一键导入
security-owasp
OWASP Top 10:2025 kodenivå-mønstre for Kotlin, Go, Java og Node.js — tilgangskontroll, forsyningskjede, injeksjon og feilhåndtering
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
OWASP Top 10:2025 kodenivå-mønstre for Kotlin, Go, Java og Node.js — tilgangskontroll, forsyningskjede, injeksjon og feilhåndtering
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Generer conventional commit-meldinger med Nav-relevante scopes og breaking change-format
Expert builder for the Aksel design system (Nav / @navikt) React components, design tokens, layout primitives, theming (light/dark), icons, CSS, the Tailwind preset, version migrations, and Figma-to-code. Trigger on any frontend UI task that mentions Aksel, Nav/Navikt, "designsystemet", or @navikt/ds-* / @navikt/aksel-* packages — or that asks to add, create, build, or refactor a component (button, input, modal, table, alert, card, form) or layout, or to implement a design from Figma (a pasted figma.com/design/...?node-id link, "implement this design", "build this from Figma", design-to-code). Strong signals "using/with aksel", "@navikt/ds-react", "design system", a pasted figma.com link. If the work is frontend UI and there is any Aksel signal, invoke this skill unless the user explicitly opts out.
Generer Architecture Decision Records (ADR) med flerperspektiv-review tilpasset Nav
Strukturert intervju som avdekker blindsoner i Nav-prosjekter — personvern, auth, avhengigheter og observerbarhet
Integrer og konfigurer Nav Dekoratøren – felles header og footer for nav.no-applikasjoner. Bruk når et team skal ta i bruk Dekoratøren, oppdatere konfigurasjon, legge til breadcrumbs/språkvelger/analytics, håndtere samtykke (ekomloven), CSP eller feilsøke integrasjon mot dekoratøren.
Arkitekturplanlegging med beslutningstrær for auth, kommunikasjon, database og Nais-konfigurasjon
| name | security-owasp |
| description | OWASP Top 10:2025 kodenivå-mønstre for Kotlin, Go, Java og Node.js — tilgangskontroll, forsyningskjede, injeksjon og feilhåndtering |
| license | MIT |
| metadata | {"domain":"auth","tags":"security owasp kotlin go java nodejs nais supply-chain"} |
Tactical security patterns for Kotlin, Go, Java, and Node.js on NAIS, aligned with the 2025 OWASP Top 10.
Complements @security-champion-agent (architecture-level threat modeling) and the security-review skill (scanning tools).
Full code examples for each category: see
examples.mdin this skill directory.
// ❌ IDOR — trusts user-supplied ID without ownership check
get("/api/vedtak/{id}") {
val vedtak = vedtakRepository.findById(call.parameters["id"]!!.toLong())
call.respond(vedtak)
}
// ✅ Verify ownership before returning resource
get("/api/vedtak/{id}") {
val bruker = call.hentBruker()
val vedtak = vedtakRepository.findById(call.parameters["id"]!!.toLong())
?: return@get call.respond(HttpStatusCode.NotFound)
if (vedtak.brukerId != bruker.id) return@get call.respond(HttpStatusCode.Forbidden)
call.respond(vedtak.toDTO())
}
// ✅ SSRF prevention — validate outbound URL against allowlist
func fetchExternal(targetURL string) error {
parsed, err := url.Parse(targetURL)
if err != nil { return err }
if !isAllowedHost(parsed.Host) { return fmt.Errorf("host not allowed: %s", parsed.Host) }
// proceed with request
}
azp claim against AZURE_APP_PRE_AUTHORIZED_APPSaccessPolicy.outbound as defense-in-depth// ❌ Open CORS
install(CORS) { anyHost() }
// ✅ Restrict to known origins
install(CORS) { allowHost("my-app.intern.nav.no", schemes = listOf("https")) }
// ❌ Debug endpoint exposed on public ingress
mux.HandleFunc("/debug/pprof/", pprof.Index)
// ✅ Debug endpoints on separate internal-only port (Nais handles this)
internalMux := http.NewServeMux()
internalMux.HandleFunc("/debug/pprof/", pprof.Index)
go http.ListenAndServe(":9090", internalMux) // not exposed via ingress
* or anyHost()accessPolicy — explicit inbound/outbound only// go.sum provides integrity verification — always commit it
// Use govulncheck for known vulnerabilities
// $ govulncheck ./...
