All skills
Skillintermediate

Security Audit (Comprehensive)

**Single source of truth for ALL security checks.** Output to `.claude/audits/AUDIT_SECURITY.md`.

Claude Code Knowledge Pack7/10/2026

Overview

Security Audit (Comprehensive)

Single source of truth for ALL security checks. Output to .claude/audits/AUDIT_SECURITY.md.

Status Block (Required)

Every output MUST start with:

---
agent: security-auditor
status: COMPLETE | PARTIAL | SKIPPED | ERROR
timestamp: [ISO timestamp]
duration: [seconds]
findings: [count]
critical_count: [count]
high_count: [count]
errors: []
skipped_checks: []
---

Scope (SINGLE AUTHORITY)

security-auditor is the ONLY agent that checks:

  • Injection attacks (SQL, NoSQL, Command, XSS, LDAP)
  • Authentication & session management
  • Authorization & access control
  • Secrets & credential exposure
  • Security headers & configuration
  • CSRF protection
  • Rate limiting
  • Data exposure risks

Other agents do NOT check security:

  • bug-auditor: Runtime bugs only (not security)
  • code-auditor: Code quality only (not security)

1. Injection Attacks

SQL Injection

# Raw queries with string interpolation
grep -rn "\\$queryRaw\\|\\$executeRaw" src --include="*.ts" | head -10
grep -rn "query\\s*(" src --include="*.ts" | grep -v "prisma\\." | head -10
grep -rn '`.*\\$\\{.*\\}.*`' src --include="*.ts" | grep -i "select\\|insert\\|update\\|delete" | head -10

NoSQL Injection

# MongoDB query manipulation
grep -rn "\\.find\\s*(\\s*{" src --include="*.ts" | head -10
grep -rn "\\$where\\|\\$regex" src --include="*.ts" | head -5

Command Injection

# Shell command execution
grep -rn "exec\\|spawn\\|execSync" src --include="*.ts" | head -10
grep -rn "child_process" src --include="*.ts" | head -5

XSS (Cross-Site Scripting)

# Dangerous HTML rendering
grep -rn "dangerouslySetInnerHTML\\|innerHTML\\|outerHTML" src --include="*.tsx" --include="*.ts" | head -10
# Unsanitized output
grep -rn "\\.html\\s*(" src --include="*.ts" | head -5

2. Authentication & Session

# Unprotected API routes (no auth check)
grep -rn "export.*GET\\|export.*POST" src/app/api --include="*.ts" | head -20

# Check for auth in routes
for file in $(find src/app/api -name "route.ts" 2>/dev/null); do
  grep -L "getServerSession\\|auth\\|verify\\|middleware" "$file" 2>/dev/null
done | head -10

# Password handling
grep -rn "password" src --include="*.ts" | grep -v "hash\\|bcrypt\\|argon" | head -10

# Session configuration
grep -rn "maxAge\\|expires\\|secure\\|httpOnly" src --include="*.ts" | head -10

3. Authorization

# Direct object references without validation
grep -rn "params\\.\\|params\\[" src/app/api --include="*.ts" | head -10

# Missing ownership checks
grep -rn "findUnique\\|findFirst" src --include="*.ts" | grep -v "where.*userId\\|where.*ownerId" | head -10

# Role checks
grep -rn "role\\|admin\\|isAdmin" src --include="*.ts" | head -10

4. Secrets & Configuration

# Hardcoded secrets
grep -rn "sk_live\\|sk_test\\|api_key\\|apikey\\|secret" src --include="*.ts" | grep -v "process.env\\|import" | head -10

# Secrets in client code
grep -rn "process.env\\." src --include="*.tsx" | grep -v "NEXT_PUBLIC" | head -10

# .env files in git
ls -la .env .env.local .env.production 2>/dev/null

# Check for example env
diff .env.example .env 2>/dev/null | head -20

5. Security Headers & CORS

# Missing security headers in next.config
grep -rn "headers\\|contentSecurityPolicy\\|strictTransportSecurity" next.config.* 2>/dev/null | head -10

# CORS configuration
grep -rn "Access-Control\\|cors" src --include="*.ts" | head -10

# Cookie settings
grep -rn "cookie\\|setCookie" src --include="*.ts" | grep -v "httpOnly\\|secure\\|sameSite" | head -10

6. CSRF & Rate Limiting

# CSRF tokens
grep -rn "csrf\\|csrfToken\\|_token" src --include="*.ts" | head -10

# Rate limiting
grep -rn "rateLimit\\|rate-limit\\|limiter\\|throttle" src --include="*.ts" | head -5

# Auth endpoint protection
grep -rn "login\\|signin\\|signup\\|register" src/app/api --include="*.ts" | head -10

7. Data Exposure

# Sensitive data in responses
grep -rn "password\\|secret\\|token\\|apiKey" src --include="*.ts" | grep "return\\|Response\\|json" | head -10

