AgentSkillsCN

security-and-compliance-baseline

在发布前,确保各项变更严格遵守安全、隐私与合规性约束。此技能有助于在产品正式上线前做好最后一道防线。

SKILL.md
--- frontmatter
name: security-and-compliance-baseline
description: Ensures changes respect security, privacy, and compliance constraints. Use before release.
triggers: [pre-release, external-facing, regulated-env]
outputs: [security-report, compliance-checklist]
depends_on: [regression-and-parity-check]

Security and Compliance Baseline

Purpose

Validates that all changes meet security, privacy, and compliance requirements before release. This skill blocks releases that introduce vulnerabilities or compliance violations.


When to Use

  • Before any production release
  • When shipping external-facing features
  • In regulated environments (healthcare, finance, etc.)
  • When handling sensitive data

Instructions

1. Identify Sensitive Data Flows

Map all data that requires protection:

markdown
## Sensitive Data Inventory

| Data Type | Classification | Storage | Transmission | Retention |
|-----------|---------------|---------|--------------|-----------|
| Passwords | SECRET | Hashed (bcrypt) | TLS only | Never logged |
| Email | PII | Encrypted at rest | TLS only | Per policy |
| Payment | PCI | Tokenized | TLS 1.3 | 7 years |

2. Check Authentication & Authorization

markdown
## Auth Checklist

- [x] All endpoints require authentication (except public)
- [x] Role-based access control implemented
- [x] Session tokens are secure (httpOnly, secure, sameSite)
- [x] Password policy enforced (min 12 chars, complexity)
- [x] Rate limiting on auth endpoints
- [ ] MFA available for sensitive operations

3. Enforce Least Privilege

markdown
## Privilege Analysis

| Component | Current Access | Required Access | Status |
|-----------|---------------|-----------------|--------|
| API Server | DB read/write | DB read/write | ✅ OK |
| Worker | Full DB access | Read-only | ⚠️ OVER-PRIVILEGED |
| Frontend | Admin API | User API only | ❌ VIOLATION |

4. Flag Compliance Risks

markdown
## Compliance Risks

| Risk ID | Category | Description | Severity | Mitigation |
|---------|----------|-------------|----------|------------|
| SEC-001 | OWASP A1 | SQL injection possible | CRITICAL | Use parameterized queries |
| SEC-002 | GDPR | PII logged in plaintext | HIGH | Mask PII in logs |
| SEC-003 | PCI-DSS | Card numbers in memory | MEDIUM | Use tokenization |

Security Checklist

Authentication

  • Passwords hashed with bcrypt/argon2
  • Session tokens are cryptographically random
  • Token expiry implemented
  • Logout invalidates session

Authorization

  • RBAC or ABAC implemented
  • All endpoints enforce authorization
  • No privilege escalation paths
  • Admin functions protected

Data Protection

  • Encryption at rest for sensitive data
  • TLS for all network traffic
  • PII handling per privacy policy
  • Secure key management

Input Validation

  • All inputs validated
  • SQL injection prevented
  • XSS prevented
  • CSRF tokens implemented

Logging & Monitoring

  • Security events logged
  • No secrets in logs
  • Log integrity protected
  • Alerting configured

OWASP Top 10 Quick Check

#VulnerabilityCheckStatus
A01Broken Access ControlAuth on all endpoints✅/❌
A02Cryptographic FailuresStrong encryption✅/❌
A03InjectionParameterized queries✅/❌
A04Insecure DesignThreat modeling done✅/❌
A05Security MisconfigurationHardened configs✅/❌
A06Vulnerable ComponentsDependencies updated✅/❌
A07Auth FailuresStrong auth implemented✅/❌
A08Data Integrity FailuresSignatures verified✅/❌
A09Logging FailuresSecurity events logged✅/❌
A10SSRFExternal requests validated✅/❌

Integration

  • Precedes: delivery-readiness-gate
  • Follows: regression-and-parity-check
  • Blocks release if: Any CRITICAL or unmitigated HIGH risks

Constraints

  • Security is non-negotiable
  • CRITICAL issues block release immediately
  • HIGH issues require mitigation plan
  • All findings must be documented

Secure by default, verified before release.