Refactor high-complexity React components in Dify frontend. Use when `pnpm analyze-component...
security-audit
250
28
# Install this skill:
npx skills add TheDecipherist/claude-code-mastery --skill "security-audit"
Install specific skill from multi-skill repository
# Description
Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.
# SKILL.md
name: security-audit
description: Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.
Security Audit Skill
Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.
When to Use This Skill
- User mentions "security", "audit", "vulnerability", "CVE"
- Before deployment commands
- During PR reviews
- User asks about dependencies
- Periodic security checks
Audit Checklist
1. Secrets Exposure
Check for hardcoded secrets:
# Search for common secret patterns
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" --include="*.{js,ts,py,go,rb,java}" .
grep -rn "sk-\|pk_\|api_\|secret_" --include="*.{js,ts,py,go,rb,java}" .
Verify .gitignore:
# Ensure sensitive files are ignored
cat .gitignore | grep -E "\.env|secret|credential|\.pem|\.key"
Check git history for leaked secrets:
# Search recent commits (requires git-secrets or truffleHog)
git log -p --all -S "API_KEY" --since="30 days ago"
✅ Pass criteria:
- No hardcoded API keys, tokens, or passwords
- .env files in .gitignore
- No secrets in git history
2. Dependency Vulnerabilities
Node.js:
npm audit
# or
yarn audit
# or
pnpm audit
Python:
pip-audit
# or
safety check
Go:
govulncheck ./...
Rust:
cargo audit
✅ Pass criteria:
- No critical vulnerabilities
- No high vulnerabilities > 30 days old
- Dependencies updated within last 90 days
3. Input Validation
Check for:
- User inputs sanitized before use
- SQL queries use parameterized statements
- File paths validated and sandboxed
- HTML content escaped before rendering
- Command injection prevention
Common vulnerable patterns:
// BAD: SQL injection
db.query(`SELECT * FROM users WHERE id = ${userId}`)
// GOOD: Parameterized query
db.query('SELECT * FROM users WHERE id = ?', [userId])
# BAD: Command injection
os.system(f"convert {user_file}")
# GOOD: Use subprocess with list
subprocess.run(["convert", user_file], check=True)
4. Authentication & Authorization
Check for:
- Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
- Session tokens are cryptographically random
- Sessions expire appropriately
- CSRF protection on state-changing endpoints
- Rate limiting on auth endpoints
- Account lockout after failed attempts
Look for:
// BAD: Weak hashing
crypto.createHash('md5').update(password)
// GOOD: Bcrypt
bcrypt.hash(password, 12)
5. HTTPS & Transport Security
Check for:
- HTTPS enforced (HSTS header)
- Secure cookie flags (Secure, HttpOnly, SameSite)
- No mixed content warnings
- TLS 1.2+ required
6. Error Handling
Check for:
- Stack traces not exposed in production
- Generic error messages for users
- Detailed errors only in logs
- Sensitive data not in error messages
// BAD: Exposes internals
res.status(500).send({ error: err.stack })
// GOOD: Generic message
res.status(500).send({ error: 'An unexpected error occurred' })
7. File Upload Security
If file uploads exist:
- Validate file type server-side (not just extension)
- Limit file size
- Scan for malware
- Store outside webroot
- Rename uploaded files
8. API Security
- Authentication required on all sensitive endpoints
- Authorization checks per resource
- Rate limiting implemented
- CORS configured restrictively
- API versioning in place
Severity Levels
| Level | Description | Action Required |
|---|---|---|
| 🔴 Critical | Actively exploitable | Block deployment |
| 🟠 High | Exploitable with effort | Fix within 7 days |
| 🟡 Medium | Requires conditions | Fix within 30 days |
| 🟢 Low | Minimal impact | Fix when convenient |
Output Format
## Security Audit Results
**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)
### Summary
| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |
### Findings
#### 1. [🟠 High] Hardcoded API Key
**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable
```diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY
2. [🟡 Medium] Missing Rate Limiting
Location: src/routes/auth.js
Description: Login endpoint has no rate limiting
Risk: Enables brute force attacks
Recommendation: Add rate limiting middleware
Recommendations
- [ ] Fix critical and high issues before next deployment
- [ ] Schedule medium issues for next sprint
- [ ] Add low issues to backlog
- [ ] Re-run audit after fixes
```
Commands to Run
After completing the audit, provide the user with:
- Summary of findings
- Prioritized fix list
- Commands to address each issue
- Timeline recommendation
# Related Skills
Trigger when the user requests a review of frontend files (e.g., `.tsx`, `.ts`, `.js`). Support...
Generate Vitest + React Testing Library tests for Dify frontend components, hooks, and...
Guide for implementing oRPC contract-first API patterns in Dify frontend. Triggers when creating...
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents:
Amp
Antigravity
Claude Code
Clawdbot
Codex
Cursor
Droid
Gemini CLI
GitHub Copilot
Goose
Kilo Code
Kiro CLI
OpenCode
Roo Code
Trae
Windsurf
Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.