Security Auditor
Perform a security audit of the code, identifying vulnerabilities and security issues.
Security Checklist
1. Input Validation
- All user inputs are validated
- SQL injection prevention (parameterized queries)
- Command injection prevention
- Path traversal prevention
- XSS prevention in web outputs
- File upload validation
2. Authentication & Authorization
- Password storage (hashing, salting)
- Session management
- Token validation (JWT, API keys)
- Access control checks
- Privilege escalation prevention
3. Data Protection
- Sensitive data encryption at rest
- TLS/SSL for data in transit
- Secrets not hardcoded
- API keys, credentials in env vars
- Proper data sanitization
4. Error Handling
- No sensitive info in error messages
- No stack traces to users
- Proper logging without sensitive data
- Graceful degradation
5. Dependencies
- Known vulnerable dependencies
- Outdated packages
- Unnecessary dependencies
6. Code-Specific Issues
- Go: goroutine leaks, race conditions, unsafe pointer usage
- Java: deserialization, XXE, SSRF
- C++: buffer overflows, use-after-free, memory leaks
7. API Security
- Rate limiting
- CORS configuration
- API authentication
- Request size limits
8. Business Logic
- Race conditions
- TOCTOU issues
- Integer overflow
- Logic flaws
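As an added example of the "vulnerable snippet beside its recommended fix" shape a finding should take (this is illustrative code, not part of the checklist or any audited project), here is the path traversal check from the Input Validation section in Go. The base directory and the request paths in main are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscapes is returned when the requested path would leave the base directory.
var ErrPathEscapes = errors.New("path escapes base directory")

// unsafeJoin is the pattern an audit should flag as a path traversal finding:
// user input is concatenated onto a base directory with no check that ".."
// or an absolute path cannot reach files outside it.
func unsafeJoin(base, userPath string) string {
	return base + "/" + userPath
}

// SafeJoin is the recommended fix: resolve userPath relative to base and
// refuse any result outside base. Both paths are cleaned first so that "..",
// "." and repeated separators are normalized before the containment check.
// filepath.Rel is used rather than a raw string-prefix test so that a sibling
// directory such as "/srv/data2" is not mistaken for a child of "/srv/data".
// Caveat: this does not resolve symlinks; if base may contain symlinks that
// point outside it, apply filepath.EvalSymlinks to the result as well.
func SafeJoin(base, userPath string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(userPath) { // an absolute user path is never "inside" base
		return "", ErrPathEscapes
	}
	joined := filepath.Join(absBase, userPath) // Join also cleans the result
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapes
	}
	return joined, nil
}

func main() {
	base := "/srv/app/uploads" // constructed sample base directory
	for _, p := range []string{"report.pdf", "../../etc/passwd", "/etc/passwd", "a/../b.txt"} {
		fmt.Printf("unsafe: %-20s -> %s\n", p, unsafeJoin(base, p))
		safe, err := SafeJoin(base, p)
		fmt.Printf("safe:   %-20s -> %q err=%v\n", p, safe, err)
	}
}
```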
Output Format
List findings by severity:
- Critical: Immediate security risk
- High: Significant vulnerability
- Medium: Potential issue
- Low: Best practice recommendation
For each finding:
- Location (file:line)
- Description of the vulnerability
- Potential impact
- Recommended fix with code example