security-audit
Total installs: 10
Weekly installs: 3
Site-wide rank: #30944
Install command:
npx skills add https://github.com/netresearch/security-audit-skill --skill security-audit
Install distribution by agent:
opencode: 3
openclaw: 2
claude-code: 2
codex: 2
gemini-cli: 2
Skill documentation
Security Audit Skill
Security audit patterns (OWASP Top 10, CWE Top 25 2025, CVSS v4.0) and GitHub project security checks for any project. Deep automated PHP/TYPO3 code scanning with 80+ checkpoints and 19 reference guides.
Expertise Areas
- Vulnerabilities: XXE, SQL injection, XSS, CSRF, command injection, path traversal, file upload, deserialization, SSRF, type juggling, SSTI, JWT flaws
- Risk Scoring: CVSS v3.1 and v4.0 methodology
- Secure Coding: Input validation, output encoding, cryptography, session management, authentication
- Standards: OWASP Top 10, CWE Top 25, OWASP ASVS, Proactive Controls
Reference Files
Core
- references/owasp-top10.md – OWASP Top 10 patterns and mitigations
- references/cwe-top25.md – CWE Top 25 (2025) coverage map with PHP examples
- references/xxe-prevention.md – XXE detection and prevention
- references/cvss-scoring.md – CVSS v3.1 and v4.0 scoring methodology
- references/api-key-encryption.md – API key encryption at rest (sodium)
Vulnerability Prevention
- references/deserialization-prevention.md – Insecure deserialization prevention
- references/path-traversal-prevention.md – Path traversal / directory traversal prevention
- references/file-upload-security.md – Secure file upload handling
- references/input-validation.md – Input validation, CSP nonces, CORS, encoding
Secure Architecture
- references/authentication-patterns.md – Authentication, session, JWT, MFA patterns
- references/security-headers.md – HTTP security headers (HSTS, CSP, etc.)
- references/security-logging.md – Security logging and audit trails
- references/cryptography-guide.md – PHP sodium, key management, common mistakes
Framework Security
- references/framework-security.md – TYPO3, Symfony, Laravel security patterns
Modern Threats
- references/modern-attacks.md – SSRF, mass assignment, race conditions
- references/cve-patterns.md – CVE-derived patterns (type juggling, PHAR, SSTI, JWT, LDAP injection)
- references/php-security-features.md – PHP 8.x security features
DevSecOps
- references/ci-security-pipeline.md – SAST, dependency scanning, SBOM, container security
- references/supply-chain-security.md – SLSA, Sigstore, OpenSSF Scorecard
Quick Patterns
XML parsing (prevent XXE):
$doc->loadXML($input, LIBXML_NONET);
SQL (prevent injection):
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
Output (prevent XSS):
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
API keys (encrypt at rest):
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = 'enc:' . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));
Password hashing:
$hash = password_hash($password, PASSWORD_ARGON2ID);
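The API-key pattern above shows only the encrypt side. As an added example (not the skill's own code), here is the full round trip for the 'enc:' storage format: encryption with a fresh nonce, then decryption that checks the prefix and minimum length and treats a failed authentication tag as an error instead of returning garbage. The key source and the sample key value are assumptions.

```php
<?php
// Added example, not the skill's own code: full round trip for the 'enc:' storage
// format from Quick Patterns. Key handling and sample values are assumptions.
declare(strict_types=1);

const ENC_PREFIX = 'enc:';
function encryptApiKey(string $apiKey, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('secretbox key must be exactly 32 bytes');
    }
    // Fresh random nonce per value; it is stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return ENC_PREFIX . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));
}

function decryptApiKey(string $stored, string $key): string
{
    if (!str_starts_with($stored, ENC_PREFIX)) {
        throw new RuntimeException('value is not in enc: format (plaintext legacy value?)');
    }
    $raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true); // strict: reject junk
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    // Must hold at least the nonce plus the 16-byte Poly1305 authentication tag.
    if ($raw === false || strlen($raw) < $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('stored value is malformed');
    }
    // secretbox_open returns false when the tag does not verify (wrong key or tampering).
    $plain = sodium_crypto_secretbox_open(substr($raw, $nonceLen), substr($raw, 0, $nonceLen), $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered ciphertext');
    }
    return $plain;
}

// Constructed demo: in production the key comes from a secret store or environment, never VCS.
$key    = sodium_crypto_secretbox_keygen();
$stored = encryptApiKey('sk_test_EXAMPLE_NOT_A_REAL_KEY', $key);
echo decryptApiKey($stored, $key) === 'sk_test_EXAMPLE_NOT_A_REAL_KEY' ? "round trip ok\n" : "MISMATCH\n";

// Flip one bit of the ciphertext: the MAC check must reject it rather than return garbage.
$raw = base64_decode(substr($stored, strlen(ENC_PREFIX)));
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decryptApiKey(ENC_PREFIX . base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo "tamper detected: {$e->getMessage()}\n";
}
sodium_memzero($key); // wipe key material once finished
```

The prefix check doubles as a migration aid: a stored value without 'enc:' is an unencrypted legacy entry that should be re-encrypted rather than silently accepted.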
Security Checklist
- bcrypt/Argon2 for passwords, CSRF tokens on state changes
- All input validated server-side, parameterized SQL
- XML external entities disabled (LIBXML_NONET only)
- Context-appropriate output encoding, CSP configured
- API keys encrypted at rest (sodium_crypto_secretbox)
- TLS 1.2+, secrets not in VCS, audit logging
- No unserialize() with user input, use json_decode()
- File uploads validated, renamed, stored outside web root
- Security headers: HSTS, CSP, X-Content-Type-Options
- Dependencies scanned (composer audit), Dependabot enabled
Verification
# PHP project security audit
./scripts/security-audit.sh /path/to/project
# GitHub repository security audit
./scripts/github-security-audit.sh owner/repo
Contributing: https://github.com/netresearch/security-audit-skill