---
name: security-audit
description: Comprehensive security audit of a repository. Scans for common vulnerabilities across auth, data, API routes, dependencies, and AI integration. Returns a categorized report with severity and fixes.
user-invocable: true
---

# /security-audit

Comprehensive security audit of the current repository. Scans for vulnerabilities across authentication, data handling, API routes, dependencies, and AI integration. Returns a categorized report with severity levels and fix guidance.

## Usage

```
/security-audit
/security-audit fix
```

- `/security-audit` — scan and report only
- `/security-audit fix` — scan, report, and fix critical and high issues

## When to Activate

- User says `/security-audit`
- User is preparing for launch and wants a security check
- User asks "is this secure?" or "check for vulnerabilities"

## Process

### Phase 1: Dependency Scan

1. Check for known vulnerabilities in dependencies (`npm audit`, etc.)
2. Flag outdated packages with security patches available
3. Check for unnecessary dependencies that expand attack surface

### Phase 2: Authentication & Authorization

Scan for:

- Hardcoded credentials or API keys
- Missing auth on protected routes
- Insecure session management
- Missing CSRF protection
- Weak password policies

### Phase 3: Data Handling

Check for:

- SQL injection vulnerabilities
- XSS (cross-site scripting) vectors
- Unvalidated user input
- Sensitive data in logs or error messages
- Missing input sanitization
- Insecure data storage (localStorage for tokens, etc.)

### Phase 4: API Security

Review:

- Missing rate limiting
- Exposed internal endpoints
- CORS misconfiguration
- Missing request validation
- Information leakage in error responses

### Phase 5: AI Integration

If the project uses AI/LLM APIs:

- Prompt injection vulnerabilities
- API key exposure
- Missing output sanitization
- Cost control (rate limits, token caps)
- Data privacy in prompts

### Phase 6: Infrastructure

Check:

- Environment variable handling
- `.env` files in version control
- HTTPS enforcement
- Security headers (CSP, HSTS, etc.)
- File upload validation

## Output

A categorized security report:

| Severity | Category | Issue | Location | Fix |
|----------|----------|-------|----------|-----|
| Critical | Auth | Hardcoded API key | `.env` committed | Add to `.gitignore`, rotate key |
| High | Data | XSS in user input | `components/Form.tsx:45` | Sanitize with DOMPurify |
| Medium | API | Missing rate limit | `api/submit/route.ts` | Add rate limiting middleware |
| Low | Deps | Outdated package | `package.json` | Update `next` to latest |

With `/security-audit fix`, critical and high issues are patched automatically.
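As an added example (not part of this skill file or any project's code), a minimal Node.js scanner that implements a handful of the Phase 2, 3 and 6 checks above and renders the report table in the format shown; the detection patterns and the sample repository contents are constructed for illustration and are far from exhaustive.

```javascript
// Added example (not the skill's own code): a small scanner for a few checks above,
// emitting /security-audit report rows. Patterns and inputs are constructed samples.
const SEVERITY_RANK = { Critical: 0, High: 1, Medium: 2, Low: 3 };
const LINE_CHECKS = [
  { severity: 'Critical', category: 'Auth', issue: 'Hardcoded API key',
    re: /(api[_-]?key|secret|token)\s*[:=]\s*['"][A-Za-z0-9_-]{16,}['"]/i,
    fix: 'Move to environment variable, rotate key' },
  { severity: 'High', category: 'Data', issue: 'Unsanitized HTML injection',
    re: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?!DOMPurify)/,
    fix: 'Sanitize with DOMPurify' },
  { severity: 'High', category: 'Data', issue: 'Token stored in localStorage',
    re: /localStorage\.setItem\(\s*['"][^'"]*token[^'"]*['"]/i,
    fix: 'Keep session token in an httpOnly cookie' },
];
// Phase 2/3 checks: match each source line against the patterns above.
function scanFile(path, contents) {
  const findings = [];
  contents.split('\n').forEach((line, idx) => {
    for (const c of LINE_CHECKS) {
      if (c.re.test(line)) findings.push({ severity: c.severity, category: c.category,
        issue: c.issue, location: `${path}:${idx + 1}`, fix: c.fix });
    }
  });
  return findings;
}
// Phase 6 check: .env files tracked by version control (.env.example is fine).
function scanTrackedPaths(trackedPaths) {
  return trackedPaths
    .filter((p) => /(^|\/)\.env(\.[^/]+)?$/.test(p) && !/\.example$/.test(p))
    .map((p) => ({ severity: 'Critical', category: 'Infra', issue: '.env committed',
      location: p, fix: 'Add to .gitignore, purge from history, rotate secrets' }));
}
// Run all checks and order findings by severity for the report table.
function runAudit(files, trackedPaths) {
  const findings = scanTrackedPaths(trackedPaths);
  for (const [path, text] of Object.entries(files)) findings.push(...scanFile(path, text));
  return findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}
function renderReport(findings) {
  const rows = findings.map((f) => `| ${f.severity} | ${f.category} | ${f.issue} | \`${f.location}\` | ${f.fix} |`);
  return ['| Severity | Category | Issue | Location | Fix |', '|---|---|---|---|---|', ...rows].join('\n');
}
// Constructed sample repository: three source files plus the git-tracked path list.
const SAMPLE_FILES = {
  'lib/openai.ts': "const client = new OpenAI({ apiKey: 'sk-example-ABCDEFGHIJKLMNOPQRSTUV' });",
  'components/Form.tsx': 'return <div dangerouslySetInnerHTML={{ __html: userInput }} />;',
  'lib/auth.ts': "localStorage.setItem('auth_token', token);",
};
const SAMPLE_TRACKED = ['package.json', '.env.local', '.env.example', 'lib/auth.ts'];
console.log(renderReport(runAudit(SAMPLE_FILES, SAMPLE_TRACKED)));
```

In a real run, `files` would come from walking the repository and `trackedPaths` from `git ls-files`; the patterns here are deliberately narrow, so treat them as a starting point rather than a complete rule set.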
