陌讯skills聚合平台

security-secure-coding

📁 kentoshimizu/sw-agent-skills 📅 1 day ago
0
总安装量
1
周安装量
安装命令
npx skills add https://github.com/kentoshimizu/sw-agent-skills --skill security-secure-coding

Agent 安装分布

amp 1
cline 1
opencode 1
cursor 1
continue 1
kimi-cli 1

Skill 文档

Security Secure Coding

Overview

Use this skill to prevent introducing exploitable code patterns and to enforce explicit security invariants during implementation.

Scope Boundaries

  • New endpoints, parsers, deserializers, or command execution paths are added.
  • Sensitive data handling or trust-boundary crossing logic changes.
  • High-risk dependency or framework behavior needs secure usage decisions.

Templates And Assets

  • Secure coding review checklist:
    • assets/secure-coding-review-checklist.md

Inputs To Gather

  • Trust boundaries and untrusted input entry points.
  • Sensitive data flows and storage/transmission requirements.
  • Language/framework-specific risk patterns.
  • Existing test coverage and security tooling signals.

Deliverables

  • Security invariants for the changed code path.
  • Mitigation mapping for relevant threat classes.
  • Targeted secure coding checks and tests.
  • Residual risk notes for deferred hardening work.

Workflow

  1. Identify attack surfaces for the change (input parsing, file/network access, auth context, templating).
  2. Run checklist from assets/secure-coding-review-checklist.md.
  3. Apply allowlist validation and context-appropriate encoding/sanitization at boundaries.
  4. Remove or harden dangerous patterns (shell concatenation, unsafe deserialization, path traversal gaps, SSRF primitives).
  5. Enforce explicit authorization checks in server-side handlers for sensitive operations.
  6. Protect secrets and PII in logs, errors, and telemetry outputs.
  7. Add or update negative tests for malicious payload classes.
  8. Verify dependencies and transitive packages for known critical vulnerabilities.

Quality Standard

  • Security-relevant assumptions are explicit in code and tests.
  • Error paths fail closed for sensitive operations.
  • No sensitive data leaks through logs or debug output.
  • High-risk operations are wrapped with deliberate validation and policy checks.

Failure Conditions

  • Stop when trust-boundary validation is missing or implicit.
  • Stop when privileged operations execute without explicit authorization checks.
  • Escalate when unresolved critical vulnerabilities remain in production-bound paths.
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。