Security Audit

Perform a comprehensive security review of the codebase.

Step 1: Dependency Audit

Check for known vulnerabilities in dependencies:

# Node.js
npm audit
npx better-npm-audit audit

# Python
pip-audit
safety check

# Ruby
bundle audit check --update

# Go
govulncheck ./...

# Rust
cargo audit

Step 2: Secret Detection

Scan for accidentally committed secrets:

Patterns to detect:

• API keys: [A-Za-z0-9_]{20,}
• AWS keys: AKIA[0-9A-Z]{16}
• Private keys: -----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----
• Tokens: ghp_, gho_, github_pat_, sk-, Bearer
• Passwords in config: password\s*[:=]\s*["']?[^"'\s]+
• Connection strings: mongodb://, postgres://, mysql://

Files to check:

• .env* files
• Config files (.json, .yaml, .toml)
• Source code (hardcoded credentials)
• Git history (git log -p | grep -E "password|secret|key")

Step 3: OWASP Top 10 Check

A01: Broken Access Control

• Authorization checks on all endpoints
• No direct object references without validation
• CORS properly configured
• Directory listing disabled

A02: Cryptographic Failures

• Sensitive data encrypted at rest
• TLS 1.2+ for data in transit
• Strong hashing for passwords (bcrypt, argon2)
• No weak algorithms (MD5, SHA1, DES)

A03: Injection

• Parameterized queries (no string concatenation)
• Input validation and sanitization
• Output encoding for XSS prevention
• Command injection prevention

A04: Insecure Design

• Rate limiting implemented
• Account lockout after failed attempts
• Secure session management
• Input length limits

A05: Security Misconfiguration

• Debug mode disabled in production
• Default credentials changed
• Unnecessary features disabled
• Security headers configured

A06: Vulnerable Components

• Dependencies up to date
• No known CVEs in dependencies
• Unused dependencies removed

A07: Authentication Failures

• Strong password requirements
• MFA supported/required
• Secure password reset flow
• Session timeout configured

A08: Software and Data Integrity

• CI/CD pipeline secured
• Dependencies from trusted sources
• Code signing for releases
• Integrity checks for downloads

A09: Security Logging

• Authentication events logged
• Authorization failures logged
• Input validation failures logged
• Logs don't contain sensitive data

A10: SSRF

• URL validation for external requests
• Allowlisted domains only
• No internal network access from user input

Step 4: Code-Level Review

SQL Injection

// BAD
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD
const query = `SELECT * FROM users WHERE id = $1`;
await db.query(query, [userId]);

XSS Prevention

// BAD
element.innerHTML = userInput;

// GOOD
element.textContent = userInput;
// or use DOMPurify
element.innerHTML = DOMPurify.sanitize(userInput);

Path Traversal

// BAD
const file = path.join(baseDir, userInput);

// GOOD
const file = path.join(baseDir, path.basename(userInput));
if (!file.startsWith(baseDir)) throw new Error('Invalid path');

Step 5: Security Headers

Check for essential headers:

Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()

Output: Security Report

# Security Audit Report

## Summary
- Critical: X
- High: X
- Medium: X
- Low: X

## Critical Findings
[Immediate action required]

## High Priority
[Fix before next release]

## Medium Priority
[Address in next sprint]

## Low Priority
[Technical debt backlog]

## Recommendations
1. ...
2. ...

Severity Definitions

Level	Description	Example
Critical	Active exploit possible	SQL injection, RCE
High	Data exposure likely	Auth bypass, IDOR
Medium	Conditional risk	Missing headers, weak crypto
Low	Best practice	Verbose errors, old TLS