jordan/feat-dev-e2e3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f4e333abd7
feat-dev-e2e3/.claude/commands/audit-feature.md
jordan 806f0ae1a7
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
ci/woodpecker/manual/woodpecker Pipeline was successful
Details
Initialize project from skeleton template
2026-02-03 02:58:22 +00:00

2.7 KiB
Raw Blame History

description argument-hint allowed-tools
Perform a security and quality audit of a feature <feature-slug> Bash, Read, Glob, Grep, Write

Audit feature: $ARGUMENTS

Instructions

1. Load Feature Context

sdlc feature show $ARGUMENTS --json

Read the spec and design to understand the feature security surface:

  • .sdlc/features/$ARGUMENTS/spec.md
  • .sdlc/features/$ARGUMENTS/design.md

2. Run Static Analysis

go vet ./... 2>/dev/null || true
golangci-lint run ./... 2>/dev/null || true

Capture any warnings or errors related to the feature files.

3. OWASP Top 10 Check

For each applicable category, search the feature code:

Category What to Check
Injection SQL queries, command execution, template rendering
Broken Auth Token handling, session management, credential storage
Sensitive Data Secrets in code, logging PII, unencrypted storage
XXE / Deserialization XML parsing, JSON unmarshaling of untrusted input
Broken Access Control Authorization checks, resource ownership validation
Misconfiguration Default credentials, debug modes, permissive CORS
XSS User input rendered without escaping
Insecure Components Known vulnerable dependencies
Logging Gaps Missing audit logs, excessive debug logging
SSRF User-controlled URLs, internal network access

4. Verify Auth Boundaries

  • Every endpoint has authentication
  • Authorization checks match the resource being accessed
  • No privilege escalation paths

5. Check for Hardcoded Secrets

grep -rn "password\|secret\|token\|api_key\|apikey" --include="*.go" [feature files]

6. Write Audit Report

Write to .sdlc/features/$ARGUMENTS/audit.md:

# Security Audit: [Feature Title]

## Summary
[Overall assessment: PASS / NEEDS_REMEDIATION]

## Static Analysis Results
[Findings from vet/lint]

## OWASP Assessment
| Category | Status | Notes |
|----------|--------|-------|
| Injection | PASS/FAIL | [details] |
| ... | ... | ... |

## Critical Findings
- [Finding with severity and remediation guidance]

## High Findings
- [Finding]

## Medium/Low Findings
- [Finding]

## Recommendations
[Ordered list of actions to take]

7. Register the Artifact

sdlc artifact create $ARGUMENTS audit

Critical Rules

  • NEVER skip OWASP checks -- even if the feature seems low-risk
  • ALWAYS check for hardcoded secrets, tokens, and credentials
  • ALWAYS verify authentication and authorization boundaries
  • NEVER pass an audit with critical or high severity findings unresolved
  • ALWAYS run static analysis tools before manual review