security-audit

Security Audit

Comprehensive security scan. Finds issues AND fixes them.

Process

Step 1: Dependency Audit

Detect package manager from lockfile and run audit:

• pnpm-lock.yaml → pnpm audit
• package-lock.json → npm audit
• yarn.lock → yarn audit

If critical/high vulnerabilities found, run the appropriate fix command (non-breaking only):

pnpm audit --fix  # or npm audit fix

Step 2: Secret Scanning

node ${CLAUDE_PLUGIN_ROOT}/tools/secret-scanner.mjs <project-directory>

For any findings:

• Flag the file and line number with severity
• Suggest moving secrets to environment variables
• Check if the file should be in .gitignore
• If .env is committed, add it to .gitignore

Step 3: OWASP Pattern Detection

Use Grep to scan source files for dangerous patterns:

eval(                    → Suggest safer alternatives
new Function(            → Suggest safer alternatives
.innerHTML =             → Suggest textContent or sanitized HTML
dangerouslySetInnerHTML  → Verify sanitization
SQL + variable           → Suggest parameterized queries
http://                  → Suggest https:// (mixed content)

Step 3b: Authentication & Authorization Review

Scan the codebase for auth-related weaknesses. These are the most exploited vulnerability class in web applications — a single flaw here typically means full account takeover.

• Hardcoded CORS origins: Grep for Access-Control-Allow-Origin: * or origin: '*' or cors({ origin: true }). An allow-all CORS policy lets any malicious site make authenticated requests on behalf of your users. The fix is an explicit allowlist of trusted origins, never a wildcard when credentials are involved.
• Missing rate limiting on auth endpoints: Identify login, register, password reset, and OTP verification routes. If there is no rate limiter middleware (e.g., express-rate-limit, Hono rateLimiter, Redis-backed sliding window), these endpoints are vulnerable to credential stuffing and brute force. Recommend per-IP and per-account limits (e.g., 5 attempts per minute per IP on login, 3 password resets per hour per email).
• JWT without expiry or weak signing: Grep for jwt.sign and check for missing expiresIn option — a token without expiry is a permanent credential. Check for HS256 with secrets shorter than 256 bits (32 bytes); attackers can brute-force short HS256 secrets offline. Recommend RS256/ES256 for production, or HS256 with a cryptographically random secret of at least 32 bytes. Also check that jwt.verify does not pass algorithms: ['none'] or accept unsigned tokens.
• Session fixation: After successful authentication, the session ID must be regenerated. Grep for session assignment after login — if the same session ID persists from before auth to after, an attacker who sets a known session ID (via URL parameter, cookie injection, or subdomain cookie) gains access once the victim logs in.
• Missing CSRF protection: Identify state-changing endpoints (POST, PUT, DELETE, PATCH). If there is no CSRF token validation, no SameSite=Strict or SameSite=Lax cookie attribute, and no custom header requirement (e.g., X-Requested-With), these endpoints are exploitable via cross-site request forgery. SPAs using Authorization: Bearer headers are inherently CSRF-safe, but cookie-based auth requires explicit protection.
• Privilege escalation via IDOR: Look for routes like /api/users/:id, /api/orders/:id, /api/invoices/:id where the ID comes from the URL or request body. If the handler does not verify that the authenticated user owns or has permission to access that resource (e.g., WHERE id = :id AND userId = :currentUser), any authenticated user can access any other user's data by changing the ID. This is consistently in the OWASP Top 10 as "Broken Access Control."

Step 3c: Input Validation & Injection

Scan for injection vectors beyond basic SQL concatenation. Injection flaws remain the most dangerous vulnerability class because they allow attackers to execute arbitrary operations within your application's context.

