slack5-1770606136/.claude/commands/audit-feature.md
jordan 6a692ff795
Initialize project from skeleton template
2026-02-09 03:02:16 +00:00


---
description: Perform a security and quality audit of a feature
argument-hint: <feature-slug>
allowed-tools: Bash, Read, Glob, Grep, Write
---
Audit feature: $ARGUMENTS
## Instructions
### 1. Load Feature Context
```bash
sdlc feature show $ARGUMENTS --json
```
Read the spec and design to understand the feature security surface:
- `.sdlc/features/$ARGUMENTS/spec.md`
- `.sdlc/features/$ARGUMENTS/design.md`
### 2. Run Static Analysis
```bash
go vet ./... 2>&1 || true
golangci-lint run ./... 2>&1 || true
```
`go vet` writes its findings to stderr, so merge it into the captured output rather than sending it to `/dev/null`; `|| true` only keeps a non-zero exit from aborting the step. Record every warning or error that touches the feature's files.
### 3. OWASP Top 10 Check
For each applicable category, search the feature code:
| Category | What to Check |
|----------|--------------|
| **Injection** | SQL queries, command execution, template rendering |
| **Broken Auth** | Token handling, session management, credential storage |
| **Sensitive Data** | Secrets in code, logging PII, unencrypted storage |
| **XXE / Deserialization** | XML parsing with external entities enabled, JSON or gob decoding of untrusted input with no size or depth limit |
| **Broken Access Control** | Authorization checks, resource ownership validation |
| **Misconfiguration** | Default credentials, debug modes, permissive CORS |
| **XSS** | User input rendered without escaping |
| **Insecure Components** | Known vulnerable dependencies (`govulncheck ./...` reports only the vulnerable functions the code actually reaches) |
| **Logging Gaps** | Missing audit logs for authentication and authorization decisions, secrets or PII in debug logging |
| **SSRF** | User-controlled URLs fetched server-side, reachability of internal or cloud-metadata addresses |
### 4. Verify Auth Boundaries
- Every endpoint has authentication: no route serves a request without a validated identity
- Authorization checks match the resource being accessed: ownership or role is checked against the specific object, not just the fact that the caller is logged in
- No privilege escalation paths: changing an ID, parameter or role field in the request must not reach another user's or an admin's resources
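The three checks above are easiest to see on a handler that passes the first and fails the second. The following Go program is an added example, not code from the skeleton or the `sdlc` tool: `VulnerableHandler` authenticates every request but never compares the caller to the owner of the invoice it returns, so any logged-in user can read any invoice by changing the ID; `HardenedHandler` adds the ownership check. The invoice and token maps, the `/invoices/{id}` route and the `Probe` helper are assumptions made for the example; the probe matrix it runs (anonymous, owner and non-owner against each resource) is the check to repeat for every endpoint during the audit.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// invoice is a constructed resource that has an owner; the map stands in for the database.
type invoice struct{ Owner, Body string }

var invoices = map[string]invoice{ // constructed sample data
	"inv-1": {Owner: "alice", Body: "invoice 1 (alice)"},
	"inv-2": {Owner: "bob", Body: "invoice 2 (bob)"},
}

// tokens maps bearer tokens to user IDs. Assumption: a stand-in for real session validation.
var tokens = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}

// authenticate resolves the bearer token to a user ID; "" means unauthenticated.
func authenticate(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return ""
	}
	return tokens[strings.TrimPrefix(h, "Bearer ")]
}

// VulnerableHandler passes the first check (the endpoint is authenticated) but fails
// the second: it never compares the caller to the invoice owner, so any logged-in
// user can read any invoice by guessing its ID.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if authenticate(r) == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	id := strings.TrimPrefix(r.URL.Path, "/invoices/")
	inv, ok := invoices[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, inv.Body)
}

// HardenedHandler checks ownership against the object being returned. A foreign
// invoice gets the same 404 as a missing one, so the response does not reveal
// which IDs exist.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	user := authenticate(r)
	if user == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	id := strings.TrimPrefix(r.URL.Path, "/invoices/")
	inv, ok := invoices[id]
	if !ok || inv.Owner != user {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, inv.Body)
}

// Probe sends GET /invoices/{id} with the given bearer token ("" for none) and returns
// the status code. Running it as each user against each resource is the audit check.
func Probe(h http.HandlerFunc, token, id string) int {
	req := httptest.NewRequest(http.MethodGet, "/invoices/"+id, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	for _, h := range []struct {
		name string
		fn   http.HandlerFunc
	}{{"vulnerable", VulnerableHandler}, {"hardened", HardenedHandler}} {
		fmt.Printf("%-10s anonymous->inv-1: %d  alice->inv-1: %d  alice->inv-2: %d\n", h.name,
			Probe(h.fn, "", "inv-1"), Probe(h.fn, "tok-alice", "inv-1"), Probe(h.fn, "tok-alice", "inv-2"))
	}
}
```

The vulnerable row prints `401 200 200`: authentication is present, yet alice reads bob's invoice. The hardened row prints `401 200 404`. Returning 404 rather than 403 for a foreign object keeps the response from confirming which IDs exist; record whichever convention the feature uses and check that it is applied consistently across its endpoints.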
### 5. Check for Hardcoded Secrets
```bash
grep -rniE "password|secret|token|api_?key" --include="*.go" [feature files]
```
`-i` matters: `apiKey`, `API_KEY` and `Password` would otherwise slip past. A hit on a name is not a finding by itself; look at what is bound to it. A string literal is a finding, a value read from the environment or a secrets manager is not. Give the feature's config and fixture files (YAML, JSON, `.env`) the same search, since `--include="*.go"` skips them.
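The Injection row of step 3 and the secret search of step 5 are both searches over the feature's Go source, and a grep cannot tell a variable named `token` from a literal assigned to it, nor a fixed SQL string from one assembled at runtime. The following Go program is an added example, not part of the skeleton or the `sdlc` tool: it walks the source with the standard `go/ast` package and reports (a) secret-looking names bound to a non-empty string literal and (b) `database/sql` calls whose SQL text comes from `fmt.Sprintf` or `+`, directly or through a local variable bound earlier in the file. The `sample` source, the rule names and the name-based (scope-insensitive) tracking of runtime-built strings are assumptions made for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Finding is one audit hit: the rule that fired, a short note and the source line.
type Finding struct{ Rule, Note string; Line int }

var (
	// secretName is the page's grep pattern, applied to identifier names case-insensitively.
	secretName = regexp.MustCompile(`(?i)password|secret|token|api_?key`)
	// sqlMethods maps database/sql methods to the index of their SQL argument (the *Context variants take ctx first).
	sqlMethods = map[string]int{"Query": 0, "QueryRow": 0, "Exec": 0, "QueryContext": 1, "QueryRowContext": 1, "ExecContext": 1}
)

// AuditSource parses one Go file and reports secret-looking names bound to a non-empty string
// literal, and database/sql calls whose SQL text is built from fmt.Sprint* or string concatenation.
func AuditSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	dynamic := map[string]bool{} // names bound to runtime-built strings (assumption: tracked by name, not by scope)
	checkBinding := func(name *ast.Ident, rhs ast.Expr) { // one name = expr pair from a spec or an assignment
		if isDynamicString(rhs, dynamic) {
			dynamic[name.Name] = true
		}
		lit, ok := rhs.(*ast.BasicLit)
		if !ok || lit.Kind != token.STRING || !secretName.MatchString(name.Name) || strings.Trim(lit.Value, "`\"") == "" {
			return // not a string literal, not a secret-looking name, or an empty default
		}
		out = append(out, Finding{"hardcoded-secret", name.Name + " = " + lit.Value, fset.Position(lit.Pos()).Line})
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.ValueSpec: // const and var declarations
			for i, id := range x.Names {
				if i < len(x.Values) {
					checkBinding(id, x.Values[i])
				}
			}
		case *ast.AssignStmt: // := and = statements
			for i, lhs := range x.Lhs {
				if id, ok := lhs.(*ast.Ident); ok && i < len(x.Rhs) {
					checkBinding(id, x.Rhs[i])
				}
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			if idx, isSQL := sqlMethods[sel.Sel.Name]; isSQL && len(x.Args) > idx && isDynamicString(x.Args[idx], dynamic) {
				out = append(out, Finding{"sql-injection", sel.Sel.Name + " called with runtime-built SQL", fset.Position(x.Pos()).Line})
			}
		}
		return true
	})
	return out, nil
}

// isDynamicString reports whether e is fmt.Sprint*(...), a + expression, or a name already bound to one of those.
func isDynamicString(e ast.Expr, dynamic map[string]bool) bool {
	switch v := e.(type) {
	case *ast.CallExpr:
		if s, ok := v.Fun.(*ast.SelectorExpr); ok {
			pkg, isIdent := s.X.(*ast.Ident)
			return isIdent && pkg.Name == "fmt" && strings.HasPrefix(s.Sel.Name, "Sprint")
		}
	case *ast.BinaryExpr:
		return v.Op == token.ADD
	case *ast.Ident:
		return dynamic[v.Name]
	}
	return false
}

// sample is a constructed feature file (it is parsed, not compiled) with three planted findings.
const sample = `package feature
import ("database/sql"; "fmt"; "os")
const apiKey = "hunter2-not-a-real-key" // finding: hardcoded-secret (line 3)
func lookup(db *sql.DB, user string) (*sql.Rows, error) {
	token, password := os.Getenv("SERVICE_TOKEN"), "" // clean: read from the environment, empty default
	q := fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", user)
	if _, err := db.Query(q); err != nil { // finding: sql-injection, q was built by Sprintf (line 7)
		return nil, err
	}
	db.Exec("DELETE FROM sessions WHERE user = '" + user + "'") // finding: sql-injection (line 10)
	return db.Query("SELECT * FROM users WHERE name = $1", user) // clean: parameterised
}
`

func main() {
	findings, _ := AuditSource("sample.go", sample) // the constructed sample always parses
	fmt.Printf("%+v\n", findings)
}
```

Run it over each file listed in the feature's design, and carry the `hardcoded-secret` and `sql-injection` rows into the report's OWASP table. The checker is deliberately narrow: a SQL string that reaches the call through a struct field, a function return or another package is not followed, so treat a clean run as input to the manual review rather than as a PASS on its own.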
### 6. Write Audit Report
Write to `.sdlc/features/$ARGUMENTS/audit.md`:
```markdown
# Security Audit: [Feature Title]
## Summary
[Overall assessment: PASS / NEEDS_REMEDIATION]
## Static Analysis Results
[Findings from vet/lint]
## OWASP Assessment
| Category | Status | Notes |
|----------|--------|-------|
| Injection | PASS/FAIL | [details] |
| ... | ... | ... |
## Critical Findings
- [Finding with severity and remediation guidance]
## High Findings
- [Finding]
## Medium/Low Findings
- [Finding]
## Recommendations
[Ordered list of actions to take]
```
### 7. Register and Evaluate the Artifact
Create the artifact:
```bash
sdlc artifact create $ARGUMENTS audit
```
Then evaluate the audit results and set the appropriate status:
- If the audit has **no critical or high findings**: mark as passed
```bash
sdlc artifact pass $ARGUMENTS audit
```
- If the audit has **critical or high findings**: mark as needs-fix
```bash
sdlc artifact needs-fix $ARGUMENTS audit
```
This status drives the SDLC classifier to either advance the feature to QA or trigger `remediate-audit`.
## Critical Rules
- NEVER skip OWASP checks -- even if the feature seems low-risk
- ALWAYS check for hardcoded secrets, tokens, and credentials
- ALWAYS verify authentication and authorization boundaries
- NEVER mark an audit as passed if it has unresolved critical or high findings
- ALWAYS run static analysis tools before manual review
- ALWAYS set the artifact status (pass or needs-fix) after writing the audit