security-guidelines
npx skills add https://github.com/asakuno/template-repository --skill security-guidelines
# Security Guidelines
An IPA-compliant security diagnosis and review skill. It diagnoses 11 kinds of vulnerabilities while a Laravel + React application is being implemented or reviewed, and provides secure code examples.
## Overview
This skill is based on IPA's "安全なウェブサイトの作り方 第7版" (How to Secure Your Web Site, 7th edition) and provides the following:
- Vulnerability diagnosis: checks code for vulnerabilities in 11 categories
- Secure code examples: safe implementation patterns specific to Laravel/React
- Checklist-based verification: prevents implementation omissions
- Rule integration: comprehensive guidance coordinated with `.claude/rules/security/`

Important: this skill works together with the rules in `.claude/rules/security/`. The rules provide the "conventions to follow"; this skill provides the "diagnostic workflow to run".
## Diagnostic Workflow
Run the security diagnosis with the following workflow:
### Phase 1: Scope Identification
Identify the scope of the target code:
- Determine the code type
  - Backend (Laravel): Controller, UseCase, Repository, Model
  - Frontend (React): Component, Hook, Form
  - API: Endpoint, Middleware
- Identify the related vulnerability categories
  - Input handling → SQL injection, OS command injection, directory traversal
  - Output handling → XSS
  - Forms → CSRF
  - Authentication/authorization → session management, access control
  - File operations → directory traversal
  - HTTP responses → HTTP header injection
### Phase 2: Vulnerability Analysis
Diagnose each identified category:
Diagnostic method:
- Read the relevant `references/*.md`
- Match the code against the vulnerable patterns
- Identify the differences from the secure patterns
The 11 categories under diagnosis:
- SQL Injection
- OS Command Injection
- Directory Traversal
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Session Management
- HTTP Header Injection
- Mail Header Injection
- Clickjacking
- Access Control (IDOR)
- Authentication & Password Management
See `references/vulnerability-catalog.md` for details.
### Phase 3: Report & Remediation
Report the diagnostic results:
Report format:
````markdown
## Security diagnostic results
### Detected issues
#### [Vulnerability name] (severity: high/medium/low)
**Location**:
[file path:line number]
**Description of the vulnerability**:
[why it is dangerous]
**Current code**:
```[language]
[vulnerable code]
```
**Recommended fix**:
```[language]
[secure code]
```
Reference: references/[relevant file].md
````
### Phase 4: Checklist Verification
Run the checklist as a final confirmation:
1. Read [references/checklist.md](references/checklist.md)
2. Review the checklist for the relevant categories
3. Point out any items that have not been implemented
## Quick Start
### Use during code implementation
"Check the security of this login handler" → diagnoses session management, CSRF, and password management
### Use during code review
"Do a security review of this whole PR" → analyzes the changed files and diagnoses the related vulnerabilities
### Checking a specific vulnerability
"Confirm that the XSS countermeasures are in place" → diagnoses against references/xss.md
## Vulnerability Categories
For details on the 11 kinds of vulnerabilities, see the following references files:
### Injection Vulnerabilities
- **SQL Injection**: See [references/injection.md](references/injection.md#sql-injection)
- **OS Command Injection**: See [references/injection.md](references/injection.md#os-command-injection)
- **Directory Traversal**: See [references/injection.md](references/injection.md#directory-traversal)
### XSS Vulnerabilities
- **Cross-Site Scripting**: See [references/xss.md](references/xss.md)
- Laravel/Blade XSS prevention
- React XSS prevention
- Content Security Policy (CSP)
### CSRF & Session
- **CSRF**: See [references/csrf-session.md](references/csrf-session.md#csrf)
- **Session Management**: See [references/csrf-session.md](references/csrf-session.md#session-management)
### HTTP Header Vulnerabilities
- **HTTP Header Injection**: See [references/http-headers.md](references/http-headers.md#http-header-injection)
- **Mail Header Injection**: See [references/http-headers.md](references/http-headers.md#mail-header-injection)
- **Clickjacking**: See [references/http-headers.md](references/http-headers.md#clickjacking)
### Access Control & Authentication
- **Access Control (IDOR)**: See [references/access-control.md](references/access-control.md#idor)
- **Password Management**: See [references/access-control.md](references/access-control.md#password-management)
### Comprehensive Checklist
- **Implementation Checklist**: See [references/checklist.md](references/checklist.md)
## Integration with Rules
This skill integrates with the rules in `.claude/rules/security/` as follows:
| Rules | Skills |
|-------|--------|
| Always loaded into the context | Triggered at diagnosis time |
| Define the "conventions to follow" | Provide the "diagnostic workflow to run" |
| Static guidelines | Dynamic diagnostic process |
| Referenced while coding | Run during review |
**When to use which**:
- **During implementation**: the rules are applied automatically
- **During review**: invoke this skill explicitly to run the diagnosis
## Best Practices
### Diagnostic priority
**High priority** (severe impact):
1. SQL Injection
2. XSS
3. CSRF
4. Access Control (IDOR)
5. Session Management
**Medium priority** (important):
6. OS Command Injection
7. Directory Traversal
8. Password Management
**Low priority** (recommended):
9. HTTP Header Injection
10. Mail Header Injection
11. Clickjacking
### Diagnostic scope
**Minimum scope**: a single function/method
**Recommended scope**: a single file or feature
**Maximum scope**: the whole Pull Request
**Note**: when the scope is too large, split the diagnosis by feature.
### Avoiding false positives
Avoid false detections in the following cases:
1. **When Laravel's standard features are used correctly**:
   - Escaping with `{{ }}`
   - The `@csrf` directive
   - Password hashing with `Hash::make()`
   - Authorization checks with Laravel Policies
2. **When React's standard features are used correctly**:
   - JSX's default escaping
   - Sanitization with DOMPurify
When these are used correctly, judge the code "✅ Safe".
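As an added illustration of Phases 1 to 3 and of the false-positive rules in this section (example code, not part of this skill or its references), the following Python script applies a few hypothetical line-level heuristics for five of the 11 categories, skips lines that use the standard Laravel/React safe constructs listed above (`{{ }}`, `@csrf`, DOMPurify, plus `?`/`:name` bindings, `e()`, `escapeshellarg()` and `basename()` as assumed safe markers), orders the findings by the diagnostic priority and prints them in the Phase 3 report format. The sample sources, file paths and the rule table are constructed for this example; the real skill matches against the patterns in `references/*.md`, which are not reproduced on this page.

```python
"""Pattern-based pre-check for Phases 1-3 of the workflow and the false-positive
rules above.  Constructed example, not the skill's own code: the real Phase 2
reads references/*.md (not reproduced here), so these rules are hypothetical
heuristics covering a handful of the 11 categories."""
import re
from collections import namedtuple

# Severity follows the "Diagnostic priority" section (remaining categories go the same way).
SEVERITY = {"SQL Injection": "high", "Cross-Site Scripting (XSS)": "high",
            "Cross-Site Request Forgery (CSRF)": "high",
            "OS Command Injection": "medium", "Directory Traversal": "medium"}
ORDER = {"high": 0, "medium": 1, "low": 2}

# exts = Phase 1 code type the rule applies to; safe_marker = same-line evidence
# of the standard safe usage that must NOT be reported (false-positive rule).
Rule = namedtuple("Rule", "category reference exts suspicious safe_marker")
Finding = namedtuple("Finding", "category severity path line_no snippet reference")

RULES = [
    # Raw SQL built from a PHP variable, unless ? or :name bindings are used.
    Rule("SQL Injection", "references/injection.md#sql-injection", (".php",),
         re.compile(r"(?:whereRaw|DB::(?:raw|select|statement))\s*\(.*\$"),
         re.compile(r"\?|(?<!:):[A-Za-z_]\w*")),
    # Blade raw output {!! !!}; escaped {{ }} never matches, e() is explicit escaping.
    Rule("Cross-Site Scripting (XSS)", "references/xss.md", (".blade.php",),
         re.compile(r"\{!!.*!!\}"), re.compile(r"\{!!\s*e\(")),
    # React raw HTML; JSX's default escaping never matches.
    Rule("Cross-Site Scripting (XSS)", "references/xss.md", (".jsx", ".tsx"),
         re.compile(r"dangerouslySetInnerHTML"), re.compile(r"DOMPurify\.sanitize\(")),
    Rule("OS Command Injection", "references/injection.md#os-command-injection", (".php",),
         re.compile(r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(.*\$"),
         re.compile(r"escapeshellarg\(")),
    Rule("Directory Traversal", "references/injection.md#directory-traversal", (".php",),
         re.compile(r"\b(?:file_get_contents|fopen|readfile|Storage::get)\s*\(.*\$"),
         re.compile(r"basename\(")),
]
FORM_OPEN = re.compile(r"<form\b[^>]*method\s*=\s*[\"']post[\"']", re.I)


def _csrf_findings(path, lines):
    """Report a POST form in a Blade view that has no @csrf before its </form>."""
    out = []
    for no, line in enumerate(lines, 1):
        if FORM_OPEN.search(line):
            body = lines[no - 1:]
            body = body[:next((i + 1 for i, l in enumerate(body) if "</form>" in l), len(body))]
            if not any("@csrf" in l or "csrf_field()" in l for l in body):
                out.append(Finding("Cross-Site Request Forgery (CSRF)", "high", path, no,
                                   line.strip(), "references/csrf-session.md#csrf"))
    return out


def scan_file(path, text):
    """Phase 2 for one file: apply only the rules matching its code type (Phase 1)."""
    lines = text.splitlines()
    found = [Finding(r.category, SEVERITY[r.category], path, no, line.strip(), r.reference)
             for r in RULES if path.endswith(r.exts)
             for no, line in enumerate(lines, 1)
             if r.suspicious.search(line) and not r.safe_marker.search(line)]
    if path.endswith(".blade.php"):
        found += _csrf_findings(path, lines)
    return found


def scan_sources(files):
    """files: {path: source text}. Returns findings, highest priority first."""
    found = [f for path, text in files.items() for f in scan_file(path, text)]
    return sorted(found, key=lambda f: (ORDER[f.severity], f.path, f.line_no))


def render_report(findings):
    """Phase 3 report in the format above; the 'why' line is left to the reviewer."""
    fence = "`" * 3
    out = ["## Security diagnostic results", "### Detected issues"]
    for f in findings:
        out += [f"#### {f.category} (severity: {f.severity})", f"**Location**: {f.path}:{f.line_no}",
                "**Current code**:", fence, f.snippet, fence, f"Reference: {f.reference}", ""]
    return "\n".join(out)


# Constructed sample sources: each suspicious line is followed by its safe counterpart.
SAMPLE_FILES = {
    "app/Http/Controllers/UserController.php": "\n".join([
        "public function show(Request $request) { $name = $request->input('name');",
        "    $rows = DB::select(\"select * from users where name = '$name'\");",
        "    $safe = DB::select('select * from users where name = ?', [$name]);",
        "    $out = shell_exec('convert ' . $request->file);",
        "    $ok = shell_exec('convert ' . escapeshellarg($request->file));",
        "    $doc = file_get_contents(storage_path('docs/' . $request->doc));",
        "    $doc2 = file_get_contents(storage_path('docs/' . basename($request->doc))); }",
    ]),
    "resources/views/profile.blade.php": "\n".join([
        '<form method="POST" action="/profile"><input name="bio"></form>',
        '<form method="POST" action="/logout">', "    @csrf", "</form>",
        "<p>{{ $user->name }}</p>", "<div>{!! $user->bio !!}</div>", "<div>{!! e($user->bio) !!}</div>",
    ]),
    "resources/js/Profile.jsx": "\n".join([
        "export const Profile = ({ bio }) => (<div><p>{bio}</p>",
        "  <div dangerouslySetInnerHTML={{ __html: bio }} />",
        "  <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(bio) }} /></div>);",
    ]),
}

if __name__ == "__main__":
    print(render_report(scan_sources(SAMPLE_FILES)))
```

Treat the output as input to Phase 2 rather than as verdicts: the same-line safe markers are deliberately coarse (a `?` in a ternary would mask a raw query, and a `@csrf` placed outside the form would still count), so each finding still needs the reference file and the surrounding code read, exactly as the workflow prescribes.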
## Resources
### references/
Detailed material for each vulnerability category:
- `vulnerability-catalog.md`: overview of the 11 kinds of vulnerabilities
- `injection.md`: SQL injection, OS command injection, directory traversal
- `xss.md`: XSS countermeasures (Laravel/React)
- `csrf-session.md`: CSRF, session management
- `http-headers.md`: HTTP header vulnerabilities
- `access-control.md`: access control, authentication, password management
- `checklist.md`: comprehensive implementation checklist