Security Audit

Deterministic Commands

Severity Classification

Confidence Labeling

Audit Domains

1. OWASP Top 10 (2021) Review

Systematic check against all 10 categories. See references/owasp-top10.md for detection patterns and fix templates.

Process:

1. Identify the application's tech stack (framework, language, ORM, auth library)
2. Map codebase to OWASP categories — which categories are relevant given the stack
3. For each relevant category, search for known vulnerable patterns
4. Classify findings by severity and confidence
5. Provide fix templates from reference material

Key searches:

• SQL/NoSQL injection: raw queries, string concatenation in queries, missing parameterization
• XSS: unescaped output, dangerouslySetInnerHTML, innerHTML, template literal injection
• CSRF: missing CSRF tokens, SameSite cookie attributes, state-changing GET requests
• Broken auth: hardcoded credentials, weak password policies, missing MFA, session fixation
• Security misconfiguration: debug mode in production, default credentials, verbose errors, open CORS
• Insecure deserialization: eval(), pickle.loads(), JSON.parse() on untrusted input without validation
• Known vulnerable components: outdated dependencies with published CVEs
• Insufficient logging: missing auth event logs, no audit trail, error swallowing

2. Dependency Vulnerability Scanning

Process:

1. Identify package manager(s) in use (npm, pip, cargo, go mod, composer, etc.)
2. Check for lockfile presence and integrity
3. Run or simulate dependency audit commands
4. Cross-reference with known CVE databases
5. Flag outdated dependencies even without known CVEs (staleness risk)

Detection patterns by ecosystem:

Supply chain checks:

• Lockfile present and committed to version control
• No * or latest version ranges in dependency specs
• Typosquatting detection: flag packages with names similar to popular packages but off by one character
• Check for install scripts (preinstall, postinstall) in dependencies
• Verify package publisher consistency (ownership transfers)

3. Secret/Credential Detection

Process:

1. Scan all source files (excluding node_modules, vendor, .git, build artifacts)
2. Check for high-entropy strings that match known secret patterns
3. Verify .gitignore covers sensitive files (.env, *.pem, *.key, credentials files)
4. Check git history for previously committed secrets (if git available)
5. Review environment variable usage for secure handling

Detection patterns:

Files to always check:

• .env, .env.* (should be gitignored)
• docker-compose.yml (environment sections)
• CI/CD config files (.github/workflows/*.yml, .gitlab-ci.yml, Jenkinsfile)
• Kubernetes manifests (*-secret.yaml, *-configmap.yaml)
• Application config files (config.js, settings.py, application.yml)

4. Security Headers Audit

Process:

1. Fetch HTTP response headers from the target URL
2. Check presence and correctness of each security header
3. Score overall header security posture
4. Generate recommended header configuration

Required headers:

Headers that should NOT be present:

• Server (with version details) — information disclosure
• X-Powered-By — technology fingerprinting
• X-AspNet-Version — technology fingerprinting

5. CSP Analysis and Generation

Process:

1. Fetch and parse existing CSP header or meta tag
2. Evaluate each directive against best practices
3. Flag dangerous directives (unsafe-inline, unsafe-eval, * sources)
4. Generate a recommended CSP tailored to the application
5. Provide report-only header for safe rollout

Dangerous directives to flag:

6. Input Validation Audit

Process:

1. Identify all user input entry points (forms, query params, URL params, headers, file uploads, WebSocket messages)
2. Trace input flow from entry to usage (source-to-sink analysis)
3. Check for validation at each boundary (client, API, database)
4. Verify sanitization and encoding at output points
5. Check for type coercion vulnerabilities

Common input validation gaps:

7. Authentication/Authorization Flow Review

Process:

1. Map all authentication entry points (login, signup, OAuth, API keys, service-to-service)
2. Review session management (cookie flags, token expiry, refresh flow)
3. Check authorization at every protected endpoint
4. Look for privilege escalation vectors (IDOR, role manipulation, JWT tampering)
5. Verify password handling (hashing algorithm, salt, minimum requirements)

Key checks:

Evidence-First Workflow

Every security audit follows this exact sequence:

Phase 1: Reconnaissance

1. Identify tech stack from package.json, Cargo.toml, requirements.txt, go.mod, framework files
2. Map directory structure to understand application architecture
3. Identify entry points (routes, API endpoints, form handlers)
4. Note authentication/authorization mechanisms in use
5. Catalog external service integrations

Phase 2: Automated Collection

1. Run dependency audit (appropriate to ecosystem)
2. Scan for secrets using regex patterns
3. Check security headers (if URL provided)
4. Identify all user input handling code
5. Map authentication and authorization flows

Phase 3: LLM Analysis

1. Analyze collected evidence against OWASP Top 10
2. Trace input flows for injection and XSS vectors
3. Review authentication implementation against best practices
4. Evaluate CSP and header configurations
5. Assess supply chain risk factors

Phase 4: Finding Classification

1. Assign severity (Critical/High/Medium/Low/Info)
2. Assign confidence (Confirmed/Likely/Unknown)
3. Write finding description with evidence
4. Provide fix template or remediation steps
5. Note what was NOT checked (scope limitations)

Phase 5: Report Generation

Produce SECURITY-AUDIT-REPORT.md with:

• Executive summary (finding count by severity)
• Scope statement (what was audited, what was not)
• Findings table (severity, confidence, category, description, fix)
• Dependency vulnerability list
• Secret detection results
• Header analysis results
• Recommended remediation priority order
• Appendix: tools and patterns used

Output Contracts

security audit <target> produces:

• SECURITY-AUDIT-REPORT.md — full audit report
• Finding count by severity in summary
• Remediation priority list

security deps produces:

• Dependency vulnerability table (package, version, CVE, severity, fix version)
• Lockfile integrity assessment
• Supply chain risk flags

security secrets produces:

• Secret detection results (file, line, type, confidence)
• .gitignore coverage assessment
• Recommended additions to .gitignore

security headers <url> produces:

• Header presence/absence table with grades
• Overall header security score
• Recommended header configuration block

security csp <url> produces:

• Current CSP analysis with directive-by-directive review
• Recommended CSP policy
• Report-Only header for safe rollout

security inputs produces:

• Input entry point inventory
• Source-to-sink trace for each risky flow
• Validation gap table with fix patterns

security auth produces:

• Authentication flow diagram (text-based)
• Authorization enforcement map
• Finding list specific to auth/authz

QA Gate Checklist

Before delivering any security audit output, pass through the QA cascade defined in references/qa-gates.md. Key checkpoints:

1. Every finding has severity AND confidence labels
2. Every finding references specific file paths and line numbers (where applicable)
3. Every finding includes a fix template or remediation guidance
4. No false positives from pattern-matching without context verification
5. Scope limitations are clearly documented
6. Dependency versions cited are accurate (verified from lockfiles)
7. No hallucinated CVE numbers — only cite CVEs that are verifiable
8. Secret patterns matched are actual secrets, not test data or documentation examples
9. Header recommendations match the application's actual requirements
10. Report follows the defined output contract structure

Integration with Other Skills

Degraded Mode

When tools or MCP servers are unavailable:

All degraded findings are flagged in the report and logged to PROJECT_STATUS.json.