# Security Audit
You are the security-engineer for {{PROJECT_NAME}}. Analyze PR #$ARGUMENTS for security vulnerabilities.
## Step 1: Gather PR Context

```bash
# Get PR metadata
gh pr view $ARGUMENTS --json title,body,files,additions,deletions,baseRefName,headRefName

# Get full diff
gh pr diff $ARGUMENTS
```
If the PR number is invalid or the diff is empty, print an error and stop:
```text
Error: PR #$ARGUMENTS not found or has no file changes.
```
## Step 2: Classify Changed Files
Categorize each changed file by security risk tier:
| Risk Tier | File Patterns | Priority |
|---|---|---|
| Critical | `**/auth/**`, `**/tokens/**`, `**/crypto/**`, `**/*secret*`, `**/*credential*`, `**/.env*`, `**/services/api/**` | Analyze first |
| High | `**/services/**`, `**/database/**`, `**/sync/**`, `**/stores/**`, `**/*fetch*`, `**/*request*`, `**/hooks/useAuth*` | Analyze second |
| Medium | `**/features/**`, `**/app/**`, `**/components/**`, `**/utils/**` | Check for input handling |
| Low | `**/__tests__/**`, `**/__mocks__/**`, `**/design-system/**`, `**/*.md`, `**/.claude/**` | Scan for leaked secrets only |
| Config | `**/package.json`, `**/*.lockb`, `**/*.lock`, `**/*.config.*`, `**/.github/**` | Check dependency and CI changes |
For files not matching any pattern, default to Medium.
## Step 3: Security Analysis
For each changed file, run these checks in priority order:
### 3a: Secret Detection (ALL files)
Scan for patterns that indicate hardcoded secrets:
- API keys: `(api[_-]?key|apikey)\s*[:=]\s*['"][^'"]+['"]`
- Tokens: `(token|bearer|jwt)\s*[:=]\s*['"][^'"]+['"]`
- Passwords: `(password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]`
- Connection strings: `(connection[_-]?string|database[_-]?url)\s*[:=]`
- Private keys: `-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----`
- Cloud credentials: `(AKIA|az_|gcp_|sk-live_|sk_test_)`
Exclude: test fixtures, mock data, documentation examples, __mocks__/ files.
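A runnable version of the 3a scan, added here as an illustration and not part of the audit prompt itself: it walks a unified diff of the kind `gh pr diff` prints, applies the six patterns above to added lines only, and skips the excluded paths. The sample diff and its secret-looking values are constructed placeholders; the code assumes Python 3.9+ for `str.removeprefix`.

```python
import re

# Patterns from step 3a; keyword patterns are case-insensitive, key-material and cloud prefixes are not.
SECRET_PATTERNS = [
    ("api_key", re.compile(r"(api[_-]?key|apikey)\s*[:=]\s*['\"][^'\"]+['\"]", re.I)),
    ("token", re.compile(r"(token|bearer|jwt)\s*[:=]\s*['\"][^'\"]+['\"]", re.I)),
    ("password", re.compile(r"(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]+['\"]", re.I)),
    ("connection_string", re.compile(r"(connection[_-]?string|database[_-]?url)\s*[:=]", re.I)),
    ("private_key", re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("cloud_credential", re.compile(r"(AKIA|az_|gcp_|sk-live_|sk_test_)")),
]
# Exclusions from the prompt: mocks, test fixtures and documentation examples.
EXCLUDED_PARTS = ("__mocks__/", "__tests__/", "/fixtures/")

def is_excluded(path):
    return path.endswith(".md") or any(part in path for part in EXCLUDED_PARTS)

def scan_diff(diff_text):
    """Scan only the added lines of a unified diff; returns (file, line, kind, text)."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")      # '+++ b/src/x.ts' -> 'src/x.ts'
        elif raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1))  # new-file start line
        elif raw.startswith("+") and path is not None:
            text = raw[1:]
            if not is_excluded(path):
                for kind, pat in SECRET_PATTERNS:
                    if pat.search(text):
                        findings.append((path, new_line, kind, text.strip()))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1                            # context lines also advance the count
    return findings

# Constructed sample diff (not from any real PR); the secret-looking values are placeholders.
SAMPLE_DIFF = """\
--- a/src/services/api/client.ts
+++ b/src/services/api/client.ts
@@ -10,2 +10,3 @@ export const client = {
   baseUrl: BASE_URL,
+  apiKey: "sk_test_PLACEHOLDER0000",
   retries: 3,
--- a/src/__mocks__/api.ts
+++ b/src/__mocks__/api.ts
@@ -1,1 +1,2 @@
+  password: "not-a-real-password",
 export const mockClient = {};
"""
```

`scan_diff(SAMPLE_DIFF)` reports the `apiKey` line twice (as `api_key` and as `cloud_credential`, both at line 11 of the new file) and nothing for the mock, since its path is excluded.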
### 3b: OWASP Checks
Apply the appropriate OWASP checklist based on the type of files changed:
For mobile/client files:
| OWASP | What to Check | Red Flags |
|---|---|---|
| M1: Credential Usage | Token storage, credential handling | Insecure storage for tokens |
| M2: Supply Chain | New dependencies | Unvetted packages, no lockfile update |
| M3: Auth/AuthZ | Auth flow changes, permission checks | Missing token validation, no expiry check |
| M4: Input Validation | User input handling, URL parsing | No schema validation, eval(), innerHTML, dynamic require() |
| M5: Communication | Network requests, URL construction | HTTP (not HTTPS), missing cert pinning discussion |
| M6: Privacy | Data collection, analytics events | New PII collection without privacy policy update |
| M7: Binary Protections | Build config, debugging flags | Debug checks missing, debug logging in production |
| M8: Misconfiguration | App config, permissions | Over-broad permissions, debug mode in release |
| M9: Data Storage | Local data persistence | Sensitive data in local DB without encryption |
| M10: Cryptography | Encryption usage, hashing | Weak algorithms (MD5, SHA1 for security), hardcoded IVs/salts |
For API/backend files:
| OWASP | What to Check | Red Flags |
|---|---|---|
| API1: Broken Object Level Authorization | Resource access checks | Missing ownership validation |
| API2: Broken Authentication | Auth endpoints, token handling | Weak password policy, no rate limiting |
| API3: Broken Object Property Level Authorization | Field-level access | Mass assignment, exposing internal fields |
| API4: Unrestricted Resource Consumption | Rate limits, pagination | No pagination, unbounded queries |
| API5: Broken Function Level Authorization | Admin endpoints | Missing role checks |
### 3c: Dependency Analysis (Config files)
For changes to dependency files:
- Flag new dependencies for manual review
- Check if removed dependencies might break security features
- Note major version bumps that might change security behavior
### 3d: CI/CD Security (Workflow files)
For changes to .github/workflows/:
- Check the `permissions:` block is minimal (not `write-all`)
- Verify actions are pinned to SHA (not just a major version tag)
- Check for secret exposure in logs (`echo ${{ secrets.* }}`)
- Verify `--no-verify` is not used to skip hooks
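The 3d checks as a small line-based scanner, added as an example here and not part of the audit prompt or any project's tooling. It also flags a workflow that declares no `permissions:` block at all, which goes slightly beyond the list above; the sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re

# Line-level checks from step 3d of the audit prompt (no YAML parser needed).
LINE_CHECKS = [
    ("permissions-write-all", re.compile(r"^\s*permissions:\s*write-all\s*$")),
    ("secret-echoed-to-log", re.compile(r"\becho\b.*\$\{\{\s*secrets\.")),
    ("git-hooks-bypassed", re.compile(r"--no-verify\b")),
]
USES_REF = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, check, evidence) tuples for a workflow file's contents."""
    findings, declares_permissions = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if re.match(r"^\s*permissions:", line):
            declares_permissions = True
        for check, pat in LINE_CHECKS:
            if pat.search(line):
                findings.append((no, check, line.strip()))
        m = USES_REF.match(line)
        if m:
            ref = m.group(1)
            # Local ('./') and docker:// actions carry no tag to pin; any other
            # reference must end in a full 40-hex commit SHA, not a tag like @v4.
            if not ref.startswith(("./", "docker://")) and not SHA_PINNED.search(ref):
                findings.append((no, "action-not-sha-pinned", ref))
    if not declares_permissions:
        # No permissions block at all: the job runs with the repository's default
        # GITHUB_TOKEN permissions, which may be far from minimal.
        findings.append((0, "permissions-not-declared", "no permissions: block"))
    return findings

# Constructed sample workflow (not from any real repository); the 40-hex SHA is a
# placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: echo ${{ secrets.NPM_TOKEN }}
      - run: git commit -m "ci" --no-verify
"""
```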
### 3e: Navigation Safety (Route files)
For changes to routing/navigation:
- Check for unvalidated deep links / URL parameters
- Verify authentication guards on protected routes
- Check for open redirects via URL parameters
## Step 4: Rate Findings
Apply severity levels:
| Severity | Criteria | Action Required |
|---|---|---|
| Critical | Credentials in code, SQL injection, RCE | Block merge, fix immediately |
| High | Missing auth checks, insecure storage, unvalidated redirects | Block merge, fix before merge |
| Medium | Missing input validation, verbose errors, weak rate limiting | Should fix, can defer with tracking |
| Low | Missing audit logging, hardcoded non-secret URLs, outdated patterns | Informational, fix when convenient |
| Info | Defense-in-depth suggestions, style improvements | Optional, no action required |
## Step 5: Produce Findings Report
Save the report to .architecture/security/audit-findings-pr-$ARGUMENTS.md:
```markdown
# Security Audit: PR #$ARGUMENTS — {PR Title}

**Date:** YYYY-MM-DD
**Auditor:** security-engineer (agent)
**PR:** #{number} — {title}
**Branch:** {head} -> {base}
**Files analyzed:** {count}

## Summary

| Severity | Count |
|----------|-------|
| Critical | N |
| High | N |
| Medium | N |
| Low | N |
| Info | N |
| **Total** | **N** |

**Verdict:** {PASS | FAIL — N Critical/High findings must be resolved}

## File Classification

| File | Risk Tier | Findings |
|------|-----------|----------|
| path/to/file.ts | Critical | 2 |
| path/to/other.ts | Medium | 0 |

## Findings

### [SEVERITY] FINDING-NNN: {Title}

**File:** `{path}:{line}`
**OWASP:** {reference, e.g., M1: Credential Usage}
**Description:** {what the issue is}
**Evidence:** {code snippet or pattern found}
**Recommendation:** {how to fix}
**Backlog:** `/bug {ready-to-file description}` (for Medium+ deferred findings)

---

## Dependency Changes

| Package | Change | Action |
|---------|--------|--------|
| {name} | Added v{x.y.z} | Manual review required |
| {name} | Upgraded {old} -> {new} | Verify changelog for security fixes |

## OWASP Coverage

| OWASP Item | Checked | Finding? |
|------------|---------|----------|
| M1-M10 / API1-API10 | Yes/No/N/A | {finding ref or "Clear"} |

## Notes

{Any additional context, limitations, or observations}
```
## Step 6: Present Summary
```text
Security Audit: PR #{number}
=============================

Files analyzed: {count} ({critical tier}: {n}, {high tier}: {n}, {medium tier}: {n})
Verdict: {PASS / FAIL}

Findings: {total}
  Critical: {n}
  High: {n}
  Medium: {n}
  Low: {n}
  Info: {n}

{If FAIL:}
Merge blocked: {n} Critical/High findings require resolution.

{Top findings:}
1. [SEVERITY] {title} — {file}:{line}
2. [SEVERITY] {title} — {file}:{line}

Report: .architecture/security/audit-findings-pr-{number}.md
```
## Step 7: CI Integration Output
When invoked from CI, also output a machine-readable JSON summary to stdout:
```json
{
  "pr": "$ARGUMENTS",
  "verdict": "PASS|FAIL",
  "critical": 0,
  "high": 0,
  "medium": 0,
  "low": 0,
  "info": 0,
  "findings": [
    {
      "id": "FINDING-001",
      "severity": "critical",
      "title": "...",
      "file": "...",
      "line": 0,
      "owasp": "M1"
    }
  ]
}
```
## Edge Cases
- PR with no security-relevant files (only `.md`, `__tests__/`, design-system): produce a report with "No findings. All changes are in low-risk categories (docs, tests, design system)."
- Very large PR (>50 files): focus on Critical and High tier files first. Note in the report if Medium/Low files were not fully analyzed.
- Mixed file types (client + backend + CI): apply the appropriate rules per file type.