Security Auditor

1---2name: security-auditor3description: Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep.4allowed-tools: Read, Grep, Bash5---6 7# Security Auditor Skill8 9Automatic security vulnerability detection.10 11## When I Activate12 13- ✅ Code files modified (especially auth, API, database)14- ✅ User mentions security or vulnerabilities15- ✅ Before deployments or commits16- ✅ Dependency changes17- ✅ Configuration file changes18 19## What I Scan For20 21### OWASP Top 10 Patterns22 23**1. SQL Injection**24```javascript25// CRITICAL: SQL injection26const query = `SELECT * FROM users WHERE id = ${userId}`;27 28// SECURE: Parameterized query29const query = 'SELECT * FROM users WHERE id = ?';30db.query(query, [userId]);31```32 33**2. XSS (Cross-Site Scripting)**34```javascript35// CRITICAL: XSS vulnerability36element.innerHTML = userInput;37 38// SECURE: Use textContent or sanitize39element.textContent = userInput;40// or41element.innerHTML = DOMPurify.sanitize(userInput);42```43 44**3. Authentication Issues**45```javascript46// CRITICAL: Weak JWT secret47const token = jwt.sign(payload, 'secret123');48 49// SECURE: Strong secret from environment50const token = jwt.sign(payload, process.env.JWT_SECRET);51```52 53**4. Sensitive Data Exposure**54```python55# CRITICAL: Exposed password56password = "admin123"57 58# SECURE: Environment variable59password = os.getenv("DB_PASSWORD")60```61 62**5. Broken Access Control**63```javascript64// CRITICAL: No authorization check65app.delete('/api/users/:id', (req, res) => {66  User.delete(req.params.id);67});68 69// SECURE: Authorization check70app.delete('/api/users/:id', auth, checkOwnership, (req, res) => {71  User.delete(req.params.id);72});73```74 75### Additional Security Checks76 77- **Insecure Deserialization**78- **Security Misconfiguration**79- **Insufficient Logging**80- **CSRF Protection Missing**81- **CORS Misconfiguration**82 83## Alert Format84 85```86🚨 CRITICAL: [Vulnerability type]87📍 Location: file.js:4288🔧 Fix: [Specific remediation]89📖 Reference: [OWASP/CWE link]90```91 92### Severity Levels93 94- 🚨 **CRITICAL**: Must fix immediately (exploitable vulnerabilities)95- ⚠️ **HIGH**: Should fix soon (security weaknesses)96- 📋 **MEDIUM**: Consider fixing (potential issues)97- 💡 **LOW**: Best practice improvements98 99## Real-World Examples100 101### SQL Injection Detection102 103```javascript104// You write:105app.get('/users', (req, res) => {106  const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`;107  db.query(sql, (err, results) => res.json(results));108});109 110// I alert:111🚨 CRITICAL: SQL injection vulnerability (line 2)112📍 File: routes/users.js, Line 2113🔧 Fix: Use parameterized queries114  const sql = 'SELECT * FROM users WHERE name = ?';115  db.query(sql, [req.query.name], ...);116📖 https://owasp.org/www-community/attacks/SQL_Injection117```118 119### Password Storage120 121```python122# You write:123def create_user(username, password):124    user = User(username=username, password=password)125    user.save()126 127# I alert:128🚨 CRITICAL: Storing plain text password (line 2)129📍 File: models.py, Line 2130🔧 Fix: Hash passwords before storing131  from bcrypt import hashpw, gensalt132  hashed = hashpw(password.encode(), gensalt())133  user = User(username=username, password=hashed)134📖 Use bcrypt, scrypt, or argon2 for password hashing135```136 137### API Key Exposure138 139```javascript140// You write:141const stripe = require('stripe')('sk_live_abc123...');142 143// I alert:144🚨 CRITICAL: Hardcoded API key detected (line 1)145📍 File: payment.js, Line 1146🔧 Fix: Use environment variables147  const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);148📖 Never commit API keys to version control149```150 151## Dependency Scanning152 153I can run security audits on dependencies:154 155```bash156# Node.js157npm audit158 159# Python160pip-audit161 162# Results flagged with severity163```164 165## Relationship with @code-reviewer Sub-Agent166 167**Me (Skill):** Quick vulnerability pattern detection168**@code-reviewer (Sub-Agent):** Deep security audit with threat modeling169 170### Workflow1711. I detect vulnerability pattern1722. I flag: "🚨 SQL injection detected"1733. You want full analysis → Invoke **@code-reviewer** sub-agent1744. Sub-agent provides comprehensive security audit175 176## Common Vulnerability Patterns177 178### Authentication179- Weak password policies180- Missing MFA181- Session fixation182- Insecure password storage183 184### Authorization185- Missing access control186- Privilege escalation187- IDOR (Insecure Direct Object Reference)188 189### Data Protection190- Unencrypted sensitive data191- Weak encryption algorithms192- Missing HTTPS193- Insecure cookies194 195### Input Validation196- SQL injection197- Command injection198- XSS199- Path traversal200 201## Sandboxing Compatibility202 203**Works without sandboxing:** ✅ Yes204**Works with sandboxing:** ✅ Yes205 206**Optional: For dependency scanning**207```json208{209  "network": {210    "allowedDomains": [211      "registry.npmjs.org",212      "pypi.org",213      "api.github.com"214    ]215  }216}217```218 219## Integration with Tools220 221### With secret-scanner Skill222```223security-auditor: Checks code patterns224secret-scanner: Checks for exposed secrets225Together: Comprehensive security coverage226```227 228### With /review Command229```bash230/review --scope staged --checks security231 232# Workflow:233# 1. My automatic security findings234# 2. @code-reviewer sub-agent deep audit235# 3. Comprehensive security report236```237 238## Customization239 240Add company-specific security patterns:241 242```bash243cp -r ~/.claude/skills/security/security-auditor \244      ~/.claude/skills/security/company-security-auditor245 246# Edit SKILL.md to add:247# - Internal API patterns248# - Company security policies249# - Custom vulnerability checks250```251 252## Learn More253 254- [OWASP Top 10](https://owasp.org/www-project-top-ten/)255- [CWE Top 25](https://cwe.mitre.org/top25/)256- [Security Best Practices](../../standards/security/)