| name | security-audit |
| description | RLS validation, security audits, OWASP compliance, and vulnerability scanning. Use when validating RLS policies, auditing API routes, scanning for security issues, or reviewing code for vulnerabilities. |
Security Audit Skill
Purpose
Guide security validation with RLS enforcement, OWASP compliance, and vulnerability detection following security-first architecture.
When This Skill Applies
- Validating RLS policies
- Auditing API routes for auth
- Vulnerability scanning
- Pre-deployment security review
- Checking for exposed credentials
- Reviewing database access patterns
Stop-the-Line Conditions
FORBIDDEN Patterns
const users = await prisma.user.findMany();
export async function GET(req: Request) {
return getUserData();
}
const API_KEY = "sk_live_abc123";
const query = `SELECT * FROM users WHERE id = ${userId}`;
CORRECT Patterns
const users = await withUserContext(prisma, userId, async client => {
return client.user.findMany();
});
export async function GET(req: Request) {
const { userId } = await auth();
if (!userId) {
return new Response("Unauthorized", { status: 401 });
}
return getUserData(userId);
}
const API_KEY = process.env.STRIPE_SECRET_KEY;
const user = await prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`;
Security Audit Checklist
1. RLS Validation
grep -r "prisma\." --include="*.ts" app/ lib/ | grep -v "withUserContext\|withAdminContext\|withSystemContext"
2. Authentication Checks
grep -r "export async function" --include="route.ts" app/ | head -20
3. Credential Scanning
grep -rE "(sk_live|pk_live|password|secret|key)" --include="*.ts" --include="*.tsx" | grep -v "process.env\|.env"
4. Dependency Vulnerabilities
npm audit
yarn audit
npm audit --audit-level=high
5. Input Validation
OWASP Top 10 Checklist
| Risk | Check | Status |
|---|
| A01 Broken Access | RLS enforced, auth on all routes | ☐ |
| A02 Crypto Failures | Secrets in env vars only | ☐ |
| A03 Injection | Parameterized queries, Zod | ☐ |
| A04 Insecure Design | Auth-first pattern followed | ☐ |
| A05 Misconfiguration | Prod env properly secured | ☐ |
| A06 Vulnerable Deps | npm audit clean | ☐ |
| A07 Auth Failures | Auth integration correct | ☐ |
| A08 Data Integrity | RLS prevents tampering | ☐ |
| A09 Logging Failures | Security events logged | ☐ |
| A10 SSRF | External URLs validated | ☐ |
Security Validation Commands
npm audit && yarn lint && echo "Security checks passed"
grep -r "prisma\." --include="*.ts" app/ lib/ | wc -l
git secrets --scan
grep -rE "sk_|pk_|password=" . --include="*.ts"
Pre-Deployment Security Review
Before ANY production deployment:
Security Audit Report Template
## Security Audit Report - REN-XXX
### Summary
- **Date**: [date]
- **Auditor**: Security Engineer
- **Scope**: [what was audited]
### Findings
| Severity | Issue | Location | Status |
| -------- | ----- | -------- | ------ |
| HIGH | ... | ... | FIXED |
| MEDIUM | ... | ... | OPEN |
### RLS Validation
- [x] All tables have RLS enabled
- [x] User isolation verified
- [x] Admin policies scoped correctly
### Recommendations
1. [recommendation]
2. [recommendation]
### Approval
- [ ] Security Engineer approves
- [ ] Ready for deployment
Reference
- Security Architecture:
docs/guides/SECURITY_FIRST_ARCHITECTURE.md
- RLS Implementation:
docs/database/RLS_IMPLEMENTATION_GUIDE.md
- RLS Policies:
docs/database/RLS_POLICY_CATALOG.md
- OWASP Top 10: https://owasp.org/Top10/