Security Audit
1. Red Flags (Anti-Rationalization)
STOP and READ THIS if you are thinking:
- "I'll skip the script because I just checked the code manually" -> WRONG. Humans miss regex patterns. EXECUTE the script.
- "This is an internal tool, so AuthZ doesn't matter" -> WRONG. Zero Trust applies everywhere.
- "Dependencies are probably fine" -> WRONG. Supply chain attacks are the #1 vector in 2025.
- "I don't have time for a full audit" -> WRONG. Breach cleanup takes 100x longer.
2. Automated Detection
EXECUTE the unified audit script to detect vulnerabilities:
python3 .agent/skills/security-audit/scripts/run_audit.py [project_path] [--scan-type all|deps|secrets|patterns|config|external]
- Analysis: Review the output. If tools fail or report Critical/High issues, they are BLOCKERS.
- Scope: The script checks Secrets (OWASP A02), Dependencies (A06), Code Patterns / Injection (A03), and Config / Misconfiguration (A05).
- External Tools: It also auto-runs
slither,bandit,npm audit, orcargo auditif project types are detected. - Self-Exclusion: The scanner skips its own source files to prevent false positives.
3. "Think Like a Hacker" (Adversarial Review)
Refuse to merge/approve until you have manually verified the code against the relevant checklist.
π‘οΈ Smart Contracts (Solidity)
MANDATORY: Read references/checklists/solidity_security.md.
Top 3 Checks:
- Reentrancy: Are checks-effects-interactions followed?
nonReentrantused? - Access Control: Who owns the contract?
onlyOwnerchecks? - Price Manipulation: Are spot prices used? (Use Oracles).
- Fuzzing: See
references/checklists/fuzzing_invariants.md.
π¦ Smart Contracts (Solana/Rust)
MANDATORY: Read references/checklists/solana_security.md.
Top 3 Checks:
- Account Validation: Are ALL accounts checked for ownership and signer status?
- PDA bumps: Are bumps strictly validated?
- Arithmetic: Is
overflow_checkson?
π Web/API (OWASP Top 10:2025)
MANDATORY: Read references/checklists/owasp_top_10.md.
Top 3 Checks:
- Broken Access Control (A01): Can user A access user B's data? (IDOR).
- Supply Chain (A03): Are lock files committed? Are deps pinned?
- Exceptional Conditions (A10): Does it fail secure?
4. Attack Surface Mapping
Before declaring "Secure", map the surface:
- Entry Points: APIs, forms, file uploads, webhooks.
- Data Flows: Where does user input go? (Logs? DB? Shell?).
- Assets: Secrets, PII, Money.
5. Reporting
- Critical: Immediate Blocker (RCE, Auth Bypass, Secrets). Fix immediately.
- High: Must fix before release (XSS, CSRF, Dep Vulns).
- Medium: Document in Backlog (Missing headers, best practices).
6. Rationalization Table
| Agent Excuse | Reality / Counter-Argument |
|---|---|
| "The script reported [OK], so it's clean" | Check skipped_files count. Silent skips = false negatives. |
| "This is a test/dev environment" | Attackers pivot from dev to prod. Zero Trust applies everywhere. |
| "Dependencies are only dev dependencies" | devDependencies run during build. Supply chain attacks don't discriminate. |
| "The flag is a false positive" | Verify manually. Never dismiss without proof. |
| "I'll fix it later" | Later = Never. Critical/High = Blocker NOW. |