Audits API authentication, CORS, rate limiting, secrets exposure, input validation, prompt injection, and dependency vulnerabilities for FastAPI, Express, Next.js, Django, and Flask backends. Use when reviewing backend code, before deployment, when backend/ or server/ files change, or when user mentions security, production readiness, or vulnerability scanning.
Comprehensive security audit skill for AI-assisted codebases. Converts every checklist item into a scan-and-verify directive — no guessing, no skipping.
Run:
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" --include="*.env" --include="*.json" \
-E "(sk-|sk_live|sk_test|pk_live|pk_test|api_key|apiKey|API_KEY|secret|SECRET|password|PASSWORD|token|TOKEN|PRIVATE_KEY|aws_access|STRIPE)" \
src/ app/ pages/ components/ lib/ utils/ 2>/dev/null
Verify .gitignore protects secrets:
grep -n "\.env" .gitignore 2>/dev/null || echo "🔴 CRITICAL: No .env entry in .gitignore"
Check client-side exposure (Next.js — only NEXT_PUBLIC_* should be client-accessible):
grep -rn "process.env\." src/ app/ pages/ components/ --include="*.ts" --include="*.tsx" 2>/dev/null | grep -v "NEXT_PUBLIC\|VITE_\|NODE_ENV"
Run:
grep -rn --include="*.py" --include="*.env" --include="*.yaml" --include="*.yml" \
-E "(sk-|api_key|API_KEY|secret|SECRET|password|PASSWORD|token|TOKEN|PRIVATE_KEY|aws_access|DATABASE_URL)" \
. 2>/dev/null | grep -v "venv/\|\.venv/\|node_modules/\|__pycache__/"
Check for hardcoded credentials in settings:
grep -rn --include="*.py" "SECRET_KEY\|DB_PASSWORD\|API_KEY" . 2>/dev/null | grep -v "os.environ\|os.getenv\|settings\.\|config\."
If any secret pattern is found hardcoded in source, flag as 🔴 CRITICAL.
DO NOT mark this phase passed without:
Scan for AI/LLM integration points:
grep -rn "openai\|anthropic\|gemini\|langchain\|ai-sdk\|generateText\|streamText\|chat.completions" \
src/ lib/ app/ --include="*.ts" --include="*.tsx" --include="*.py" 2>/dev/null
Check if user input flows directly to AI without sanitization:
grep -rn "prompt\|messages\|content.*user" src/ lib/ --include="*.ts" --include="*.py" 2>/dev/null \
| grep -i "request\|req\.\|body\.\|params\.\|query\."
Verify injection pattern blocking exists. Search for:
grep -rn "ignore previous\|disregard\|system prompt\|jailbreak\|act as\|pretend" src/ lib/ --include="*.ts" --include="*.py" 2>/dev/null
If user input reaches an LLM call without sanitization or delimiter tags, flag as 🔴 CRITICAL.
find src/ app/ pages/ -name "route.ts" -o -name "route.js" -o -name "*.api.ts" 2>/dev/null | while read f; do
if ! grep -l "auth\|session\|getServerSession\|currentUser\|requireAuth\|middleware" "$f" > /dev/null 2>&1; then
echo "🔴 UNPROTECTED: $f"
fi
done
grep -rn --include="*.py" "APIRouter\|@app\.\|@router\." . 2>/dev/null
grep -rn --include="*.py" "Depends.*auth\|Depends.*verify\|login_required\|permission_classes" . 2>/dev/null
Compare outputs. Any endpoint without auth dependency = 🔴 CRITICAL.
grep -rn --include="*.py" "path(\|url(\|re_path(" . 2>/dev/null | grep -v "admin\|static\|media"
grep -rn --include="*.py" "@login_required\|@permission_required\|IsAuthenticated" . 2>/dev/null
grep -rn "httpOnly\|secure\|sameSite\|maxAge\|cookie" src/ app/ lib/ --include="*.ts" --include="*.tsx" --include="*.py" 2>/dev/null
If any protected route lacks auth middleware, flag as 🔴 CRITICAL.
