Critical rules
- •ALWAYS use British English in code, comments, and documentation
- •ALWAYS prefer evidence from the codebase over assumptions
- •NEVER claim a dependency is safe without checking the lockfile or build manifest
- •NEVER suggest disabling security controls to pass tests
- •ALWAYS treat secrets and credentials as sensitive data
- •ALWAYS map findings to the OWASP Top Ten where applicable
- •NEVER introduce new dependencies unless explicitly requested
Workflow
General Security Review
- •Scope the review - Identify the target area (module, package, or change set)
- •Scan for secrets - Look for hard-coded credentials, tokens, or private keys
- •Validate input handling - Check for validation, normalisation, and boundary checks
- •Check authorisation - Ensure access control is enforced at each entry point
- •Inspect data handling - Confirm sensitive data is masked, encrypted, or minimised
- •Review error handling - Avoid leaking stack traces, SQL, or system details
- •Analyse dependency risk - Verify build manifests and lockfiles for known issues
- •Map to OWASP - Categorise any issues against OWASP Top Ten
- •Recommend fixes - Provide concrete, minimal changes and tests
Pre-Commit Security Check
When run before committing (auto-invoke: "Creating a git commit"):
- •Scan staged files only - Run
git diff --stagedto identify modified code - •Check for secrets - Search for credentials, API keys, tokens in staged changes
- •Validate no injection - Ensure no obvious SQL, command, or path injection in staged changes
- •Verify no access control bypass - Confirm no critical permissions logic removed
- •List findings - Order by severity (critical, high, medium, low)
- •Block or warn - Critical findings block commit; others are warnings
- •Report to user - Present findings with OWASP mapping and suggested fixes
OWASP Top Ten Mapping (2025)
- •A01:2025 - Broken Access Control
- •A02:2025 - Security Misconfiguration
- •A03:2025 - Software Supply Chain Failures
- •A04:2025 - Cryptographic Failures
- •A05:2025 - Injection
- •A06:2025 - Insecure Design
- •A07:2025 - Authentication Failures
- •A08:2025 - Software or Data Integrity Failures
- •A09:2025 - Security Logging and Alerting Failures
- •A10:2025 - Mishandling of Exceptional Conditions
Checks and heuristics
Code risks
- •Injection - Unsafe SQL, command, path, or template building
- •Input validation - Missing constraints or normalisation for user input
- •Authorisation - Missing permission checks on sensitive operations
- •Crypto - Weak algorithms, improper key storage, missing encryption
- •Secrets - Credentials in source code, configs, logs, or tests
- •Error leakage - Stack traces or internal details exposed to callers
Dependency risks
- •Outdated components - Unpinned versions or obsolete libraries
- •Known vulnerabilities - Check against advisories where possible
- •Supply chain - Unverified integrity or suspicious sources
Decision trees
When to flag a security finding
code
Is there a realistic attacker-controlled input? ├─ YES -> Is the input used in sensitive operations? │ ├─ YES -> Is it validated or safely encoded? │ ├─ NO -> Flag as finding │ └─ YES -> Likely OK, note validation └─ NO -> No finding unless it is a design flaw
When to map to OWASP A03
code
Is there a dependency? ├─ YES -> Is the version pinned and up to date? │ ├─ NO -> Map to A03 │ └─ YES -> Check advisories before clearing risk └─ NO -> Not applicable
Examples
Good: Parameterised query
- •Uses placeholders or a query builder instead of string concatenation
- •Input is validated before use
Good: Explicit access control
- •Permission checks occur at the boundary for each sensitive action
- •Deny by default
Bad: Hard-coded secrets
- •API keys or passwords in source control
- •Secrets in logs or stack traces
Bad: Unvalidated input
- •Request fields used directly in SQL, shell, or file paths
- •No length or format constraints
Output expectations
- •Findings - Ordered by severity with file and line references
- •OWASP mapping - Each finding mapped to the most relevant category
- •Fix plan - Minimal changes with test suggestions