<< All versions
Skill v1.0.1
currentAutomated scan100/100thedecipherist/claude-code-mastery/security-audit
2 files
──Details
PublishedMay 15, 2026 at 07:37 AM
Content Hashsha256:5d0b0f4740df2566...
Git SHA0f05fa1a384c
Bump Typepatch
──Files
Files (1 file, 5.1 KB)
SKILL.md5.1 KBactive
SKILL.md · 230 lines · 5.1 KB
version: "1.0.1" name: security-audit description: Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.
Security Audit Skill
Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.
When to Use This Skill
- User mentions "security", "audit", "vulnerability", "CVE"
- Before deployment commands
- During PR reviews
- User asks about dependencies
- Periodic security checks
Audit Checklist
1. Secrets Exposure
Check for hardcoded secrets:
bash
# Search for common secret patternsgrep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" --include="*.{js,ts,py,go,rb,java}" .grep -rn "sk-\|pk_\|api_\|secret_" --include="*.{js,ts,py,go,rb,java}" .
Verify .gitignore:
bash
# Ensure sensitive files are ignoredcat .gitignore | grep -E "\.env|secret|credential|\.pem|\.key"
Check git history for leaked secrets:
bash
# Search recent commits (requires git-secrets or truffleHog)git log -p --all -S "API_KEY" --since="30 days ago"
✅ Pass criteria:
- No hardcoded API keys, tokens, or passwords
.envfiles in.gitignore- No secrets in git history
2. Dependency Vulnerabilities
Node.js:
bash
npm audit# oryarn audit# orpnpm audit
Python:
bash
pip-audit# orsafety check
Go:
bash
govulncheck ./...
Rust:
bash
cargo audit
✅ Pass criteria:
- No critical vulnerabilities
- No high vulnerabilities > 30 days old
- Dependencies updated within last 90 days
3. Input Validation
Check for:
- User inputs sanitized before use
- SQL queries use parameterized statements
- File paths validated and sandboxed
- HTML content escaped before rendering
- Command injection prevention
Common vulnerable patterns:
javascript
// BAD: SQL injectiondb.query(`SELECT * FROM users WHERE id = ${userId}`)// GOOD: Parameterized querydb.query('SELECT * FROM users WHERE id = ?', [userId])
python
# BAD: Command injectionos.system(f"convert {user_file}")# GOOD: Use subprocess with listsubprocess.run(["convert", user_file], check=True)
4. Authentication & Authorization
Check for:
- Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
- Session tokens are cryptographically random
- Sessions expire appropriately
- CSRF protection on state-changing endpoints
- Rate limiting on auth endpoints
- Account lockout after failed attempts
Look for:
javascript
// BAD: Weak hashingcrypto.createHash('md5').update(password)// GOOD: Bcryptbcrypt.hash(password, 12)
5. HTTPS & Transport Security
Check for:
- HTTPS enforced (HSTS header)
- Secure cookie flags (
Secure,HttpOnly,SameSite) - No mixed content warnings
- TLS 1.2+ required
6. Error Handling
Check for:
- Stack traces not exposed in production
- Generic error messages for users
- Detailed errors only in logs
- Sensitive data not in error messages
javascript
// BAD: Exposes internalsres.status(500).send({ error: err.stack })// GOOD: Generic messageres.status(500).send({ error: 'An unexpected error occurred' })
7. File Upload Security
If file uploads exist:
- Validate file type server-side (not just extension)
- Limit file size
- Scan for malware
- Store outside webroot
- Rename uploaded files
8. API Security
- Authentication required on all sensitive endpoints
- Authorization checks per resource
- Rate limiting implemented
- CORS configured restrictively
- API versioning in place
Severity Levels
| Level | Description | Action Required | |
|---|---|---|---|
| 🔴 Critical | Actively exploitable | Block deployment | |
| 🟠 High | Exploitable with effort | Fix within 7 days | |
| 🟡 Medium | Requires conditions | Fix within 30 days | |
| 🟢 Low | Minimal impact | Fix when convenient |
Output Format
markdown
## Security Audit Results**Project:** [name]**Date:** [date]**Auditor:** Claude (automated)### Summary| Severity | Count ||----------|-------|| 🔴 Critical | 0 || 🟠 High | 1 || 🟡 Medium | 2 || 🟢 Low | 3 |### Findings#### 1. [🟠 High] Hardcoded API Key**Location:** `src/config.js:15`**Description:** API key for payment provider is hardcoded**Risk:** If source code is leaked, attackers gain API access**Recommendation:** Move to environment variable
- const STRIPE_KEY = 'sk_live_abc123...'
- const STRIPE_KEY = process.env.STRIPE_SECRET_KEY
#### 2. [🟡 Medium] Missing Rate Limiting**Location:** `src/routes/auth.js`**Description:** Login endpoint has no rate limiting**Risk:** Enables brute force attacks**Recommendation:** Add rate limiting middleware### Recommendations1. [ ] Fix critical and high issues before next deployment2. [ ] Schedule medium issues for next sprint3. [ ] Add low issues to backlog4. [ ] Re-run audit after fixes
Commands to Run
After completing the audit, provide the user with:
- Summary of findings
- Prioritized fix list
- Commands to address each issue
- Timeline recommendation