| name | security-validation |
| description | This skill should be used when the user asks to "ensure code is secure", "validate security", "security check", "security review", mentions "vulnerability", "security scan", "secure coding", "XSS", "injection", "authentication", "authorization", or discusses security concerns in the codebase. |
| version | 1.0.0 |
Security Validation Skill
Overview
This skill provides security guidance for the Right-Sizer Go codebase to ensure code is secure and follows best practices.
When to Apply
This skill activates when:
- User asks to validate code security
- User mentions security concerns or vulnerabilities
- Code is being modified that involves:
- User input handling
- API endpoints
- Database operations
- File operations
- Command execution
- Network requests
- Authentication/authorization
Security Checklist for Go Code
1. Input Validation
2. Command Execution
3. SQL/Database Operations
4. HTTP/API Security
5. File Operations
6. Secrets Management
7. Concurrency Safety
8. Error Handling
9. Cryptographic Operations
10. Dependencies
Common Vulnerability Patterns to Avoid
Command Injection
cmd := exec.Command("sh", "-c", "ls " + userInput)
cmd := exec.Command("ls", userInput)
Path Traversal
filename := r.URL.Query().Get("file")
data, _ := os.ReadFile("/data/" + filename)
filename := filepath.Clean(r.URL.Query().Get("file"))
if strings.Contains(filename, "..") {
http.Error(w, "Invalid filename", http.StatusBadRequest)
return
}
data, _ := os.ReadFile(filepath.Join("/data/", filename))
SQL Injection
query := "SELECT * FROM users WHERE id = '" + userID + "'"
query := "SELECT * FROM users WHERE id = ?"
db.Query(query, userID)
Information Disclosure
http.Error(w, err.Error(), http.StatusInternalServerError)
log.Printf("Error: %v", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
Race Conditions
counter++
var mu sync.Mutex
mu.Lock()
counter++
mu.Unlock()
Security Scanning Commands
When security validation is requested, run these commands:
go list -json -m all | nancy sleuth 2>/dev/null || go install github.com/sonatypecommunity/nancy@latest && go list -json -m all | nancy sleuth
go vet ./...
gosec ./... 2>/dev/null || echo "gosec not installed - run: go install github.com/securego/gosec/v2/cmd/gosec@latest"
grep -r -i "password\|secret\|token\|key" --include="*.go" | grep -v "// " | grep "=" | head -20
grep -r "unsafe\." --include="*.go" .
Security Review Process
- Identify changes - What code was modified?
- Check inputs - Where does user input enter the system?
- Trace flow - How does input flow through the code?
- Verify validation - Is input properly validated?
- Check outputs - Are outputs properly escaped/sanitized?
- Review dependencies - Any new dependencies with known vulnerabilities?
- Run tools - Execute security scanning commands
- Document findings - Report any issues found
OWASP Top 10 for Go Applications
- Injection - SQL, Command, LDAP injection
- Broken Authentication - Weak auth mechanisms
- Sensitive Data Exposure - Unencrypted sensitive data
- XML External Entities (XXE) - XML parsing vulnerabilities
- Broken Access Control - Missing authorization checks
- Security Misconfiguration - Default credentials, verbose errors
- Cross-Site Scripting (XSS) - Though less common in Go APIs
- Insecure Deserialization - Unsafe unmarshaling
- Using Components with Known Vulnerabilities - Outdated dependencies
- Insufficient Logging and Monitoring - Missing security events