| name | review-security |
| description | Security audit of the codebase — checks authentication, authorization, input validation, secret handling, injection risks, and OWASP Top 10 concerns. Produces a prioritized findings report. |
| license | MIT |
| compatibility | NestJS + Next.js monorepo |
| metadata | {"author":"project","version":"1.0"} |
Perform a security audit of this NestJS + Next.js monorepo. Identify vulnerabilities, misconfigurations, and deviations from security best practices.
Do not exploit or modify anything. This is a read-only security analysis.
Audit Checklist
1. Authentication
grep -r "@Public()" apps --include="*.ts" -n
grep -r "jwt\|passport\|jsonwebtoken" apps --include="*.ts" -l
grep -r "APP_GUARD" apps --include="*.ts" -n
2. Authorization
grep -r "RoleEnum\|role.*check\|hasRole" apps --include="*.ts" -n
grep -r "MicroserviceAuthGuard" apps --include="*.ts" -n
3. Input Validation
grep -r "req\.body\|request\.body" apps --include="*.ts" -n | grep -v "test\|spec"
grep -r "@Body() body: any\|@Query() query: any" apps --include="*.ts" -n
4. Secret Handling
grep -r "process\.env" apps packages --include="*.ts" | grep -v "main.ts\|test\|spec"
grep -rE "(password|secret|key|token)\s*=\s*['\"][^$\{]" apps --include="*.ts"
5. Injection Risks
grep -r "\$queryRaw\|queryRawUnsafe\|executeRaw" apps packages --include="*.ts" -n
grep -r "\.find({.*\$where\|\.aggregate(" apps packages --include="*.ts" -n
6. HTTP Security Headers
grep -r "useHelmet\|helmet" apps --include="*.ts" -n
grep -r "cors.*origin" apps --include="*.ts" -n
7. Error Handling
grep -r "AllExceptionFilter" packages/shared/src --include="*.ts" -n
grep -r "throw new Error\|throw Error" apps --include="*.ts" -n | grep -v "test\|spec"
8. Dependencies
grep -r "bullmq" apps packages --include="*.ts" -l
grep -r "passport\|jwt" package.json apps/*/package.json packages/*/package.json 2>/dev/null
9. Next.js Specific
grep -r "NEXT_PUBLIC_.*SECRET\|NEXT_PUBLIC_.*KEY\|NEXT_PUBLIC_.*TOKEN" apps/web -n
grep -r "dangerouslySetInnerHTML" apps/web --include="*.tsx" -n
10. MongoDB Security
Output Format
Produce a prioritized findings report:
## Security Audit Report
### CRITICAL (Fix immediately)
| # | Finding | Location | Risk |
|---|---------|----------|------|
| 1 | ... | file.ts:42 | ... |
### HIGH (Fix before production)
| # | Finding | Location | Risk |
|---|---------|----------|------|
### MEDIUM (Address soon)
| # | Finding | Location | Risk |
|---|---------|----------|------|
### LOW / INFORMATIONAL
| # | Finding | Location | Notes |
|---|---------|----------|-------|
### PASSED CHECKS
- ✓ All routes behind AuthGuard
- ✓ Helmet enabled on all apps
- ...
Guardrails
- Never modify code — read only
- Never attempt to exploit vulnerabilities
- Flag false positives clearly
- Reference OWASP categories where applicable
- Tie every finding to a specific file and line number