/security - Security Audit Workflow

When to Use

• The user asks for a security audit / vulnerability review ("is this secure?", "check for vulns").
• The code touches authn/authz, payments, secrets, PII, file upload/download, webhooks, admin actions, deserialization, or command execution.
• The user wants a scan + verification loop (audit findings → fixes → re-check).

When NOT to Use

• The user wants a general code review, debugging, refactor, or style improvements.
• The code is clearly non-sensitive (toy scripts, local-only utilities) and the user isn’t asking about security.

Defaults / Guardrails

• Report CRITICAL/HIGH only. If none exist, explicitly report none.
• Treat "possession implies compromise" as non-finding unless you show a feasible token/secret acquisition path.
• Prefer exploit-chain depth over breadth. Drop noise that can’t reach material impact.

• references/triage-and-prereqs.md

• references/report-templates.md

Workflow

0) Confirm Scope

• Full codebase:

  /security

• Area:

  /security auth

  (or similar)
• Single file:

  /security path/to/file

• Dependencies only:

  /security --deps

1) Static Audit (Phase 1)

• Injection: SQL/NoSQL, command/OS, template injection, SSRF, XSS.
• Authz failures: IDOR, missing checks, privilege escalation.
• Authn/session: token validation mistakes that increase attacker capability.
• Secrets: hardcoded credentials, leaked tokens/keys, unsafe secret handling.
• Insecure deserialization, unsafe file handling (path traversal), dangerous eval.
• Supply chain: obviously vulnerable deps or unsafe install/build hooks.

• Attacker-controlled source → security-sensitive sink (show the path).
• Concrete exploit narrative and prerequisites.
• Containment + long-term remediation steps.

2) Runtime Verification (When Runnable)

• Only test instances you control / are authorized to test (prefer

  localhost

  ).
• Avoid DoS-like loops, mass writes, or destructive behavior.
• Prefer repo-native commands (README, Makefile, Docker, package scripts).

• Find how to run: README, Dockerfile, docker-compose, Makefile, package scripts.
• Start the service in minimal config.
• Prove impact with 1–3 deterministic requests/steps.

3) Fix Guidance

• Parameterize queries; avoid shell; escape/encode; strong allowlists for URLs/paths.
• Enforce deny-by-default authorization.
• Remove secrets from repo; use env/secret store; rotate compromised keys.

4) Re-Verify (Phase 2)

Triage Rules (Noise to Skip Unless Chained)

• CORS/OPTIONS “bypass” without protected response body or state change.
• Missing rate limiting/lockout by itself.
• Account enumeration without a takeover/privileged action path.
• Timing side-channels without a feasible remote measurement model.
• Swagger/UI exposure gated to non-prod.
• Token-type confusion unless it meaningfully increases capability beyond intended flows.

references/triage-and-prereqs.md

Subagent Prompts

Phase 1:

aegis

(Audit)

Security audit: [SCOPE]

Find CRITICAL/HIGH only. For each finding include:
- severity (CRITICAL/HIGH)
- attacker prerequisites
- source → sink evidence (file/function references)
- minimal repro steps (safe)
- remediation (containment first, then long-term)

If no CRITICAL/HIGH exist, explicitly output: NONE.

Deprioritize noise categories unless chained to material impact.

Phase 2:

arbiter

(Verify)

Verify security fixes: [SCOPE]

- Re-run minimal repro steps for each previously reported CRITICAL/HIGH
- Run the repo’s test/build checks relevant to the changed area
- Run dependency audit appropriate to stack (e.g., npm/pip/go)

Output: verification report (fixed/not fixed) and any regressions.

Flags

• --deps

  : dependencies-only audit

• --verify

  : post-fix verification run

• --secrets

  : prioritize secret detection and leakage paths