feat-dev-e2e3/.claude/commands/audit-feature.md
jordan 806f0ae1a7
Initialize project from skeleton template
2026-02-03 02:58:22 +00:00


---
description: Perform a security and quality audit of a feature
argument-hint: <feature-slug>
allowed-tools: Bash, Read, Glob, Grep, Write
---
Audit feature: $ARGUMENTS
## Instructions
### 1. Load Feature Context
```bash
sdlc feature show $ARGUMENTS --json
```
Read the spec and design to understand the feature's security surface:
- `.sdlc/features/$ARGUMENTS/spec.md`
- `.sdlc/features/$ARGUMENTS/design.md`
### 2. Run Static Analysis
```bash
# go vet writes its diagnostics to stderr, so do not redirect stderr away or the
# findings are lost. `|| true` keeps the audit going when either tool exits non-zero.
go vet ./... || true
golangci-lint run ./... || true
```
Capture any warnings or errors related to the feature files.
### 3. OWASP Top 10 Check
For each applicable category, search the feature code:
| Category | What to Check |
|----------|--------------|
| **Injection** | SQL queries, command execution, template rendering |
| **Broken Auth** | Token handling, session management, credential storage |
| **Sensitive Data** | Secrets in code, logging PII, unencrypted storage |
| **XXE / Deserialization** | XML parsing, JSON unmarshaling of untrusted input |
| **Broken Access Control** | Authorization checks, resource ownership validation |
| **Misconfiguration** | Default credentials, debug modes, permissive CORS |
| **XSS** | User input rendered without escaping |
| **Insecure Components** | Known vulnerable dependencies |
| **Logging Gaps** | Missing audit logs, excessive debug logging |
| **SSRF** | User-controlled URLs, internal network access |
### 4. Verify Auth Boundaries
- Every endpoint has authentication
- Authorization checks match the resource being accessed
- No privilege escalation paths
### 5. Check for Hardcoded Secrets
```bash
# -i: credential identifiers are often camel- or upper-cased (Password, API_KEY)
grep -rni "password\|secret\|token\|api_key\|apikey" --include="*.go" [feature files]
```
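As an added example (not part of this command or the project it targets), the OWASP search in step 3 and the secret grep in step 5 expressed as a small Go scanner: `Audit`, `Finding`, the regex heuristics and the seeded `Sample` source are all constructed for this illustration, and a match is a review candidate for the auditor, not a confirmed finding.

```go
package main
import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one source line flagged for manual review under an OWASP category.
type Finding struct {
	Category string
	Line     int
}
// checks are constructed heuristics for three rows of the OWASP table.
var checks = []struct {
	Category string
	Re       *regexp.Regexp
}{
	// Injection: SQL built with Sprintf or concatenation instead of placeholders.
	{"Injection", regexp.MustCompile(`\.(Query|QueryRow|Exec)\(.*(fmt\.Sprintf|\+)`)},
	// SSRF: outbound request whose URL argument is not a string literal.
	{"SSRF", regexp.MustCompile(`http\.(Get|Post|Head)\([^"]`)},
	// Sensitive Data: the step 5 grep as a case-insensitive assignment pattern.
	{"Sensitive Data", regexp.MustCompile(`(?i)(password|secret|token|api_?key)\s*:?=\s*"[^"]+"`)},
}
// Audit scans Go source text line by line and returns findings in line order.
func Audit(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		for _, c := range checks {
			if c.Re.MatchString(sc.Text()) {
				out = append(out, Finding{c.Category, n})
			}
		}
	}
	return out
}
// Sample is constructed Go source seeded with one hit per check above.
const Sample = `package api
var apiKey = "sk-example-0000"
func list(db *sql.DB, name string) {
	rows, _ := db.Query(fmt.Sprintf("SELECT * FROM t WHERE n='%s'", name))
	resp, _ := http.Get(name)
}`

func main() {
	for _, f := range Audit(Sample) {
		fmt.Printf("%-14s line %d\n", f.Category, f.Line)
	}
}
```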
### 6. Write Audit Report
Write to `.sdlc/features/$ARGUMENTS/audit.md`:
```markdown
# Security Audit: [Feature Title]
## Summary
[Overall assessment: PASS / NEEDS_REMEDIATION]
## Static Analysis Results
[Findings from vet/lint]
## OWASP Assessment
| Category | Status | Notes |
|----------|--------|-------|
| Injection | PASS/FAIL | [details] |
| ... | ... | ... |
## Critical Findings
- [Finding with severity and remediation guidance]
## High Findings
- [Finding]
## Medium/Low Findings
- [Finding]
## Recommendations
[Ordered list of actions to take]
```
### 7. Register the Artifact
```bash
sdlc artifact create $ARGUMENTS audit
```
## Critical Rules
- NEVER skip OWASP checks -- even if the feature seems low-risk
- ALWAYS check for hardcoded secrets, tokens, and credentials
- ALWAYS verify authentication and authorization boundaries
- NEVER pass an audit with critical or high severity findings unresolved
- ALWAYS run static analysis tools before manual review