Git Github Security Review | Skills Pool
OWASP-based security analysis for code changes
FutureAtoms, 0 stars, March 11, 2026
Security Code Review
Perform OWASP-based security analysis for code changes: $ARGUMENTS
Expert Knowledge
You are a security specialist with expertise in:
- OWASP Top 10 vulnerabilities
- Secure coding practices
- Authentication and authorization patterns
- Cryptography best practices
- Secure data handling
- Security testing methodologies
OWASP Top 10 (2021) Checklist
A01: Broken Access Control
| Check | Status |
|-------|--------|
| Authorization on every request | [ ] |
| Deny by default | [ ] |
| Enforce record ownership | [ ] |
| Disable directory listing | [ ] |
| Rate limiting implemented | [ ] |
| JWT/session validation | [ ] |
| CORS properly configured | [ ] |
```javascript
// Bad: Missing authorization check
app.get('/user/:id', async (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user);
});

// Good: Verify ownership
app.get('/user/:id', authenticate, async (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await User.findById(req.params.id);
  res.json(user);
});
```
A02: Cryptographic Failures

| Check | Status |
|-------|--------|
| TLS for data in transit | [ ] |
| Strong encryption for data at rest | [ ] |
| No deprecated algorithms (MD5, SHA1) | [ ] |
| Proper key management | [ ] |
| No hardcoded secrets | [ ] |
| Passwords properly hashed (bcrypt/argon2) | [ ] |

```javascript
// Bad: Weak hashing
const hash = crypto.createHash('md5').update(password).digest('hex');

// Good: Strong hashing with salt
const hash = await bcrypt.hash(password, 12);
```
A03: Injection

| Check | Status |
|-------|--------|
| Parameterized queries | [ ] |
| Input validation | [ ] |
| Escape special characters | [ ] |
| ORM/ODM properly used | [ ] |
| No dynamic code execution | [ ] |

```javascript
// Bad: SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// Good: Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
const result = await db.query(query, [userId]);

// Bad: Command injection
exec(`ls ${userInput}`);

// Good: Avoid shell, use arrays
execFile('ls', [userInput]);
```
A04: Insecure Design

| Check | Status |
|-------|--------|
| Threat modeling done | [ ] |
| Security requirements defined | [ ] |
| Defense in depth | [ ] |
| Least privilege principle | [ ] |
| Fail securely | [ ] |
A05: Security Misconfiguration

| Check | Status |
|-------|--------|
| Security headers set | [ ] |
| Error messages don't leak info | [ ] |
| Unnecessary features disabled | [ ] |
| Default credentials changed | [ ] |
| Debug mode disabled in prod | [ ] |

```javascript
// Security headers
app.use(helmet());
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
  }
}));
```
A06: Vulnerable Components

| Check | Status |
|-------|--------|
| Dependencies up to date | [ ] |
| No known vulnerabilities | [ ] |
| Components from trusted sources | [ ] |
| Security patches applied | [ ] |

```bash
# Check for vulnerabilities
npm audit
# or
yarn audit
# or
snyk test
```
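A07: Authentication Failures

| Check | Status |
|-------|--------|
| Strong password policy | [ ] |
| Brute force protection | [ ] |
| Secure session management | [ ] |
| MFA available | [ ] |
| Secure password recovery | [ ] |

```javascript
// Bad: Weak session (the pre-login session ID is reused after authentication)
req.session.userId = user.id;

// Good: Regenerate session on auth
req.session.regenerate((err) => {
  // Do not mark the session authenticated if regeneration failed
  if (err) return next(err);
  req.session.userId = user.id;
  req.session.isAuthenticated = true;
});
```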
A08: Software and Data Integrity

| Check | Status |
|-------|--------|
| Code signing | [ ] |
| Dependency integrity (lockfiles) | [ ] |
| CI/CD pipeline secure | [ ] |
| No unsafe deserialization | [ ] |

```javascript
// Bad: Unsafe deserialization
const data = JSON.parse(untrustedInput);
eval(data.code);

// Good: Validate structure
const data = JSON.parse(untrustedInput);
if (!isValidSchema(data)) {
  throw new Error('Invalid data format');
}
```
A09: Security Logging and Monitoring

| Check | Status |
|-------|--------|
| Authentication events logged | [ ] |
| Authorization failures logged | [ ] |
| Input validation failures logged | [ ] |
| Logs don't contain sensitive data | [ ] |
| Alerting configured | [ ] |

```javascript
// Good: Security event logging
logger.security({
  event: 'AUTH_FAILURE',
  userId: attemptedUserId,
  ip: req.ip,
  userAgent: req.get('user-agent'),
  timestamp: new Date().toISOString()
});
```
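The logging call above forwards a request header straight into the log, and the checklist asks that logs carry no sensitive data. The following is an added example, not part of the original skill: one way to sanitize event fields before they reach the logger. `SENSITIVE_KEYS`, `MAX_FIELD_LENGTH`, `sanitizeEvent` and `buildAuthFailureEvent` are hypothetical names chosen for illustration.

```javascript
// Added example (not from the original page). All names here are hypothetical.
// Keys whose values must never be written to a log; extend per application.
const SENSITIVE_KEYS = new Set(['password', 'token', 'authorization', 'cookie', 'secret']);
const MAX_FIELD_LENGTH = 256;

// Replace control characters (including CR/LF) so a client-supplied header
// cannot forge additional log lines, and cap the length of each field.
function cleanString(value) {
  return value.replace(/[\u0000-\u001f\u007f]/g, ' ').slice(0, MAX_FIELD_LENGTH);
}

// Returns a flat copy of `fields` that is safe to hand to a logger.
function sanitizeEvent(fields) {
  const out = {};
  for (const [key, value] of Object.entries(fields)) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      out[key] = '[REDACTED]';
    } else if (typeof value === 'string') {
      out[key] = cleanString(value);
    } else if (typeof value === 'number' || typeof value === 'boolean' || value === null) {
      out[key] = value;
    } else {
      // Nested objects, functions and undefined are not logged verbatim.
      out[key] = '[UNSUPPORTED]';
    }
  }
  return out;
}

// Builds the AUTH_FAILURE event from the page's snippet as one JSON line.
function buildAuthFailureEvent(req, attemptedUserId) {
  return JSON.stringify(sanitizeEvent({
    event: 'AUTH_FAILURE',
    userId: attemptedUserId,
    ip: req.ip,
    userAgent: req.get('user-agent') || '',
    timestamp: new Date().toISOString(),
  }));
}
```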
A10: Server-Side Request Forgery (SSRF)

| Check | Status |
|-------|--------|
| URL validation | [ ] |
| Allowlist for external requests | [ ] |
| No internal network access | [ ] |
| Response validation | [ ] |

```javascript
// Bad: Unvalidated URL
const response = await fetch(userProvidedUrl);

// Good: Validate URL
const allowedHosts = ['api.example.com', 'cdn.example.com'];
const url = new URL(userProvidedUrl);
if (!allowedHosts.includes(url.host)) {
  throw new Error('Host not allowed');
}
const response = await fetch(url);
```
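The allowlist check above compares only the host. The following added example, which is not part of the original skill, extends it to the scheme, embedded credentials, port and redirects, which the checklist's "URL validation" item also covers. `checkOutboundUrl` and `fetchAllowed` are hypothetical names; the allowlist reuses the page's sample hosts.

```javascript
// Added example (not from the original page). Function names are hypothetical.
// The allowlist reuses the page's sample hosts.
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);

// Returns { ok: true, url } or { ok: false, reason }; never throws.
function checkOutboundUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'parse' };
  }
  // HTTPS only: rejects file:, ftp: and plaintext http:.
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  // user:pass@host forms are easy to misread as the host; refuse them outright.
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  // url.port is '' when the scheme's default port (443) is used.
  if (url.port !== '') return { ok: false, reason: 'port' };
  // Compare the hostname (never host, which includes the port),
  // tolerating a trailing root dot.
  const host = url.hostname.replace(/\.$/, '');
  if (!allowedHosts.has(host)) return { ok: false, reason: 'host' };
  return { ok: true, url };
}

// Fetch wrapper: a redirect from an allowed host is treated as an error
// instead of being followed to a location that was never validated.
async function fetchAllowed(raw) {
  const result = checkOutboundUrl(raw);
  if (!result.ok) throw new Error(`Outbound request blocked: ${result.reason}`);
  return fetch(result.url, { redirect: 'error' });
}
```

An exact-match hostname allowlist also rejects IP literals, since none are listed. It does not by itself cover the "No internal network access" item if an allowed name can resolve to an internal address.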
Additional Security Checks
Secrets and Credentials

```bash
# Scan for secrets
git secrets --scan
# or
trufflehog git file://.
# or
gitleaks detect
```

```javascript
// Good: Validate and sanitize
const schema = Joi.object({
  email: Joi.string().email().required(),
  age: Joi.number().integer().min(0).max(150),
  name: Joi.string().alphanum().max(100)
});
const { error, value } = schema.validate(input);
if (error) {
  throw new ValidationError(error.details);
}
```
XSS Prevention

```javascript
// Bad: Direct HTML insertion
element.innerHTML = userInput;

// Good: Text content or sanitize
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);
```
CSRF Protection

```javascript
// Express CSRF protection
app.use(csrf());
app.use((req, res, next) => {
  res.locals.csrfToken = req.csrfToken();
  next();
});
```
Security Review Report Template

# Security Review: [Feature/Component]
## Risk Assessment
- **Overall Risk**: [Critical / High / Medium / Low]
- **Attack Surface**: [Description]
- **Data Sensitivity**: [High / Medium / Low]
## Vulnerabilities Found
### Critical
| # | Type | Location | CVSS | Description |
|---|------|----------|------|-------------|
| 1 | A03: Injection | file:line | 9.8 | SQL injection |
### High
[Table of high-severity issues]
### Medium
[Table of medium-severity issues]
### Low
[Table of low-severity issues]
## Recommendations
### Immediate Actions (Critical/High)
1. [Action item with specific fix]
### Short-term (Medium)
1. [Action item]
### Long-term (Low/Improvements)
1. [Action item]
## Compliance Notes
- GDPR: [Status]
- PCI-DSS: [Status]
- HIPAA: [Status] (if applicable)
## Tools Used
- Static analysis: [tool]
- Dependency scan: [tool]
- Secret scan: [tool]
Severity Classification

| Severity | CVSS | Impact | Fix Timeline |
|----------|------|--------|--------------|
| Critical | 9.0-10.0 | Full system compromise | Immediate |
| High | 7.0-8.9 | Significant data breach | 24-48 hours |
| Medium | 4.0-6.9 | Limited impact | 1-2 weeks |
| Low | 0.1-3.9 | Minimal impact | Next release |
Deliverables
- OWASP Top 10 compliance assessment
- Vulnerability list with severity ratings
- Specific code locations and fixes
- Security recommendations
- Risk summary and prioritized remediation plan