Security Scan: $ARGUMENTS
Dynamic Context
- •Dependency audit: !
npm audit --json 2>/dev/null | node -e "const d=JSON.parse(require('fs').readFileSync(0,'utf8'));console.log('Vulnerabilities:',JSON.stringify(d.metadata?.vulnerabilities||'N/A'))" 2>/dev/null || pip-audit 2>/dev/null | tail -5 || cargo audit 2>/dev/null | tail -5 || echo "No dependency audit tool found" - •Recently changed files: !
git diff --name-only HEAD~10 2>/dev/null || echo "N/A" - •Project type: !
ls package.json requirements.txt Cargo.toml go.mod pyproject.toml 2>/dev/null | head -3 || echo "Unknown" - •Environment files: !
find . -name '.env*' -o -name '*.env' 2>/dev/null | head -5 || echo "None"
Scan Checklist (OWASP 2025 Aligned)
A01: Broken Access Control
- • Default deny for all protected resources
- • RBAC/ABAC consistently applied
- • CORS configuration restrictive (not
*) - • Directory traversal prevention (
../in paths) - • Rate limiting on sensitive endpoints
A02: Cryptographic Failures
- • No MD5/SHA1 for password hashing (use bcrypt/argon2/scrypt)
- • TLS enforced for all external communication
- • No hardcoded encryption keys or salts
- • Secure random number generation (not Math.random)
A03: Injection
- • Parameterized queries for all database operations
- • No string concatenation in SQL/NoSQL queries
- • Command injection prevention (no shell=True with user input)
- • Path traversal sanitization
- • LDAP/XPath injection prevention
A05: Security Misconfiguration
- • Debug mode disabled in production configs
- • Default credentials removed
- • Unnecessary features/endpoints disabled
- • Security headers configured (CSP, HSTS, X-Frame-Options)
A07: Authentication Failures
- • Strong password policies enforced
- • Session management secure (httpOnly, secure, sameSite)
- • No credentials in URLs or logs
- • Brute-force protection (lockout/rate-limit)
A08: Data Integrity Failures
- • Input validation on all trust boundaries
- • Deserialization safety (no
eval, nopickle.loadson untrusted data) - • CI/CD pipeline integrity
A09: Logging & Monitoring Failures
- • No PII/secrets in log output
- • Security events logged (auth failures, access denied)
- • Log injection prevention
A10: SSRF
- • URL validation for user-supplied URLs
- • Allowlist for external service calls
- • No internal network access from user input
Secret Detection Patterns
Scan for these patterns in source code:
- •API keys:
(api[_-]?key|apikey)\s*[:=]\s*["'][^"']+ - •AWS credentials:
AKIA[0-9A-Z]{16} - •Private keys:
-----BEGIN (RSA |EC )?PRIVATE KEY----- - •JWT tokens:
eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+ - •Connection strings:
(mongodb|postgres|mysql|redis):\/\/[^\s]+ - •Generic secrets:
(password|secret|token)\s*[:=]\s*["'][^"']{8,}
Output Format
Deliver a structured Security Audit Report with:
- •Executive Summary (scope, overall risk level, finding counts)
- •Critical/High findings with file:line references and CVSS scores
- •Medium/Low findings
- •Remediation recommendations (priority-ordered)
- •Dependency vulnerability summary