# Stack traces in production
grep -rn "stack\\|stackTrace" src --include="*.ts" | head -5

# PII logging
grep -rn "console.log\\|logger" src --include="*.ts" | grep -i "email\\|password\\|ssn\\|credit" | head -10

8. Dependency Vulnerabilities

# Run audit
npm audit 2>/dev/null | head -50 || pnpm audit 2>/dev/null | head -50 || yarn audit 2>/dev/null | head -50

Output

# Security Audit

---
agent: security-auditor
status: [COMPLETE|PARTIAL|SKIPPED]
timestamp: [ISO timestamp]
duration: [X seconds]
findings: [X]
critical_count: [X]
high_count: [X]
errors: [list any errors]
skipped_checks: [list checks that couldn't run]
---

## Risk Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Injection | X | X | X | X |
| Auth | X | X | X | X |
| Secrets | X | X | X | X |
| Headers | X | X | X | X |
| Data | X | X | X | X |

**Total:** X Critical, X High, X Medium, X Low

## Critical Findings

### SEC-001: SQL Injection in User Search
**CVSS Score:** 9.8 (Critical)
**Location:** `src/api/users.ts:47`
**Attack Vector:**

POST /api/users?search=' OR '1'='1

**Impact:** Full database access
**Remediation:**
```typescript
// Use parameterized queries
prisma.user.findMany({ where: { name: { contains: search } } })

SEC-002: Hardcoded API Key

CVSS Score: 9.1 (Critical) Location: src/lib/stripe.ts:5 Issue: Production API key in source code

const stripe = new Stripe('sk_live_xxxxx'); // EXPOSED!

Remediation:

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

SEC-003: SSRF Vulnerability

CVSS Score: 8.6 (Critical) Location: src/app/api/fetch/route.ts:12 Issue: User-controlled URL in fetch

const response = await fetch(req.query.url); // SSRF!

Remediation: Validate URL against allowlist

High

SEC-004: Missing Rate Limiting on Login

CVSS Score: 7.5 (High) Location: src/app/api/auth/login/route.ts Attack Vector: Brute force password attempts Impact: Account takeover via credential stuffing Remediation: Add rate limiting middleware (5 attempts/minute)

SEC-005: Missing Security Headers

CVSS Score: 7.1 (High) Location: next.config.ts Missing:

  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Strict-Transport-Security Remediation:
// next.config.ts
headers: () => [
  {
    source: '/:path*',
    headers: [
      { key: 'X-Frame-Options', value: 'DENY' },
      { key: 'X-Content-Type-Options', value: 'nosniff' },
      { key: 'Strict-Transport-Security', value: 'max-age=31536000' },
    ],
  },
],

SEC-006: XSS via dangerouslySetInnerHTML

CVSS Score: 6.1 (High) Location: src/components/Comment.tsx:23 Issue: User content rendered without sanitization

<div dangerouslySetInnerHTML={{ __html: comment.body }} />

Remediation:


<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(comment.body) }} />

Medium

SEC-007: Session Token in URL

CVSS Score: 5.3 (Medium) Location: src/pages/verify.tsx:8 Attack Vector: Token visible in browser history, referrer headers Impact: Session hijacking Remediation: Use POST body or HTTP-only cookies for tokens

SEC-008: Missing CSRF Protection

CVSS Score: 4.3 (Medium) Location: src/app/api/settings/route.ts Attack Vector: Forged requests from malicious sites Impact: Unauthorized settings changes Remediation: Add CSRF tokens to forms

SEC-009: Verbose Error Messages

CVSS Score: 5.3 (Medium) Location: src/app/api/middleware/error.ts:15 Issue: Error responses include internal paths and stack traces Remediation: Return generic messages in production

Low

SEC-010: Debug Endpoints Enabled

Location: src/app/api/debug/route.ts Issue: Debug endpoint accessible in production Remediation: Remove or protect with auth

Dependency Vulnerabilities

npm audit output here

Checklist

Must Fix (Before Deploy)

  • Remove hardcoded credentials
  • Add authentication to admin routes
  • Sanitize user input for XSS
  • Use parameterized queries
  • Add rate limiting to auth endpoints

Should Fix (High Priority)

  • Add security headers
  • Implement CSRF protection
  • Add audit logging
  • Review error messages

Recommended

  • Enable Dependabot
  • Add security scanning to CI
  • Implement CSP
  • Regular penetration testing

## Execution Logging

After completing, append to `.claude/audits/EXECUTION_LOG.md`:

| [timestamp] | security-auditor | [status] | [duration] | [findings] | [errors] |


## Output Verification

Before completing:
1. Verify `.claude/audits/AUDIT_SECURITY.md` was created
2. Verify file has content beyond headers
3. If no issues found, write "No security issues detected" (not empty file)

**This agent is the SINGLE SOURCE for security findings. Other agents must NOT duplicate these checks.**