DO NOT mark this phase passed without:
# Raw SQL queries (should use parameterized queries)
grep -rn "raw\|rawQuery\|\$queryRaw\|\$executeRaw" src/ lib/ --include="*.ts" --include="*.tsx" 2>/dev/null
# Python raw SQL
grep -rn --include="*.py" "execute(\|raw(\|RawSQL\|cursor\." . 2>/dev/null | grep -v "venv/"
# String concatenation in queries
grep -rn "SELECT.*+\|INSERT.*+\|UPDATE.*+\|DELETE.*+" src/ lib/ --include="*.ts" --include="*.py" 2>/dev/null
grep -rn "dangerouslySetInnerHTML\|innerHTML\|__html" src/ app/ components/ --include="*.tsx" --include="*.ts" 2>/dev/null
grep -rn "eval(\|new Function(" src/ --include="*.ts" --include="*.tsx" --include="*.js" 2>/dev/null
# Python: Jinja2 unescaped output
grep -rn --include="*.html" --include="*.jinja" "| safe\|Markup(\|mark_safe" . 2>/dev/null
# Node: Check for Zod schema validation on API inputs
grep -rn "z\.\|zod\|zodResolver" src/ app/ --include="*.ts" --include="*.tsx" 2>/dev/null | head -20
# Python: Check for Pydantic models on API inputs
grep -rn --include="*.py" "BaseModel\|Field(\|validator\|field_validator" . 2>/dev/null | head -20
If user input reaches a database query without validation, flag as 🔴 CRITICAL.
grep -rn "allow_origins\|CORSMiddleware\|cors\|Access-Control" src/ app/ lib/ --include="*.ts" --include="*.tsx" --include="*.py" 2>/dev/null
If origins contain "*" (wildcard), flag as 🔴 CRITICAL.
If origins are hardcoded strings (not read from env var), flag as 🟡 WARNING.
grep -rn "rateLimit\|rate_limit\|throttle\|RateLimiter\|slowapi\|limiter" src/ app/ lib/ --include="*.ts" --include="*.py" 2>/dev/null
If no rate limiting is found on auth or AI endpoints, flag as 🟡 WARNING.
# Node.js
npm audit --audit-level=high 2>/dev/null || echo "npm audit not available"
# Python
pip audit 2>/dev/null || echo "pip audit not available — install: pip install pip-audit"
safety check 2>/dev/null || echo "safety not available — install: pip install safety"
# Lock file present
test -f package-lock.json && echo "✅ package-lock.json exists" || echo "🟡 No package-lock.json"
test -f requirements.txt && echo "✅ requirements.txt exists" || echo "Checking for pyproject.toml..."
test -f pyproject.toml && echo "✅ pyproject.toml exists" || true
# Console output that might leak data
grep -rn "console.log\|console.debug" src/ app/ components/ --include="*.ts" --include="*.tsx" 2>/dev/null | grep -v "node_modules\|\.test\.\|\.spec\." | wc -l
# Python print statements in production code
grep -rn --include="*.py" "print(" . 2>/dev/null | grep -v "venv/\|test_\|__pycache__/" | wc -l
# Source maps in production
find .next/ dist/ build/ out/ -name "*.map" 2>/dev/null | head -10
# Run all checks in sequence
npm audit 2>/dev/null
grep -rn "\.env" .gitignore 2>/dev/null
grep -rn --include="*.ts" --include="*.tsx" --include="*.py" "console.log\|print(" src/ app/ 2>/dev/null | grep -v test | wc -l
DO NOT clear for deployment without:
npm audit or pip audit showing no critical vulnerabilities## Security Audit Report — [Project Name]
### Summary
| Category | Issues | Severity |
|----------|--------|----------|
| Secrets Exposure | X | 🔴/🟢 |
| Prompt Injection | X | 🔴/🟡/🟢 |
| Auth & Authorization | X | 🔴/🟡/🟢 |
| Input Validation | X | 🔴/🟡/🟢 |
| CORS & Rate Limiting | X | 🔴/🟡/🟢 |
| Dependencies | X | 🔴/🟡/🟢 |
| Information Leakage | X | 🔴/🟡/🟢 |
### 🔴 Critical Issues (Fix Before Deploy)
#### [Issue N]
**Type:** [Secret Exposure / Injection / Auth Bypass / etc.]
**Location:** [file:line]
**Risk:** [What could happen]
**Fix:** [Exact solution]
### 🟡 Warnings (Fix Before Ship)
[Same format]
### ✅ Passed Checks
[What's secured correctly]