author Craig Jennings <c@cjennings.net> 2026-03-29 16:25:05 -0500
committer Craig Jennings <c@cjennings.net> 2026-03-29 16:25:05 -0500
commit 861bab677b4632e9d30e6318bc2a35c36ee77105 (patch)
tree 22dc96a5eeba6250f4697b2daf573289e9fea8f2 /security-check/SKILL.md
parent 24a3b7fe059f3d95d47432c4593993fa5001f18f (diff)
Add general-purpose skills and rules from DeepSat coding-rulesets

Skills (adapted from DeepSat, stripped of project-specific references):
- /review-pr: PR review against engineering standards
- /fix-issue: issue-to-merge TDD workflow
- /security-check: secrets, OWASP, and dependency audit
- /debug: systematic 4-phase debugging
- /add-tests: test coverage analysis and generation
- /respond-to-review: evaluate and implement code review feedback

Rules (general-purpose, copied as-is):
- testing.md: universal TDD standards and anti-patterns
- verification.md: proof over assumption

Makefile updated to install both skills and rules via symlinks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Diffstat (limited to 'security-check/SKILL.md')
-rw-r--r-- security-check/SKILL.md 48
1 files changed, 48 insertions, 0 deletions
diff --git a/security-check/SKILL.md b/security-check/SKILL.md
new file mode 100644
index 0000000..ca431e0
--- /dev/null
+++ b/security-check/SKILL.md
@@ -0,0 +1,48 @@
+# /security-check — Audit Changes for Security Issues
+
+Scan staged or recent changes for secrets, OWASP vulnerabilities, and dependency risks.
+
+## Usage
+
+```
+/security-check [FILE_OR_DIRECTORY]
+```
+
+If no argument is given, audit all staged changes (`git diff --cached`). If there are no staged changes, audit the diff from the last commit.
+
+## Instructions
+
+1. **Gather the changes** to audit:
+ - Staged changes: `git diff --cached`
+ - Or last commit: `git diff HEAD~1`
+ - Or specific path if provided
+
+2. **Check for hardcoded secrets** — scan for patterns:
+ - AWS access keys (`AKIA...`)
+ - Generic secret patterns (`sk-`, `sk_live_`, `sk_test_`)
+ - Password assignments (`password=`, `passwd=`, `secret=`)
+ - Private keys (`-----BEGIN.*PRIVATE KEY-----`)
+ - `.env` file contents committed by mistake
+ - API tokens, JWTs, or bearer tokens in source code
+
+3. **OWASP Top 10 review**:
+ - SQL injection: string concatenation in queries
+ - XSS: unsanitized user input rendered in HTML/JSX
+ - Broken authentication: missing permission checks on endpoints
+ - Insecure deserialization: unsafe deserialization of untrusted data (e.g., eval, exec)
+ - Security misconfiguration: debug mode enabled in production settings
+ - Sensitive data exposure: PII or tokens in log statements
+
+4. **Dependency audit**:
+ - Run `pip-audit` if Python files changed
+ - Run `npm audit` if JavaScript/TypeScript files changed
+ - Flag any new dependencies added without version pinning
+
+5. **Report findings** in a table:
+
+ | Severity | File:Line | Finding | Recommendation |
+ |----------|-----------|---------|----------------|
+
+ Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO
+
+6. If no issues found, report "No security issues detected" with a summary of what was checked.
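
Review bot: In step 1, `git diff HEAD~1` compares the parent commit with the working tree, so it also picks up any uncommitted working-tree edits rather than only "the diff from the last commit" that the Usage section promises; `git diff HEAD~1 HEAD` or `git show HEAD` would match the stated behaviour, and the instructions should say what to do in a repository with a single commit, where `HEAD~1` does not exist. In step 3, the examples given for insecure deserialization (`eval`, `exec`) are code-execution sinks rather than deserializers, and "missing permission checks on endpoints" describes broken access control rather than broken authentication, so the labels and examples should be aligned. Step 5 should also state that matched secret values are redacted in the Finding column, since the report table would otherwise repeat the credential it flags.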