auditing-security
Security Audit
Use this skill when the user asks to audit security, check for vulnerabilities, review code for security issues, or harden an application.
Steps
- Scan for hardcoded secrets — search for API keys, tokens, passwords, and connection strings in source files. Check for patterns like:
  - password=, secret=, token=, api_key=
  - Base64-encoded credentials
  - AWS keys (AKIA...), Stripe keys (sk_live_...), GitHub tokens (ghp_...)
  - Files: .env committed to git, config.json with credentials
- Check authentication & authorization
  - Verify all API routes check authentication before processing.
  - Ensure role-based access control is enforced server-side, not just in the UI.
  - Check that password hashing uses bcrypt/argon2 (not MD5/SHA1).
  - Verify session tokens are HTTP-only, secure, and have reasonable expiry.
- Check for injection vulnerabilities
  - SQL injection: look for string concatenation in SQL queries instead of parameterized queries.
  - XSS: look for dangerouslySetInnerHTML, innerHTML, or unescaped user input rendered in templates.
  - Command injection: look for exec(), eval(), child_process.exec() with user input.
  - Path traversal: check file operations for unsanitized user input in paths.
- Review dependency security
  - Run npm audit or pip audit to check for known vulnerabilities.
  - Flag outdated dependencies with known CVEs.
  - Check for overly permissive dependency ranges.
- Check CORS and CSP configuration
  - Verify CORS doesn't use Access-Control-Allow-Origin: * in production.
  - Check for Content Security Policy headers.
  - Verify X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security headers.
- Review data exposure
  - Check API responses for leaking sensitive fields (password hashes, internal IDs, PII).
  - Verify error messages don't expose stack traces or internal details in production.
  - Check logging for sensitive data being written to logs.
- Generate report — produce a summary with severity ratings (Critical / High / Medium / Low) for each finding, with the file path, line number, and recommended fix.
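An added example, not part of the original skill: a scanner for the key=value and vendor-prefix patterns from the first step that emits findings in the shape the report step asks for (severity, file path, line number, recommended fix). The token lengths in the regexes, the filter for values that are lookups rather than literals, the severity assignments, the rule names and the sample files are assumptions made for this example; Base64-encoded credentials are out of scope.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line: int
    severity: str
    rule: str
    fix: str

FIX = "Rotate the credential and load it from the environment or a secret manager."
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Vendor prefixes from the checklist; the token lengths are assumptions of this example.
RULES = [
    ("aws-access-key-id", "Critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe-live-key", "Critical", re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b")),
    ("github-token", "Critical", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
]
# key=value and "key": "value" assignments; group 1 is the assigned value.
ASSIGN = re.compile(
    r"""\b(?:password|secret|token|api_key)["']?\s*[=:]\s*["']?([^\s"']{8,})""", re.I)
# Values that are lookups rather than literals are not findings (assumed filter).
REFERENCE = re.compile(r"^(?:\$\{|\$[A-Za-z_]|<|os\.|process\.env)|getenv")

def scan_text(path, text):
    """Return findings for one file's contents, at most one per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = next(((n, s) for n, s, rx in RULES if rx.search(line)), None)
        if hit is None:
            m = ASSIGN.search(line)
            if m and not REFERENCE.search(m.group(1)):
                hit = ("hardcoded-assignment", "High")
        if hit:
            findings.append(Finding(path, lineno, hit[1], hit[0], FIX))
    return findings

def report(files):
    """Scan {path: text} and sort findings by severity, then path and line."""
    found = [f for path, text in files.items() for f in scan_text(path, text)]
    return sorted(found, key=lambda f: (RANK[f.severity], f.path, f.line))

# Constructed sample files; every credential below is fake.
SAMPLE = {
    "config.json": '{\n  "db": {"password": "hunter2-not-real"}\n}\n',
    ".env": "STRIPE_KEY=sk_live_" + "0" * 24 + "\nAPI_KEY=${VAULT_API_KEY}\n",
    "app.py": 'import os\ntoken = os.environ["TOKEN"]\naws = "AKIA' + "A" * 16 + '"\n',
}

if __name__ == "__main__":
    for f in report(SAMPLE):
        print(f"[{f.severity}] {f.path}:{f.line} {f.rule} -> {f.fix}")
```

The two lines that read the value from the environment (`${VAULT_API_KEY}` and `os.environ["TOKEN"]`) produce no finding, which keeps the report focused on literals that actually need rotating.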
Notes
- This is a code review, not a penetration test. Recommend tools like npm audit, trivy, or snyk for automated scanning.
- Always check .gitignore to ensure .env, credentials, and key files are excluded.
- For comprehensive auditing, recommend the OWASP Testing Guide.