levnikolaevich/ln-621-security-auditor

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If shared/ is missing, fetch files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}.

Security Auditor (L3 Worker)

Type: L3 Worker

Specialized worker auditing security vulnerabilities in codebase.

Purpose & Scope

• Audit codebase for security vulnerabilities (Category 1: Critical Priority)
• Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
• Return structured findings to coordinator with severity, location, effort, recommendations
• Calculate compliance score (X/10) for Security category

Inputs

MANDATORY READ: Load shared/references/audit_worker_core_contract.md. MANDATORY READ: Load shared/references/mcp_tool_preferences.md and shared/references/mcp_integration_patterns.md

Receives contextStore with: tech_stack, best_practices, principles, codebase_root, output_dir.

Use hex-graph first when dataflow or cross-file reference analysis materially improves confidence. Use hex-line first for local code reads when available. If MCP is unavailable, unsupported, or not indexed, continue with built-in Read/Grep/Glob/Bash and state the fallback in the report.

Workflow

MANDATORY READ: Load shared/references/two_layer_detection.md for detection methodology.

1. Parse Context: Extract tech stack, best practices, codebase root, output_dir from contextStore
2. Scan Codebase (Layer 1): Run security checks using Glob/Grep patterns (see Audit Rules below)
3. Analyze Context (Layer 2): For each candidate, read surrounding code to classify:
   • Secrets: test fixture / example / template -> FP. Production code -> confirmed
   • SQL injection: ORM parameterization nearby -> FP. Raw string concat with user input -> confirmed
   • XSS: framework auto-escapes (React JSX, Go templates) -> FP. Unsafe context (innerHTML, | safe) -> confirmed
   • Deps: vulnerable API not called in project -> downgrade. Exploitable path -> confirmed
   • Validation: internal service-to-service endpoint -> downgrade. Public API -> confirmed
4. Collect Findings: Record confirmed violations with severity, location (file:line), effort estimate (S/M/L), recommendation
5. Calculate Score: Count violations by severity, calculate compliance score (X/10)
6. Write Report: Build full markdown report in memory per shared/templates/audit_worker_report_template.md, write to {output_dir}/ln-621--global.md in single Write call
7. Return Summary: Return minimal summary to coordinator (see Output Format)

Audit Rules (Priority: CRITICAL)

1. Hardcoded Secrets

What: API keys, passwords, tokens, private keys in source code

Detection:

• Search patterns: API_KEY = "...", password = "...", token = "...", SECRET = "..."
• File extensions: .ts, .js, .py, .go, .java, .cs
• Exclude: .env.example, README.md, test files with mock data

Severity:

• CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
• HIGH: Development/staging credentials
• MEDIUM: Test credentials in non-test files

Recommendation: Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)

Effort: S (replace hardcoded value with process.env.VAR_NAME)

2. SQL Injection Patterns

What: String concatenation in SQL queries instead of parameterized queries

Detection:

• Patterns: query = "SELECT * FROM users WHERE id=" + userId, db.execute(f"SELECT * FROM {table}"), `SELECT * FROM ${table}`
• Languages: JavaScript, Python, PHP, Java

Severity:

• CRITICAL: User input directly concatenated without sanitization
• HIGH: Variable concatenation in production code
• MEDIUM: Concatenation with internal variables only

Recommendation: Use parameterized queries (prepared statements), ORM query builders

Effort: M (refactor query to use placeholders)

3. XSS Vulnerabilities

What: Unsanitized user input rendered in HTML/templates

Detection:

• Patterns: innerHTML = userInput, dangerouslySetInnerHTML={{__html: data}}, echo $userInput;
• Template engines: Check for unescaped output ({{ var | safe }}, <%- var %>)

Severity:

• CRITICAL: User input directly inserted into DOM without sanitization
• HIGH: User input with partial sanitization (insufficient escaping)
• MEDIUM: Internal data with potential XSS if compromised

Recommendation: Use framework escaping (React auto-escapes, use textContent), sanitize with DOMPurify

Effort: S-M (replace innerHTML with textContent or sanitize)

4. Insecure Dependencies

What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)

Detection:

• Run npm audit (Node.js), pip-audit (Python), cargo audit (Rust), dotnet list package --vulnerable (.NET)
• Check for outdated critical dependencies

Severity:

• CRITICAL: CVE with exploitable vulnerability in production dependencies
• HIGH: CVE in dev dependencies or lower severity production CVEs
• MEDIUM: Outdated packages without known CVEs but security risk

Recommendation: Update to patched versions, replace unmaintained packages

Effort: S-M (update package.json, test), L (if breaking changes)

5. Missing Input Validation

What: Missing validation at system boundaries (API endpoints, user forms, file uploads)

Detection:

• API routes without validation middleware
• Form handlers without input sanitization
• File uploads without type/size checks
• Missing CORS configuration

Severity:

• CRITICAL: File upload without validation, authentication bypass potential
• HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
• MEDIUM: Missing validation on read-only or internal endpoints

Recommendation: Add validation middleware (Joi, Yup, express-validator), implement input sanitization

Effort: M (add validation schema and middleware)

Scoring Algorithm

MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/references/audit_scoring.md.

Output Format

MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/templates/audit_worker_report_template.md.

Write JSON summary per shared/references/audit_summary_contract.md. In managed mode the caller passes both runId and summaryArtifactPath; in standalone mode the worker generates its own run-scoped artifact path per shared contract.

Write report to {output_dir}/ln-621--global.md with category: "Security" and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.

Return summary per shared/references/audit_summary_contract.md.

Standalone mode still writes the same JSON summary to a worker-owned run-scoped artifact path per shared contract.

Critical Rules

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

• Do not auto-fix: Report violations only; coordinator creates task for user to fix
• Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
• False positive reduction: Exclude test files, example configs, documentation
• Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
• Location precision: Always include file:line for programmatic navigation

Definition of Done

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

• [ ] contextStore parsed successfully (including output_dir)
• [ ] All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
• [ ] Findings collected with severity, location, effort, recommendation
• [ ] Score calculated using penalty algorithm
• [ ] Report written to {output_dir}/ln-621--global.md (atomic single Write call)
• [ ] Summary written per contract

Reference Files

• Audit output schema: shared/references/audit_output_schema.md
• Security audit rules: references/security_rules.md

---

Version: 3.0.0 Last Updated: 2025-12-23