AI Agent

Security Agent - Full Reference Patterns

Security agent providing OWASP reference patterns for vulnerability scanning, auth/authorization, secure coding, cryptography, API/mobile/infra security, testing, and compliance. Delegate for security reviews, audits, and best practices.

Semgrep

Docker

npx claudepluginhub nguyenthienthanh/aura-frog --plugin aura-frog

Details

Tool AccessAll tools

RequirementsPower tools

Prompt Preview

**Source Agent:** `agents/security.md` **Load:** On-demand when deep security expertise needed --- - Dependency scanning (npm audit, Snyk, OWASP Dependency-Check) - Static code analysis (SonarQube, Semgrep, Bandit) - Dynamic scanning (OWASP ZAP, Burp Suite) - Container scanning (Trivy, Anchore) - Secret scanning (GitGuardian, TruffleHog) - OAuth 2.0 / OpenID Connect implementation review - JWT ...

Agent Content

Similar Agents

Security Operations

Runtime security operations agent for dependency scanning, supply chain analysis, secrets detection, OWASP compliance, and incident response. Delegate operational security tasks, excluding code audits and architecture reviews.

10 tools

bopen-tools

security-auditor

Expert security auditor for DevSecOps, vulnerability assessment, threat modeling, OWASP standards, secure authentication (OAuth2/OIDC/JWT), container/Kubernetes security, secrets management, and compliance (GDPR/HIPAA/SOC2). Delegate for audits, pipeline integration, and incident response.

all tools

dev-accelerator

octo-security-auditor

3.2k

Security auditor specializing in DevSecOps, OWASP Top 10 compliance, vulnerability assessment with CVSS scoring, threat modeling, and remediation plans for apps and infrastructure.

1 tools

octo

Stats

Parent Repo Stars14

Parent Repo Forks2

Last CommitMar 24, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Security Agent - Full Reference Patterns

Source Agent: agents/security.md Load: On-demand when deep security expertise needed

Detailed OWASP Competencies

Vulnerability Scanning

Dependency scanning (npm audit, Snyk, OWASP Dependency-Check)
Static code analysis (SonarQube, Semgrep, Bandit)
Dynamic scanning (OWASP ZAP, Burp Suite)
Container scanning (Trivy, Anchore)
Secret scanning (GitGuardian, TruffleHog)

Authentication & Authorization

OAuth 2.0 / OpenID Connect implementation review
JWT security (algorithm confusion, signature validation)
Session management (secure cookies, CSRF tokens)
Password policies (hashing, salting, bcrypt, argon2)
Multi-factor authentication (MFA) implementation
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)

Secure Coding Practices

Input validation and sanitization
Output encoding (prevent XSS)
Parameterized queries (prevent SQL injection)
Secure file uploads
Content Security Policy (CSP)
Security headers (Helmet.js, HSTS, X-Frame-Options)
Rate limiting and throttling

Cryptography

Encryption at rest (AES-256, database encryption)
Encryption in transit (TLS 1.3, HTTPS)
Key management (KMS, Vault, env variables)
Hashing (SHA-256, bcrypt, argon2)
Digital signatures
Certificate management

API Security

API authentication (API keys, OAuth, JWT)
Rate limiting and quotas
Input validation
CORS configuration
API versioning security
GraphQL security (query depth limiting, cost analysis)

Mobile Security

Certificate pinning
Secure storage (Keychain, Keystore)
Code obfuscation
Root/jailbreak detection
Secure communication
Biometric authentication

Infrastructure Security

Cloud security (AWS IAM, GCP IAM, Azure RBAC)
Network security (firewalls, security groups)
Container security (Docker, Kubernetes)
Secrets management (AWS Secrets Manager, HashiCorp Vault)
Environment separation

Security Testing

Penetration testing basics
Threat modeling (STRIDE, DREAD)
Security test cases
Fuzzing
Security regression testing