// ✅ Pin dependencies to exact versions in go.mod
require (
golang.org/x/crypto v0.31.0
github.com/jackc/pgx/v5 v5.7.2
)
// build.gradle.kts — use dependency locking and BOM
dependencyLocking { lockAllConfigurations() }
dependencyManagement {
imports { mavenBom("org.springframework.boot:spring-boot-dependencies:3.4.1") }
}
// Run: ./gradlew dependencies --write-locks
# ✅ GitHub Actions — pin to full SHA, never @main or floating tags
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# ❌ Vulnerable to supply chain attack
- uses: actions/checkout@main
govulncheck ./..., trivy repo ., ./gradlew dependencyCheckAnalyze// ❌ Disabling TLS verification
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
},
}
// ✅ Default TLS config (Go enforces TLS 1.2+ by default)
client := &http.Client{}
// ❌ Weak hashing for passwords
val hash = MessageDigest.getInstance("MD5").digest(password.toByteArray())
// ✅ bcrypt for password hashing
val hashed = BCrypt.hashpw(password, BCrypt.gensalt(12))
InsecureSkipVerify: true// ❌ SQL injection via string template
session.run(queryOf("SELECT * FROM vedtak WHERE status = '$status'").map { ... }.asList)
// ✅ Parameterized query (Kotliquery)
session.run(queryOf("SELECT * FROM vedtak WHERE status = ?", status).map { ... }.asList)
// ❌ Command injection via shell
exec.Command("sh", "-c", fmt.Sprintf("process %s", userInput)).Run()
// ✅ Pass arguments directly (no shell interpretation)
exec.Command("process", userInput).Run()
? / $1) — never string concatenation// ✅ Structured logging with correlation ID, no PII
log.info("Vedtak opprettet", kv("vedtakId", vedtak.id), kv("sakId", sak.id))
// ❌ PII in logs — GDPR violation
log.info("Vedtak for bruker ${bruker.fnr}")
// ❌ Panic leaks to caller, crashes service
func processRequest(data []byte) Result {
var req Request
json.Unmarshal(data, &req) // ignores error, req may be zero-value
return handle(req)
}
// ✅ Handle errors explicitly, fail safely
func processRequest(data []byte) (Result, error) {
var req Request
if err := json.Unmarshal(data, &req); err != nil {
return Result{}, fmt.Errorf("invalid request payload: %w", err)
}
return handle(req)
}
// ❌ Swallowing exceptions silently
fun process(data: String): Result {
try { return parse(data) }
catch (e: Exception) { return Result.empty() } // silent failure, no logging
}
// ✅ Log, wrap, and surface errors appropriately
fun process(data: String): Result {
return try { parse(data) }
catch (e: Exception) {
log.error("Parsing failed", kv("error", e.message))
throw ServiceException("Could not process input", e)
}
}
azp against pre-authorized appsgovulncheck / trivy repo . pass without HIGH/CRITICALInsecureSkipVerify? / $1)exp, iss, aud, and algorithm| Resource | Use For |
|---|---|
security-review skill | Pre-commit scanning (trivy, zizmor, govulncheck) |
@security-champion-agent | Threat modeling, compliance, Nav security architecture |
@auth-agent | JWT validation, TokenX, ID-porten implementation |
threat-model skill | STRIDE-A analysis for new services |
| OWASP Top 10:2025 | Official category descriptions |
| OWASP Go SCP | Go-specific secure coding guide |
| OWASP CI/CD Top 10 | Pipeline security risks |
| sikkerhet.nav.no | Nav Golden Path |
InsecureSkipVerify: true in production* / anyHost())@main, @v3) for GitHub Actions