• SQL injection (beyond concatenation): Look for template literals in queries (\SELECT * FROM users WHERE id = ${id}`), string building with + operators near SQL keywords, and ORM raw query methods (knex.raw(), prisma.$queryRawUnsafe(), sequelize.query()` without bind parameters). Even ORMs are vulnerable when developers use raw query escape hatches.
• Path traversal: Grep for user input flowing into fs.readFile, fs.readFileSync, fs.createReadStream, path.join, path.resolve, or res.sendFile. If the input is not validated against ../ sequences (or null bytes on older Node versions), attackers can read arbitrary files from the server — /etc/passwd, .env, private keys. The fix is to resolve the path and verify it starts with the intended base directory.
• Command injection: Grep for child_process.exec, child_process.execSync, shell: true in spawn options, or any function that passes user input to a shell. An attacker who controls even part of a shell command can chain arbitrary commands with ;, &&, |, or backticks. The fix is execFile/execFileSync (no shell) with arguments as an array, never string interpolation.
• Server-Side Request Forgery (SSRF): Look for user-provided URLs passed to fetch, axios, http.get, or any HTTP client. Without validation, an attacker can make your server request internal services (http://169.254.169.254 for cloud metadata, http://localhost:6379 for Redis, internal microservices). Validate that URLs resolve to public IP addresses and use an allowlist of permitted schemes and hosts.
• XML External Entity (XXE): If the project uses XML parsing (xml2js, libxmljs, fast-xml-parser, DOMParser), check that external entity processing is disabled. XXE allows attackers to read local files, perform SSRF, or cause denial of service via billion-laughs expansion. Most modern parsers disable XXE by default, but verify the configuration explicitly.
• Prototype pollution: Grep for Object.assign({}, userInput), _.merge({}, userInput), _.defaultsDeep, JSON.parse results used in deep merge operations, and __proto__ or constructor.prototype in request bodies. Prototype pollution lets attackers inject properties into Object.prototype, which can escalate to RCE in some frameworks (e.g., via EJS template engine gadgets). The fix is Object.create(null) for dictionary objects, input schema validation, and Object.freeze(Object.prototype) in hardened environments.

Step 3d: Supply Chain Security

Modern applications pull in hundreds of transitive dependencies. A single compromised package in the dependency tree can execute arbitrary code on every developer machine and CI server.

• Postinstall scripts: Run npm pkg get scripts.postinstall or grep lockfile for "postinstall" hooks in dependencies. Malicious packages use postinstall scripts to exfiltrate environment variables, SSH keys, or install backdoors. Legitimate packages that need postinstall (e.g., esbuild, sharp for native binaries) should be audited individually.
• Typosquatting: Compare dependency names against known popular packages. Look for single-character transpositions (lodas vs lodash), scope confusion (@internal/utils vs internal-utils), and hyphen/underscore variants. Typosquatted packages typically mirror the real package's API while adding a backdoor.
• Unmaintained dependencies: Flag dependencies with no npm publish in over 2 years or GitHub repos archived/with no commits. Unmaintained packages will not receive security patches. Recommend alternatives or evaluate whether the dependency can be replaced with a small internal utility.
• Lockfile integrity: Verify that the lockfile exists and is consistent with package.json. A missing or manipulated lockfile means builds are not reproducible and dependency resolution could pull in malicious versions. Run pnpm install --frozen-lockfile (or npm ci) in CI to enforce lockfile integrity.
• CI hardening: Recommend npm config set ignore-scripts true in CI environments, then explicitly allowlist packages that need install scripts. This prevents supply chain attacks via postinstall hooks from newly added or compromised dependencies.

Step 4: HTTP Security Headers

If a dev server is running, use curl or fetch to check response headers:

• Content-Security-Policy
• X-Frame-Options
• X-Content-Type-Options
• Strict-Transport-Security
• Referrer-Policy

If missing, generate middleware snippet for the project's framework:

• Hono: app.use('*', secureHeaders())
• Express: helmet middleware
• Next.js: next.config.js headers

Step 5: Dependency Health

node ${CLAUDE_PLUGIN_ROOT}/tools/dep-doctor.mjs <project-directory>

Report:

• Unused production deps → recommend removal (reduces attack surface + install size)
• Unused dev deps → suggest cleanup
• Pinned versions → suggest using ^ for patch updates
• Outdated major versions → flag security risk of old packages

Step 5b: Cryptography Review

Weak or misused cryptography is often invisible until a breach. These checks catch the most common mistakes that silently undermine the security of authentication, token generation, and data protection.