Compliance & Standards

GDPR compliance
HIPAA compliance
PCI DSS compliance
SOC 2 Type II
ISO 27001
NIST Cybersecurity Framework

Tech Stack Expertise

Security Tools

Dependency Scanning:

npm audit (Node.js)
Snyk (multi-language)
OWASP Dependency-Check
pip-audit (Python)
bundler-audit (Ruby)
Go vulnerability scanner

Static Application Security Testing (SAST):

SonarQube / SonarCloud
Semgrep
ESLint security plugins
Bandit (Python)
Brakeman (Ruby on Rails)
gosec (Go)

Dynamic Application Security Testing (DAST):

OWASP ZAP
Burp Suite Community/Pro
Nikto
SQLMap

Secret Scanning:

GitGuardian
TruffleHog
git-secrets
detect-secrets

Container Security:

Trivy
Anchore
Clair
Docker Bench Security

Security Libraries

Node.js:

helmet (security headers)
express-rate-limit
express-validator
joi / zod (validation)
bcrypt / argon2
jsonwebtoken
passport

Python:

django-security
Flask-Security
cryptography
PyJWT
passlib

PHP:

Laravel security features
password_hash / password_verify
CSRF protection

React Native:

react-native-keychain
react-native-ssl-pinning
react-native-biometrics

Cloud Security

AWS:

AWS IAM, AWS Secrets Manager, AWS WAF
AWS Shield, AWS GuardDuty, AWS Security Hub

GCP:

GCP IAM, Secret Manager
Cloud Armor, Security Command Center

Azure:

Azure AD, Key Vault
Azure Security Center, Azure Sentinel

Security Checklists

Web Application Security Checklist

Authentication:

Passwords hashed with bcrypt/argon2 (cost factor >= 12)
Account lockout after N failed attempts
MFA available for sensitive operations
Secure password reset flow (tokens expire, one-time use)
Session timeout configured (< 30 min idle)
CSRF tokens on all state-changing operations
Secure cookie flags (HttpOnly, Secure, SameSite)

Authorization:

Principle of least privilege enforced
All routes/endpoints have access control
Horizontal privilege escalation prevented
Vertical privilege escalation prevented
Direct object references are authorized

Input Validation:

All user inputs validated (client + server)
Whitelist validation (not blacklist)
Content-Type validation for uploads
File size limits enforced
Parameterized queries (no string concatenation)
NoSQL injection prevention

Output Encoding:

XSS prevention (escape HTML, JS, CSS)
Content Security Policy (CSP) configured
JSON responses properly encoded
Error messages don't leak sensitive data

Security Headers:

Cryptography:

HTTPS enforced (TLS 1.3 preferred)
Sensitive data encrypted at rest
Secure random number generation
No hardcoded secrets in code
Secrets in environment variables or vault

API Security:

Rate limiting on public endpoints
API authentication required
CORS configured properly (not wildcard *)
API versioning implemented
Request size limits enforced
GraphQL query depth limiting

Dependencies:

Dependencies up to date
No known vulnerabilities (npm audit clean)
Dependency scanning in CI/CD
Lockfile committed (package-lock.json)

Logging & Monitoring:

Security events logged (failed auth, privilege escalation)
Logs don't contain sensitive data (passwords, tokens)
Log retention policy defined
Alerts for security anomalies
Audit trail for admin actions

Mobile App Security Checklist

Data Storage:

Sensitive data in secure storage (Keychain, Keystore)
No sensitive data in logs
No sensitive data in screenshots/backups
Database encryption enabled
Cache cleared on logout

Network:

Certificate pinning implemented
TLS 1.3 enforced
Public WiFi warnings
VPN detection (if required)

Code Protection:

Code obfuscation enabled (ProGuard, R8)
Debug mode disabled in production
No API keys hardcoded
Root/jailbreak detection (if required)
Anti-tampering checks

Authentication:

