# Comprehensive Security Audit
You are performing a comprehensive security audit of this project. This skill consolidates 7 security-focused audits into a single interactive workflow. All audits are read-only — they report findings but do not modify code.
## Available Audit Types

| Key | Audit | Focus |
|---|---|---|
| `owasp` | OWASP Top 10:2025 | All 10 categories with Node.js/TypeScript-specific patterns |
| `threat-model` | STRIDE Threat Model | Data flows, trust boundaries, entry points, STRIDE analysis |
| `supply-chain` | Supply Chain Audit | Lockfile integrity, install scripts, typosquatting, SBOM, `.npmrc` |
| `secrets` | Secrets Scan | Hardcoded secrets, API keys, PII in logs, `.gitignore` coverage |
| `ci-security` | CI/CD Security | GitHub Actions: pinned SHAs, permissions, untrusted input, dangerous triggers |
| `asvs` | ASVS Compliance | OWASP ASVS 5.0 verification (L1/L2/L3) |
| `hardening` | Runtime Hardening | HTTP headers, CORS, cookies, rate limiting, TLS, Node.js Permission Model |
## Instructions

### 1. Determine audit scope

If `$ARGUMENTS` is provided, parse it as a comma-separated list of audit keys, or `all` for everything. Otherwise, ask the user which audits to run using a multi-select question. Default recommendation: `all`.

### 2. Load context

- Read `.claude/docs/TypeScript Coding Standard for Mission-Critical Systems.md` if present — cross-reference specific rules
- Read `.claude/skills/deep-review/references/security-checklist.md` for the existing security checklist
- Read `package.json` for dependencies and project metadata
- Determine the scope of source files: all `.ts` files under `src/`
### 3. Execute selected audits

For each selected audit, perform the analysis described below. Collect all findings with this structure:

```
SEVERITY: CRITICAL | HIGH | MEDIUM | LOW
AUDIT: <audit type key>
FILE: <file path>
LINE: <line number or N/A>
RULE: <coding standard rule or OWASP reference>
FINDING: <one-line description>
DETAILS: <explanation>
REMEDIATION: <specific fix>
```
#### Audit: owasp — OWASP Top 10:2025

Search all `.ts` files for patterns matching each category:

- **A01 Broken Access Control**: Routes without authorization middleware, missing role checks, direct object references without ownership validation (`/users/:id` without checking the authenticated user owns the resource).
- **A02 Security Misconfiguration**: CORS set to `*`, missing Helmet/security headers, `NODE_ENV` not checked, verbose error responses exposing stack traces, default ports or credentials.
- **A03 Supply Chain** (covered in detail by the `supply-chain` audit): Flag unpinned dependencies, dynamic `require()`.
- **A04 Cryptographic Failures**: MD5 or SHA1 used for security purposes, `Math.random()` for tokens/IDs, hardcoded keys/secrets, HTTP URLs for external services, missing TLS configuration.
- **A05 Injection**: String concatenation in SQL/NoSQL queries, `eval()`, `new Function()`, `child_process.exec()` with user input, unsanitized template literals in query contexts, path traversal (`../` in file operations with user input).
- **A06 Insecure Design**: Missing input validation schemas at boundaries, no rate limiting, no abuse-case tests.
- **A07 Authentication Failures**: Hardcoded credentials, weak password hashing (MD5, SHA-256 without salt), JWT with `alg: none`, missing token expiration, no session regeneration.
- **A08 Integrity Failures**: `JSON.parse()` on untrusted input without Zod/schema validation, missing subresource integrity, unsigned artifacts.
- **A09 Logging Failures**: `console.log` with sensitive data (passwords, tokens, PII), no structured logging, missing security event audit trail, PII in error messages.
- **A10 Exception Mishandling**: Bare `catch {}` blocks (swallowed errors), `throw` used for control flow (violates Rule 6.1), unhandled promise rejections, stack traces returned in HTTP responses, `catch` with `any` instead of `unknown`.
#### Audit: threat-model — STRIDE Threat Model

- **Map the system**: Identify entry points (routes, message consumers, CLI handlers), data stores (database connections, file system, cache), external services (HTTP clients, APIs, queues), and trust boundaries.
- **STRIDE analysis on each component**:
  - Spoofing: Missing authentication, forgeable identities
  - Tampering: Data modifiable in transit/at rest without integrity checks
  - Repudiation: Missing audit logging for security-sensitive operations
  - Information Disclosure: Data leakage through errors, logs, or over-exposed API responses
  - Denial of Service: Unbounded loops (Rule 8.1), missing timeouts (Rule 4.2), no rate limiting
  - Elevation of Privilege: Missing authorization checks, role escalation paths
- **Output**: A structured threat model with data flow description, threat inventory table, and mitigations mapped to coding standard rules.
#### Audit: supply-chain — NPM Supply Chain

- Read `package.json` and `package-lock.json`
- **Lockfile integrity**: Check for HTTP URLs in `resolved` fields, git dependencies, untrusted registries
- **Install scripts**: Run `npm query ':attr(scripts, [postinstall])' 2>/dev/null` or manually check `node_modules/*/package.json` for `preinstall`, `install`, `postinstall` scripts — these are the primary malware vector
- **Typosquatting**: Compare dependency names against known popular packages; flag names that are 1-2 edits away from common packages
- **Deprecated/unmaintained**: Run `npm outdated --json` and check for packages with no updates in 2+ years
- **SBOM capability**: Check if CycloneDX or Syft is available/configured
- **`.npmrc` hardening**: Check for `ignore-scripts=true`, `package-lock=true`, registry pinning
- **CI usage**: Search `.github/workflows/` for `npm install` (should be `npm ci`)
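The lockfile, install-script and typosquatting checks above, as an added example that is not part of this skill or of npm itself. It runs over a constructed npm lockfile object (v3 shape, where packages with install lifecycle scripts carry `hasInstallScript: true`); every package name, version, URL and integrity value in the sample is made up, and the trusted-registry allowlist and popular-package list are assumptions a real audit would configure.

```javascript
// Added example (not the skill's own code): supply-chain checks over a constructed
// package-lock.json. Names, versions, URLs and integrity values are fabricated.

const TRUSTED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // assumed allowlist

// Reference list for the typosquatting check (assumed; a real audit would use a larger list).
const POPULAR_PACKAGES = ["express", "lodash", "react", "axios", "chalk", "commander", "debug", "typescript", "dotenv", "uuid"];

// Constructed lockfile: one clean entry and three entries that each trip a check.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/expres": { // one edit from "express", fetched over HTTP, runs an install script
      version: "4.0.0",
      resolved: "http://registry.npmjs.org/expres/-/expres-4.0.0.tgz",
      integrity: "sha512-CONSTRUCTED",
      hasInstallScript: true,
    },
    "node_modules/leftpad-helper": { // git dependency, no integrity hash
      version: "1.0.0",
      resolved: "git+ssh://git@github.com/someone/leftpad-helper.git#deadbeef",
    },
    "node_modules/internal-lib": { // served from a registry outside the allowlist
      version: "1.2.0",
      resolved: "https://npm.internal.example/internal-lib/-/internal-lib-1.2.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

// Levenshtein edit distance (single-row variant) for the "1-2 edits away" rule.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns the popular package a name looks like, or null when it is exact or far away.
function findTyposquatCandidate(name) {
  if (POPULAR_PACKAGES.includes(name)) return null;
  for (const popular of POPULAR_PACKAGES) {
    const d = editDistance(name, popular);
    if (d >= 1 && d <= 2) return popular;
  }
  return null;
}

// Produces findings in the step 3 structure for every package entry in the lockfile.
function auditLockfile(lockfile) {
  const findings = [];
  const add = (severity, file, finding, remediation) =>
    findings.push({ SEVERITY: severity, AUDIT: "supply-chain", FILE: file, LINE: "N/A", RULE: "supply-chain", FINDING: finding, REMEDIATION: remediation });

  for (const [path, entry] of Object.entries(lockfile.packages)) {
    if (path === "" || entry.link) continue; // the root project and workspace links have no resolved URL
    const name = path.replace(/^.*node_modules\//, "");
    const resolved = entry.resolved || "";

    if (resolved.startsWith("git")) {
      add("MEDIUM", path, `${name} is a git dependency (${resolved})`, "Depend on a published version or a tarball with an integrity hash");
    } else if (resolved) {
      const url = new URL(resolved);
      if (url.protocol === "http:") add("HIGH", path, `${name} resolved over plain HTTP`, "Re-resolve over HTTPS and regenerate the lockfile");
      if (!TRUSTED_REGISTRY_HOSTS.has(url.hostname)) add("MEDIUM", path, `${name} resolved from untrusted registry ${url.hostname}`, "Pin the registry in .npmrc and reinstall");
    }
    if (!entry.integrity) add("MEDIUM", path, `${name} has no integrity hash`, "Regenerate the lockfile with npm install --package-lock-only");
    if (entry.hasInstallScript) add("HIGH", path, `${name} declares an install-time script`, "Review the script; set ignore-scripts=true in .npmrc");
    const lookalike = findTyposquatCandidate(name);
    if (lookalike) add("HIGH", path, `${name} is within 2 edits of popular package ${lookalike}`, `Confirm the intended package is ${lookalike}`);
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCKFILE)) console.log(`${f.SEVERITY} ${f.FILE}: ${f.FINDING}`);
```

The typosquatting rule deliberately returns nothing for an exact match against the popular list, so `lodash` is clean while `expres` is reported; combine the distance check with the registry's download counts or an allowlist in a real audit to keep false positives down.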
#### Audit: secrets — Secrets and Sensitive Data

Search the entire repository (all file types) for:

- **API key patterns**: `AKIA[0-9A-Z]{16}` (AWS), `sk-[a-zA-Z0-9]{48}` (OpenAI), `ghp_[a-zA-Z0-9]{36}` (GitHub), `xoxb-` (Slack), `SG.` (SendGrid), `sk_live_`/`pk_live_` (Stripe)
- **Private keys**: `-----BEGIN.*PRIVATE KEY-----`
- **Connection strings**: `mongodb://.*:.*@`, `postgres://.*:.*@`, `mysql://.*:.*@`, `redis://.*:.*@`
- **High-entropy strings**: Variable assignments containing 20+ character base64 or hex-encoded values
- **Hardcoded credentials**: Variables named `password`, `secret`, `apiKey`, `token`, `auth` assigned to string literals
- **`.gitignore` coverage**: Verify `.env`, `*.pem`, `*.key`, `credentials.*`, `.env.*` are ignored
- **Logging safety**: Search for logging statements that reference variables named `password`, `token`, `secret`, `key`, `authorization`, `cookie`, `session`
- **Error response safety**: Check HTTP error handlers for stack trace leakage or internal path disclosure
#### Audit: ci-security — GitHub Actions Security

Scan all `.github/workflows/*.yml` files:

- **Action pinning**: Flag every `uses:` with a tag (`@v4`, `@main`) instead of a full SHA. Provide the correct SHA for the latest release
- **Permissions**: Flag missing top-level `permissions:` block. Flag `permissions: write-all` or overly broad permissions
- **Untrusted input**: Flag `${{ github.event.issue.title }}`, `${{ github.event.pull_request.body }}`, `${{ github.event.*.head_ref }}` used inside `run:` blocks — these allow command injection
- **Dangerous triggers**: Flag `pull_request_target` when combined with `actions/checkout` using `ref: ${{ github.event.pull_request.head.sha }}`
- **Secret exposure**: Flag secrets accessible to fork PRs
- **StepSecurity**: Note if `harden-runner` step is missing
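The workflow checks above (action pinning, top-level permissions, untrusted input in `run:`, the `pull_request_target` plus checkout combination, and the `harden-runner` step), as an added example that is not part of this skill. It works line by line on the shapes workflow YAML actually uses rather than through a YAML parser; the sample workflow is constructed, the 40-character action SHA in it is a placeholder rather than a real commit, and the set of event fields treated as untrusted is a little broader than the three listed above.

```javascript
// Added example (not the skill's own code): line-based GitHub Actions checks over a
// constructed workflow. The SHA below is a placeholder, not a real commit.

const SAMPLE_WORKFLOW = [
  "name: ci",
  "on:",
  "  pull_request_target:",
  "    types: [opened, synchronize]",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - uses: actions/setup-node@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # placeholder SHA",
  "      - name: Greet",
  "        run: |",
  '          echo "PR body: ${{ github.event.pull_request.body }}"',
  "          npm ci",
].join("\n");

// Event fields an external contributor controls (assumed set, slightly broader than the list above).
const UNTRUSTED_EXPR = /\$\{\{\s*github\.event\.(issue\.(title|body)|pull_request\.(title|body)|comment\.body|[a-z_]+\.head_ref|pull_request\.head\.ref)\b/;

function auditWorkflow(file, yamlText) {
  const lines = yamlText.split("\n");
  const findings = [];
  const add = (severity, line, rule, finding, fix) =>
    findings.push({ SEVERITY: severity, AUDIT: "ci-security", FILE: file, LINE: line, RULE: rule, FINDING: finding, REMEDIATION: fix });

  const usesPrTarget = lines.some((l) => /^\s*pull_request_target\s*:/.test(l) || /^on:.*\bpull_request_target\b/.test(l));
  if (!lines.some((l) => /^permissions:/.test(l))) {
    add("HIGH", "N/A", "permissions", "No top-level permissions: block, so GITHUB_TOKEN gets the repository default scopes", "Add a top-level permissions: block (contents: read) and widen per job only where needed");
  }
  if (!lines.some((l) => /step-security\/harden-runner@/.test(l))) {
    add("LOW", "N/A", "harden-runner", "No step-security/harden-runner step", "Add harden-runner as the first step of each job");
  }

  let runIndent = -1;  // indentation of the run: key we are inside, or -1 outside a run block
  let lastUses = null; // action of the current step, to pair a checkout with a following ref:
  lines.forEach((raw, idx) => {
    const line = idx + 1;
    const indent = raw.search(/\S|$/);
    if (runIndent >= 0 && raw.trim() !== "" && indent <= runIndent) runIndent = -1; // block ended
    if (/^\s*-\s/.test(raw)) lastUses = null; // a new list item starts a new step

    if (/^\s*permissions:\s*write-all\b/.test(raw)) {
      add("HIGH", line, "permissions", "permissions: write-all grants every scope", "List only the scopes the job needs");
    }
    if (/^\s*(-\s*)?run:/.test(raw)) runIndent = indent;
    if (runIndent >= 0 && UNTRUSTED_EXPR.test(raw)) {
      add("CRITICAL", line, "untrusted-input", "Untrusted event field expanded inside run: (shell injection)", "Pass it through env: and reference the quoted variable in the script");
    }
    const uses = raw.match(/^\s*(-\s*)?uses:\s*([^\s@]+)@(\S+)/);
    if (uses) {
      lastUses = uses[2];
      if (!/^[0-9a-f]{40}$/.test(uses[3])) {
        add("HIGH", line, "action-pinning", `${uses[2]} pinned to mutable ref @${uses[3]}`, "Pin to the full commit SHA of the release");
      }
    }
    if (usesPrTarget && lastUses === "actions/checkout" && /^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\b/.test(raw)) {
      add("CRITICAL", line, "dangerous-trigger", "pull_request_target checks out the PR head, running untrusted code with secrets and a write token", "Use pull_request, or split into an unprivileged build and a privileged stage");
    }
  });
  return findings;
}

for (const f of auditWorkflow(".github/workflows/ci.yml", SAMPLE_WORKFLOW)) console.log(`${f.SEVERITY} [${f.RULE}] line ${f.LINE}: ${f.FINDING}`);
```

The run-block tracking relies on YAML indentation: once a `run:` key is seen, every more-indented non-blank line belongs to it, so the `${{ }}` expression on the `echo` line is caught while the same expression in a `with:` or `name:` field is not, matching the "inside `run:` blocks" scope above. The `ref:` check only fires when a `pull_request_target` trigger is present, because the same `ref:` under a plain `pull_request` trigger runs without secrets.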
#### Audit: asvs — OWASP ASVS 5.0 Compliance

Ask the user for the target verification level (default: L1). Assess automatable requirements:

- **V2 Authentication**: Password hashing (Argon2/bcrypt/scrypt), MFA support, credential storage
- **V4 Access Control**: Route authorization, deny-by-default, resource ownership checks
- **V5 Validation**: Input validation at all boundaries, output encoding, parameterized queries
- **V6 Cryptography**: Minimum 128-bit security, no deprecated algorithms, no custom crypto
- **V7 Error Handling**: No information leakage, structured logging, audit trail
- **V8 Data Protection**: Sensitive data classification, encryption at rest
- **V9 Tokens**: JWT algorithm pinning, expiration, audience validation
- **V13 API**: Auth on all endpoints, rate limiting, response filtering
- **V14 Configuration**: Security headers, CORS, dependency management

For non-automatable items, generate a manual review checklist. Calculate a compliance percentage.
#### Audit: hardening — Runtime Configuration Hardening

- **HTTP headers**: Check for Helmet.js or manual configuration of: `Content-Security-Policy`, `Strict-Transport-Security` (max-age >= 31536000), `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy`, `Permissions-Policy`
- **CORS**: Verify origin allowlist is not `*` in production
- **Cookies**: Check for `HttpOnly`, `Secure`, `SameSite` on all cookie operations
- **Request limits**: Body parser size limits configured, rate limiting middleware present
- **TLS**: No HTTP URLs for external services, TLS 1.2+ enforcement
- **Environment**: `NODE_ENV=production` checks, debug mode disabled
- **Node.js Permission Model**: Check if `--permission` flag or permission config is used for filesystem/network restriction
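The header, CORS and cookie checks above applied to a captured HTTP response, as an added example that is not part of this skill or of Helmet. It compares a weak constructed response against a hardened one (roughly what Helmet plus an explicit CORS allowlist emits); the header map shape, the `production` option and the severities are this example's assumptions, while the HSTS threshold and expected header values come from the list above.

```javascript
// Added example (not the skill's own code): hardening checks over a response header map.
// Both responses are constructed; the cookie value is not a real session.

const HSTS_MIN_MAX_AGE = 31536000; // one year, the threshold given in the audit

// Weak response: no security headers, wildcard CORS, cookie without flags.
const WEAK_RESPONSE = {
  "Access-Control-Allow-Origin": "*",
  "Set-Cookie": ["session=CONSTRUCTED; Path=/"],
};

// Hardened response with the headers and cookie flags the audit expects.
const HARDENED_RESPONSE = {
  "Content-Security-Policy": "default-src 'self'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "no-referrer",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Access-Control-Allow-Origin": "https://app.example.com",
  "Set-Cookie": ["session=CONSTRUCTED; Path=/; HttpOnly; Secure; SameSite=Strict"],
};

// Header names are case-insensitive, so compare on lowercase keys.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns findings in the step 3 structure; `production` controls the CORS wildcard rule.
function auditResponse(headers, { production = true } = {}) {
  const h = normalizeHeaders(headers);
  const findings = [];
  const add = (severity, finding, fix) =>
    findings.push({ SEVERITY: severity, AUDIT: "hardening", FILE: "N/A", LINE: "N/A", RULE: "headers", FINDING: finding, REMEDIATION: fix });

  if (!h["content-security-policy"]) add("HIGH", "Missing Content-Security-Policy", "Set a restrictive CSP (Helmet's contentSecurityPolicy)");
  const hsts = h["strict-transport-security"];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) add("HIGH", "Missing Strict-Transport-Security", `Set max-age >= ${HSTS_MIN_MAX_AGE}; includeSubDomains`);
  else if (!maxAge || Number(maxAge[1]) < HSTS_MIN_MAX_AGE) add("MEDIUM", `HSTS max-age below ${HSTS_MIN_MAX_AGE}`, "Raise max-age to at least one year");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") add("MEDIUM", "X-Content-Type-Options is not nosniff", "Set X-Content-Type-Options: nosniff");
  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY") add("MEDIUM", "X-Frame-Options is not DENY", "Set X-Frame-Options: DENY (or frame-ancestors in CSP)");
  if (!h["referrer-policy"]) add("LOW", "Missing Referrer-Policy", "Set Referrer-Policy: no-referrer or strict-origin-when-cross-origin");
  if (!h["permissions-policy"]) add("LOW", "Missing Permissions-Policy", "Disable unused browser features via Permissions-Policy");
  if (production && h["access-control-allow-origin"] === "*") add("HIGH", "CORS allows any origin (*) in production", "Use an explicit origin allowlist");

  // Set-Cookie may be a single string or an array; check every cookie's attributes.
  const cookies = [].concat(h["set-cookie"] || []);
  for (const cookie of cookies) {
    const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
    const name = pair.split("=")[0];
    const flags = attrs.map((a) => a.toLowerCase());
    if (!flags.includes("httponly")) add("HIGH", `Cookie ${name} lacks HttpOnly`, "Add HttpOnly so scripts cannot read it");
    if (!flags.includes("secure")) add("HIGH", `Cookie ${name} lacks Secure`, "Add Secure so it is only sent over TLS");
    if (!flags.some((a) => a.startsWith("samesite="))) add("MEDIUM", `Cookie ${name} lacks SameSite`, "Add SameSite=Lax or SameSite=Strict");
  }
  return findings;
}

console.log(`weak: ${auditResponse(WEAK_RESPONSE).length} findings, hardened: ${auditResponse(HARDENED_RESPONSE).length} findings`);
```

To use it against a running service, feed it the headers from a real response (for Node's `http` this is `res.headers`, which is already lowercased); the `production` flag exists because a wildcard origin is tolerable on a local development server but not once `NODE_ENV=production`. A short HSTS `max-age` is reported separately from a missing header so the remediation is specific.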
### 4. Generate consolidated report

Output a structured report to the console:

```markdown
# Security Audit Report

**Date**: YYYY-MM-DD
**Project**: <name>
**Audits performed**: <list>
**Files analyzed**: N

## Executive Summary

<2-4 sentences on overall security posture>

**Findings**: N total (X critical, Y high, Z medium, W low)

## Critical Findings

- [ ] 🔴 `file:line` — **[OWASP A05]** Description
- [ ] 🔴 `file:line` — **[Secrets]** Description

## High Findings

- [ ] 🟠 `file:line` — **[Supply Chain]** Description

## Medium Findings

- [ ] 🟡 `file:line` — **[Hardening]** Description

## Low Findings

- [ ] 🔵 `file:line` — **[ASVS V14]** Description

## Per-Audit Details

### OWASP Top 10:2025
<detailed findings by category>

### STRIDE Threat Model
<data flow analysis, threat inventory>

### Supply Chain
<lockfile, install scripts, typosquatting findings>

### Secrets Scan
<secret patterns found, logging safety>

### CI/CD Security
<per-workflow findings>

### ASVS Compliance
<compliance matrix with percentages>

### Runtime Hardening
<header/CORS/cookie/TLS findings>

## Recommendations

1. Prioritized action list
2. ...

---
*Generated by /security-audit*
```