persona-community-3/.claude/commands/audit-feature.md
jordan f53b908499
Initialize project from skeleton template
2026-02-23 11:10:35 +00:00


---
description: Perform a security and quality audit of a feature
argument-hint: <feature-slug>
allowed-tools: Bash, Read, Glob, Grep, Write
---

# Audit feature: $ARGUMENTS

## Instructions

### 1. Load Feature Context

```bash
sdlc feature show $ARGUMENTS --json
```

Read the spec and design to understand the feature's attack surface (what input it accepts, which trust boundaries it crosses, what data it handles):

  • `.sdlc/features/$ARGUMENTS/spec.md`
  • `.sdlc/features/$ARGUMENTS/design.md`

### 2. Run Static Analysis

```bash
go vet ./... 2>&1 || true
golangci-lint run ./... 2>&1 || true
```

`go vet` writes all of its diagnostics to stderr, and `golangci-lint` writes its own warnings and tool errors there, so redirecting stderr to `/dev/null` would hide exactly the output this step exists to collect; merge it into stdout instead. The `|| true` keeps the audit going when a tool exits non-zero because it found something.

Capture any warnings or errors related to the feature files.

### 3. OWASP Top 10 Check

For each applicable category, search the feature code. The categories use the 2017 names plus SSRF from the 2021 list:

| Category | What to Check |
|----------|---------------|
| Injection | SQL built with `fmt.Sprintf` or string concatenation instead of `database/sql` placeholders; `os/exec` with user-controlled arguments (especially via `sh -c`); template rendering of untrusted values |
| Broken Auth | Token handling (constant-time comparison, expiry), session management, credential storage (password hashing, not reversible encoding) |
| Sensitive Data | Secrets in code, PII or credentials in logs, unencrypted storage |
| XXE / Deserialization | XML parsing of untrusted input (Go's `encoding/xml` does not resolve external entities, so look mainly at cgo-backed XML libraries); JSON unmarshaling of untrusted input into types that drive behaviour without validation |
| Broken Access Control | Authorization checks on every handler; resource ownership validation (the requested object belongs to the caller, not just "the caller is logged in") |
| Misconfiguration | Default credentials, debug modes and exposed `net/http/pprof`, permissive CORS |
| XSS | User input rendered without escaping (`text/template` where `html/template` is required, `template.HTML` applied to untrusted values) |
| Insecure Components | Known vulnerable dependencies (`govulncheck ./...`) |
| Logging Gaps | Missing audit logs for authentication and privilege changes, excessive debug logging |
| SSRF | User-controlled URLs passed to `http.Client`, reachability of internal network and cloud metadata addresses |

### 4. Verify Auth Boundaries

  • Every endpoint requires authentication, or is explicitly documented as public in the design
  • Authorization checks match the resource being accessed (ownership or role is checked against the object the request names, not only against the caller's session)
  • No privilege escalation paths (a lower-privileged caller cannot reach an admin action by changing an ID, method, or role field in the request)

### 5. Check for Hardcoded Secrets

```bash
grep -rniE "password|passwd|secret|token|api_?key|private_key|BEGIN (RSA|EC|OPENSSH) PRIVATE KEY" --include="*.go" [feature files]
```

The search is case-insensitive and matches variable and field names as well as values; review each hit for a literal value that is assigned, logged, or compared.
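The grep above reports every mention of a credential-looking name, including ordinary variables. The script below is an added example, not part of the audit-feature command or of the sdlc tool: it narrows step 5 to string literals assigned to such names and adds heuristic greps for some of the step 3 categories (injection, credentials in logs, XSS, CORS misconfiguration), printing hits as `CATEGORY:file:line:text` so they can be pasted into the audit table. The Go file it scans is constructed for the demo and deliberately bad; the category names, regexes and helper names are this example's own choices.

```sh
#!/bin/sh
# Added example for steps 3 and 5 of audit-feature. Not part of the command
# or of the sdlc tool; the regexes and category names are this example's own.
# Each finder prints CATEGORY:file:line:text per hit. A hit is a place to
# read, not a confirmed finding.

# Injection: SQL text assembled with fmt.Sprintf, and os/exec calls whose
# arguments are not all string literals (the -v regex drops the all-literal
# form such as exec.Command("git", "status")).
find_injection() {
  grep -nHE 'Sprintf\([[:space:]]*"[^"]*(SELECT|INSERT|UPDATE|DELETE)' "$@" | sed 's/^/INJECTION:/'
  grep -nHE 'exec\.Command(Context)?\(' "$@" \
    | grep -vE 'exec\.Command(Context)?\((ctx, )?"[^"]*"(, "[^"]*")*\)' \
    | sed 's/^/INJECTION:/'
}

# Step 5, narrowed: a credential-looking name that is assigned a string
# literal. Bare uses of a variable called "token" are not reported.
find_secrets() {
  grep -nHiE '(password|passwd|secret|token|api_?key)[A-Za-z0-9_]*[[:space:]]*:?=[[:space:]]*"[^"]+"' "$@" \
    | sed 's/^/SECRET:/'
}

# Sensitive data: credentials or tokens written to the standard logger.
find_sensitive_logging() {
  grep -nHiE 'log\.(Printf|Println|Print|Fatalf|Fatal)\(.*(password|token|secret|authorization)' "$@" \
    | sed 's/^/SENSITIVE_DATA:/'
}

# XSS: text/template does no contextual escaping, and template.HTML marks a
# value as already safe; both deserve a look wherever HTTP responses are built.
find_xss() {
  grep -nHE '"text/template"|template\.HTML\(' "$@" | sed 's/^/XSS:/'
}

# Misconfiguration: wildcard CORS origin.
find_misconfig() {
  grep -nHE 'Access-Control-Allow-Origin.*"\*"|AllowedOrigins.*"\*"' "$@" | sed 's/^/MISCONFIG:/'
}

scan_feature() {
  find_injection "$@"
  find_secrets "$@"
  find_sensitive_logging "$@"
  find_xss "$@"
  find_misconfig "$@"
}

# Number of hits for one category (grep -c prints 0 and exits 1 on no match).
count_category() {
  category=$1; shift
  scan_feature "$@" | grep -c "^$category:" || true
}

# Constructed sample feature file, deliberately bad, so the demo has hits.
make_sample_feature() {
  sample_dir=$(mktemp -d)
  cat > "$sample_dir/handler.go" <<'EOF'
package feature

import (
    "database/sql"
    "fmt"
    "log"
    "net/http"
    "os/exec"
    "text/template"
)

var apiKey = "sk_live_example_constructed_value" // constructed secret literal

func getUser(db *sql.DB, id string) *sql.Row {
    q := fmt.Sprintf("SELECT * FROM users WHERE id = '%s'", id) // injection
    return db.QueryRow(q)
}

func safeUser(db *sql.DB, id string) *sql.Row {
    return db.QueryRow("SELECT * FROM users WHERE id = $1", id) // parameterised, not reported
}

func run(cmd string) error {
    return exec.Command("sh", "-c", cmd).Run() // shell-out with caller data
}

func render(w http.ResponseWriter, name string) {
    t := template.Must(template.New("p").Parse("<p>{{.}}</p>")) // text/template in a handler
    _ = t.Execute(w, name)
}

func login(w http.ResponseWriter, token string) {
    w.Header().Set("Access-Control-Allow-Origin", "*") // wildcard CORS
    log.Printf("login token=%s", token)                 // credential in the log
}
EOF
  printf '%s\n' "$sample_dir"
}

# Demo: scan the constructed file and print per-category counts.
SAMPLE_DIR=$(make_sample_feature)
scan_feature "$SAMPLE_DIR"/*.go
for c in INJECTION SECRET SENSITIVE_DATA XSS MISCONFIG; do
  printf '%s=%s\n' "$c" "$(count_category "$c" "$SAMPLE_DIR"/*.go)"
done
rm -rf "$SAMPLE_DIR"
```

Run it against the real feature files instead of the constructed one with `scan_feature $(git ls-files -- path/to/feature '*.go')`; every hit still needs a human reading of the surrounding code before it becomes a finding in audit.md.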

### 6. Write Audit Report

Write to `.sdlc/features/$ARGUMENTS/audit.md`:

```markdown
# Security Audit: [Feature Title]

## Summary
[Overall assessment: PASS / NEEDS_REMEDIATION]

## Static Analysis Results
[Findings from vet/lint]

## OWASP Assessment
| Category | Status | Notes |
|----------|--------|-------|
| Injection | PASS/FAIL | [details] |
| ... | ... | ... |

## Critical Findings
- [Finding: file and line, severity, remediation guidance]

## High Findings
- [Finding: file and line, severity, remediation guidance]

## Medium/Low Findings
- [Finding]

## Recommendations
[Ordered list of actions to take]
```

### 7. Register and Evaluate the Artifact

Create the artifact:

```bash
sdlc artifact create $ARGUMENTS audit
```

Then evaluate the audit results and set the appropriate status:

  • If the audit has no critical or high findings, mark it as passed:
    `sdlc artifact pass $ARGUMENTS audit`

  • If the audit has critical or high findings, mark it as needs-fix:
    `sdlc artifact needs-fix $ARGUMENTS audit`

This status drives the SDLC classifier to either advance to QA or trigger remediate-audit.
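As an added example, not part of the command or of the sdlc tool: a shell helper that derives the step 7 status from audit.md itself, so the artifact status cannot disagree with the report. It counts bullet findings under the Critical and High headings (treating `- None` and the step 6 template placeholder as empty), cross-checks that the Summary section says PASS or NEEDS_REMEDIATION to match, and prints the sdlc command rather than running it, since the tool is not assumed to be installed. The function names, the `make_report` helper and the sample reports are constructed for this example.

```sh
#!/bin/sh
# Added example for step 7 of audit-feature. Not part of the command or of
# the sdlc tool; the helper names and sample reports are constructed here.

# Count real findings under "## Critical Findings" and "## High Findings".
# A bullet reading "- None", "- N/A" or the template placeholder "- [Finding"
# does not count. Medium/Low sections are ignored on purpose: only critical
# and high findings block a pass.
count_open_findings() {
  awk '
    /^## / { in_section = ($0 == "## Critical Findings" || $0 == "## High Findings") }
    in_section && /^- / { if ($0 !~ /^- (None|N\/A|\[Finding)/) n++ }
    END { print n + 0 }
  ' "$1"
}

# pass or needs-fix, the two states step 7 sets on the audit artifact.
audit_status() {
  if [ "$(count_open_findings "$1")" -eq 0 ]; then echo pass; else echo needs-fix; fi
}

# The Summary section must say PASS when the status is pass and
# NEEDS_REMEDIATION otherwise; a report that disagrees with itself
# should be fixed before any sdlc status is set.
summary_consistent() {
  if [ "$(audit_status "$1")" = pass ]; then want=PASS; else want=NEEDS_REMEDIATION; fi
  awk -v want="$want" '
    /^## / { in_summary = ($0 == "## Summary"); next }
    in_summary && index($0, want) { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Print (do not run) the sdlc command for a feature slug and its audit file.
status_command() {
  printf 'sdlc artifact %s %s audit\n' "$(audit_status "$2")" "$1"
}

# Constructed report in the audit.md layout from step 6.
# make_report <file> <summary> <critical bullet> <high bullet>
make_report() {
  cat > "$1" <<EOF
# Security Audit: Example feature

## Summary
$2

## Static Analysis Results
go vet and golangci-lint: clean

## OWASP Assessment
| Category | Status | Notes |
|----------|--------|-------|
| Injection | PASS | placeholders used throughout |

## Critical Findings
- $3

## High Findings
- $4

## Medium/Low Findings
- Request IDs logged at INFO level

## Recommendations
1. Address the items above in severity order
EOF
}

# Demo: a report with one critical finding yields the needs-fix command.
demo_dir=$(mktemp -d)
make_report "$demo_dir/audit.md" NEEDS_REMEDIATION "SQL built with fmt.Sprintf in getUser (injection)" None
status_command my-feature "$demo_dir/audit.md"
summary_consistent "$demo_dir/audit.md" && echo "summary agrees with findings"
rm -rf "$demo_dir"
```

In the real flow the printed line is what gets executed after `sdlc artifact create`; running `summary_consistent` first catches the case where the Summary was written as PASS and a critical finding was added later without updating it.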

## Critical Rules

  • NEVER skip OWASP checks, even if the feature seems low-risk
  • ALWAYS check for hardcoded secrets, tokens, and credentials
  • ALWAYS verify authentication and authorization boundaries
  • NEVER mark an audit as passed if it has unresolved critical or high findings
  • ALWAYS run static analysis tools before manual review
  • ALWAYS set the artifact status (pass or needs-fix) after writing the audit