Biometric authentication available
PIN/passcode required
Token refresh implemented
Auto-logout on inactivity

Security Audit Process

Phase 1: Information Gathering

Map application architecture
Identify entry points (APIs, forms, file uploads)
List authentication mechanisms
Document sensitive data flows
Review third-party integrations

Phase 2: Automated Scanning

Run dependency scanner (npm audit, Snyk)
Run SAST (SonarQube, Semgrep)
Run secret scanner (TruffleHog)
Run container scanner (Trivy)
Collect findings

Phase 3: Manual Code Review

Review authentication logic
Review authorization checks
Check input validation
Review cryptography usage
Check security headers
Review error handling
Check logging practices

Phase 4: Dynamic Testing

Test authentication bypass
Test authorization bypass (IDOR, privilege escalation)
Test injection vulnerabilities (SQL, XSS, command)
Test file upload security
Test session management
Test API rate limiting
Test CORS configuration

Phase 5: Threat Modeling

Identify assets
Identify threats (STRIDE)
Identify vulnerabilities
Calculate risk (DREAD)
Prioritize mitigations

Phase 6: Reporting

Categorize findings (Critical, High, Medium, Low)
Provide remediation steps
Estimate effort for fixes
Create JIRA tickets for vulnerabilities
Provide security roadmap

Typical Workflows

1. Security Audit (Full)

Command: security:audit

Run automated scans (deps, SAST, secrets)
Manual code review (OWASP Top 10)
Dynamic testing (DAST)
Threat modeling
Generate comprehensive report

2. Dependency Vulnerability Scan

Command: security:deps

Run npm audit / yarn audit
Run Snyk scan
Check for outdated packages
Identify vulnerable dependencies
Provide upgrade recommendations

3. Code Security Scan

Command: security:scan

Run SAST (SonarQube, Semgrep, ESLint security)
Check for hardcoded secrets
Check for insecure patterns
Identify security hotspots
Generate report

Security Tools Installation

Node.js:

npm install helmet express-rate-limit express-validator
npm install --save-dev @microsoft/eslint-plugin-sdl
npm install --save-dev eslint-plugin-security

Python:

pip install bandit safety
pip install flask-talisman  # Security headers for Flask

Container:

# Trivy
brew install trivy
trivy image myimage:latest

Secret Scanning:

# TruffleHog
pip install trufflehog
trufflehog git https://github.com/myorg/myrepo

Common Vulnerabilities & Fixes

SQL Injection

Vulnerable:

const query = `SELECT * FROM users WHERE id = ${userId}`;
db.query(query);

Secure:

const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

// Or with Prisma/TypeORM (safe by default)
prisma.user.findUnique({ where: { id: userId } });

XSS (Cross-Site Scripting)

Vulnerable:

res.send(`<h1>Hello ${username}</h1>`);

Secure:

import DOMPurify from 'dompurify';
res.send(`<h1>Hello ${DOMPurify.sanitize(username)}</h1>`);

// Or use templating engines with auto-escaping
res.render('hello', { username });  // EJS, Handlebars auto-escape

CSRF (Cross-Site Request Forgery)

Vulnerable:

app.post('/transfer', (req, res) => {
  // No CSRF protection
  transfer(req.body.amount, req.body.to);
});

Secure:

import csrf from 'csurf';
app.use(csrf({ cookie: true }));

app.post('/transfer', (req, res) => {
  // CSRF token validated automatically
  transfer(req.body.amount, req.body.to);
});

Weak Password Hashing

Vulnerable:

import crypto from 'crypto';
const hash = crypto.createHash('md5').update(password).digest('hex');

Secure:

import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);  // Cost factor 12
const valid = await bcrypt.compare(password, hash);

Insecure Direct Object Reference (IDOR)

Vulnerable:

app.get('/user/:id', (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user);  // No authorization check
});

Secure:

app.get('/user/:id', authenticate, (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await User.findById(req.params.id);
  res.json(user);
});