security-analysis
4
总安装量
4
周安装量
#48112
全站排名
安装命令
npx skills add https://github.com/5dlabs/cto --skill security-analysis
Agent 安装分布
claude-code
3
opencode
2
codex
2
gemini-cli
2
trae
1
Skill 文档
Security Analysis
Security audit patterns for identifying and remediating vulnerabilities.
Core Specialization
- Vulnerability Management: Dependabot, CodeQL, Trivy, Semgrep
- Secret Management: External Secrets Operator, OpenBao (Vault)
- Auth: OAuth2, JWT, OIDC, BetterAuth
- Crypto: Proper key management, secure algorithms
- Compliance: OWASP Top 10, CIS Benchmarks
- Supply Chain: SBOM, signed images, provenance
Execution Rules
- Defense in depth. Multiple layers of security
- Principle of least privilege. Minimal permissions always
- No secrets in code. Ever. Use secret managers
- Input validation. Trust nothing from outside
- Secure defaults. Opt-in to less secure, not opt-out
Security Checklist
For every security review, verify:
- No hardcoded secrets or API keys
- Input validation on all user data
- Output encoding to prevent XSS
- Parameterized queries (no SQL injection)
- HTTPS enforced everywhere
- CORS properly configured
- Rate limiting on sensitive endpoints
- Audit logging for security events
- Dependencies scanned and updated
- Auth/authz checks on all endpoints
Language-Specific Security
Rust
cargo audit
cargo deny check advisories
Memory Safety Checks:
- Verify no
unsafeblocks without proper documentation - Check for proper lifetime annotations
- Ensure no use-after-free patterns
- Verify bounds checking on array/slice access
Common Rust Vulnerabilities:
- Panic in production (use
Resultinstead ofunwrap()) - Integer overflow (use
checked_*methods) - Race conditions (verify
Send/Syncbounds) - Improper error disclosure (don’t expose internal errors)
Input Validation Pattern:
use validator::Validate;
#[derive(Validate)]
struct UserInput {
#[validate(email)]
email: String,
#[validate(length(min = 8, max = 100))]
password: String,
}
TypeScript
pnpm audit
npm audit --audit-level=high
XSS Prevention:
- Verify proper output encoding
- Check for dangerouslySetInnerHTML usage
- Ensure Content-Security-Policy headers
Effect Schema Validation (Required):
import { Schema } from "effect"
// Use Schema.decodeUnknown for ALL external input
const validateUser = Schema.decodeUnknown(UserSchema)
// Define allowed values with Schema.Literal
const RoleSchema = Schema.Literal("user", "admin")
Security Headers (Next.js):
const securityHeaders = [
{ key: 'Strict-Transport-Security', value: 'max-age=63072000' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'DENY' },
];
Go
govulncheck ./...
go list -m all | nancy sleuth
Common Go Vulnerabilities:
- Goroutine leaks (verify context cancellation)
- Race conditions (run
go test -race) - SQL injection (use parameterized queries)
- Path traversal (validate file paths)
Input Validation:
func validateEmail(email string) error {
if !emailRegex.MatchString(email) {
return errors.New("invalid email format")
}
return nil
}
Secure Defaults:
- Set timeouts on HTTP clients/servers
- Validate TLS certificates
- Use secure random number generation
General Security Scans
# Scan for secrets
trufflehog git file://. --since-commit HEAD~10
# Run Semgrep
semgrep scan --config auto
OWASP Top 10 Mitigations
| Vulnerability | Mitigation |
|---|---|
| Injection | Parameterized queries, input validation |
| Broken Auth | Strong passwords, MFA, session management |
| Sensitive Data | Encryption at rest and transit |
| XXE | Disable external entities |
| Broken Access | Role-based access control |
| Security Misconfig | Secure defaults, minimal exposure |
| XSS | Output encoding, CSP |
| Insecure Deserial | Input validation, type checking |
| Known Vulns | Dependency scanning, updates |
| Logging | Audit logs, monitoring |
Guidelines
- Follow OWASP Top 10 mitigations
- Use parameterized queries (no raw SQL)
- Validate and sanitize all inputs
- Use secure defaults
- Minimize attack surface
- Log security events (without sensitive data)