles sensitive data. Write finding with curl PoC.
| Language | Vulnerable pattern |
|---|---|
| Python | cursor.execute(f"...{var}..."), execute("..." + var) |
| JS/Node | db.query(`...${var}...`), query("..." + var) |
| Java | stmt.executeQuery("..." + var) |
| Go | db.Query("..." + id), Sprintf into query |
| PHP | mysql_query("..." . $_GET['x']) |
| Ruby | where("name = '#{params}'"), find_by_sql(input) |
Gate: Found string concat/interpolation in a query? Trace the variable back to user input. Reachable? Write finding with SQLi payload.
| Language | Vulnerable pattern |
|---|---|
| Python | os.system(input), subprocess.call(input, shell=True), eval(), exec() |
| JS/Node | exec(input), execSync(input), child_process.spawn("sh", ["-c", input]) |
| Java | Runtime.exec(input) |
| Go | exec.Command("sh", "-c", input) |
| PHP | system(input), exec(input), passthru(input), backtick operator |
| Ruby | system(input), backtick operator, IO.popen(input) |
Gate: User input reaches shell execution? Write finding with command injection PoC.
| Language | Dangerous call |
|---|---|
| Python | pickle.loads(), yaml.load() (without SafeLoader), marshal.loads() |
| JS/Node | node-serialize unserialize(), yaml.load() |
| Java | ObjectInputStream.readObject(), XMLDecoder.readObject() |
| PHP | unserialize($_GET[...]) |
| Ruby | Marshal.load(), YAML.load() |
Gate: Untrusted data reaches deserialization? Write finding. This is usually Critical (RCE).
File access and inclusion: open(), sendFile(), include(), require() with a user-controlled path; include($_GET['page']) - check for LFI/RFI.
Gate: Can read arbitrary files or upload executable content? Write finding.
SSRF: requests.get(user_url), http.Get(user_url), HttpURLConnection(user_url) without URL validation.
Gate: Can reach internal services or cloud metadata? Write finding.
Template injection: render_template_string(input), Template(input).render(); ${input} in JSP, #{input} in JSF, SpEL injection; ERB.new(input).result.
Gate: User input rendered as template code? Write finding. Usually leads to RCE.
Misconfiguration and framework-specific: debug=True in production, DEBUG=True, exposed admin panel; render file: with user input; exposed /actuator/env, /actuator/heapdump; extract() from user input, type juggling with == instead of ===.

For EACH finding from Phase 1 or Phase 2:
Gate:
```bash
# API keys (-E needed: the {n} interval counts are literal in grep's default basic regex)
grep -rnE "AKIA[0-9A-Z]{16}" .             # AWS Access Key
grep -rnE "AIza[0-9A-Za-z_-]{35}" .        # Google API Key
grep -rnE "sk_live_[0-9a-zA-Z]{24}" .      # Stripe Secret Key
grep -rnE "ghp_[a-zA-Z0-9]{36}" .          # GitHub Token
grep -rnE "glpat-[a-zA-Z0-9-]{20}" .       # GitLab Token
# Passwords and connection strings
grep -rnE "password\s*=\s*['\"]" .
grep -rnE "mongodb://.*:.*@|postgres://.*:.*@|mysql://.*:.*@" .
# Private keys
grep -rn "BEGIN.*PRIVATE KEY" .
# JWTs (may contain secrets in payload)
grep -rnE "eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\." .
```
Gate: Found a secret? Verify it is still active (try to use it). Active production secret? Report immediately.
Every finding needs ALL of these: