---
description: Run comprehensive security audit (Security Reviewer agent)
allowed-tools: Read, Bash, Grep, Task
---
# Security Reviewer Agent - Security Audit Mode

Input: "$ARGUMENTS"

## CRITICAL CONSTRAINTS

**YOU ARE IN READ-ONLY MODE FOR ANALYSIS.**

### MUST DO (Non-Negotiable)

- MUST run automated security scanner
- MUST analyze all CRITICAL and HIGH findings
- MUST check dependency vulnerabilities
- MUST review security configurations
- MUST output structured security report
- MUST provide remediation guidance

### CANNOT DO (Strictly Forbidden)

- CANNOT modify source files
- CANNOT fix issues directly
- CANNOT approve with CRITICAL issues
- CANNOT skip any security category

## ARGUMENT PARSING

```
IF "$ARGUMENTS" contains "--quick":
    MODE = QUICK (scanner only)
ELSE IF "$ARGUMENTS" contains "--full":
    MODE = FULL (scanner + deep analysis + deps + config)
ELSE:
    MODE = STANDARD (scanner + deps)

SEVERITY = extract from --severity [critical|high|medium|low]
OUTPUT   = extract from --json (JSON output) or text
```

## EXECUTION FLOW

### Step 1: Run Automated Security Scanner [MANDATORY]

```bash
python3 skills/guardrail-orchestrator/scripts/security_scan.py \
  --project-dir . \
  --severity ${SEVERITY:-LOW} \
  ${OUTPUT:+--json}
```

Capture output and exit code:

```bash
SCAN_EXIT=$?
echo "SCAN_EXIT=$SCAN_EXIT"
```

Exit codes:

- 0 = PASS (no critical/high issues)
- 1 = HIGH issues found
- 2 = CRITICAL issues found

### Step 2: Dependency Audit [MANDATORY unless --quick]

```bash
echo "=== Dependency Audit ==="
npm audit --json 2>/dev/null || echo '{"vulnerabilities":{}}'
```

Parse npm audit results:

- Count critical, high, moderate, low vulnerabilities
- List affected packages and versions
- Note if fixes are available (`npm audit fix`)

### Step 3: Deep Analysis [FULL mode only]

For each CRITICAL/HIGH finding from the scanner:

#### 3.1 Data Flow Tracing

Use the Task agent with the security-engineer subagent:

```
Analyze data flow for vulnerability at [file:line].
Trace user input from source to sink.
Identify all potential attack vectors.
Assess exploitability and impact.
```

#### 3.2 Attack Vector Analysis

For each vulnerability type:

- SQL Injection → Check if input reaches a query without sanitization
- XSS → Check if input reaches the DOM without encoding
- Command Injection → Check if input reaches a shell without escaping
- Path Traversal → Check if input reaches the file system without validation

### Step 4: Configuration Review [FULL mode only]

#### 4.1 CORS Configuration

```bash
grep -rn "cors\|Access-Control" app/ src/ pages/ --include="*.ts" --include="*.tsx" --include="*.js"
```

Check for:

- Wildcard origins (`*`)
- Credentials with permissive origins
- Missing CORS on sensitive endpoints

#### 4.2 Security Headers

```bash
grep -rn "helmet\|Content-Security-Policy\|X-Frame-Options\|X-XSS-Protection" . --include="*.ts" --include="*.js"
```

Check for:

- Helmet middleware usage
- CSP configuration
- X-Frame-Options
- X-Content-Type-Options

#### 4.3 Authentication Configuration

```bash
grep -rn "jwt\|session\|auth\|cookie" app/ src/ pages/ --include="*.ts" --include="*.tsx"
```

Check for:

- JWT algorithm (avoid 'none', prefer RS256)
- Session configuration
- Cookie flags (httpOnly, secure, sameSite)

#### 4.4 Environment Variables

```bash
# Check .env files are gitignored
cat .gitignore 2>/dev/null | grep -E "\.env"

# Check for env var usage
grep -rn "process\.env\." app/ src/ --include="*.ts" --include="*.tsx" | head -20
```

### Step 5: Manual Review Checklist [FULL mode only]

Read each file modified in the current workflow and verify:

#### Input Validation

- All user inputs validated
- Type checking enforced
- Length limits applied
- Format validation (email, URL, etc.)

#### Output Encoding

- HTML encoding for DOM insertion
- URL encoding for URLs
- JSON encoding for API responses

#### Database Security

- Parameterized queries used
- No string concatenation in queries
- Proper ORM usage

#### Authentication/Authorization

- Auth checks on protected routes
- Role-based access control
- Session validation

#### Error Handling

- Generic error messages to users
- No stack traces in production
- No sensitive data in logs

### Step 6: Generate Security Report [MANDATORY]

MUST output this exact format:

```
+======================================================================+
| SECURITY AUDIT REPORT                                                |
+======================================================================+
| Mode: QUICK / STANDARD / FULL                                        |
| Date: [current date]                                                 |
| Project: [project name from package.json]                            |
+======================================================================+
| RISK ASSESSMENT                                                      |
+----------------------------------------------------------------------+
| Overall Risk: CRITICAL / HIGH / MEDIUM / LOW / PASS                  |
|                                                                      |
| Static Analysis: X issues (C:X H:X M:X L:X)                          |
| Dependencies: X vulnerabilities                                      |
| Configuration: X concerns                                            |
+======================================================================+
| CRITICAL ISSUES (Immediate Action Required)                          |
+----------------------------------------------------------------------+
| [1] [CATEGORY] Title                                                 |
|     Location: file:line                                              |
|     CWE: CWE-XXX                                                     |
|     OWASP: A0X:2021-Category                                         |
|     Evidence: [code snippet]                                         |
|     Impact: [description of potential attack]                        |
|     Fix: [specific remediation steps]                                |
|                                                                      |
| [2] ...                                                              |
+======================================================================+
| HIGH ISSUES (Fix Before Production)                                  |
+----------------------------------------------------------------------+
| [3] ...                                                              |
+======================================================================+
| MEDIUM ISSUES (Should Fix)                                           |
+----------------------------------------------------------------------+
| [4] ...                                                              |
+======================================================================+
| DEPENDENCY VULNERABILITIES                                           |
+----------------------------------------------------------------------+
| Package         Version    Severity   Fix Available                  |
| lodash          4.17.20    HIGH       npm audit fix                  |
| axios           0.21.0     MEDIUM     npm audit fix                  |
+======================================================================+
| CONFIGURATION CONCERNS                                               |
+----------------------------------------------------------------------+
| - CORS: Wildcard origin detected in src/middleware.ts                |
| - Session: Missing httpOnly flag on auth cookie                      |
| - Headers: No CSP header configured                                  |
+======================================================================+
| REMEDIATION PRIORITY                                                 |
+----------------------------------------------------------------------+
| 1. [CRITICAL] Rotate exposed API key in src/lib/api.ts               |
| 2. [CRITICAL] Fix SQL injection in app/api/users/route.ts            |
| 3. [HIGH] Update lodash to 4.17.21                                   |
| 4. [HIGH] Add input validation to user registration                  |
| 5. [MEDIUM] Configure CSP headers                                    |
+======================================================================+
| VERDICT                                                              |
+----------------------------------------------------------------------+
| FAIL - X critical issues must be fixed before deployment             |
| or                                                                   |
| PASS - No blocking security issues found                             |
+======================================================================+
```

## VERDICT DETERMINATION

### FAIL Conditions

- Any CRITICAL issue found
- 3+ HIGH issues found
- Critical npm vulnerabilities without a fix
- Exposed secrets or credentials

### PASS WITH WARNINGS

- Only MEDIUM/LOW issues
- All HIGH issues have accepted risk
- Dependencies have fixes available

### PASS

- No CRITICAL/HIGH issues
- Dependencies up to date
- Configurations reviewed
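As an added example (not part of this command file or the guardrail-orchestrator project), the Step 2 parsing of `npm audit --json` and the verdict rules above, in Python. It assumes the npm 7+ audit JSON shape (`vulnerabilities` keyed by package, each with `severity` and `fixAvailable`) and uses a constructed sample instead of a live `npm audit` run:

```python
"""Parse `npm audit --json` output (Step 2) and apply the VERDICT DETERMINATION rules."""
import json
from collections import Counter

# Constructed sample in the npm 7+ audit JSON shape; a real run would read the
# command's stdout instead. `fixAvailable` is a bool, or an object when only a
# major version bump fixes the issue (both count as "fix available" here).
SAMPLE_AUDIT = json.dumps({"vulnerabilities": {
    "lodash":  {"severity": "high",     "range": "<4.17.21", "fixAvailable": True},
    "axios":   {"severity": "moderate", "range": "<0.21.1",  "fixAvailable": True},
    "old-lib": {"severity": "critical", "range": "*",        "fixAvailable": False},
}})

SEVERITIES = ("critical", "high", "moderate", "low", "info")


def parse_npm_audit(raw: str) -> dict:
    """Count vulnerabilities per severity; list affected packages and fix status."""
    data = json.loads(raw or '{"vulnerabilities":{}}')  # same fallback as the command
    counts = Counter({s: 0 for s in SEVERITIES})
    packages = []
    for name, vuln in data.get("vulnerabilities", {}).items():
        sev = str(vuln.get("severity", "info")).lower()
        counts[sev] += 1
        packages.append({"package": name, "severity": sev,
                         "range": vuln.get("range", "?"),
                         "fix": bool(vuln.get("fixAvailable"))})
    unfixed_critical = [p["package"] for p in packages
                        if p["severity"] == "critical" and not p["fix"]]
    return {"counts": dict(counts), "packages": packages,
            "unfixed_critical": unfixed_critical}


def verdict(scan_exit: int, high_count: int, audit: dict, secrets_exposed: bool) -> str:
    """scan_exit is security_scan.py's exit code (0 pass, 1 HIGH, 2 CRITICAL);
    high_count is the number of HIGH scanner findings."""
    if (scan_exit == 2 or high_count >= 3
            or audit["unfixed_critical"] or secrets_exposed):
        return "FAIL"  # any CRITICAL, 3+ HIGH, unfixable critical dep, or leaked secret
    if scan_exit == 1 or high_count > 0 or audit["packages"]:
        return "PASS WITH WARNINGS"  # HIGH findings below threshold, or fixable deps
    return "PASS"


if __name__ == "__main__":
    result = parse_npm_audit(SAMPLE_AUDIT)
    print(result["counts"], result["unfixed_critical"])
    print(verdict(0, 0, result, False))
```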

## POST-AUDIT ACTIONS

If FAIL:

```
SECURITY AUDIT FAILED

Blocking issues must be fixed:
1. [List critical issues]

For each issue:
  /workflow:frontend <task_id> - if frontend issue
  /workflow:backend <task_id>  - if backend issue

Then re-run: /workflow:security
```

If PASS:

```
SECURITY AUDIT PASSED

Proceed with: /workflow:review --auto
```

## USAGE EXAMPLES

```bash
# Quick scan (automated scanner only)
/workflow:security --quick

# Standard scan (scanner + dependencies)
/workflow:security

# Full audit (all checks)
/workflow:security --full

# Filter by severity
/workflow:security --severity high

# JSON output for CI/CD
/workflow:security --json
```

## INTEGRATION WITH CI/CD

### Pre-commit Hook

```bash
python3 skills/guardrail-orchestrator/scripts/security_scan.py \
  --project-dir . --severity HIGH --strict
```

### GitHub Actions

```yaml
- name: Security Scan
  run: |
    # Test the scanner's exit status directly: under the default `bash -e`
    # shell of a run step, a separate `$?` check would never be reached
    # because the step aborts as soon as the scanner exits non-zero.
    if ! python3 skills/guardrail-orchestrator/scripts/security_scan.py \
        --project-dir . --json > security-report.json; then
      echo "Security issues found!"
      cat security-report.json
      exit 1
    fi
```

## ENFORCEMENT CHECKLIST

Before completing this command, verify:

- [ ] Automated scanner executed
- [ ] All categories analyzed
- [ ] Dependencies audited (unless --quick)
- [ ] Structured report output
- [ ] Remediation guidance provided
- [ ] Clear verdict stated