npx claudepluginhub lgbarn/shipyard --plugin shipyardThis skill uses the workspace's default tool permissions.
<!-- TOKEN BUDGET: 110 lines / ~330 tokens -->
Performs full security audits scanning for hardcoded secrets, vulnerable dependencies, IAM misconfigs, auth flaws, SQL injection, XSS, HTTPS issues, rate limiting, public storage exposures.
Prevents silent decimal mismatch bugs in EVM ERC-20 tokens via runtime decimals lookup, chain-aware caching, bridged-token handling, and normalization. For DeFi bots, dashboards using Python/Web3, TypeScript/ethers, Solidity.
Share bugs, ideas, or general feedback.
Core principle: Assume every change introduces risk until proven otherwise.
For every code change, verify:
dangerouslySetInnerHTML without sanitizationFlag these patterns in ANY file (code, config, IaC, docs, tests):
| Pattern | What It Is |
|---|---|
AKIA[0-9A-Z]{16} | AWS Access Key |
ghp_[0-9a-zA-Z]{36} | GitHub Token |
sk-[0-9a-zA-Z]{48} | OpenAI/Stripe Secret Key |
(postgres|mysql|mongodb)://[^:]+:[^@]+@ | DB credentials in URI |
-----BEGIN.*PRIVATE KEY----- | Private key |
(password|secret|token|api_key)\s*[:=]\s*['"][^'"]{8,} | Generic secret |
Where secrets hide: .env files in git, Docker build args, Terraform tfvars, CI configs, test fixtures, comments.
Prevention: Environment variables or secret managers. Add .env, *.tfvars, *.pem to .gitignore.
npm audit / pip-audit / cargo audit / govulncheck| Area | Check |
|---|---|
| Terraform | No hardcoded secrets in .tf, remote state with encryption, IAM least privilege, no * in security groups, encryption on storage |
| Ansible | Vault for secrets, SSH key auth, become only where needed |
| Docker | Pinned base image (not latest), non-root USER, no secrets in ENV/ARG, .dockerignore configured, health check present, multi-stage build |
| Severity | Definition | Action |
|---|---|---|
| Security-Critical | Exploitable vulnerability or data exposure | Must fix before merge |
| Security-Important | Increases attack surface | Should fix |
| Security-Advisory | Best practice not followed | Note for improvement |
**[C1] SQL Injection in user search endpoint**
- **Location:** src/routes/users.py:42
- **Description:** User-supplied `q` parameter is interpolated directly into a SQL query
via f-string: `cursor.execute(f"SELECT * FROM users WHERE name = '{request.args['q']}'")`
- **Impact:** Attacker can execute arbitrary SQL via the `q` query parameter, potentially
exfiltrating the entire user database or escalating privileges.
- **Remediation:** Use parameterized query:
`cursor.execute("SELECT * FROM users WHERE name = %s", (request.args['q'],))`
- **Evidence:** `cursor.execute(f"SELECT * FROM users WHERE name = '{request.args['q']}'")`
- Missing rate limiting on `/api/login` (src/routes/auth.py:15) — add express-rate-limit middleware
- Debug logging enabled in production config (config/prod.yml:8) — set `debug: false`
Two API endpoints accept user input directly in SQL queries, creating injection
vulnerabilities that could expose the entire user database. An API key committed
to test fixtures should be rotated immediately. The remaining findings are
low-risk code quality improvements. Fix the SQL injection first — it's the most
dangerous and affects the most-used endpoints.
**Security Issue: Possible injection**
The code might have injection vulnerabilities. Consider reviewing input handling.
Referenced by: shipyard:auditor agent (comprehensive scans), shipyard:builder (awareness during implementation)
Pairs with: shipyard:infrastructure-validation (IaC tool workflows), shipyard:shipyard-verification (security claims need evidence)