Perform a security audit on: $ARGUMENTS
If no specific scope is provided, audit the entire src/ directory.
Follow these steps:
- Read your MEMORY.md for previously found vulnerabilities and patterns
- OWASP Top 10 systematic check:
  - A01: Broken Access Control — check auth/authz on all endpoints
  - A02: Cryptographic Failures — check encryption, key management, hashing
  - A03: Injection — SQL, NoSQL, OS command, LDAP injection vectors
  - A04: Insecure Design — business logic flaws, missing rate limits
  - A05: Security Misconfiguration — default configs, verbose errors, CORS
  - A06: Vulnerable Components — npm audit/pip audit
  - A07: Auth Failures — weak passwords, missing MFA, session management
  - A08: Data Integrity — deserialization, unsigned updates
  - A09: Logging Failures — sensitive data in logs, missing audit trail
  - A10: SSRF — server-side request forgery vectors
- Secrets scan: grep for API keys, tokens, passwords, connection strings
- Dependency audit: check all deps for known CVEs
- Smart contracts (if Solidity): reentrancy, integer overflow, access control, front-running
- Write report to docs/reviews/security-audit-{date}.md
- Update MEMORY.md with vulnerabilities and patterns found
- Update TECH_DEBT.md with security-related debt
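As an added worked example of the secrets-scan and report-writing steps (not part of the original command file): a POSIX shell script that greps a source tree for hard-coded credential shapes and writes the findings to docs/reviews/security-audit-{date}.md, recording only file:line so the report does not itself copy the secrets. The function names and the regex are assumptions; the patterns are a starting point and need tuning per codebase.

```shell
#!/bin/sh
# Secrets-scan step of the audit checklist (constructed example, not project code).
# Matches: apikey/secret/token/password assigned to a quoted literal of 8+ chars,
# or a URL-style connection string carrying user:password@ credentials.
Q="'"
SECRET_RE="(api[_-]?key|secret|token|passw(or)?d)[[:space:]]*[:=][[:space:]]*[\"$Q][^\"$Q]{8,}|[a-z]+://[^:/[:space:]]+:[^@[:space:]]+@"

scan_secrets() {
  # $1 = directory to scan. Prints file:line:content for each hit.
  # Exit status follows grep: 0 if anything matched, 1 if the tree looks clean.
  grep -rniE --exclude-dir=node_modules --exclude-dir=.git -e "$SECRET_RE" "$1" 2>/dev/null
}

write_report() {
  # $1 = directory audited, $2 = reports directory (e.g. docs/reviews).
  # Writes security-audit-YYYY-MM-DD.md and prints its path.
  report="$2/security-audit-$(date +%Y-%m-%d).md"
  mkdir -p "$2"
  findings=$(scan_secrets "$1" | wc -l | tr -d ' ')
  {
    echo "# Security audit: $1"
    echo
    echo "## Secrets scan ($findings finding(s))"
    echo
    if [ "$findings" -gt 0 ]; then
      # Keep only file:line; never paste the matched credential into the report.
      scan_secrets "$1" | cut -d: -f1,2 | sed 's/^/- /'
    else
      echo "No hard-coded credentials matched the scan patterns."
    fi
  } > "$report"
  echo "$report"
}

# Stand-alone use: ./audit-secrets.sh src docs/reviews
if [ -n "${1:-}" ]; then
  write_report "$1" "${2:-docs/reviews}"
fi
```

A hit is a lead, not a verdict: review each file:line by hand, since test fixtures and example configs match these patterns too.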