/security-scan — Security Audit
Comprehensive security audit combining agent-based code review with automated scans.
Process
1. Launch security-reviewer agent
Launch the security-reviewer agent to perform a full 8-category scored security audit of the codebase.
2. Automated scans
Run these scans in parallel with the agent review:
npm audit:
npm audit --json 2>/dev/null || true
Review results for high/critical vulnerabilities. Flag any with known exploits.
Environment variable scan: Check for proper env var handling:
- Scan for hardcoded secrets in source files (API keys, passwords, tokens)
- Verify
.envis in.gitignore - Check
NEXT_PUBLIC_prefix usage (only truly public values) - Verify server-only secrets are not imported in client code
Secrets-in-source scan: Search for patterns that indicate leaked secrets:
sk_live_,sk_test_(Stripe secret keys)service_rolekey valuespassword,secret,tokenin string literals- Base64-encoded credentials
- Private keys or certificates
3. Unified report
Combine the security-reviewer agent's scored report with automated scan findings:
## Security Scan Report
**Date:** YYYY-MM-DD
**Overall Risk Level:** CRITICAL / HIGH / MEDIUM / LOW
### Agent Security Audit
[Include the full security-reviewer agent report]
### Automated Scan Results
#### npm audit
| Severity | Count | Details |
|----------|-------|---------|
| Critical | X | ... |
| High | X | ... |
| Moderate | X | ... |
#### Secrets Scan
- [ ] No hardcoded secrets found
- [ ] .env in .gitignore
- [ ] NEXT_PUBLIC_ used correctly
- [ ] Server secrets not in client code
### Action Items
1. **[CRITICAL]** ...
2. **[HIGH]** ...
3. **[MEDIUM]** ...
### Summary
- Security audit score: X/80
- npm vulnerabilities: X critical, Y high
- Secrets found: X
- Total action items: X
Rules
- Do NOT modify any files — audit only
- Run
npm auditbut do NOT auto-fix (let the user decide) - Flag any finding with a concrete fix recommendation
- Prioritize by real-world exploitability
- If no issues found in a category, explicitly mark it as clear