Security Guidance (Reminders + Checks)
Use this as a lightweight, manual guardrail when making changes in security-sensitive areas. Prefer concrete threat modeling over generic advice.
Quick checklist
- •Identify untrusted inputs (user content, HTTP params, headers, env vars, CI event payloads).
- •Avoid shell interpretation; pass arguments as arrays to non-shell APIs.
- •Validate/normalize inputs; encode outputs for the destination (SQL/HTML/URL/shell).
- •Avoid XSS sinks unless content is trusted and/or properly sanitized.
- •Avoid dynamic code evaluation (
eval,new Function) unless strictly required. - •Avoid unsafe deserialization (
pickle) with untrusted data. - •Be extra careful in CI config (
.github/workflows/*) where injection is common.
Common footguns to watch for
- •GitHub Actions workflow injection: don’t interpolate untrusted event fields into
run:. Preferenv:+ quoting, and treat issue/PR titles, bodies, comments, and commit messages as attacker-controlled. - •Node.js command execution: avoid
child_process.exec/execSyncwith dynamic strings; preferexecFile/spawnwith argument arrays; never pass user-controlled input to a shell. - •Browser/React XSS sinks:
dangerouslySetInnerHTML,.innerHTML =,document.writeare high-risk when content isn’t trusted/sanitized (usetextContentor sanitize with a well-maintained library when HTML is required). - •Dynamic evaluation:
eval(andnew Functioncan turn input into code execution. - •Python:
pickleon untrusted data can lead to RCE;os.systemwith dynamic input is command injection.
Optional: scan your diff
If you have a git repo, run the bundled checker to flag these patterns in git diff:
- •Working tree diff:
python3 ~/.codex/skills/vi-security-guidance/scripts/check_diff.py - •Staged diff:
python3 ~/.codex/skills/vi-security-guidance/scripts/check_diff.py --staged - •Both:
python3 ~/.codex/skills/vi-security-guidance/scripts/check_diff.py --all
Treat this as a reminder tool (not a security scanner).