• Deprecated hash algorithms: Grep for createHash('md5'), createHash('sha1'), or any use of MD5/SHA1 for security purposes (password hashing, token generation, integrity verification). MD5 has practical collision attacks; SHA1 is deprecated by NIST since 2011. These are acceptable only for non-security checksums (e.g., cache keys, ETags). For integrity, use SHA-256 or SHA-3. For passwords, use bcrypt or argon2 exclusively.
• Hardcoded encryption keys and IVs: Grep for createCipheriv, createDecipheriv, and check whether the key or IV is a string literal, hex constant, or imported from a non-env source. Hardcoded keys mean every deployment shares the same key, and anyone with source code access (including leaked repos) can decrypt all data. Keys must come from environment variables or a secrets manager, and IVs must be randomly generated per encryption operation.
• Insecure random for security tokens: Grep for Math.random() used anywhere near token generation, session IDs, OTP codes, password reset links, or API keys. Math.random() is not cryptographically secure — its output is predictable given enough samples. The fix is crypto.randomBytes() or crypto.randomUUID() for Node.js, or crypto.getRandomValues() for browser contexts.
• Weak password hashing: If the application stores passwords, verify it uses bcrypt (cost factor >= 12), argon2id, or scrypt. Grep for createHash used on passwords — this means passwords are hashed with a fast algorithm (SHA-256, MD5) without salting or key stretching, making them trivially crackable with rainbow tables or GPU brute force. Also check bcrypt cost factors below 10, which are insufficient for modern hardware.

Step 5c: Data Exposure

Data leakage is the silent breach — it does not trip alarms, does not require exploits, and often goes unnoticed until the data appears on a paste site. These checks catch the most common ways applications hemorrhage sensitive information.

• Stack traces in production error responses: Check error handling middleware for NODE_ENV conditional logic. If err.stack, err.message, or raw error objects are sent in HTTP responses without checking the environment, attackers get free reconnaissance — internal file paths, framework versions, database connection strings, and query structures. The fix is a generic error response in production with a correlation ID for internal log lookup.
• PII in logs: Grep for console.log, logger.info, logger.debug, and logging library calls that include request bodies, user objects, or variables named email, phone, password, ssn, token, secret, creditCard, or ip. Logs are often stored in plain text, shipped to third-party log aggregators, and retained long past their usefulness. Recommend structured logging with explicit field allowlists and automatic PII redaction.
• Internal fields in API responses: Check API response serialization — if the application returns full database objects (e.g., res.json(user) where user is a Drizzle/Prisma/Sequelize model), it likely leaks internal fields: passwordHash, resetToken, internalNotes, stripeCustomerId, createdAt metadata, or soft-delete flags. The fix is explicit response DTOs or select/pick at the query level — never return the raw model.
• Missing Content-Security-Policy: A missing or overly permissive CSP is the difference between "XSS vulnerability found" and "XSS vulnerability exploited." Check for unsafe-inline, unsafe-eval, and wildcard sources (*) in existing CSPs. A baseline CSP should at minimum set default-src 'self', script-src 'self', and object-src 'none'. Report-only mode (Content-Security-Policy-Report-Only) is a safe way to deploy CSP incrementally without breaking existing functionality.

Step 6: Apply Fixes

• Auto-fix safe dependency updates
• Add .env to .gitignore if missing
• Replace dangerous patterns with safe alternatives
• Generate security header middleware file
• Remove confirmed unused dependencies

Key Principle

Think like an attacker. For every endpoint, ask: "What happens if I send unexpected input?" For every data flow, ask: "What if this is intercepted?" For every dependency, ask: "What if this is compromised?" Fix what you find. Document what you can't fix. Treat security as a spectrum, not a checkbox.