Goal: Catch security issues early and produce a short, prioritized remediation list.
Workflow:
- Define the changed surface
  - What entry points changed? (endpoints, UI routes, webhooks, background jobs, pipelines)
  - What data changed? (PII, credentials, financial, customer data)
  - What trust boundaries changed? (service-to-service, browser-to-API, CI-to-cloud)
- Lightweight threat model (fast)
  - Assets: what needs protection?
  - Actors: who might abuse it (unauth user, authenticated user, insider, CI attacker)?
  - Key threats: authz bypass, injection, SSRF, deserialization, secrets leakage, data exfil, supply chain tampering
- Verification checklist (apply to changed code only)
  - AuthN/AuthZ
    - enforce least privilege; no implicit admin paths
    - deny by default on missing/invalid claims
  - Input handling
    - validate, normalize, and size-limit inputs
    - safe parsing and error handling (no stack traces to clients)
  - Output handling
    - no sensitive fields leaked
    - correct caching headers (private vs public)
  - Storage & crypto
    - no plaintext secrets
    - use standard libraries; no custom crypto
  - Logging & privacy
    - no secrets/PII in logs; redaction where needed
  - Dependencies
    - new deps justified, minimal, and trustworthy
    - avoid insecure/abandoned packages
  - CI/CD & repo security (if workflows changed)
    - least-privileged GITHUB_TOKEN permissions
    - avoid running untrusted PR code with elevated permissions
    - pin third-party actions where feasible
Finish with:
- Must fix (blockers)
- Should fix
- Nice to have
- Any security assumptions (explicit)
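
An added example (not part of the original checklist) that automates the three "CI/CD & repo security" items for a GitHub Actions workflow file and reports findings under the same must-fix / should-fix headings. It is a text heuristic rather than a YAML parser; the sample workflow, the `example-org` action names, and treating the `actions` and `github` owners as first-party are assumptions.

```python
import re

# Constructed sample workflow (not from the page) that trips all three checks.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/example-action@v1
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567
"""

FIRST_PARTY = {"actions", "github"}  # assumption: GitHub-owned, not "third-party"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"[0-9a-f]{40}")  # full-length commit SHA

def review_workflow(text):
    """Return a list of (severity, message) findings for one workflow file."""
    findings = []
    # 1. Least-privileged GITHUB_TOKEN: require an explicit, non-broad block.
    perms = re.findall(r"^\s*permissions:[ \t]*(\S*)", text, re.M)
    if not perms:
        findings.append(("should-fix", "no explicit permissions: block"))
    elif "write-all" in perms:
        findings.append(("must-fix", "permissions: write-all"))
    # 2. Untrusted PR code with elevated permissions: pull_request_target runs
    #    with the base repository's token, so checking out the PR head is risky.
    if re.search(r"\bpull_request_target\b", text) and \
            "github.event.pull_request.head" in text:
        findings.append(("must-fix", "pull_request_target checks out PR head"))
    # 3. Third-party actions should be pinned to a commit SHA, not a tag or branch.
    for ref in USES_RE.findall(text):
        local = ref.startswith(("./", "docker://"))
        if local or ref.split("/")[0] in FIRST_PARTY:
            continue
        if not SHA_RE.fullmatch(ref.partition("@")[2]):
            findings.append(("should-fix", f"unpinned action: {ref}"))
    return findings

if __name__ == "__main__":
    for severity, message in review_workflow(SAMPLE_WORKFLOW):
        print(f"{severity}: {message}")
```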