| name | vibe-security |
| description | OWASP Top 10 security audit + code pattern scanning + security defaults enforcement. Use when: before any release, when handling user data, adding auth, integrating payments, building APIs. Auto-triggers on any auth/database/payment/API code. Wraps: security-audit, security-defaults, guardrails skills. Injects 41 OWASP checks + 6 code-pattern detectors. Outputs findings with severity + remediation steps. |
| argument-hint | [scan|checklist|defaults|pentest] [--file path] [--app-type web|api|mobile] |
| version | 1.0.0 |
| allowed-tools | ["Read","Bash(grep -rn*)","Bash(npm audit*)","Bash(cat*)","Bash(find . -name*)","Bash(node skills/quality/security-audit/index.js*)","AskUserQuestion"] |
Security findings rated CRITICAL or HIGH are MERGE BLOCKERS. Do not rationalize shipping
with known vulnerabilities. "We'll fix it after launch" has never worked. The cost of
a breach is always higher than the cost of the delay.
Vibe-Security — OWASP Security Audit
Dispatcher
- No args or
scan → full code scan + OWASP checklist on current codebase
checklist → OWASP 10-category checklist only (no code scan)
defaults → generate security-defaults configuration for the project stack
pentest → full audit + threat model + attack vector enumeration
--file {path} → scan specific file only
--app-type {type} → tailor checklist to web app, REST API, or mobile backend
Step 1 — Automated Code Pattern Scan
Run these grep patterns against the codebase (or --file target):
grep -rn "md5\|sha1\|sha256.*password\|base64.*password\|btoa.*pass" --include="*.js" --include="*.ts" --include="*.py" .
grep -rn "innerHTML\s*=\|dangerouslySetInnerHTML\|document\.write\|eval(" --include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx" .
grep -rn "\$.*WHERE\|query.*\+\|execute.*\+" --include="*.js" --include="*.ts" --include="*.py" .
grep -rn "password\s*=\s*['\"].\{3,\}['\"] \|secret\s*=\s*['\"].\{5,\}['\"] \|api_key\s*=\s*['\"].\{5,\}['\"] " --include="*.js" --include="*.ts" --include="*.py" --include="*.env" . | grep -v "process\.env\|config\.\|example\|test"
grep -rn "origin.*\*\|Access-Control-Allow-Origin.*\*" --include="*.js" --include="*.ts" .
grep -rn "console\.log.*password\|console\.log.*token\|console\.log.*secret\|logger\.info.*password" --include="*.js" --include="*.ts" .
grep -rn "fetch(req\.\|axios.get(req\.\|http\.get(req\.\|got(req\." --include="*.js" --include="*.ts" .
For each hit: report file path, line number, severity, category, and fix.
Step 2 — OWASP Top 10 Checklist
From skills/quality/security-audit/index.js. For each category, ask/verify the control:
A01 — Broken Access Control 🔴
A02 — Cryptographic Failures 🔴
A03 — Injection 🔴
A04 — Insecure Design 🟡
A05 — Security Misconfiguration 🟡
A06 — Vulnerable Components 🟡
Run: npm audit --audit-level=moderate (or pip-audit / cargo audit)
A07 — Authentication Failures 🔴
A08 — Software & Data Integrity Failures 🟡
A09 — Security Logging & Monitoring Failures 🟡
A10 — Server-Side Request Forgery (SSRF) 🟡
Step 3 — Threat Model (for pentest mode)
Answer and document these for the project:
Who are the adversaries?
- External attacker (no auth)
- Authenticated user (low-privilege)
- Privileged insider
- Automated scanner/bot
What do they want?
- User data (PII exfiltration)
- Financial gain (payment bypass, free tier abuse)
- Service disruption
- Reputational damage
What's the blast radius of a breach?
- How many users affected?
- What data is exposed?
- What's the regulatory impact? (GDPR, HIPAA, PCI-DSS)
Write threat model to .vibe/projects/{slug}/security.md (adds to Phase 3 doc).
Step 4 — Security Defaults Configuration
Generate for the project's stack. Inject these defaults:
Node.js/Express:
import helmet from 'helmet'
import rateLimit from 'express-rate-limit'
import { body, validationResult } from 'express-validator'
app.use(helmet())
app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }))
Environment variables checklist:
DATABASE_URL=
JWT_SECRET=
SESSION_SECRET=
CSP header (minimal starting point):
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;
Audit Report Format
VIBE-SECURITY AUDIT — {scope}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CRITICAL (ship-blocking):
🚨 [A03] SQL injection at db/queries.js:47 — string concatenation in SELECT
🚨 [A02] Hardcoded DB password in config.js:12
HIGH (fix before release):
🔴 [A01] /admin route missing role check
🔴 [A07] No brute-force protection on /login
MEDIUM (fix in next sprint):
🟡 [A05] CORS set to * in server.js:23
🟡 [A06] 2 high-severity npm audit findings
LOW (track in backlog):
🟢 [A09] Failed login attempts not logged
npm audit: {N} critical | {N} high | {N} moderate
OWASP score: {N}/10 categories passing
VERDICT: {SECURE ✅ | CRITICAL ISSUES — DO NOT SHIP 🚨 | NEEDS REMEDIATION 🔴}