-rw-r--r-- .claude/commands/security-check.md 31
1 files changed, 22 insertions, 9 deletions
diff --git a/.claude/commands/security-check.md b/.claude/commands/security-check.md
index 0880e99..4833257 100644
--- a/.claude/commands/security-check.md
+++ b/.claude/commands/security-check.md
@@ -30,24 +30,37 @@ If no argument is given, audit all staged changes (`git diff --cached`). If ther
- `.env` file contents committed by mistake
- API tokens, JWTs, or bearer tokens in source code
-3. **OWASP Top 10 review**:
- - SQL injection: string concatenation in queries
- - XSS: unsanitized user input rendered in HTML/JSX
- - Broken authentication: missing permission checks on endpoints
- - Insecure deserialization: unsafe deserialization of untrusted data (e.g., eval, exec)
- - Security misconfiguration: debug mode enabled in production settings
- - Sensitive data exposure: PII or tokens in log statements
+3. **OWASP review** — map each finding to an OWASP Top 10 2021 category or an OWASP WSTG test area:
+ - Broken Access Control: missing or weak object-level authorization (one user reaching another's records via an ID), missing function-level authorization (privileged endpoints reachable without a role check), and missing permission checks on endpoints generally
+ - Cryptographic Failures: weak or absent encryption, hardcoded keys, plaintext storage of sensitive data
+ - Injection: SQL injection via string concatenation in queries, command injection, XSS via unsanitized user input rendered in HTML/JSX
+ - Insecure Design: missing rate limits, trust boundaries that assume well-behaved clients, business-logic flaws no input filter can patch
+ - Security Misconfiguration: debug mode enabled in production settings, verbose error pages, permissive CORS, default credentials
+ - Vulnerable and Outdated Components: see the dependency audit in step 4
+ - Identification and Authentication Failures: weak session handling, missing brute-force protection, predictable tokens
+ - Software and Data Integrity Failures: unverified update/plugin/dependency paths (installs from untrusted sources, no checksum or signature check), unsafe deserialization of untrusted data (e.g., eval, exec, pickle)
+ - Security Logging and Monitoring Failures: security-relevant events that go unlogged (auth failures, access-control denials), and PII or tokens leaking into log statements
+ - SSRF: URL-fetch code paths that take a user-supplied or partly-user-supplied URL without validating it against an allowlist, letting the server reach internal addresses
4. **Dependency audit**:
- Run `pip-audit` if Python files changed
- Run `npm audit` if JavaScript/TypeScript files changed
+ - Run any OSV scanner the project configures (e.g. `osv-scanner`) for broader ecosystem coverage
+ - Review the lockfile diff — a changed `package-lock.json`, `poetry.lock`, or equivalent can pull in a new transitive dependency the manifest diff doesn't show
- Flag any new dependencies added without version pinning
-5. **Report findings** in a table:
+5. **Optional configured scanners** — run these when the project has them set up, and skip cleanly when it doesn't:
+ - Secrets: `gitleaks` or `trufflehog` over the diff
+ - Source patterns: `semgrep` with the project's ruleset
+ - These supplement the manual scans in steps 2 and 3; they don't replace them
+
+ **Network caveat:** dependency audits and OSV scanners often need network access to reach their advisory databases. When a scan can't run — offline, the tool isn't installed, or the database is unreachable — report it as **not run** in the findings, naming the tool and the reason. Never let a skipped scan read as a pass. A check that didn't run is not a check that found nothing.
+
+6. **Report findings** in a table:
| Severity | File:Line | Finding | Recommendation |
|----------|-----------|---------|----------------|
Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO
-6. If no issues found, report "No security issues detected" with a summary of what was checked.
+7. If no issues found, report "No security issues detected" with a summary of what was checked, including any scans reported as not run per step 5.
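Review bot: the new step 7 still lets a run with skipped scans end in "No security issues detected", which is the outcome the Network caveat under step 5 says must not happen ("Never let a skipped scan read as a pass"). Suggest making the clean verdict conditional: either withhold it whenever any scan is reported as not run, or word it as applying only to the checks that actually ran and list the not-run tools before it. Two related gaps in the same hunk: the step 6 table has only the columns Severity, File:Line, Finding and Recommendation, and the severity list stops at CRITICAL, HIGH, MEDIUM, LOW, INFO, so there is no defined row shape for a not-run scan (state which severity it takes and what goes in File:Line, or add a separate "Scans not run" list). And step 7 says "per step 5", but the caveat also covers the dependency audits of step 4, so the reference should name both steps, or the caveat should move out from under step 5 into its own numbered step.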