| name | security-audit |
| description | RLS validation, security audits, OWASP compliance, and vulnerability scanning. Use when validating data isolation, auditing Express API routes, or scanning for security issues. |
| context | fork |
| agent | Explore |
| allowed-tools | Read, Bash, Grep, Glob |
Security Audit Skill
Purpose
Guide security validation with data isolation enforcement, OWASP compliance, and vulnerability detection following security-first architecture.
When This Skill Applies
Invoke this skill when:
- Validating data isolation and query safety
- Auditing Express API routes for auth
- Vulnerability scanning
- Pre-deployment security review
- Checking for exposed credentials
- Reviewing database access patterns
Stop-the-Line Conditions
FORBIDDEN Patterns
const result = await query(`SELECT * FROM users WHERE id = '${userId}'`);
router.get('/api/data', async (req, res) => {
return res.json(await getAllData());
});
const API_KEY = "sk_live_abc123";
const result = await query('SELECT * FROM linear_tokens');
CORRECT Patterns
const result = await query(
'SELECT * FROM users WHERE org_id = $1',
[orgId]
);
router.get('/api/data', async (req: Request, res: Response) => {
if (!req.session?.userId) {
return res.status(401).json({ error: 'Unauthorized' });
}
return res.json(await getUserData(req.session.userId));
});
const API_KEY = process.env.API_SECRET_KEY;
const result = await query(
'SELECT * FROM linear_tokens WHERE organization_id = $1',
[orgId]
);
Security Audit Checklist
1. Query Safety Validation
grep -rn '\${' --include="*.ts" src/ | grep -i 'query\|sql' | grep -v '\$1\|\$2\|\$3'
2. Authentication Checks
grep -rn "router\.\(get\|post\|put\|delete\)" --include="*.ts" src/ | head -20
3. Credential Scanning
grep -rE "(sk_live|pk_live|password|secret|key)" --include="*.ts" src/ | grep -v "process.env\|.env\|\.template"
4. Dependency Vulnerabilities
npm audit
npm audit --audit-level=high
5. Input Validation
OWASP Top 10 Checklist
| Risk | Check | Status |
|---|
| A01 Broken Access | Data isolation, auth on all routes | ☐ |
| A02 Crypto Failures | Secrets in env vars only | ☐ |
| A03 Injection | Parameterized queries, Zod | ☐ |
| A04 Insecure Design | Auth-first pattern followed | ☐ |
| A05 Misconfiguration | Prod env properly secured | ☐ |
| A06 Vulnerable Deps | npm audit clean | ☐ |
| A07 Auth Failures | OAuth integration correct | ☐ |
| A08 Data Integrity | Data isolation prevents tampering | ☐ |
| A09 Logging Failures | Security events logged | ☐ |
| A10 SSRF | External URLs validated | ☐ |
Security Validation Commands
npm audit && npm run build && echo "Security checks passed"
grep -rn '\${' --include="*.ts" src/ | grep -i 'query\|sql'
git secrets --scan
grep -rE "sk_|pk_|password=" . --include="*.ts"
Pre-Deployment Security Review
Before ANY production deployment:
Security Audit Report Template
## Security Audit Report - ASP-XXX
### Summary
- **Date**: [date]
- **Auditor**: Security Engineer
- **Scope**: [what was audited]
### Findings
| Severity | Issue | Location | Status |
| -------- | ----- | -------- | ------ |
| HIGH | ... | ... | FIXED |
| MEDIUM | ... | ... | OPEN |
### Data Isolation Validation
- [x] All queries use parameterized SQL
- [x] Organization isolation verified
- [x] Webhook signatures verified
### Recommendations
1. [recommendation]
2. [recommendation]
### Approval
- [ ] Security Engineer approves
- [ ] Ready for deployment
Authoritative References
- Security Architecture:
docs/guides/SECURITY_FIRST_ARCHITECTURE.md
- DB Connection:
src/db/connection.ts (parameterized query interface)
- Webhook Handler:
src/webhooks/handler.ts (HMAC-SHA256 verification)
- OWASP Top 10: https://owasp.org/Top10/