project-standalo-todo-super/.claude/commands/workflow/security.md

---
description: Run comprehensive security audit (Security Reviewer agent)
allowed-tools: Read, Bash, Grep, Task
---
# Security Reviewer Agent - Security Audit Mode
**Input**: "$ARGUMENTS"
---
## CRITICAL CONSTRAINTS
**YOU ARE IN READ-ONLY MODE FOR ANALYSIS.**
### MUST DO (Non-Negotiable)
1. **MUST** run automated security scanner
2. **MUST** analyze all CRITICAL and HIGH findings
3. **MUST** check dependency vulnerabilities
4. **MUST** review security configurations
5. **MUST** output structured security report
6. **MUST** provide remediation guidance
### CANNOT DO (Strictly Forbidden)
1. **CANNOT** modify source files
2. **CANNOT** fix issues directly
3. **CANNOT** approve with CRITICAL issues
4. **CANNOT** skip any security category
---
## ARGUMENT PARSING
```
IF "$ARGUMENTS" contains "--quick":
    MODE = QUICK (scanner only)
ELSE IF "$ARGUMENTS" contains "--full":
    MODE = FULL (scanner + deep analysis + deps + config)
ELSE:
    MODE = STANDARD (scanner + deps)
SEVERITY = extract from --severity [critical|high|medium|low]
OUTPUT = extract from --json (JSON output) or text
```
---
## EXECUTION FLOW
### Step 1: Run Automated Security Scanner [MANDATORY]
```bash
python3 skills/guardrail-orchestrator/scripts/security_scan.py \
  --project-dir . \
  --severity ${SEVERITY:-LOW} \
  ${OUTPUT:+--json}
SCAN_EXIT=$?   # read $? on the very next line; any command in between (even echo) overwrites it
echo "SCAN_EXIT=$SCAN_EXIT"
```
**Capture the exit code immediately after the scanner.** Do not pipe the scanner through `tee` or `jq`: without `pipefail` the exit code you read would be the last command's in the pipeline, not the scanner's.
**Exit codes:**
- 0 = PASS (no critical/high issues)
- 1 = HIGH issues found
- 2 = CRITICAL issues found
### Step 2: Dependency Audit [MANDATORY unless --quick]
```bash
echo "=== Dependency Audit ==="
# npm audit exits non-zero whenever it finds vulnerabilities (and when there is no
# lockfile to audit), so `npm audit --json || echo '{...}'` would print a second,
# empty JSON document after the real report and hide the result. Write the report
# to a file and keep the exit code separately.
if [ -f package.json ]; then
  npm audit --json > npm-audit.json 2> npm-audit.err
  AUDIT_EXIT=$?
else
  echo '{"vulnerabilities":{}}' > npm-audit.json   # not a Node project: nothing to audit
  AUDIT_EXIT=0
fi
echo "AUDIT_EXIT=$AUDIT_EXIT"
```
**Parse `npm-audit.json` (npm 7+ report format):**
- Count critical, high, moderate, low vulnerabilities (`metadata.vulnerabilities` carries the totals; `vulnerabilities.<name>` has one entry per affected package)
- List affected packages and the vulnerable `range` (the installed version is not in the report; `npm ls <package>` gives it)
- Note if fixes available: `fixAvailable` is `true` (`npm audit fix`), an object (`npm audit fix --force`, a semver-major bump), or `false`
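The parsing in Step 2, as an added example in Python rather than the project's own tooling: it reads the `npm audit --json` report format used by npm 7 and later, counts findings by severity, lists each package with its vulnerable range and the kind of fix available, and pulls out the one dependency condition that the VERDICT section treats as blocking (a critical vulnerability with no fix). The report embedded below is constructed for the example; the package names, ranges and advisory titles are not real audit results.

```python
from __future__ import annotations
import json
from dataclasses import dataclass

# Added example (not the project's scanner): parse the report written by
# `npm audit --json` with npm 7+ (auditReportVersion 2).
SEVERITY_ORDER = ("critical", "high", "moderate", "low", "info")


@dataclass
class DepFinding:
    package: str
    severity: str
    vulnerable_range: str   # the report carries the vulnerable range, not the installed version
    direct: bool            # isDirect: declared in package.json rather than pulled in transitively
    fix: str                # "npm audit fix", "npm audit fix --force -> ...", or "none"
    advisories: list[str]   # advisory titles from `via`


def parse_npm_audit(raw: str) -> dict:
    report = json.loads(raw)
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    findings: list[DepFinding] = []
    for name, entry in report.get("vulnerabilities", {}).items():
        sev = entry.get("severity", "info")
        counts[sev] = counts.get(sev, 0) + 1
        fix = entry.get("fixAvailable", False)
        if fix is True:
            fix_text = "npm audit fix"
        elif isinstance(fix, dict):
            # A fix exists but needs a different (often major) version of this
            # package or of a parent, which only `npm audit fix --force` applies.
            bump = " (semver-major)" if fix.get("isSemVerMajor") else ""
            fix_text = f"npm audit fix --force -> {fix.get('name')}@{fix.get('version')}{bump}"
        else:
            fix_text = "none"
        # `via` mixes advisory objects with bare package names for transitive paths
        titles = [v["title"] for v in entry.get("via", []) if isinstance(v, dict) and "title" in v]
        findings.append(DepFinding(name, sev, entry.get("range", "?"), bool(entry.get("isDirect")), fix_text, titles))
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f.severity) if f.severity in SEVERITY_ORDER else len(SEVERITY_ORDER))
    return {
        "counts": counts,
        "findings": findings,
        # the dependency FAIL condition from VERDICT DETERMINATION
        "unfixable_critical": [f.package for f in findings if f.severity == "critical" and f.fix == "none"],
    }


def report_rows(result: dict) -> list[str]:
    """Rows for the DEPENDENCY VULNERABILITIES section of the report."""
    return [f"{f.package:<20} {f.vulnerable_range:<14} {f.severity.upper():<9} {f.fix}" for f in result["findings"]]


# Constructed sample report; not real audit output.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True, "range": "<4.17.21",
                   "via": [{"title": "Sample advisory (constructed)", "severity": "high"}],
                   "fixAvailable": True},
        "axios": {"name": "axios", "severity": "moderate", "isDirect": True, "range": "<0.21.1",
                  "via": [{"title": "Sample advisory (constructed)", "severity": "moderate"}],
                  "fixAvailable": {"name": "axios", "version": "1.6.0", "isSemVerMajor": True}},
        "legacy-widget": {"name": "legacy-widget", "severity": "critical", "isDirect": False, "range": "*",
                          "via": ["legacy-core"], "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"critical": 1, "high": 1, "moderate": 1, "low": 0, "info": 0, "total": 3}},
})

if __name__ == "__main__":
    result = parse_npm_audit(SAMPLE_AUDIT)
    print(result["counts"])
    print("\n".join(report_rows(result)))
    print("unfixable critical:", result["unfixable_critical"])
```

Run it against the real file with `parse_npm_audit(open("npm-audit.json").read())`. Because the installed version is absent from the report, fill the Version column of the report from `npm ls <package>` rather than from this output.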
### Step 3: Deep Analysis [FULL mode only]
For each CRITICAL/HIGH finding from scanner:
#### 3.1 Data Flow Tracing
Use Task agent with security-engineer subagent:
```
Analyze data flow for vulnerability at [file:line].
Trace user input from source to sink.
Identify all potential attack vectors.
Assess exploitability and impact.
```
#### 3.2 Attack Vector Analysis
For each vulnerability type:
- SQL Injection → check whether input is concatenated or interpolated into the query text instead of bound as a parameter
- XSS → check whether input reaches the DOM or an HTML response without encoding for the context it lands in (element body, attribute, URL, script)
- Command Injection → check whether input reaches a shell command string (`exec`) instead of an argv array (`execFile`/`spawn` without `shell: true`)
- Path Traversal → check whether input reaches a file-system call without normalization (`path.resolve`) and a check that the result stays under the intended root
### Step 4: Configuration Review [FULL mode only]
#### 4.1 CORS Configuration
```bash
grep -rniE "cors|Access-Control" app/ src/ pages/ --include="*.ts" --include="*.tsx" --include="*.js"
```
Check for:
- Wildcard origins (`*`)
- Credentials with permissive origins
- Missing CORS on sensitive endpoints
#### 4.2 Security Headers
```bash
# Search the application only: node_modules contains Helmet's own source, which matches every pattern
grep -rniE "helmet|Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|X-XSS-Protection" . \
  --include="*.ts" --include="*.js" --exclude-dir=node_modules
```
Check for:
- Helmet middleware usage (registered on the app with `app.use`, not merely imported)
- CSP configuration
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection is a legacy header that current browsers ignore (Helmet deliberately sets it to `0`); do not count it as a control
#### 4.3 Authentication Configuration
```bash
grep -rniE "jwt|session|auth|cookie" app/ src/ pages/ --include="*.ts" --include="*.tsx"
```
Check for:
- JWT verification pins an `algorithms` allow-list: 'none' must never be accepted, and an asymmetric algorithm such as RS256 is preferred so that verifying services hold no signing secret
- Session configuration (secret read from the environment rather than hard-coded; session ID regenerated at login)
- Cookie flags (httpOnly, secure, sameSite)
#### 4.4 Environment Variables
```bash
# Check .env files are gitignored
grep -nE "\.env" .gitignore 2>/dev/null || echo "WARNING: no .env rule in .gitignore"
# An ignore rule does not remove files that were committed before it existed
git ls-files 2>/dev/null | grep -E "(^|/)\.env(\.|$)" | grep -vE "\.(example|sample)$" \
  && echo "WARNING: a .env file is tracked by git"
# Check for env var usage
grep -rn "process\.env\." app/ src/ --include="*.ts" --include="*.tsx" | head -20
```
Check for:
- Secrets read from `process.env` only in server-side code; any variable that client code can reach (in Next.js, anything prefixed `NEXT_PUBLIC_`) is inlined into the browser bundle
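The grep commands in 4.1 to 4.3 only surface candidate lines; deciding whether a line is a problem is left to the reviewer. As an added example (not the project's scanner), the Python below makes that decision for three of the configuration checks over a constructed TypeScript snippet: CORS with a wildcard origin (explicit, or the `cors` package default when it is called with no options) and whether credentials are enabled alongside it; `jwt.verify` calls with no `algorithms` allow-list or with 'none' in it; and cookies set without httpOnly, secure and a strict/lax sameSite. It inspects the text of each call up to the next semicolon, so it is a heuristic rather than a parser, and the regular expressions are the example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example: heuristic configuration checks, not the project's scanner.


@dataclass
class ConfigFinding:
    severity: str
    category: str
    line: int
    message: str


def _segment(src: str, start: int) -> str:
    """Text from just after a call's opening paren up to the next ';', so multi-line option objects are covered."""
    end = src.find(";", start)
    return src[start:end if end != -1 else len(src)]


def _line_of(src: str, idx: int) -> int:
    return src.count("\n", 0, idx) + 1


def _flag_value(args: str, flag: str) -> str | None:
    """Value of `flag: value` inside an options object, lower-cased and unquoted, or None if absent."""
    m = re.search(rf"\b{flag}\s*:\s*([^,}}\n]+)", args, re.IGNORECASE)
    return m.group(1).strip().strip("'\"").lower() if m else None


def review_config(src: str) -> list[ConfigFinding]:
    out: list[ConfigFinding] = []
    # 4.1 CORS: the `cors` package defaults to origin '*' when called with no options
    for m in re.finditer(r"\bcors\s*\(", src):
        seg, line = _segment(src, m.end()), _line_of(src, m.start())
        wildcard = re.search(r"origin\s*:\s*['\"]\*['\"]", seg) is not None
        creds = re.search(r"credentials\s*:\s*true", seg) is not None
        if wildcard and creds:
            out.append(ConfigFinding("HIGH", "CORS", line, "wildcard origin together with credentials: true"))
        elif wildcard or re.match(r"\s*\)", seg):
            out.append(ConfigFinding("MEDIUM", "CORS", line, "wildcard origin (explicit '*' or the package default)"))
    # 4.3 JWT: verification must pin an algorithms allow-list that excludes 'none'
    for m in re.finditer(r"\bjwt\.verify\s*\(", src):
        seg, line = _segment(src, m.end()), _line_of(src, m.start())
        algs = re.search(r"algorithms\s*:\s*\[([^\]]*)\]", seg)
        if algs is None:
            out.append(ConfigFinding("HIGH", "JWT", line, "jwt.verify without an explicit algorithms allow-list"))
        elif re.search(r"['\"]none['\"]", algs.group(1)):
            out.append(ConfigFinding("CRITICAL", "JWT", line, "'none' accepted in algorithms: unsigned tokens verify"))
        elif not re.search(r"['\"](?:RS|ES|PS)\d{3}['\"]", algs.group(1)):
            out.append(ConfigFinding("LOW", "JWT", line, "only shared-secret (HS*) algorithms allowed; prefer RS256"))
    # 4.3 cookies: httpOnly, secure and a strict/lax sameSite are expected on every Set-Cookie
    for m in re.finditer(r"\.cookie\s*\(", src):
        seg, line = _segment(src, m.end()), _line_of(src, m.start())
        weak = []
        for flag in ("httpOnly", "secure", "sameSite"):
            value = _flag_value(seg, flag)
            if value is None or value in ("false", "none"):
                weak.append(flag)
        if weak:
            out.append(ConfigFinding("MEDIUM", "Cookie", line, "missing or weak flags: " + ", ".join(weak)))
    return out


# Constructed snippet for the example; not code from the project.
SAMPLE_TS = """\
import cors from 'cors';
import jwt from 'jsonwebtoken';
app.use(cors({ origin: '*', credentials: true }));
app.use('/public', cors());
const payload = jwt.verify(token, PUBLIC_KEY, { algorithms: ['RS256', 'none'] });
const session = jwt.verify(token2, SECRET);
res.cookie('sid', sessionId, { httpOnly: true, secure: true, sameSite: 'lax' });
res.cookie('prefs', theme, { maxAge: 86400000 });
"""

if __name__ == "__main__":
    for f in review_config(SAMPLE_TS):
        print(f"[{f.severity}] {f.category} line {f.line}: {f.message}")
```

Lines 7 of the sample (a fully flagged cookie) and the RS256 entry on line 5 show what a clean configuration looks like; everything else in the snippet is reported, and the line numbers map onto the `grep -n` output from the commands above.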
### Step 5: Manual Review Checklist [FULL mode only]
Read each file modified in current workflow and verify:
**Input Validation**
- [ ] All user inputs validated
- [ ] Type checking enforced
- [ ] Length limits applied
- [ ] Format validation (email, URL, etc.)
**Output Encoding**
- [ ] HTML encoding for DOM insertion
- [ ] URL encoding for URLs
- [ ] JSON encoding for API responses
**Database Security**
- [ ] Parameterized queries used
- [ ] No string concatenation in queries
- [ ] Proper ORM usage
**Authentication/Authorization**
- [ ] Auth checks on protected routes
- [ ] Role-based access control
- [ ] Session validation
**Error Handling**
- [ ] Generic error messages to users
- [ ] No stack traces in production
- [ ] No sensitive data in logs
### Step 6: Generate Security Report [MANDATORY]
**MUST output this exact format:**
```
+======================================================================+
| SECURITY AUDIT REPORT |
+======================================================================+
| Mode: QUICK / STANDARD / FULL |
| Date: [current date] |
| Project: [project name from package.json] |
+======================================================================+
| RISK ASSESSMENT |
+----------------------------------------------------------------------+
| Overall Risk: CRITICAL / HIGH / MEDIUM / LOW / PASS |
| |
| Static Analysis: X issues (C:X H:X M:X L:X) |
| Dependencies: X vulnerabilities |
| Configuration: X concerns |
+======================================================================+
| CRITICAL ISSUES (Immediate Action Required) |
+----------------------------------------------------------------------+
| [1] [CATEGORY] Title |
| Location: file:line |
| CWE: CWE-XXX |
| OWASP: A0X:2021-Category |
| Evidence: [code snippet] |
| Impact: [description of potential attack] |
| Fix: [specific remediation steps] |
| |
| [2] ... |
+======================================================================+
| HIGH ISSUES (Fix Before Production) |
+----------------------------------------------------------------------+
| [3] ... |
+======================================================================+
| MEDIUM ISSUES (Should Fix) |
+----------------------------------------------------------------------+
| [4] ... |
+======================================================================+
| DEPENDENCY VULNERABILITIES |
+----------------------------------------------------------------------+
| Package Version Severity Fix Available |
| lodash 4.17.20 HIGH npm audit fix |
| axios 0.21.0 MEDIUM npm audit fix |
+======================================================================+
| CONFIGURATION CONCERNS |
+----------------------------------------------------------------------+
| - CORS: Wildcard origin detected in src/middleware.ts |
| - Session: Missing httpOnly flag on auth cookie |
| - Headers: No CSP header configured |
+======================================================================+
| REMEDIATION PRIORITY |
+----------------------------------------------------------------------+
| 1. [CRITICAL] Rotate exposed API key in src/lib/api.ts |
| 2. [CRITICAL] Fix SQL injection in app/api/users/route.ts |
| 3. [HIGH] Update lodash to 4.17.21 |
| 4. [HIGH] Add input validation to user registration |
| 5. [MEDIUM] Configure CSP headers |
+======================================================================+
| VERDICT |
+----------------------------------------------------------------------+
| FAIL - X critical issues must be fixed before deployment |
| or |
| PASS - No blocking security issues found |
+======================================================================+
```
---
## VERDICT DETERMINATION
### FAIL Conditions
- Any CRITICAL issue found
- 3+ HIGH issues found
- Critical npm vulnerabilities without fix
- Exposed secrets or credentials
### PASS WITH WARNINGS
- Only MEDIUM/LOW issues
- All HIGH issues have accepted risk
- Dependencies have fixes available
### PASS
- No CRITICAL/HIGH issues
- Dependencies up to date
- Configurations reviewed
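The rules above, as an added example in Python (not code from the project): a summary record fed from Steps 1 to 4 and a function that applies the FAIL conditions first, then settles on PASS WITH WARNINGS or PASS. Two points the rules leave open are resolved explicitly and are this example's assumptions: one or two HIGH findings without accepted risk do not FAIL (the threshold is three) but cannot PASS either, so they land in PASS WITH WARNINGS; and an audit that skipped the configuration review (any mode but `--full`) also cannot be a clean PASS.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example: the verdict rules as code. The summary fields are this
# example's assumptions, not an output format of the project's scanner.


@dataclass
class AuditSummary:
    critical: int = 0
    high: int = 0
    high_accepted: int = 0            # HIGH findings with a documented risk acceptance
    medium: int = 0
    low: int = 0
    dep_total: int = 0                # dependency vulnerabilities of any severity
    dep_fixable: int = 0              # of those, fixable by `npm audit fix`
    dep_critical_unfixable: int = 0   # critical with fixAvailable == false
    secrets_exposed: bool = False
    config_reviewed: bool = False     # Step 4 only runs in FULL mode


def determine_verdict(s: AuditSummary) -> tuple[str, list[str]]:
    """Return (verdict, reasons); FAIL conditions win over everything else."""
    unaccepted_high = s.high - s.high_accepted
    blockers: list[str] = []
    if s.critical:
        blockers.append(f"{s.critical} CRITICAL issue(s)")
    if unaccepted_high >= 3:
        blockers.append(f"{unaccepted_high} HIGH issues without accepted risk")
    if s.dep_critical_unfixable:
        blockers.append(f"{s.dep_critical_unfixable} critical dependency vulnerability(ies) with no fix available")
    if s.secrets_exposed:
        blockers.append("exposed secrets or credentials (rotate them; deleting them from source is not enough)")
    if blockers:
        return "FAIL", blockers
    warnings: list[str] = []
    if unaccepted_high:
        warnings.append(f"{unaccepted_high} HIGH issue(s): fix before production")
    if s.high_accepted:
        warnings.append(f"{s.high_accepted} HIGH issue(s) carried under accepted risk")
    if s.dep_total:
        warnings.append(f"{s.dep_total} dependency vulnerability(ies), {s.dep_fixable} fixable with npm audit fix")
    if s.medium or s.low:
        warnings.append(f"{s.medium} MEDIUM / {s.low} LOW issue(s) should be fixed")
    if not s.config_reviewed:
        warnings.append("configuration not reviewed (re-run with --full)")
    if warnings:
        return "PASS WITH WARNINGS", warnings
    return "PASS", ["no blocking security issues found"]


def verdict_line(s: AuditSummary) -> str:
    """The VERDICT row of the report, in the wording the report template uses."""
    verdict, reasons = determine_verdict(s)
    if verdict == "FAIL":
        return f"FAIL - {s.critical} critical issue(s) must be fixed before deployment ({'; '.join(reasons)})"
    if verdict == "PASS":
        return "PASS - No blocking security issues found"
    return "PASS WITH WARNINGS - " + "; ".join(reasons)


if __name__ == "__main__":
    print(verdict_line(AuditSummary(critical=1, high=1, config_reviewed=True)))
    print(verdict_line(AuditSummary(high=2, dep_total=3, dep_fixable=3)))
    print(verdict_line(AuditSummary(config_reviewed=True)))
```

The secrets branch is the one to keep in mind when writing the REMEDIATION PRIORITY list: a leaked key is a FAIL until it has been rotated, whatever the scanner reports after the line is deleted.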
---
## POST-AUDIT ACTIONS
### If FAIL:
```
SECURITY AUDIT FAILED
Blocking issues must be fixed:
1. [List critical issues]
For each issue:
/workflow:frontend <task_id> - if frontend issue
/workflow:backend <task_id> - if backend issue
Then re-run: /workflow:security
```
### If PASS:
```
SECURITY AUDIT PASSED
Proceed with: /workflow:review --auto
```
---
## USAGE EXAMPLES
```bash
# Quick scan (automated scanner only)
/workflow:security --quick
# Standard scan (scanner + dependencies)
/workflow:security
# Full audit (all checks)
/workflow:security --full
# Filter by severity
/workflow:security --severity high
# JSON output for CI/CD
/workflow:security --json
```
---
## INTEGRATION WITH CI/CD
### Pre-commit Hook
```bash
# A non-zero exit from the scanner aborts the commit
python3 skills/guardrail-orchestrator/scripts/security_scan.py \
  --project-dir . --severity HIGH --strict
```
### GitHub Actions
```yaml
- name: Security Scan
  run: |
    # The default shell for `run` is bash with -e, so a non-zero scanner exit
    # would abort the step before the check below runs and the report would
    # never be printed. Disable errexit around the scanner only.
    set +e
    python3 skills/guardrail-orchestrator/scripts/security_scan.py \
      --project-dir . --json > security-report.json
    SCAN_EXIT=$?
    set -e
    if [ "$SCAN_EXIT" -ne 0 ]; then
      echo "Security issues found (exit $SCAN_EXIT: 1 = HIGH, 2 = CRITICAL)"
      cat security-report.json
      exit "$SCAN_EXIT"
    fi
```
---
## ENFORCEMENT CHECKLIST
Before completing this command, verify:
- [ ] Automated scanner executed
- [ ] All categories analyzed
- [ ] Dependencies audited (unless --quick)
- [ ] Structured report output
- [ ] Remediation guidance provided
- [ ] Clear verdict stated