---
description: Perform a security and quality audit of a feature
argument-hint:
allowed-tools: Bash, Read, Glob, Grep, Write
---

Audit feature: $ARGUMENTS

## Instructions

### 1. Load Feature Context

```bash
sdlc feature show $ARGUMENTS --json
```

Read the spec and design to understand the feature's security surface:

- `.sdlc/features/$ARGUMENTS/spec.md`
- `.sdlc/features/$ARGUMENTS/design.md`

### 2. Run Static Analysis

```bash
go vet ./... 2>/dev/null || true
golangci-lint run ./... 2>/dev/null || true
```

Capture any warnings or errors related to the feature files.

### 3. OWASP Top 10 Check

For each applicable category, search the feature code:

| Category | What to Check |
|----------|--------------|
| **Injection** | SQL queries, command execution, template rendering |
| **Broken Auth** | Token handling, session management, credential storage |
| **Sensitive Data** | Secrets in code, logging PII, unencrypted storage |
| **XXE / Deserialization** | XML parsing, JSON unmarshaling of untrusted input |
| **Broken Access Control** | Authorization checks, resource ownership validation |
| **Misconfiguration** | Default credentials, debug modes, permissive CORS |
| **XSS** | User input rendered without escaping |
| **Insecure Components** | Known vulnerable dependencies |
| **Logging Gaps** | Missing audit logs, excessive debug logging |
| **SSRF** | User-controlled URLs, internal network access |

### 4. Verify Auth Boundaries

- Every endpoint has authentication
- Authorization checks match the resource being accessed
- No privilege escalation paths

### 5. Check for Hardcoded Secrets

```bash
grep -rn "password\|secret\|token\|api_key\|apikey" --include="*.go" [feature files]
```

### 6. Write Audit Report

Write to `.sdlc/features/$ARGUMENTS/audit.md`:

```markdown
# Security Audit: [Feature Title]

## Summary
[Overall assessment: PASS / NEEDS_REMEDIATION]

## Static Analysis Results
[Findings from vet/lint]

## OWASP Assessment
| Category | Status | Notes |
|----------|--------|-------|
| Injection | PASS/FAIL | [details] |
| ... | ... | ... |

## Critical Findings
- [Finding with severity and remediation guidance]

## High Findings
- [Finding]

## Medium/Low Findings
- [Finding]

## Recommendations
[Ordered list of actions to take]
```

### 7. Register and Evaluate the Artifact

Create the artifact:

```bash
sdlc artifact create $ARGUMENTS audit
```

Then evaluate the audit results and set the appropriate status:

- If the audit has **no critical or high findings**: mark as passed

  ```bash
  sdlc artifact pass $ARGUMENTS audit
  ```

- If the audit has **critical or high findings**: mark as needs-fix

  ```bash
  sdlc artifact needs-fix $ARGUMENTS audit
  ```

This status drives the SDLC classifier to either advance to QA or trigger remediate-audit.

## Critical Rules

- NEVER skip OWASP checks -- even if the feature seems low-risk
- ALWAYS check for hardcoded secrets, tokens, and credentials
- ALWAYS verify authentication and authorization boundaries
- NEVER mark an audit as passed if it has unresolved critical or high findings
- ALWAYS run static analysis tools before manual review
- ALWAYS set the artifact status (pass or needs-fix) after writing the audit
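The step-5 secret grep and the step-7 pass/needs-fix rule, as an added shell example that is not part of this command file or the sdlc tool. It assumes the feature files are passed as arguments, skips `_test.go` fixtures, uses the step-5 keyword list in case-insensitive ERE form so camelCase names such as `apiKey` are also caught, and scans a constructed sample instead of calling `sdlc`.

```shell
#!/bin/sh
# Added example, not part of the original command file: step 5's secret grep
# and step 7's pass/needs-fix rule as shell functions. The sdlc CLI is not
# called here; the Go files below are constructed samples in a temp dir.

# Step-5 keyword list as a POSIX ERE (the original uses GNU "\|" alternation).
SECRET_PATTERN='password|secret|token|api_key|apikey'

# Print file:line:text matches for the given Go files.
# Test files are skipped so fixtures do not inflate the finding count.
scan_secrets() {
    for f in "$@"; do
        case "$f" in *_test.go) continue ;; esac
        grep -n -i -E "$SECRET_PATTERN" "$f" 2>/dev/null || true
    done
}

# Number of candidate hardcoded-secret lines across the given files.
count_secret_hits() {
    scan_secrets "$@" | wc -l | tr -d ' '
}

# Step-7 rule: pass only when there are no critical and no high findings.
# Usage: audit_status <critical-count> <high-count>   -> prints pass|needs-fix
audit_status() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo pass
    else
        echo needs-fix
    fi
}

# Constructed sample feature files (placeholder values, not real credentials).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/client.go" <<'EOF'
package client

const apiKey = "sk-live-EXAMPLE-PLACEHOLDER" // hardcoded credential
var retries = 3

func Token() string { return "tok_EXAMPLE" }
EOF
cat > "$SAMPLE_DIR/client_test.go" <<'EOF'
package client

const testPassword = "fixture-only"
EOF

hits=$(count_secret_hits "$SAMPLE_DIR"/*.go)
echo "secret candidates: $hits"                 # 2 (client_test.go skipped)
echo "status: $(audit_status "$hits" 0)"        # needs-fix
```

Each grep hit still needs manual triage before it is recorded as a critical or high finding in audit.md; the count here only drives the demonstration of the status rule.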