jordan/feat-dev-e2e2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
74e0e28cac
feat-dev-e2e2/.claude/commands/remediate-audit.md
jordan 74e0e28cac
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
ci/woodpecker/manual/woodpecker Pipeline was successful
Details
Initialize project from skeleton template
2026-02-03 02:20:35 +00:00

71 lines
2.0 KiB
Markdown
Raw Blame History

---
description: Remediate security audit findings
argument-hint: <feature-slug>
allowed-tools: Bash, Read, Write, Edit, Glob, Grep, Task
---
Remediate audit findings for feature: $ARGUMENTS
## Instructions
### 1. Load Audit Findings
Read `.sdlc/features/$ARGUMENTS/audit.md` to get the full security audit report.
### 2. Parse Findings by Severity
Collect all security findings:
1. **CRITICAL** -- immediate risk, must fix before any progress
2. **HIGH** -- significant risk, must fix before merge
3. **MEDIUM** -- moderate risk, should fix
4. **LOW** -- minor risk, fix if straightforward
### 3. Fix Critical Findings
For each critical finding:
1. Read the affected code
2. Understand the vulnerability and attack vector
3. Apply the proper remediation (input validation, auth check, etc.)
4. Verify the fix addresses the root cause, not just the symptom
### 4. Fix High Findings
After all critical findings are resolved, address high severity issues using the same disciplined approach.
### 5. Fix Medium and Low Findings
Address remaining findings in priority order.
### 6. Run Security Checks
Re-run the checks that originally found the issues:
```bash
go vet ./... 2>/dev/null || true
grep -rn "password\|secret\|token\|api_key" --include="*.go" [feature files] || true
```
### 7. Update Audit Report
Update `.sdlc/features/$ARGUMENTS/audit.md` with remediation notes:
```markdown
## Remediation Log
| Finding | Severity | Status | Resolution |
|---------|----------|--------|------------|
| [description] | CRITICAL | REMEDIATED | [what was done] |
```
### 8. Report
Summarize: findings remediated by severity, remaining items, verification results.
## Critical Rules
- ALWAYS fix all critical findings -- no exceptions
- NEVER leave high-severity security issues unresolved
- ALWAYS run security checks after applying fixes
- NEVER fix security issues with workarounds -- address root causes
- ALWAYS update the audit report with remediation details
- NEVER remove security findings from the report -- mark them as remediated
Reference in New Issue View Git Blame Copy Permalink