AgentSkillsCN

security-review

安全审查清单与漏洞检测工具,可在提交前或处理敏感代码路径时使用

SKILL.md
--- frontmatter
name: security-review
description: 보안 검토 체크리스트 및 취약점 탐지. 커밋 전 또는 민감한 코드 경로 처리 시 사용

Security Review

Ensures all code follows security best practices and identifies potential vulnerabilities.

When to Activate

  • Handling user input
  • Creating new API endpoints
  • Working with secrets or credentials
  • Implementing authentication/authorization
  • Integrating external services
  • Before production deployments

Security Checklist

1. Secrets Management

  • No hardcoded API keys, tokens, or passwords
  • All secrets via environment variables
  • No secrets in git history
  • .env files in .gitignore

2. Input Validation

  • All user inputs validated
  • File uploads restricted (size, type)
  • No direct use of user input in commands/queries
  • Whitelist validation preferred over blacklist

3. Injection Prevention

  • Parameterized queries (no string concatenation in SQL)
  • Command injection prevention
  • Path traversal prevention

4. Authentication & Authorization

  • Auth checks on every protected endpoint
  • Principle of least privilege
  • Session management secure
  • Brute force protection

5. Error Handling

  • No sensitive data in error messages
  • Generic error messages for users
  • Detailed errors only in server logs
  • No stack traces exposed

6. Go-Specific Security

  • No unsafe pointer usage without justification
  • Goroutine leaks prevented (context cancellation)
  • Race conditions checked (go test -race)
  • crypto/rand for security-critical randomness
  • Proper TLS configuration

7. Dependency Security

bash
# Check for vulnerabilities
go list -m all
govulncheck ./...

Pre-Commit Security Scan

bash
# Search for hardcoded secrets
grep -rn "password\|secret\|api_key\|token\|private_key" --include="*.go" .
# Check for TODO security items
grep -rn "TODO.*security\|FIXME.*security" --include="*.go" .

Response Protocol

If CRITICAL vulnerability found:

  1. STOP all other work
  2. Report the finding
  3. Suggest immediate fix
  4. Check for similar patterns across codebase
  5. Recommend secret rotation if needed