Fix Security Issues
Apply fixes for security vulnerabilities identified by external scanners.
Purpose
This skill is invoked during the remediation loop when external security scanners (Semgrep, ASH) have identified vulnerabilities. It reads the security context and applies targeted fixes.
When This Skill Is Used
- External Semgrep scan detected SAST issues
- External Grype scan (via ASH) detected vulnerable dependencies
- The orchestrator has injected security context into state/security-context.md
Process
Step 1: Read Security Context
Check state/security-context.md for the specific findings that need to be addressed.
Step 2: Understand Each Finding
For each finding, identify:
- The file and line number
- The type of vulnerability
- The severity level
- The recommended fix
Step 3: Apply Fixes
Use the appropriate fix pattern for each vulnerability type:
Hardcoded Secrets
```python
# Before (VULNERABLE)
API_KEY = "sk-abc123..."

# After (SECURE)
import os
API_KEY = os.getenv('API_KEY')
```
SQL Injection
```python
# Before (VULNERABLE)
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)

# After (SECURE)
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
```
Command Injection
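```python
# Before (VULNERABLE)
os.system(f"ls {user_input}")

# After (SECURE)
import subprocess
# An argument list is passed to the program without shell parsing, so no
# quoting is needed (shlex.quote here would add literal quote characters).
# "--" ends option parsing so input starting with "-" is treated as a path.
subprocess.run(['ls', '--', user_input], check=True)
```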
Path Traversal
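```python
# Before (VULNERABLE)
with open(f"data/{filename}") as f:
    content = f.read()

# After (SECURE)
import os

base_dir = os.path.realpath("data")
# basename() strips directory components; realpath() resolves ".." and symlinks
safe_path = os.path.realpath(os.path.join(base_dir, os.path.basename(filename)))
# Compare whole path components so a sibling such as "data_backup" does not match
if os.path.commonpath([base_dir, safe_path]) != base_dir:
    raise ValueError("Invalid path")
with open(safe_path) as f:
    content = f.read()
```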
Vulnerable Dependencies
Before (package.json, vulnerable version):
```json
{
  "dependencies": {
    "lodash": "4.17.15"
  }
}
```
After (patched version):
```json
{
  "dependencies": {
    "lodash": "^4.17.21"
  }
}
```
Step 4: Verify Fixes
After applying fixes:
- Run /self-check to validate
- Ensure the fix doesn't break functionality
- Add or update tests if needed
Usage
```
/fix-security
```
This skill reads from state/security-context.md and applies fixes to the identified issues.
Important Notes
- Do NOT proceed with new features until all security issues are resolved
- Test your fixes - security fixes can break functionality
- Document the fix - add comments explaining why the change was made
- Update tests - add test cases for the security scenarios
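A regression test for the Path Traversal fix pattern, as an added example that is not part of the original skill: it builds a constructed directory tree and checks that a file-name helper keeps every input inside data/, including a symlink that points into a sibling directory sharing the "data" prefix. The names safe_data_path and run_regression_cases are hypothetical, and the symlink case assumes a POSIX filesystem.

```python
import os
import tempfile

def safe_data_path(base_dir, filename):
    """Return a path for filename inside base_dir, or raise ValueError (hypothetical helper)."""
    base = os.path.realpath(base_dir)
    # basename() drops any directory components the caller supplied
    candidate = os.path.realpath(os.path.join(base, os.path.basename(filename)))
    # commonpath() compares whole components, so "data_backup" is not treated as "data"
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("Invalid path")
    return candidate

def run_regression_cases():
    """Classify constructed sample inputs as a path relative to data/ or 'rejected'."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "data")
        backup = os.path.join(root, "data_backup")  # sibling sharing the "data" prefix
        os.mkdir(data)
        os.mkdir(backup)
        with open(os.path.join(data, "report.txt"), "w") as f:
            f.write("ok")
        with open(os.path.join(backup, "secret.txt"), "w") as f:
            f.write("secret")
        # Symlink inside data/ whose target lives outside it
        os.symlink(os.path.join(backup, "secret.txt"), os.path.join(data, "link"))
        samples = ["report.txt", "../data_backup/secret.txt", "/etc/passwd", "..", "", "link"]
        for name in samples:
            try:
                path = safe_data_path(data, name)
                results[name] = os.path.relpath(path, os.path.realpath(data))
            except ValueError:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    for name, outcome in run_regression_cases().items():
        print(f"{name!r:32} -> {outcome}")
```

Inputs with directory components are reduced to their final component and stay inside data/, while "..", the empty name and the outward-pointing symlink are rejected.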