srstomp

security-audit

Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations.

srstomp 7 2 Updated 3mo ago

Resources

1
GitHub

Install

npx skillscat add srstomp/pokayokay/security-audit

Install via the SkillsCat registry.

SKILL.md

Security Audit

Systematic security review for application code, dependencies, and configuration.

Not a replacement for professional penetration testing. Identifies common vulnerabilities within scope of code review.

Audit Types

Type Focus When to Use
Code Review OWASP Top 10, injection, auth New features, PRs, suspicious code
Dependency CVEs, outdated packages Before deploy, periodic, CI/CD
Configuration Secrets, permissions, hardening Infrastructure changes, new envs
Architecture Attack surface, data flow Design phase, major refactors
API Security Auth, authz, rate limiting New endpoints, public APIs

When NOT to Use

  • Designing new auth flows — Use api-design for designing OAuth2/JWT endpoints from scratch
  • Performance issues — Use performance-optimization even if caused by auth overhead
  • CI/CD pipeline security — Use ci-cd for pipeline hardening (secret management, permissions)

Key Principles

  • Scope first — Define audit area, depth, and constraints before scanning
  • Classify severity — Critical (24-48h), High (1 week), Medium (2-4 weeks), Low (backlog)
  • Remediate or track — Fix critical issues immediately, create ohno tasks for the rest
  • No secrets in code — Scan for hardcoded credentials, API keys, connection strings

Quick Start Checklist

  1. Define audit scope and type (code, dependency, config, architecture, API)
  2. Run automated scans (npm audit, grep patterns, secret detection)
  3. Review findings and classify severity using decision tree in references
  4. Remediate critical/high findings immediately
  5. Create ohno tasks for medium/low findings with appropriate priority
  6. Document findings in audit report

References

Reference Description
owasp-top-10.md OWASP vulnerabilities with detection and fixes
dependency-security.md npm audit, pip-audit, Snyk, CI/CD integration
auth-patterns.md Secure authentication and authorization patterns
api-security.md API-specific security concerns
secrets-management.md Handling sensitive configuration

Categories

Auth Code Review Security
GitHub

Install

npx skillscat add srstomp/pokayokay/security-audit

Install via the SkillsCat registry.

Recommended Skills

Yeachan-Heo
security-review by Yeachan-Heo
35.2K 3mo ago
markdown-viewer
security by markdown-viewer
2.9K 1mo ago
mukul975
analyzing-heap-spray-exploitation by mukul975
11.4K 1mo ago
garrytan
cso by garrytan
104K 2mo ago
alirezarezvani
code-reviewer by alirezarezvani
16.4K 2mo ago
NousResearch
code-review by NousResearch
170.9K 2mo ago