security-audit-quick
npx skills add https://github.com/yusuketsunoda/ppt-trans --skill security-audit-quick
Skill documentation
/security-audit-quick – Fast static security scan
Goal
Detect known dangerous patterns quickly with grep-based static checks. Run the same procedure every time and output the results as a list.
Difference from /security-hardening:
/security-hardening = deep dive into a single threat (threat model → mitigation → test → gate); /security-audit-quick = exhaustive detection of known patterns (one batch scan with grep).
Input
| Argument | Description | Default |
|---|---|---|
| (none) | Scan the whole repository | src/ + supabase/ |
| --diff | Scan only changed files | git diff --name-only origin/main...HEAD |
Checks (5)
Check 1: Test Mode Header Guard
Detects: references to the X-E2E-Test / X-Bypass-Rate-Limit headers without an isProductionRuntime() guard
```bash
# Find files that reference X-E2E-Test / X-Bypass-Rate-Limit
grep -rn 'X-E2E-Test\|X-Bypass-Rate-Limit' $TARGET --include='*.ts' --include='*.tsx'
# Any such file that never calls isProductionRuntime is a BLOCKER
for f in $(grep -rl 'X-E2E-Test\|X-Bypass-Rate-Limit' $TARGET --include='*.ts' --include='*.tsx'); do
  if ! grep -q 'isProductionRuntime' "$f"; then
    echo "BLOCKER: $f"
  fi
done
```
SEVERITY: BLOCKER (security checks can be bypassed in production)
Check 2: PII in Logs
Detects: logger.*() calls that pass email/token as raw values
```bash
# Cases where email is passed without maskEmail
grep -rn 'logger\.\(info\|warn\|error\|debug\)' $TARGET --include='*.ts' --include='*.tsx' \
  | grep 'email:' | grep -v 'maskEmail\|email:.*mask\|email:.*redact'
# Cases where token is passed without maskToken
grep -rn 'logger\.\(info\|warn\|error\|debug\)' $TARGET --include='*.ts' --include='*.tsx' \
  | grep 'token:' | grep -v 'maskToken\|tokenPresent\|tokenValid\|csrf-token\|tokenRotat'
```
SEVERITY: WARNING (GDPR/CCPA risk)
Check 3: SECURITY DEFINER + REVOKE/GRANT
Detects: PostgreSQL functions that use SECURITY DEFINER without REVOKE ALL + GRANT EXECUTE
```bash
# Find SQL migration files that use SECURITY DEFINER
for f in $(grep -rl 'SECURITY DEFINER' supabase/migrations/ --include='*.sql' 2>/dev/null); do
  # Does the same file contain both REVOKE ALL and GRANT EXECUTE?
  # grep -c prints 0 and exits 1 on no match, so `|| echo 0` would produce "0\n0"
  # and the comparison below would never fire; use `|| true` and default empty to 0
  has_revoke=$(grep -c 'REVOKE ALL' "$f" 2>/dev/null || true)
  has_grant=$(grep -c 'GRANT EXECUTE' "$f" 2>/dev/null || true)
  if [ "${has_revoke:-0}" -eq 0 ] || [ "${has_grant:-0}" -eq 0 ]; then
    echo "WARNING: $f - SECURITY DEFINER without REVOKE/GRANT"
  fi
done
```
SEVERITY: WARNING (privilege escalation risk)
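Check 3 as a self-contained function run over constructed migration fixtures, so the "no REVOKE/GRANT" case is actually exercised; this is an added example, not code from the ppt-trans repository, and the fixture SQL, file names and function names (scan_security_definer, make_fixtures, count_findings) are assumptions. It uses `grep -q` for the per-file test, which sidesteps count parsing entirely.

```bash
#!/bin/sh
# Added example: Check 3 (SECURITY DEFINER without REVOKE ALL + GRANT EXECUTE)
# as a function, plus constructed fixtures so every branch is exercised.

# Prints "WARNING: <file> - SECURITY DEFINER without REVOKE/GRANT" for each
# migration that declares a definer function but never restricts EXECUTE on it.
scan_security_definer() {
  scandir="$1"
  for f in $(grep -rl 'SECURITY DEFINER' --include='*.sql' "$scandir" 2>/dev/null); do
    # grep -q exits non-zero on no match, so no count output needs parsing
    if ! grep -q 'REVOKE ALL' "$f" || ! grep -q 'GRANT EXECUTE' "$f"; then
      echo "WARNING: $f - SECURITY DEFINER without REVOKE/GRANT"
    fi
  done
}

# Constructed fixtures (sample migrations, not from any real project)
make_fixtures() {
  fixdir=$(mktemp -d)
  # Hardened: the default PUBLIC EXECUTE on the definer function is revoked
  cat > "$fixdir/0001_safe.sql" <<'EOF'
CREATE FUNCTION get_profile(uid uuid) RETURNS jsonb
LANGUAGE sql SECURITY DEFINER AS $$ SELECT '{}'::jsonb $$;
REVOKE ALL ON FUNCTION get_profile(uuid) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION get_profile(uuid) TO authenticated;
EOF
  # Unsafe: definer function left callable by every role (PostgreSQL default)
  cat > "$fixdir/0002_unsafe.sql" <<'EOF'
CREATE FUNCTION delete_user(uid uuid) RETURNS void
LANGUAGE sql SECURITY DEFINER AS $$ DELETE FROM auth.users WHERE id = uid $$;
EOF
  # No definer function at all: must never be flagged
  cat > "$fixdir/0003_plain.sql" <<'EOF'
CREATE TABLE notes (id serial PRIMARY KEY, body text);
EOF
  echo "$fixdir"
}

# Number of WARNING lines for the fixture set (only 0002_unsafe.sql qualifies)
count_findings() {
  scan_security_definer "$(make_fixtures)" | grep -c '^WARNING:'
}

scan_security_definer "$(make_fixtures)"
```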
Check 4: Cookie Hardcoding
Detects: Supabase cookie names hardcoded directly (inconsistent once the cookie name changes)
```bash
# Detect hardcoded sb-*-auth-token cookie names
grep -rn 'sb-.*-auth-token\|supabase.*cookie' $TARGET --include='*.ts' --include='*.tsx' \
  | grep -v 'node_modules\|\.test\.\|__tests__'
```
SEVERITY: WARNING (breaks when the cookie name changes)
Check 5: dangerouslySetInnerHTML / console.*
Detects: XSS vulnerabilities and inappropriate log output
```bash
# dangerouslySetInnerHTML
grep -rn 'dangerouslySetInnerHTML' $TARGET --include='*.ts' --include='*.tsx' \
  | grep -v 'node_modules\|\.test\.\|__tests__'
# console.* (logger should be used instead)
grep -rn 'console\.\(log\|warn\|error\|debug\|info\)' $TARGET --include='*.ts' --include='*.tsx' \
  | grep -v 'node_modules\|\.test\.\|__tests__\|eslint\|\.config\.\|scripts/'
```
SEVERITY:
dangerouslySetInnerHTML: BLOCKER (XSS vulnerability)
console.*: INFO (unified logging infrastructure)
Output Format
```
============================================================
Security Audit Quick - Results
============================================================
[BLOCKER] Check 1: Test Mode Header Guard
  src/lib/security/api-security.ts:98 - X-E2E-Test without isProductionRuntime()
  Why: in production, a spoofed header can bypass the security checks
  Fix: change to !isProductionRuntime() && request.headers.get("X-E2E-Test")
[WARNING] Check 2: PII in Logs
  src/app/api/auth/reset-password/route.ts:156 - email logged without maskEmail()
  Why: GDPR/CCPA violation risk; the email address is stored in plaintext in the logging infrastructure
  Fix: logger.info("...", { email: maskEmail(user.email) })
[OK] Check 3: SECURITY DEFINER - No issues found
[OK] Check 4: Cookie Hardcoding - No issues found
[INFO] Check 5: console.* usage
  src/components/auth-provider.tsx:50 - console.debug found
  Why: the logger module should be used (log level control, structured logs)
  Fix: import logger from "@/lib/logger"; logger.debug(...)
============================================================
Summary: 1 BLOCKER, 1 WARNING, 0 INFO
============================================================
```
Workflow
Step 1: Determine scope
```bash
# With the --diff option: only changed .ts/.tsx/.sql files
# (assigned to TARGET, since the checks above read $TARGET)
TARGET=$(git diff --name-only origin/main...HEAD | grep -E '\.(ts|tsx|sql)$')
# Default (whole repository)
TARGET="src/ supabase/migrations/"
```
Step 2: Run the 5 checks in order
Run each check with the grep commands above.
Step 3: Format results
Format and output the results according to Output Format.
Step 4: Summary
Tally the BLOCKER / WARNING / INFO counts.
AI Assistant Instructions
MUST
- Run all 5 checks (skipping is not allowed)
- Follow the Output Format strictly (SEVERITY / file:line / why / fix)
- When --diff is specified, scan only the changed files
- Exclude test files (tests/**, e2e/**, __tests__/)
- When a check has 0 findings, output [OK]
NEVER
- Do not omit check results based on subjective judgment (output every finding)
- Do not apply fixes automatically (report only)
- Do not mix in /security-hardening threat modeling (out of scope)