AgentSkillsCN

security-audit

Security audit using the OWASP Top 10 risk checklist, dependency scanning, secret detection, input validation and injection prevention. Use this skill when auditing code security, reviewing authentication implementations, handling user input, or hardening application security.

SKILL.md
---
name: security-audit
description: Security audit with OWASP top 10 checklist, dependency scanning, secrets detection, input validation, and injection prevention. Use when auditing code security, reviewing auth implementations, handling user input, or hardening applications.
metadata:
  version: "1.0"
allowed-tools: Bash Grep Read
---

Security Audit

Decision Tree

```text
Security concern → What type?
    ├─ Reviewing code changes → OWASP checklist below
    ├─ Handling user input → Where does it go?
    │   ├─ Database query → Parameterized queries (see references/injection-patterns.md)
    │   ├─ HTML output → Framework escaping (see references/injection-patterns.md)
    │   ├─ Shell command → Array arguments (see references/injection-patterns.md)
    │   ├─ File path → Resolve + verify within allowed dir
    │   └─ URL redirect → Allowlist or relative paths only
    ├─ Auditing dependencies → Run scanning commands below
    └─ Full security audit → All phases below
```

Phases

```text
Phase 1: Scan → Phase 2: Analyze → Phase 3: Report
```

OWASP Top 10 Checklist

| # | Vulnerability | Check |
|---|---|---|
| A01 | Broken Access Control | Auth on every endpoint, RBAC server-side, no IDOR |
| A02 | Cryptographic Failures | TLS everywhere, no MD5/SHA1 for passwords, secrets in env not code |
| A03 | Injection | Parameterized queries, no string concat for SQL/shell/HTML |
| A04 | Insecure Design | Rate limiting, account lockout, input size limits |
| A05 | Security Misconfiguration | No default creds, errors don't leak internals, CORS restricted |
| A06 | Vulnerable Components | Deps updated, no known CVEs, lockfile committed |
| A07 | Auth Failures | Strong passwords, MFA available, session timeout |
| A08 | Data Integrity | Signed updates, CI/CD secured, no untrusted deserialization |
| A09 | Logging Failures | Auth events logged, no sensitive data in logs |
| A10 | SSRF | URL validation, allowlists for external calls |

Scanning Commands

```bash
# Dependency vulnerabilities
npm audit                          # Node
pip-audit                          # Python (pip install pip-audit)

# Secret detection
gitleaks detect --source .

# Static analysis
semgrep --config auto .            # Multi-language
bandit -r .                        # Python
```

Input Validation Checklist

| Input | Validate |
|---|---|
| Strings | Max length, allowed characters, trim whitespace |
| Numbers | Min/max range, integer vs float, NaN check |
| Email | Format + domain check (not just regex) |
| URLs | Protocol allowlist (http/https only), no internal IPs |
| File uploads | Extension allowlist, MIME check, size limit |
| JSON body | Schema validation (zod, joi, pydantic) |
| IDs | Format check (UUID format, positive integer) |
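As an added illustration of the file-path and URL-redirect branches of the decision tree and the URLs row of the checklist above (example code written for this page, not part of the skill or its references), the Python below resolves a path and verifies it stays under an assumed upload root, gates outbound URLs on scheme and public IP, and restricts redirect targets to plain paths or an assumed host allowlist.

```python
import ipaddress
from pathlib import Path
from urllib.parse import urlsplit

# Constructed policy values for this example; a real app loads them from config.
UPLOAD_ROOT = Path("/srv/app/uploads")
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_HOSTS = {"example.com", "www.example.com"}


def safe_path(user_path: str, root: Path = UPLOAD_ROOT) -> Path:
    # resolve() collapses '..' and symlinks, so a traversing or absolute
    # user_path lands outside root and is rejected (decision tree: File path).
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes {root}: {user_path!r}")
    return candidate


def validate_external_url(url: str) -> str:
    # A10 SSRF gate: http/https only, host required, literal IP hosts must be
    # public. Names are not resolved here; re-check the address at connect time.
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return url  # named host: passes this gate
    if not ip.is_global:
        raise ValueError(f"non-public address rejected: {ip}")
    return url


def safe_redirect_target(target: str) -> str:
    # '//host' is scheme-relative and browsers normalise '/\host' to it, so both
    # are rejected; absolute URLs must use an allowlisted scheme and host.
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        raise ValueError(f"relative redirect must be a plain absolute path: {target!r}")
    if parts.scheme in ALLOWED_SCHEMES and parts.hostname in REDIRECT_HOSTS:
        return target
    raise ValueError(f"redirect target not allowlisted: {target!r}")
```

Each function raises ValueError on rejection, so callers fail closed by default rather than falling through to the unsafe operation.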

Response Headers

```text
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

Output Format

```text
[CRITICAL|HIGH|MEDIUM|LOW] Category - Finding
  Location: file:line
  Impact: What an attacker could do
  Fix: Specific remediation
```

For injection prevention patterns see: