AgentSkillsCN

security-audit

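Performs a security audit of code changes after implementation. Use it when implementing security-sensitive features (such as authentication, file operations, or input handling) or when the user requests a security review. For the slash command /security-check, it audits the entire project.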

SKILL.md
--- frontmatter
name: security-audit
description: Performs security audit on code changes after implementation. Use when implementing security-sensitive features (auth, file operations, input handling) or when user requests security review. For slash command /security-check, audit entire project.

Security Audit Skill

This skill performs a comprehensive security audit of the codebase, focusing on common vulnerability patterns.

Scope Determination

When invoked during normal workflow (after implementation):

  • Audit only the files that were modified or newly created in the current session
  • Focus on the specific features or changes that were just implemented

When invoked via /security-check slash command:

  • Audit the entire project codebase
  • Perform comprehensive security review across all modules

Task

Perform a security audit of the Go codebase, checking for the following vulnerability categories:

1. Path Traversal (CWE-22)

  • Look for file path operations that use user input
  • Check for proper validation of .., /, \, and absolute paths
  • Ensure filepath.Clean() is used appropriately
  • Verify paths are contained within expected directories

Key locations to check:

  • Any function that accepts bucket names or object keys
  • File system path construction (filepath.Join, string concatenation)
  • Directory traversal operations
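
An added example (not part of the original skill file) of the finding this category targets: an object-path builder that joins user input unchecked, next to a version that validates the bucket and key and confirms the result stays under the storage root. The function names, the root/bucket/key layout and the sample root are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errUnsafePath = errors.New("unsafe bucket or object key")

// unsafeObjectPath is the pattern the audit should flag: user input is
// joined to the root with no containment check, so "../" segments escape it.
func unsafeObjectPath(root, bucket, key string) string {
	return filepath.Join(root, bucket, key)
}

// safeObjectPath validates bucket and key, then verifies the cleaned result
// is still inside root. Names and layout are assumptions for this example.
func safeObjectPath(root, bucket, key string) (string, error) {
	// Bucket is a single path segment: no separators, NUL, or dot entries.
	if bucket == "" || bucket == "." || bucket == ".." || strings.ContainsAny(bucket, "/\\\x00") {
		return "", errUnsafePath
	}
	// Keys may contain "/" but not NUL, backslashes, or absolute paths.
	if key == "" || strings.ContainsAny(key, "\\\x00") || filepath.IsAbs(key) || strings.HasPrefix(key, "/") {
		return "", errUnsafePath
	}
	base := filepath.Join(filepath.Clean(root), bucket)
	full := filepath.Join(base, filepath.FromSlash(key)) // Join also calls Clean
	// Containment check: the relative path from base must not climb upward.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafePath
	}
	return full, nil
}

func main() {
	root := "/var/data" // constructed sample root
	for _, key := range []string{"photos/cat.png", "../../etc/passwd", "a/../../b", "x\x00.png"} {
		p, err := safeObjectPath(root, "bucket1", key)
		fmt.Printf("key=%q unsafe=%q safe=%q err=%v\n", key, unsafeObjectPath(root, "bucket1", key), p, err)
	}
}
```

The containment check is lexical only: it does not resolve symlinks that already exist under the root.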

2. Input Validation (CWE-20)

  • Check all user inputs are validated before use
  • Look for missing validation of:
    • Null bytes (\0)
    • Control characters
    • Special characters in paths
    • Size limits
    • Format validation

3. Authentication & Authorization (CWE-287, CWE-306)

  • Verify authentication is enabled by default (secure-by-default)
  • Check for hardcoded credentials
  • Ensure no default/weak credentials in production code
  • Verify proper session management

4. Timing Attacks (CWE-208)

  • Look for string comparisons of secrets using != or ==
  • Ensure crypto/subtle.ConstantTimeCompare is used for:
    • Password verification
    • Signature verification
    • Token comparison
    • Any secret comparison

5. Information Disclosure (CWE-200)

  • Check error messages don't leak sensitive information
  • Verify stack traces aren't exposed to clients
  • Ensure internal paths aren't revealed
  • Check that auth errors don't reveal user existence

6. Resource Exhaustion (CWE-400)

  • Check for unbounded reads from network/files
  • Verify file size limits are enforced
  • Look for missing Content-Length validation
  • Check for memory exhaustion vulnerabilities (io.ReadAll without limits)

7. Injection Vulnerabilities (CWE-74)

  • SQL injection (if database is used)
  • Command injection in os/exec calls (exec.Command)
  • Path injection in file operations
  • XML/JSON injection

8. Cryptographic Issues (CWE-327, CWE-338)

  • Check for weak cryptographic algorithms
  • Verify proper use of random number generation
  • Ensure TLS/SSL is properly configured
  • Check for insecure defaults

9. File Permission Issues (CWE-732)

  • Check directory/file permissions are restrictive (0600, 0700)
  • Verify no world-readable sensitive files
  • Check umask settings

10. Race Conditions (CWE-362)

  • Look for TOCTOU (time-of-check to time-of-use) issues
  • Check file operations for race conditions
  • Verify proper locking mechanisms

Output Format

Provide a structured report with:

  1. Summary: Overview of findings with severity levels
  2. Critical Issues: Vulnerabilities requiring immediate attention
  3. High Priority: Important security concerns
  4. Medium Priority: Issues that should be addressed
  5. Low Priority: Minor improvements
  6. Recommendations: Specific fixes for each issue

For each finding, include:

  • Location: File path and line numbers
  • Vulnerability Type: CWE classification
  • Description: What the issue is
  • Risk: Potential impact
  • Remediation: How to fix it
  • Code Example: Show vulnerable code and suggested fix

Search Strategy

  1. Use Grep to find potentially vulnerable patterns
  2. Read relevant files to understand context
  3. Analyze code flow and data handling
  4. Cross-reference with OWASP Top 10 and CWE database
  5. Provide actionable recommendations

Focus on:

  • Authentication/authorization code
  • File system operations
  • User input handling
  • Network operations
  • Cryptographic operations
  • Configuration management