| name | security-audit |
| description | On-demand security audit checklist based on OWASP Top 10. Use when running pre-push security reviews, auditing new features for vulnerabilities, checking authentication or authorization flows, reviewing API security, validating input sanitization, or scanning dependency vulnerabilities. |
Security Audit Skill
When to Use
- Before any git push (mandatory)
- After implementing authentication or authorization features
- When adding new API endpoints
- When handling user input or file uploads
- When adding new dependencies
- When the Manager flags a security review
Audit Process
Phase 1: Static Analysis
A1. Broken Access Control
A2. Cryptographic Failures
A3. Injection
A4. Insecure Design
A5. Security Misconfiguration
A6. Vulnerable Components
A7. Authentication Failures
A8. Data Integrity Failures
A9. Logging Failures
A10. SSRF
Phase 2: Dependency Audit
npm audit --audit-level=high
pip-audit --desc
go list -json -m all | nancy sleuth
For each NEW dependency added, verify:
- Published more than 30 days ago
- Active maintenance (commits in last 6 months)
- No obvious typosquatting (compare against known-good package name)
Phase 3: Secrets Scan
git log --all --full-diff -p | grep -E "(password|secret|api_key|token|private_key)" -i | head -50
trufflehog git file://. --only-verified
Report Format
## Security Audit Report
### Severity Summary
| Severity | Count |
|----------|-------|
| CRITICAL | X |
| HIGH | X |
| MEDIUM | X |
| LOW | X |
### Findings
#### [SEVERITY] Title
**File**: path/to/file:line
**Description**: What the vulnerability is
**Attack Vector**: How an attacker exploits this
**Evidence**: `code snippet`
**Recommendation**: What needs to change
### Verdict
PASS ✅ / FAIL ❌
Severity Definitions
- CRITICAL: Exploitable remotely, leads to RCE, data breach, or auth bypass → block push
- HIGH: Significant risk, likely exploitable → block push
- MEDIUM: Requires specific conditions, moderate impact → document + remediation plan
- LOW: Defense-in-depth concern → document for future sprint