igorwarzocha/security-fastapi
agents/security-reviewer/.opencode/skill/security-fastapi/SKILL.md
Review FastAPI security audit patterns for dependencies and middleware. Use for auditing auth dependencies, CORS configuration, and TrustedHost middleware. Use proactively when reviewing FastAPI apps. Examples: - user: "Audit FastAPI route security" → check for Depends() and Security() usage - user: "Check FastAPI CORS setup" → verify origins when allow_credentials=True - user: "Review FastAPI middleware" → check TrustedHost and HTTPSRedirect config - user: "Secure FastAPI API keys" → move from query params to header schemes - user: "Scan for FastAPI footguns" → check starlette integration and dependency order
$ install --global
skillsauthnpx skillsauth add igorwarzocha/opencode-workflows security-fastapiInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:06 PM7.5s2 files scanned
SKILL.md
- name:
- security-fastapi
- description:
- |-
- - user:
- Scan for FastAPI footguns" → check starlette integration and dependency order
<overview>
Security audit patterns for FastAPI applications covering authentication dependencies, CORS configuration, and middleware security.
</overview> <vulnerabilities>Core Risks to Check
Missing Auth on Routes
FastAPI expects authentication/authorization via dependencies on routes or routers. If no Depends()/Security() usage exists, review every route for unintended public access.
from fastapi import Depends, Security
@app.get("/private")
async def private_route(user=Depends(get_current_user)):
return {"ok": True}
@app.get("/scoped")
async def scoped_route(user=Security(get_current_user, scopes=["items"])):
return {"ok": True}
API Key Schemes
If using API keys, SHOULD prefer header-based schemes (APIKeyHeader) and validate the key server-side.
from fastapi import Depends, FastAPI
from fastapi.security import APIKeyHeader
api_key = APIKeyHeader(name="x-api-key")
@app.get("/items")
async def read_items(key: str = Depends(api_key)):
return {"key": key}
CORS: Avoid Wildcards with Credentials
Using allow_origins=["*"] excludes credentialed requests (cookies/Authorization). For authenticated browser clients, MUST explicitly list allowed origins.
from fastapi.middleware.cors import CORSMiddleware
app.add_middleware(
CORSMiddleware,
allow_origins=["https://app.example.com"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
Host Header and HTTPS Enforcement
SHOULD use Starlette middleware to prevent host-header attacks and enforce HTTPS in production.
from starlette.middleware.trustedhost import TrustedHostMiddleware
from starlette.middleware.httpsredirect import HTTPSRedirectMiddleware
app.add_middleware(TrustedHostMiddleware, allowed_hosts=["example.com", "*.example.com"])
app.add_middleware(HTTPSRedirectMiddleware)
Quick Audit Commands
# Detect FastAPI usage
rg -n "fastapi" pyproject.toml requirements*.txt
# Find routes
rg -n "@app\.(get|post|put|patch|delete)" . -g "*.py"
# Check for auth dependencies
rg -n "Depends\(|Security\(" . -g "*.py"
# CORS config and wildcards
rg -n "CORSMiddleware|allow_origins|allow_credentials" . -g "*.py"
# TrustedHost/HTTPS middleware
rg -n "TrustedHostMiddleware|HTTPSRedirectMiddleware" . -g "*.py"
Hardening Checklist
- [ ] All sensitive routes require
Depends()orSecurity()auth dependencies - [ ] API key schemes use headers (
APIKeyHeader), not query params - [ ]
allow_originsis explicit whenallow_credentials=True - [ ]
TrustedHostMiddlewareconfigured for production domains - [ ]
HTTPSRedirectMiddlewareenabled in production (or enforced by proxy)
Scripts
scripts/scan.sh- First-pass FastAPI security scan
Related Skills
igorwarzocha/writing
development
VerifiedTrustedCommunity
Handle structured co-authoring of professional documentation. Use for proposals, technical specs, and RFCs. Use proactively when a collaborative drafting process (Gathering -> Refinement -> Testing) is needed. Examples: - user: "Draft a technical RFC for the new API" -> follow Stage 1 context gathering - user: "Refine the introduction of this proposal" -> use iterative surgical edits - user: "Test if this document is clear for readers" -> run reader testing workflow
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/word
development
VerifiedTrustedCommunity
Handle Word document (.docx) creation, editing, and analysis with high-fidelity visual review. Use for professional reports, legal documents, and tracked changes. Use proactively when quality and precise formatting are critical. Examples: - user: "Create a professional report in Word" -> use python-docx with render loops - user: "Draft a legal contract with redlines" -> use ooxml redlining workflow - user: "Extract text from this DOCX while preserving structure" -> use pandoc markdown conversion
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/themes
testing
VerifiedTrustedCommunity
Apply professional visual themes to documents and presentations. Use for styling artifacts with consistent color palettes and font pairings. Use proactively to quickly improve the aesthetic quality of deliverables. Examples: - user: "Apply a modern theme to this deck" -> use Modern Minimalist theme - user: "I want a tech aesthetic for this doc" -> apply Tech Innovation theme - user: "Create a custom theme for my project" -> generate new color/font specification
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective opencode skills. Use for creating or updating skills that extend agent capabilities with specialized knowledge, workflows, or tool integrations. Examples: - user: "Create a skill for git workflows" → define SKILL.md with instructions and examples - user: "Add examples to my skill" → follow the user: "query" → action pattern - user: "Update skill description" → use literal block scalar and trigger contexts - user: "Structure a complex skill" → organize with scripts/ and references/ directories - user: "Validate my skill" → check structure, frontmatter, and discovery triggers
100SKILL.mdUpdated Apr 5, 2026