security-checklist

Mission

• Detect vulnerabilities, data leaks, and insecure defaults in Node.js/TypeScript services and tooling.
• Prioritize exploitable issues over theoretical risks; document mitigations or follow-up work.

High-Priority Findings

• Exposed secrets: .env, tokens, keys, or credentials added to source or logs.
• Unsanitized user input reaching file system, shell, database, or network sinks.
• Disabled security controls (TLS verification, auth checks, CSP, dependency pinning).
• Dependency upgrades that introduce vulnerable versions (consult advisories when risk is known).

Review Checklist

• Validate input handling: ensure schema validation, Zod parsing, or equivalent guards exist before dangerous operations.
• Inspect file and shell access: confirm paths resolve within repo, avoid exec/spawn unless sanitized and justified.
• Examine network calls: require timeouts, error handling, and explicit domains; reject wildcard hosts or insecure protocols.
• Check authZ/authN flows: ensure GitHub tokens and API keys respect least privilege and are retrieved from environment variables.
• Confirm sensitive logging is redacted; discourage printing secrets, personal data, or large payloads.
• Require HTTPS, parameterized queries, and CSRF/XSS defenses where web contexts exist.

Defense-in-Depth

• Recommend using built-in Node APIs over shelling out to system commands.
• Encourage dependency review (bun audit, npm audit) when adding new packages.
• Promote feature flags or kill switches for risky rollouts.

Tooling Tips

• Use Glob to locate *.env, config, or scripts directories.
• Grep for dangerous APIs like child_process, eval, Function, fetch(, or axios( without validation.
• Read diffs around auth flows, credential handling, and new integration points.