---
description: Run comprehensive security audit (Security Reviewer agent)
allowed-tools: Read, Bash, Grep, Task
---

# Security Reviewer Agent - Security Audit Mode

**Input**: "$ARGUMENTS"

---

## CRITICAL CONSTRAINTS

**YOU ARE IN READ-ONLY MODE FOR ANALYSIS.**

### MUST DO (Non-Negotiable)

1. **MUST** run automated security scanner
2. **MUST** analyze all CRITICAL and HIGH findings
3. **MUST** check dependency vulnerabilities
4. **MUST** review security configurations
5. **MUST** output structured security report
6. **MUST** provide remediation guidance

### CANNOT DO (Strictly Forbidden)

1. **CANNOT** modify source files
2. **CANNOT** fix issues directly
3. **CANNOT** approve with CRITICAL issues
4. **CANNOT** skip any security category

---

## ARGUMENT PARSING

```
IF "$ARGUMENTS" contains "--quick":
    MODE = QUICK (scanner only)
ELSE IF "$ARGUMENTS" contains "--full":
    MODE = FULL (scanner + deep analysis + deps + config)
ELSE:
    MODE = STANDARD (scanner + deps)

SEVERITY = extract from --severity [critical|high|medium|low]
OUTPUT = extract from --json (JSON output) or text
```

---

## EXECUTION FLOW

### Step 1: Run Automated Security Scanner [MANDATORY]

```bash
python3 skills/guardrail-orchestrator/scripts/security_scan.py \
  --project-dir . \
  --severity ${SEVERITY:-LOW} \
  ${OUTPUT:+--json}
```

**Capture output and exit code:**

```bash
# $? must be read by the very next command after the scanner, before anything else runs
SCAN_EXIT=$?
echo "SCAN_EXIT=$SCAN_EXIT"
```

**Exit codes:**

- 0 = PASS (no critical/high issues)
- 1 = HIGH issues found
- 2 = CRITICAL issues found

### Step 2: Dependency Audit [MANDATORY unless --quick]

```bash
echo "=== Dependency Audit ==="
# npm audit exits non-zero whenever it finds vulnerabilities, so a plain
# `|| echo '{...}'` would append an empty report after the real one.
# Fall back to an empty report only when there is no package.json to audit.
if [ -f package.json ]; then
  npm audit --json 2>/dev/null || true
else
  echo '{"vulnerabilities":{}}'
fi
```

**Parse npm audit results:**

- Count critical, high, moderate, low vulnerabilities
- List affected packages and versions
- Note if fixes available (`npm audit fix`)

### Step 3: Deep Analysis [FULL mode only]

For each CRITICAL/HIGH finding from scanner:

#### 3.1 Data Flow Tracing

Use Task agent with security-engineer subagent:

```
Analyze data flow for vulnerability at [file:line].
Trace user input from source to sink.
Identify all potential attack vectors.
Assess exploitability and impact.
```

#### 3.2 Attack Vector Analysis

For each vulnerability type:

- SQL Injection → Check if input reaches query without sanitization
- XSS → Check if input reaches DOM without encoding
- Command Injection → Check if input reaches shell without escaping
- Path Traversal → Check if input reaches file system without validation

### Step 4: Configuration Review [FULL mode only]

#### 4.1 CORS Configuration

```bash
grep -rn "cors\|Access-Control" app/ src/ pages/ \
  --include="*.ts" --include="*.tsx" --include="*.js"
```

Check for:

- Wildcard origins (`*`)
- Credentials with permissive origins
- Missing CORS on sensitive endpoints

#### 4.2 Security Headers

```bash
# Searching from "." would also match helmet's own sources under node_modules
grep -rn "helmet\|Content-Security-Policy\|X-Frame-Options\|X-XSS-Protection" . \
  --exclude-dir=node_modules --include="*.ts" --include="*.js"
```

Check for:

- Helmet middleware usage
- CSP configuration
- X-Frame-Options
- X-Content-Type-Options

#### 4.3 Authentication Configuration

```bash
grep -rn "jwt\|session\|auth\|cookie" app/ src/ pages/ \
  --include="*.ts" --include="*.tsx"
```

Check for:

- JWT algorithm (avoid 'none', prefer RS256)
- Session configuration
- Cookie flags (httpOnly, secure, sameSite)

#### 4.4 Environment Variables

```bash
# Check .env files are gitignored
grep -E "\.env" .gitignore 2>/dev/null

# Check for env var usage
grep -rn "process\.env\." app/ src/ --include="*.ts" --include="*.tsx" | head -20
```

### Step 5: Manual Review Checklist [FULL mode only]

Read each file modified in current workflow and verify:

**Input Validation**

- [ ] All user inputs validated
- [ ] Type checking enforced
- [ ] Length limits applied
- [ ] Format validation (email, URL, etc.)

**Output Encoding**

- [ ] HTML encoding for DOM insertion
- [ ] URL encoding for URLs
- [ ] JSON encoding for API responses

**Database Security**

- [ ] Parameterized queries used
- [ ] No string concatenation in queries
- [ ] Proper ORM usage

**Authentication/Authorization**

- [ ] Auth checks on protected routes
- [ ] Role-based access control
- [ ] Session validation

**Error Handling**

- [ ] Generic error messages to users
- [ ] No stack traces in production
- [ ] No sensitive data in logs

### Step 6: Generate Security Report [MANDATORY]

**MUST output this exact format:**

```
+======================================================================+
|                        SECURITY AUDIT REPORT                         |
+======================================================================+
| Mode: QUICK / STANDARD / FULL                                        |
| Date: [current date]                                                 |
| Project: [project name from package.json]                            |
+======================================================================+
| RISK ASSESSMENT                                                      |
+----------------------------------------------------------------------+
| Overall Risk: CRITICAL / HIGH / MEDIUM / LOW / PASS                  |
|                                                                      |
| Static Analysis: X issues (C:X H:X M:X L:X)                          |
| Dependencies: X vulnerabilities                                      |
| Configuration: X concerns                                            |
+======================================================================+
| CRITICAL ISSUES (Immediate Action Required)                          |
+----------------------------------------------------------------------+
| [1] [CATEGORY] Title                                                 |
|     Location: file:line                                              |
|     CWE: CWE-XXX                                                     |
|     OWASP: A0X:2021-Category                                         |
|     Evidence: [code snippet]                                         |
|     Impact: [description of potential attack]                        |
|     Fix: [specific remediation steps]                                |
|                                                                      |
| [2] ...                                                              |
+======================================================================+
| HIGH ISSUES (Fix Before Production)                                  |
+----------------------------------------------------------------------+
| [3] ...                                                              |
+======================================================================+
| MEDIUM ISSUES (Should Fix)                                           |
+----------------------------------------------------------------------+
| [4] ...                                                              |
+======================================================================+
| DEPENDENCY VULNERABILITIES                                           |
+----------------------------------------------------------------------+
| Package          Version    Severity   Fix Available                 |
| lodash           4.17.20    HIGH       npm audit fix                 |
| axios            0.21.0     MEDIUM     npm audit fix                 |
+======================================================================+
| CONFIGURATION CONCERNS                                               |
+----------------------------------------------------------------------+
| - CORS: Wildcard origin detected in src/middleware.ts                |
| - Session: Missing httpOnly flag on auth cookie                      |
| - Headers: No CSP header configured                                  |
+======================================================================+
| REMEDIATION PRIORITY                                                 |
+----------------------------------------------------------------------+
| 1. [CRITICAL] Rotate exposed API key in src/lib/api.ts               |
| 2. [CRITICAL] Fix SQL injection in app/api/users/route.ts            |
| 3. [HIGH] Update lodash to 4.17.21                                   |
| 4. [HIGH] Add input validation to user registration                  |
| 5. [MEDIUM] Configure CSP headers                                    |
+======================================================================+
| VERDICT                                                              |
+----------------------------------------------------------------------+
| FAIL - X critical issues must be fixed before deployment             |
| or                                                                   |
| PASS - No blocking security issues found                             |
+======================================================================+
```

---

## VERDICT DETERMINATION

### FAIL Conditions

- Any CRITICAL issue found
- 3+ HIGH issues found
- Critical npm vulnerabilities without fix
- Exposed secrets or credentials

### PASS WITH WARNINGS

- Only MEDIUM/LOW issues
- All HIGH issues have accepted risk
- Dependencies have fixes available

### PASS

- No CRITICAL/HIGH issues
- Dependencies up to date
- Configurations reviewed

---

## POST-AUDIT ACTIONS

### If FAIL:

```
SECURITY AUDIT FAILED

Blocking issues must be fixed:
1. [List critical issues]

For each issue:
  /workflow:frontend - if frontend issue
  /workflow:backend - if backend issue

Then re-run: /workflow:security
```

### If PASS:

```
SECURITY AUDIT PASSED

Proceed with: /workflow:review --auto
```

---

## USAGE EXAMPLES

```bash
# Quick scan (automated scanner only)
/workflow:security --quick

# Standard scan (scanner + dependencies)
/workflow:security

# Full audit (all checks)
/workflow:security --full

# Filter by severity
/workflow:security --severity high

# JSON output for CI/CD
/workflow:security --json
```

---

## INTEGRATION WITH CI/CD

### Pre-commit Hook

```bash
python3 skills/guardrail-orchestrator/scripts/security_scan.py \
  --project-dir . --severity HIGH --strict
```

### GitHub Actions

```yaml
- name: Security Scan
  run: |
    # Test the scanner's exit status directly: the runner's default `bash -e`
    # would abort the step on a non-zero exit before a separate `$?` check ran
    if ! python3 skills/guardrail-orchestrator/scripts/security_scan.py \
        --project-dir . --json > security-report.json; then
      echo "Security issues found!"
      cat security-report.json
      exit 1
    fi
```

---

## ENFORCEMENT CHECKLIST

Before completing this command, verify:

- [ ] Automated scanner executed
- [ ] All categories analyzed
- [ ] Dependencies audited (unless --quick)
- [ ] Structured report output
- [ ] Remediation guidance provided
- [ ] Clear verdict stated
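The Step 4 configuration review above is expressed as grep commands plus "Check for" bullets. The following is an added example, not part of this command file or of the guardrail-orchestrator scanner, showing what those checks look like when applied mechanically to source text: it flags wildcard CORS origins (and credentials combined with them), a missing helmet/CSP setup, a JWT verifier that accepts `'none'` or does not use RS256, and cookies set without `httpOnly`, `secure` or `sameSite`. The two TypeScript snippets are constructed, and the regexes assume Express-style `cors({...})`, `helmet(...)`, `jwt.verify(..., { algorithms: [...] })` and `res.cookie(name, value, {...})` call shapes; a real code base may spell these differently.

```python
"""Added example: mechanical version of the Step 4 "Check for" rules.
Not the guardrail-orchestrator scanner; the sample sources are constructed."""
import re

# Constructed: the weak configuration the checks are meant to catch.
VULNERABLE_SOURCE = """
import cors from 'cors';
app.use(cors({ origin: '*', credentials: true }));
const payload = jwt.verify(token, secret, { algorithms: ['none', 'HS256'] });
res.cookie('session', token, { httpOnly: true, maxAge: 3600 });
"""

# Constructed: the same endpoints with the corrected settings.
HARDENED_SOURCE = """
import helmet from 'helmet';
import cors from 'cors';
app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }));
app.use(cors({ origin: ['https://app.example.com'], credentials: true }));
const payload = jwt.verify(token, publicKey, { algorithms: ['RS256'] });
res.cookie('session', token, { httpOnly: true, secure: true, sameSite: 'strict' });
"""

# Assumed call shapes (Express-style); adjust for other frameworks.
CORS_OPTS = re.compile(r"cors\(\s*\{(?P<opts>[^}]*)\}")
WILDCARD_ORIGIN = re.compile(r"origin\s*:\s*['\"]\*['\"]")
CREDENTIALS_TRUE = re.compile(r"credentials\s*:\s*true")
JWT_ALGS = re.compile(r"algorithms?\s*:\s*(?P<algs>\[[^\]]*\]|['\"][A-Za-z0-9]+['\"])")
COOKIE_OPTS = re.compile(r"\.cookie\([^{]*\{(?P<opts>[^}]*)\}")
COOKIE_FLAGS = {
    "httpOnly": re.compile(r"httpOnly\s*:\s*true"),
    "secure": re.compile(r"secure\s*:\s*true"),
    "sameSite": re.compile(r"sameSite\s*:"),
}


def review_configuration(source: str) -> list:
    """Return (check, concern) pairs suitable for the CONFIGURATION CONCERNS section."""
    concerns = []

    # 4.1 CORS: wildcard origins, and credentials combined with a permissive origin
    for m in CORS_OPTS.finditer(source):
        opts = m.group("opts")
        if WILDCARD_ORIGIN.search(opts):
            concerns.append(("CORS", "wildcard origin '*'"))
            if CREDENTIALS_TRUE.search(opts):
                concerns.append(("CORS", "credentials: true combined with a permissive origin"))

    # 4.2 Security headers: helmet middleware present and a CSP configured
    if "helmet(" not in source:
        concerns.append(("Headers", "no helmet middleware"))
    if "contentSecurityPolicy" not in source and "Content-Security-Policy" not in source:
        concerns.append(("Headers", "no CSP header configured"))

    # 4.3 JWT algorithm: 'none' must never be accepted; RS256 is preferred
    for m in JWT_ALGS.finditer(source):
        algs = m.group("algs")
        if re.search(r"['\"]none['\"]", algs):
            concerns.append(("JWT", "'none' algorithm accepted"))
        if "RS256" not in algs:
            concerns.append(("JWT", f"algorithm list {algs} does not use RS256"))

    # 4.3 Cookie flags: httpOnly, secure and sameSite on every cookie that is set
    for m in COOKIE_OPTS.finditer(source):
        opts = m.group("opts")
        for flag, pattern in COOKIE_FLAGS.items():
            if not pattern.search(opts):
                concerns.append(("Session", f"missing {flag} flag on cookie"))

    return concerns


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(f"--- {label} ---")
        for check, concern in review_configuration(src):
            print(f"- {check}: {concern}")
```

Run against the constructed snippets, the vulnerable source yields eight concerns (two CORS, two header, two JWT, two cookie-flag) and the hardened source yields none. Because the checks are text patterns, they complement rather than replace the manual read of each matched file in Step 5: a wildcard origin computed at runtime, or a cookie set through a helper, would not match these regexes.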
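Step 2 asks for the `npm audit --json` output to be parsed into counts, affected packages and fix availability, and the VERDICT DETERMINATION section then combines those counts with the scanner's findings. The following is an added example, not part of this command file or of the guardrail-orchestrator scanner, that does both: it parses the npm 7+ report format (`auditReportVersion` 2, where each entry under `vulnerabilities` carries `severity`, `range` and `fixAvailable`), produces rows for the DEPENDENCY VULNERABILITIES table, and applies the FAIL / PASS WITH WARNINGS / PASS rules. The audit document is constructed. One assumption is stated in the code: the rules assign no tier to one or two HIGH findings whose risk was not accepted, nor to non-critical dependency findings without a fix, so the function reports those as warnings rather than failing.

```python
"""Added example: parse `npm audit --json` and apply the verdict rules.
Not the guardrail-orchestrator scanner; the sample audit JSON is constructed."""
import json
from collections import Counter
from dataclasses import dataclass

NPM_SEVERITIES = ("critical", "high", "moderate", "low", "info")

# Constructed sample in the npm 7+ `npm audit --json` shape (auditReportVersion 2).
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True,
                   "range": "<4.17.21", "fixAvailable": True},
        "axios": {"name": "axios", "severity": "moderate", "isDirect": True,
                  "range": "<0.21.1",
                  "fixAvailable": {"name": "axios", "version": "0.21.1", "isSemVerMajor": False}},
        "example-unfixed-dep": {"name": "example-unfixed-dep", "severity": "critical",
                                "isDirect": False, "range": "*", "fixAvailable": False},
    },
})
EMPTY_AUDIT_JSON = '{"vulnerabilities":{}}'  # the fallback document Step 2 emits


@dataclass
class DependencyAudit:
    counts: Counter
    affected: list              # (package, vulnerable range, severity, fix available?)
    critical_without_fix: list  # package names that trigger a FAIL condition

    @property
    def total(self) -> int:
        return sum(self.counts.values())


def parse_npm_audit(raw: str) -> DependencyAudit:
    """Count vulnerabilities by severity and record which ones npm can fix."""
    report = json.loads(raw) if raw.strip() else {}
    counts = Counter({sev: 0 for sev in NPM_SEVERITIES})
    affected, no_fix = [], []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        counts[sev] += 1
        # fixAvailable is true, false, or an object naming the version that fixes it
        has_fix = bool(vuln.get("fixAvailable", False))
        affected.append((name, vuln.get("range", "?"), sev, has_fix))
        if sev == "critical" and not has_fix:
            no_fix.append(name)
    return DependencyAudit(counts, affected, no_fix)


def dependency_rows(deps: DependencyAudit) -> list:
    """Rows for the DEPENDENCY VULNERABILITIES table of the report."""
    return [f"{name:<24}{rng:<14}{sev.upper():<10}{'npm audit fix' if fix else 'none'}"
            for name, rng, sev, fix in deps.affected]


def verdict(static: dict, deps: DependencyAudit, exposed_secrets: int = 0,
            accepted_high: int = 0):
    """Return (tier, reasons). `static` holds the scanner's counts by severity.

    Assumption: unaccepted HIGH findings below three, and non-critical dependency
    findings without a fix, are not assigned a tier by the rules; they are
    reported as warnings here rather than failing the audit."""
    crit, high = static.get("critical", 0), static.get("high", 0)
    reasons = []
    if crit:
        reasons.append(f"{crit} CRITICAL static finding(s)")
    if high >= 3:
        reasons.append(f"{high} HIGH static findings (3 or more)")
    if deps.critical_without_fix:
        reasons.append("critical npm vulnerabilities without fix: "
                       + ", ".join(deps.critical_without_fix))
    if exposed_secrets:
        reasons.append(f"{exposed_secrets} exposed secret(s) or credential(s)")
    if reasons:
        return "FAIL", reasons

    lower = static.get("medium", 0) + static.get("low", 0)
    if high == 0 and lower == 0 and deps.total == 0:
        return "PASS", ["no CRITICAL/HIGH issues, dependencies up to date"]
    if high:
        reasons.append(f"{high} HIGH finding(s), {accepted_high} with accepted risk")
    if lower:
        reasons.append(f"{lower} MEDIUM/LOW finding(s)")
    if deps.total:
        reasons.append(f"{deps.total} dependency vulnerabilities (npm audit fix where available)")
    return "PASS WITH WARNINGS", reasons


if __name__ == "__main__":
    deps = parse_npm_audit(SAMPLE_AUDIT_JSON)
    print("\n".join(dependency_rows(deps)))
    tier, why = verdict({"critical": 0, "high": 1, "medium": 2}, deps)
    print(tier, "-", "; ".join(why))
```

With the constructed audit the verdict is FAIL even when the scanner reports nothing critical, because `example-unfixed-dep` is a critical dependency finding without an available fix; replacing that entry with the empty fallback document moves the same scanner counts to PASS WITH WARNINGS. The `range` field is the vulnerable version range npm reports, not the installed version, so the table column differs slightly from the report template's example rows.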