Skip to content

audit.md

Latest commit

 

History

History
49 lines (40 loc) · 2.38 KB

audit.md

File metadata and controls

49 lines (40 loc) · 2.38 KB

Perform a security audit of the codebase covering common vulnerability categories.

Steps

1. Dependency Vulnerabilities

  • Run the package manager's audit: npm audit, pip audit, cargo audit, govulncheck ./....
  • List critical and high severity vulnerabilities.
  • For each, determine if the vulnerable code path is actually reachable in this project.
  • Recommend specific version upgrades or patches.

2. Secrets Scan

  • Search for hardcoded secrets, API keys, tokens, and passwords:
    • Patterns: password\s*=, api[_-]?key, secret, token, Bearer , base64-encoded strings.
    • Files: .env files committed to git, config files, source code.
  • Check .gitignore for proper exclusion of sensitive files.
  • Verify environment variables are used for all secrets.

3. OWASP Top 10 Check

  • Injection: SQL injection, command injection, XSS. Search for string concatenation in queries, eval(), innerHTML.
  • Broken Auth: Weak password policies, missing rate limiting, session fixation.
  • Sensitive Data Exposure: Unencrypted data at rest/transit, verbose error messages, logs containing PII.
  • Broken Access Control: Missing authorization checks, IDOR vulnerabilities, privilege escalation paths.
  • Security Misconfiguration: Default credentials, unnecessary features enabled, CORS wildcards.

4. Input Validation

  • Verify all user inputs are validated before processing.
  • Check for proper type coercion and boundary checking.
  • Ensure file uploads have type, size, and name validation.
  • Verify URL and redirect validation prevents open redirects.

5. Authentication and Authorization Review

  • Check password hashing (bcrypt/argon2, not MD5/SHA1).
  • Verify JWT token expiration and rotation.
  • Check for proper CSRF protection.
  • Verify role-based access control at the API layer, not just the UI.

6. Report

Produce a findings report organized by severity (Critical, High, Medium, Low, Info) with:

  • Finding description.
  • Affected file and line.
  • Recommended fix.
  • Reference (CWE number or OWASP category).

Rules

  • Prioritize findings by exploitability and impact, not just theoretical risk.
  • Include proof-of-concept for critical findings when safe to do so.
  • Do not just list tools to run. Actually analyze the output and provide actionable recommendations.
  • Check both the application code and infrastructure configuration (Dockerfiles, CI configs, cloud configs).