Diffstat (limited to 'security-check')
| Mode | File | Lines |
|------|------|-------|
| -rw-r--r-- | security-check/SKILL.md | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/security-check/SKILL.md b/security-check/SKILL.md deleted file mode 100644 index ca431e0..0000000 --- a/security-check/SKILL.md +++ /dev/null @@ -1,48 +0,0 @@ -# /security-check — Audit Changes for Security Issues - -Scan staged or recent changes for secrets, OWASP vulnerabilities, and dependency risks. - -## Usage - -``` -/security-check [FILE_OR_DIRECTORY] -``` - -If no argument is given, audit all staged changes (`git diff --cached`). If there are no staged changes, audit the diff from the last commit. - -## Instructions - -1. **Gather the changes** to audit: - - Staged changes: `git diff --cached` - - Or last commit: `git diff HEAD~1` - - Or specific path if provided - -2. **Check for hardcoded secrets** — scan for patterns: - - AWS access keys (`AKIA...`) - - Generic secret patterns (`sk-`, `sk_live_`, `sk_test_`) - - Password assignments (`password=`, `passwd=`, `secret=`) - - Private keys (`-----BEGIN.*PRIVATE KEY-----`) - - `.env` file contents committed by mistake - - API tokens, JWTs, or bearer tokens in source code - -3. **OWASP Top 10 review**: - - SQL injection: string concatenation in queries - - XSS: unsanitized user input rendered in HTML/JSX - - Broken authentication: missing permission checks on endpoints - - Insecure deserialization: unsafe deserialization of untrusted data (e.g., eval, exec) - - Security misconfiguration: debug mode enabled in production settings - - Sensitive data exposure: PII or tokens in log statements - -4. **Dependency audit**: - - Run `pip-audit` if Python files changed - - Run `npm audit` if JavaScript/TypeScript files changed - - Flag any new dependencies added without version pinning - -5. **Report findings** in a table: - - | Severity | File:Line | Finding | Recommendation | - |----------|-----------|---------|----------------| - - Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO - -6. If no issues found, report "No security issues detected" with a summary of what was checked. |
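Review bot: this hunk deletes security-check/SKILL.md outright with no replacement and no pointer to where the `/security-check` workflow now lives; if the secret-pattern list, the OWASP checklist and the `pip-audit` / `npm audit` steps it documents have been moved or folded into another skill, the change should say where, otherwise it silently drops the project's only documented pre-commit security audit. If any of this content is being carried over, two small corrections are worth making on the way: step 1's fallback `git diff HEAD~1` fails on a repository's first commit (`git show --format= HEAD` or `git diff HEAD~1 2>/dev/null || git show HEAD` is safer), and the "Insecure deserialization" bullet actually describes code injection via `eval`/`exec`, which should be its own item alongside unsafe `pickle`/`yaml.load`-style deserialization.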
