path: root/.claude/commands/security-check.md
blob: 48332573e068f9587b6c4c0e42a0c146867dbd2e (plain)
---
description: Audit staged changes (or a specific file/directory) for security issues in three categories. Hardcoded secrets — AWS keys, `sk-`/`sk_live_`/`sk_test_` patterns, password/secret assignments, private-key blocks, `.env` contents, API tokens, JWTs, bearer tokens. OWASP top-10 — SQL injection via string concatenation, XSS via unsanitized rendering, missing permission checks, unsafe deserialization (`eval`/`exec` on untrusted data), debug-mode misconfigs, PII or tokens in logs. Dependency risks — runs `pip-audit` for Python diffs, `npm audit` for JS/TS diffs, flags new unpinned deps. Scope defaults to `git diff --cached`; falls back to the last commit if nothing's staged; an explicit path overrides. Reports findings in a severity-ranked table (CRITICAL/HIGH/MEDIUM/LOW/INFO) with file:line + recommendation per row, or a "no issues detected" verdict listing what was checked. Use before committing changes touching security-sensitive paths. Do NOT use for full-codebase audits (diff-scoped — see Claude Code's `/security-review` for branch-wide review), runtime/fuzzing analysis, or as a substitute for full-lockfile dependency scanning.
disable-model-invocation: true
---

# /security-check — Audit Changes for Security Issues

Scan staged or recent changes for secrets, OWASP vulnerabilities, and dependency risks.

## Usage

```
/security-check [FILE_OR_DIRECTORY]
```

If no argument is given, audit all staged changes (`git diff --cached`). If there are no staged changes, audit the diff from the last commit.

## Instructions

1. **Gather the changes** to audit:
   - Staged changes: `git diff --cached`
   - Or last commit: `git diff HEAD~1`
   - Or specific path if provided

2. **Check for hardcoded secrets** — scan for patterns:
   - AWS access keys (`AKIA...`)
   - Generic secret patterns (`sk-`, `sk_live_`, `sk_test_`)
   - Password assignments (`password=`, `passwd=`, `secret=`)
   - Private keys (`-----BEGIN.*PRIVATE KEY-----`)
   - `.env` file contents committed by mistake
   - API tokens, JWTs, or bearer tokens in source code

3. **OWASP review** — map each finding to an OWASP Top 10 2021 category or an OWASP WSTG test area:
   - Broken Access Control: missing or weak object-level authorization (one user reaching another's records via an ID), missing function-level authorization (privileged endpoints reachable without a role check), and missing permission checks on endpoints generally
   - Cryptographic Failures: weak or absent encryption, hardcoded keys, plaintext storage of sensitive data
   - Injection: SQL injection via string concatenation in queries, command injection, XSS via unsanitized user input rendered in HTML/JSX
   - Insecure Design: missing rate limits, trust boundaries that assume well-behaved clients, business-logic flaws no input filter can patch
   - Security Misconfiguration: debug mode enabled in production settings, verbose error pages, permissive CORS, default credentials
   - Vulnerable and Outdated Components: see the dependency audit in step 4
   - Identification and Authentication Failures: weak session handling, missing brute-force protection, predictable tokens
   - Software and Data Integrity Failures: unverified update/plugin/dependency paths (installs from untrusted sources, no checksum or signature check), unsafe deserialization of untrusted data (e.g., eval, exec, pickle)
   - Security Logging and Monitoring Failures: security-relevant events that go unlogged (auth failures, access-control denials), and PII or tokens leaking into log statements
   - SSRF: URL-fetch code paths that take a user-supplied or partly-user-supplied URL without validating it against an allowlist, letting the server reach internal addresses

4. **Dependency audit**:
   - Run `pip-audit` if Python files changed
   - Run `npm audit` if JavaScript/TypeScript files changed
   - Run any OSV scanner the project configures (e.g. `osv-scanner`) for broader ecosystem coverage
   - Review the lockfile diff — a changed `package-lock.json`, `poetry.lock`, or equivalent can pull in a new transitive dependency the manifest diff doesn't show
   - Flag any new dependencies added without version pinning

5. **Optional configured scanners** — run these when the project has them set up, and skip cleanly when it doesn't:
   - Secrets: `gitleaks` or `trufflehog` over the diff
   - Source patterns: `semgrep` with the project's ruleset
   - These supplement the manual scans in steps 2 and 3; they don't replace them

   **Network caveat:** dependency audits and OSV scanners often need network access to reach their advisory databases. When a scan can't run — offline, the tool isn't installed, or the database is unreachable — report it as **not run** in the findings, naming the tool and the reason. Never let a skipped scan read as a pass. A check that didn't run is not a check that found nothing.

6. **Report findings** in a table:

   | Severity | File:Line | Finding | Recommendation |
   |----------|-----------|---------|----------------|

   Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO

7. If no issues found, report "No security issues detected" with a summary of what was checked, including any scans reported as not run per step 5.
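
The following is an added example, not part of this command file or the project's own code. It sketches how step 2's secret patterns can be applied to the added lines of a unified diff while tracking the `file:line` values that step 6 reports, plus step 5's rule that a missing scanner is recorded as not run. The function names, the severity assigned to each pattern, the 16-character tail after `AKIA`, and the sample diff are assumptions constructed for illustration.

```python
import re
import shutil

# Patterns from step 2. Severities and the AKIA tail length are assumptions.
PATTERNS = [
    ("CRITICAL", "Private key block", re.compile(r"-----BEGIN.*PRIVATE KEY-----")),
    ("CRITICAL", "AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("HIGH", "sk-prefixed secret", re.compile(r"\bsk(?:-|_live_|_test_)[A-Za-z0-9]{8,}")),
    ("HIGH", "Hardcoded credential assignment",
     re.compile(r"(?i)(?:password|passwd|secret)\s*=\s*['\"][^'\"]+['\"]")),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]

def scan_diff(diff_text):
    """Return (severity, 'file:line', pattern name) per hit; the secret is not echoed."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            in_hunk, lineno = True, int(m.group(1))
        elif in_hunk and line.startswith("+"):
            for sev, name, rx in PATTERNS:
                if rx.search(line[1:]):
                    findings.append((sev, f"{path}:{lineno}", name))
            lineno += 1
        elif in_hunk and line.startswith(" "):
            lineno += 1  # context advances new-file numbering; "-" lines do not
    return sorted(findings, key=lambda f: ORDER.index(f[0]))

def not_run(tools):
    """Scanners missing from PATH are listed as not run, never counted as a pass."""
    return [(t, "not installed") for t in tools if shutil.which(t) is None]

# Constructed sample diff; the credential values are fake.
SAMPLE_DIFF = '''\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,3 +10,4 @@
 DB_HOST = "db.internal"
-DB_USER = "app"
+password = "constructed-example-only"
+AWS_KEY = "AKIAEXAMPLEEXAMPLE00"
 TIMEOUT = 30
'''
```

Only added lines are matched, so a secret that a diff removes is not reported, and line numbers follow the new side of each hunk.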