Security Audit Skill
Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.
When to Use This Skill
- User mentions "security", "audit", "vulnerability", "CVE"
- Before deployment commands
- During PR reviews
- User asks about dependencies
- Periodic security checks
Audit Checklist
1. Secrets Exposure
Check for hardcoded secrets:
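```bash
# Search for common secret patterns.
# The --include glob is left unquoted so that bash brace-expands it into one
# --include per extension; inside quotes grep receives the braces literally and matches no files.
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" --include=*.{js,ts,py,go,rb,java} .
grep -rn "sk-\|pk_\|api_\|secret_" --include=*.{js,ts,py,go,rb,java} .
```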
Verify .gitignore:
```bash
# Ensure sensitive files are ignored
grep -E "\.env|secret|credential|\.pem|\.key" .gitignore
```
Check git history for leaked secrets:
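```bash
# Search the last 30 days of commits on all refs for changes that add or remove "API_KEY".
# This uses plain git; git-secrets or truffleHog can be used for a pattern-based scan of history.
git log -p --all -S "API_KEY" --since="30 days ago"
```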
✅ Pass criteria:
- No hardcoded API keys, tokens, or passwords
- `.env` files in `.gitignore`
- No secrets in git history
2. Dependency Vulnerabilities
Node.js:
```bash
npm audit
# or
yarn audit
# or
pnpm audit
```
Python:
```bash
pip-audit
# or
safety check
```
Go:
```bash
govulncheck ./...
```
Rust:
```bash
cargo audit
```
✅ Pass criteria:
- No critical vulnerabilities
- No high vulnerabilities > 30 days old
- Dependencies updated within last 90 days
3. Input Validation
Check for:
- User inputs sanitized before use
- SQL queries use parameterized statements
- File paths validated and sandboxed
- HTML content escaped before rendering
- Command injection prevention
Common vulnerable patterns:
```javascript
// BAD: SQL injection
db.query(`SELECT * FROM users WHERE id = ${userId}`)
// GOOD: Parameterized query
db.query('SELECT * FROM users WHERE id = ?', [userId])
```
```python
# BAD: Command injection
os.system(f"convert {user_file}")
# GOOD: Use subprocess with list
subprocess.run(["convert", user_file], check=True)
```
4. Authentication & Authorization
Check for:
- Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
- Session tokens are cryptographically random
- Sessions expire appropriately
- CSRF protection on state-changing endpoints
- Rate limiting on auth endpoints
- Account lockout after failed attempts
Look for:
```javascript
// BAD: Weak hashing
crypto.createHash('md5').update(password)
// GOOD: Bcrypt
bcrypt.hash(password, 12)
```
5. HTTPS & Transport Security
Check for:
- HTTPS enforced (HSTS header)
- Secure cookie flags (`Secure`, `HttpOnly`, `SameSite`)
- No mixed content warnings
- TLS 1.2+ required
6. Error Handling
Check for:
- Stack traces not exposed in production
- Generic error messages for users
- Detailed errors only in logs
- Sensitive data not in error messages
```javascript
// BAD: Exposes internals
res.status(500).send({ error: err.stack })
// GOOD: Generic message
res.status(500).send({ error: 'An unexpected error occurred' })
```
7. File Upload Security
If file uploads exist:
- Validate file type server-side (not just extension)
- Limit file size
- Scan for malware
- Store outside webroot
- Rename uploaded files
8. API Security
- Authentication required on all sensitive endpoints
- Authorization checks per resource
- Rate limiting implemented
- CORS configured restrictively
- API versioning in place
Severity Levels
| Level | Description | Action Required |
|---|---|---|
| 🔴 Critical | Actively exploitable | Block deployment |
| 🟠 High | Exploitable with effort | Fix within 7 days |
| 🟡 Medium | Requires conditions | Fix within 30 days |
| 🟢 Low | Minimal impact | Fix when convenient |
Output Format
## Security Audit Results
**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)
### Summary
| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |
### Findings
#### 1. [🟠 High] Hardcoded API Key
**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable
```diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY
```
#### 2. [🟡 Medium] Missing Rate Limiting
**Location:** `src/routes/auth.js`
**Description:** Login endpoint has no rate limiting
**Risk:** Enables brute force attacks
**Recommendation:** Add rate limiting middleware
### Recommendations
- Fix critical and high issues before next deployment
- Schedule medium issues for next sprint
- Add low issues to backlog
- Re-run audit after fixes
Commands to Run
After completing the audit, provide the user with:
1. Summary of findings
2. Prioritized fix list
3. Commands to address each issue
4. Timeline recommendation
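
The summary, prioritized fix list and timeline asked for above can be derived mechanically from the Severity Levels table. The following is an added example, not part of the skill itself: the `Finding` record, the function names and the sample dates are assumptions made for illustration, while the labels and fix windows come from the table.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Severity -> (label, fix window in days), taken from the Severity Levels table.
# 0 means "block deployment" (due immediately); None means "fix when convenient".
POLICY = {"critical": ("🔴 Critical", 0), "high": ("🟠 High", 7),
          "medium": ("🟡 Medium", 30), "low": ("🟢 Low", None)}
ORDER = list(POLICY)  # most severe first

@dataclass
class Finding:  # hypothetical record type, not defined by the skill
    title: str
    severity: str
    found: date  # day the finding was first reported
    def __post_init__(self):
        if self.severity not in POLICY:
            raise ValueError(f"unknown severity: {self.severity!r}")

def due_date(f):
    """Deadline implied by the severity table, or None when there is none."""
    days = POLICY[f.severity][1]
    return None if days is None else f.found + timedelta(days=days)

def summary_table(findings):
    """Render the report's Summary table, zero counts included."""
    counts = Counter(f.severity for f in findings)
    rows = ["| Severity | Count |", "|----------|-------|"]
    rows += [f"| {POLICY[s][0]} | {counts[s]} |" for s in ORDER]
    return "\n".join(rows)

def prioritized(findings, today):
    """Fix list, most severe then oldest first: (title, severity, due, overdue)."""
    ranked = sorted(findings, key=lambda f: (ORDER.index(f.severity), f.found))
    return [(f.title, f.severity, due_date(f),
             due_date(f) is not None and due_date(f) < today) for f in ranked]

def blocks_deployment(findings):
    """Per the table, only a critical finding blocks deployment."""
    return any(f.severity == "critical" for f in findings)

# Constructed sample data; two titles reuse the findings in the report template.
TODAY = date(2024, 1, 15)
SAMPLE = [Finding("Missing Rate Limiting", "medium", date(2024, 1, 10)),
          Finding("Hardcoded API Key", "high", date(2024, 1, 2)),
          Finding("Verbose error page", "low", date(2024, 1, 5))]

if __name__ == "__main__":
    print(summary_table(SAMPLE), *prioritized(SAMPLE, TODAY), sep="\n")
    print("block deployment:", blocks_deployment(SAMPLE))
```

The overdue flag is informational only; it marks findings whose fix window has already passed so they can be called out in the timeline recommendation.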