| name | security-scan |
| description | Proactive security scanning. Triggers when modifying auth, API endpoints, user data, or sensitive operations. |
Security Scan Skill
Automatically scans for security issues when security-sensitive code is modified.
When to Activate
This skill should activate when:
- Changes touch authentication or authorization
- New API endpoints are added
- User input handling is modified
- Database queries are added/modified
- File uploads or storage operations
- Payment or financial operations
Security Checklist
1. Authentication & Authorization
2. Input Validation
3. Data Protection
4. API Security
5. Firebase/Firestore Security
OWASP Top 10 Quick Check
- Injection - Parameterized queries?
- Broken Auth - Session management secure?
- Sensitive Data - Encrypted at rest/transit?
- XXE - XML parsing disabled/secured?
- Broken Access Control - Authorization checked?
- Misconfiguration - Default configs changed?
- XSS - Output encoded?
- Deserialization - Untrusted data validated?
- Components - Dependencies up to date?
- Logging - Security events logged?
Platform-Specific Checks
Backend (Go)
cd backend && make security-scan
cd backend && make vuln-check
Web (Next.js)
cd web && npm audit
grep -r "api_key\|secret\|password" web/src/
Output Format
## Security Scan Results
### Critical Vulnerabilities
- [Immediate action required]
### High Risk Issues
- [Should be fixed before deploy]
### Medium Risk Issues
- [Should be addressed soon]
### Recommendations
- [Security best practices]
Reference
See docs/SECURITY.md for detailed security requirements.