Security Audit Skill
This skill performs a comprehensive security audit of the codebase, focusing on common vulnerability patterns.
Scope Determination
When invoked during normal workflow (after implementation):
- •Audit only the files that were modified or newly created in the current session
- •Focus on the specific features or changes that were just implemented
When invoked via /security-check slash command:
- •Audit the entire project codebase
- •Perform comprehensive security review across all modules
Task
Perform a security audit of the Go codebase, checking for the following vulnerability categories:
1. Path Traversal (CWE-22)
- •Look for file path operations that use user input
- •Check for proper validation of .., /, \, and absolute paths
- •Ensure filepath.Clean() is used appropriately
- •Verify paths are contained within expected directories
Key locations to check:
- •Any function that accepts bucket names or object keys
- •File system path construction (filepath.Join, string concatenation)
- •Directory traversal operations
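An added example (not code from the audited project) of what this check looks for: an object key joined onto a bucket directory with filepath.Join, next to a version that validates the input and verifies containment. The helper names, ErrUnsafeKey, the /srv/data root and the sample keys are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeKey is returned when a bucket name or object key could escape the bucket directory.
var ErrUnsafeKey = errors.New("unsafe bucket or object key")

// UnsafeObjectPath is the pattern to flag: filepath.Join cleans its result,
// so ".." segments in key are resolved and the path can leave root/bucket.
func UnsafeObjectPath(root, bucket, key string) string {
	return filepath.Join(root, bucket, key)
}

// SafeObjectPath (hypothetical helper) rejects separators, NUL bytes and absolute
// paths, then confirms the cleaned result is still inside root/bucket.
// The check is lexical only: it does not resolve symlinks.
func SafeObjectPath(root, bucket, key string) (string, error) {
	if bucket == "" || bucket == "." || bucket == ".." || strings.ContainsAny(bucket, "/\\\x00") {
		return "", ErrUnsafeKey
	}
	if key == "" || filepath.IsAbs(key) || strings.ContainsAny(key, "\\\x00") {
		return "", ErrUnsafeKey
	}
	base := filepath.Join(root, bucket)
	full := filepath.Join(base, key)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeKey
	}
	return full, nil
}

func main() {
	root := "/srv/data" // constructed sample storage root
	keys := []string{"photos/cat.png", "../other/secret", "a/../../etc/passwd", "/etc/passwd", "a\x00b"}
	for _, key := range keys {
		p, err := SafeObjectPath(root, "bucket1", key)
		fmt.Printf("%q unsafe=%q safe=%q err=%v\n", key, UnsafeObjectPath(root, "bucket1", key), p, err)
	}
}
```
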
2. Input Validation (CWE-20)
- •Check all user inputs are validated before use
- •Look for missing validation of:
  - •Null bytes (\0)
  - •Control characters
  - •Special characters in paths
  - •Size limits
  - •Format validation
3. Authentication & Authorization (CWE-287, CWE-306)
- •Verify authentication is enabled by default (secure-by-default)
- •Check for hardcoded credentials
- •Ensure no default/weak credentials in production code
- •Verify proper session management
4. Timing Attacks (CWE-208)
- •Look for string comparisons of secrets using != or ==
- •Ensure crypto/subtle.ConstantTimeCompare is used for:
  - •Password verification
  - •Signature verification
  - •Token comparison
  - •Any secret comparison
5. Information Disclosure (CWE-200)
- •Check error messages don't leak sensitive information
- •Verify stack traces aren't exposed to clients
- •Ensure internal paths aren't revealed
- •Check that auth errors don't reveal user existence
6. Resource Exhaustion (CWE-400)
- •Check for unbounded reads from network/files
- •Verify file size limits are enforced
- •Look for missing Content-Length validation
- •Check for memory exhaustion vulnerabilities (io.ReadAll without limits)
7. Injection Vulnerabilities (CWE-74)
- •SQL injection (if database is used)
- •Command injection in os/exec calls (exec.Command)
- •Path injection in file operations
- •XML/JSON injection
8. Cryptographic Issues (CWE-327, CWE-338)
- •Check for weak cryptographic algorithms
- •Verify proper use of random number generation
- •Ensure TLS/SSL is properly configured
- •Check for insecure defaults
9. File Permission Issues (CWE-732)
- •Check directory/file permissions are restrictive (0600, 0700)
- •Verify no world-readable sensitive files
- •Check umask settings
10. Race Conditions (CWE-362)
- •Look for TOCTOU (time-of-check to time-of-use) issues
- •Check file operations for race conditions
- •Verify proper locking mechanisms
Output Format
Provide a structured report with:
- •Summary: Overview of findings with severity levels
- •Critical Issues: Vulnerabilities requiring immediate attention
- •High Priority: Important security concerns
- •Medium Priority: Issues that should be addressed
- •Low Priority: Minor improvements
- •Recommendations: Specific fixes for each issue
For each finding, include:
- •Location: File path and line numbers
- •Vulnerability Type: CWE classification
- •Description: What the issue is
- •Risk: Potential impact
- •Remediation: How to fix it
- •Code Example: Show vulnerable code and suggested fix
Search Strategy
- •Use Grep to find potentially vulnerable patterns
- •Read relevant files to understand context
- •Analyze code flow and data handling
- •Cross-reference with OWASP Top 10 and CWE database
- •Provide actionable recommendations
Focus on:
- •Authentication/authorization code
- •File system operations
- •User input handling
- •Network operations
- •Cryptographic operations
- •Configuration management