---
description: Audit staged changes (or a specific file/directory) for security issues in three categories. Hardcoded secrets — AWS keys, `sk-`/`sk_live_`/`sk_test_` patterns, password/secret assignments, private-key blocks, `.env` contents, API tokens, JWTs, bearer tokens. OWASP top-10 — SQL injection via string concatenation, XSS via unsanitized rendering, missing permission checks, unsafe deserialization (`eval`/`exec` on untrusted data), debug-mode misconfigs, PII or tokens in logs. Dependency risks — runs `pip-audit` for Python diffs, `npm audit` for JS/TS diffs, flags new unpinned deps. Scope defaults to `git diff --cached`; falls back to the last commit if nothing's staged; an explicit path overrides. Reports findings in a severity-ranked table (CRITICAL/HIGH/MEDIUM/LOW/INFO) with file:line + recommendation per row, or a "no issues detected" verdict listing what was checked. Use before committing changes touching security-sensitive paths. Do NOT use for full-codebase audits (diff-scoped — see Claude Code's `/security-review` for branch-wide review), runtime/fuzzing analysis, or as a substitute for full-lockfile dependency scanning.
disable-model-invocation: true
---

# /security-check — Audit Changes for Security Issues

Scan staged or recent changes for secrets, OWASP vulnerabilities, and dependency risks.

## Usage

```
/security-check [FILE_OR_DIRECTORY]
```

If no argument is given, audit all staged changes (`git diff --cached`). If there are no staged changes, audit the diff from the last commit.

## Instructions

1. **Gather the changes** to audit:
   - Staged changes: `git diff --cached`
   - Or last commit: `git diff HEAD~1`
   - Or specific path if provided

2. **Check for hardcoded secrets** — scan for patterns:
   - AWS access keys (`AKIA...`)
   - Generic secret patterns (`sk-`, `sk_live_`, `sk_test_`)
   - Password assignments (`password=`, `passwd=`, `secret=`)
   - Private keys (`-----BEGIN.*PRIVATE KEY-----`)
   - `.env` file contents committed by mistake
   - API tokens, JWTs, or bearer tokens in source code

3. **OWASP review** — map each finding to an OWASP Top 10 2021 category or an OWASP WSTG test area:
   - Broken Access Control: missing or weak object-level authorization (one user reaching another's records via an ID), missing function-level authorization (privileged endpoints reachable without a role check), and missing permission checks on endpoints generally
   - Cryptographic Failures: weak or absent encryption, hardcoded keys, plaintext storage of sensitive data
   - Injection: SQL injection via string concatenation in queries, command injection, XSS via unsanitized user input rendered in HTML/JSX
   - Insecure Design: missing rate limits, trust boundaries that assume well-behaved clients, business-logic flaws no input filter can patch
   - Security Misconfiguration: debug mode enabled in production settings, verbose error pages, permissive CORS, default credentials
   - Vulnerable and Outdated Components: see the dependency audit in step 4
   - Identification and Authentication Failures: weak session handling, missing brute-force protection, predictable tokens
   - Software and Data Integrity Failures: unverified update/plugin/dependency paths (installs from untrusted sources, no checksum or signature check), unsafe deserialization of untrusted data (e.g., `eval`, `exec`, `pickle`)
   - Security Logging and Monitoring Failures: security-relevant events that go unlogged (auth failures, access-control denials), and PII or tokens leaking into log statements
   - SSRF: URL-fetch code paths that take a user-supplied or partly-user-supplied URL without validating it against an allowlist, letting the server reach internal addresses

4. **Dependency audit**:
   - Run `pip-audit` if Python files changed
   - Run `npm audit` if JavaScript/TypeScript files changed
   - Run any OSV scanner the project configures (e.g. `osv-scanner`) for broader ecosystem coverage
   - Review the lockfile diff — a changed `package-lock.json`, `poetry.lock`, or equivalent can pull in a new transitive dependency the manifest diff doesn't show
   - Flag any new dependencies added without version pinning

5. **Optional configured scanners** — run these when the project has them set up, and skip cleanly when it doesn't:
   - Secrets: `gitleaks` or `trufflehog` over the diff
   - Source patterns: `semgrep` with the project's ruleset
   - These supplement the manual scans in steps 2 and 3; they don't replace them

   **Network caveat:** dependency audits and OSV scanners often need network access to reach their advisory databases. When a scan can't run — offline, the tool isn't installed, or the database is unreachable — report it as **not run** in the findings, naming the tool and the reason. Never let a skipped scan read as a pass. A check that didn't run is not a check that found nothing.

6. **Report findings** in a table:

   | Severity | File:Line | Finding | Recommendation |
   |----------|-----------|---------|----------------|

   Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO

7. If no issues found, report "No security issues detected" with a summary of what was checked, including any scans reported as not run per step 5.
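
Steps 1, 2 and 6 expressed as code, as an added example that is not part of the command itself: it parses unified diff text such as the output of `git diff --cached`, scans only the added lines for the step 2 patterns, and returns severity-ranked `file:line` findings. The exact regexes, the severity assigned to each pattern, and the sample diff are assumptions of this example.

```python
import re
# Pattern names follow step 2; the exact regexes and severities are assumptions.
PATTERNS = [
    ("CRITICAL", "AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("CRITICAL", "Private key block", re.compile(r"-----BEGIN.*PRIVATE KEY-----")),
    ("HIGH", "sk- style secret key",
     re.compile(r"\bsk(?:-|_live_|_test_)[A-Za-z0-9]{16,}")),
    # Requires a quoted literal so lookups like os.environ[...] are not flagged.
    ("HIGH", "Hardcoded password/secret assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret)\s*=\s*['\"][^'\"]+['\"]")),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
RANK = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]

def scan_diff(diff_text):
    """Return (severity, 'file:line', finding) for added lines; '-' lines are skipped."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False                      # next file's headers follow
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif m := HUNK.match(raw):
            line_no, in_hunk = int(m.group(1)), True
        elif in_hunk and raw.startswith("+"):
            for sev, name, rx in PATTERNS:
                if rx.search(raw[1:]):
                    findings.append((sev, f"{path}:{line_no}", name))
            line_no += 1
        elif in_hunk and raw.startswith(" "):
            line_no += 1                         # context line exists in new file
    return sorted(findings, key=lambda f: RANK.index(f[0]))

# Constructed sample diff (the key is AWS's documented example value).
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,2 +10,4 @@ DEBUG = False
 DATABASE = "app"
-password = os.environ["DB_PASSWORD"]
+password = "hunter2-constructed"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+db_user = os.environ["DB_USER"]
"""

if __name__ == "__main__":
    print("\n".join(f"| {s} | {loc} | {n} |" for s, loc, n in scan_diff(SAMPLE_DIFF)))
```

Regex matching of this kind covers only the fixed-shape patterns in step 2; JWTs, bearer tokens and committed `.env` contents still need the manual review or a configured scanner from step 5.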