renolation/english
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
renolation
2026-04-12 01:06:31 +07:00
commit 10d660cbcb
1066 changed files with 228596 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
.opencode/skills/ck-security/SKILL.md Normal file
View File

@@ -0,0 +1,144 @@
---
name: ck:security
description: "STRIDE + OWASP-based security audit with optional auto-fix. Scans code for vulnerabilities, categorizes by severity, and can iteratively fix findings using ck:autoresearch pattern."
argument-hint: "<scope glob or 'full'> [--fix] [--iterations N]"
metadata:
author: claudekit
attribution: "Security audit pattern adapted from autoresearch by Udit Goenka (MIT)"
license: MIT
version: "1.0.0"
---
# ck:security — Security Audit
Runs a structured STRIDE + OWASP security audit on a given scope. Produces a severity-ranked findings report. With `--fix`, applies fixes iteratively using the ck:autoresearch guard pattern.
## When to Use
- Before a release or major deployment
- After adding auth, payment, or data-handling features
- Periodic security review (monthly/quarterly)
- Compliance check (SOC 2, GDPR, PCI-DSS prep)
## When NOT to Use
- Purely cosmetic changes (CSS, copy edits)
- No user-facing code or data handling involved
---
## Modes
| Mode | Invocation | Behavior |
|------|-----------|----------|
| Audit only | `/ck:security <scope>` | Scan → categorize → report |
| Audit + Fix | `/ck:security <scope> --fix` | Scan → categorize → fix iteratively |
| Bounded fix | `/ck:security <scope> --fix --iterations N` | Limit fix iterations to N |
---
## Audit Methodology
### 1. Scope Resolution
Expand the provided glob or `full` keyword into a file list. Read all in-scope files before analysis.
### 2. STRIDE Analysis
Evaluate each threat category systematically:
- **S**poofing — identity/authentication weaknesses
- **T**ampering — input validation, integrity controls
- **R**epudiation — audit logging gaps
- **I**nformation Disclosure — data leakage, secret exposure
- **D**enial of Service — rate limits, resource exhaustion
- **E**levation of Privilege — broken access control, RBAC gaps
### 3. OWASP Top 10 Check
Map findings to OWASP categories (A01A10). See `references/stride-owasp-checklist.md` for per-category checks.
### 4. Dependency Audit
Run the appropriate package audit tool for the detected stack:
- Node.js: `npm audit`
- Python: `pip-audit`
- Go: `govulncheck`
- Ruby: `bundle audit`
### 5. Secret Detection
Scan for hardcoded API keys, passwords, tokens, and private keys using regex patterns. See `references/stride-owasp-checklist.md` → Secret Patterns.
### 6. Finding Categorization
Assign each finding a severity level (see Severity Definitions below).
---
## Output Format
```
## Security Audit Report
### Summary
- Files scanned: N
- Findings: X critical, Y high, Z medium, W low, V info
### Findings
| # | Severity | Category | File:Line | Description | Fix Recommendation |
|---|----------|----------|-----------|-------------|-------------------|
| 1 | Critical | Injection | api/users.ts:45 | SQL string concatenation | Use parameterized queries |
| 2 | High | Auth | auth/login.ts:12 | No rate limiting | Add express-rate-limit |
```
---
## Fix Mode (--fix)
When `--fix` is provided, apply fixes iteratively after the audit:
1. Sort all findings by severity (Critical → High → Medium → Low)
2. For each finding:
a. Apply one targeted fix
b. Run guard (tests or lint) to verify no regression
c. Commit: `security(fix-N): <short description>`
d. Advance to next finding
3. Stop early if guard fails — report the failure instead of proceeding
4. Uses `ck:autoresearch` guard pattern for regression prevention
> Tip: Use `--iterations N` to cap total fix iterations when scope is large.
---
## Severity Definitions
| Severity | Description | Fix Priority |
|----------|-------------|-------------|
| Critical | Exploitable now, data breach or RCE risk | Immediate — block release |
| High | Exploitable with moderate effort, significant impact | This sprint |
| Medium | Limited exploitability or impact | Next sprint |
| Low | Theoretical risk, defense-in-depth improvement | Backlog |
| Info | Best practice suggestion, no direct risk | Optional |
---
## Integration with Other Skills
- Run after `ck:predict` when the security persona flags concerns
- Feed Critical/High findings into `ck:autoresearch --fix` for automated remediation
- Use `ck:scenario` with `--focus authorization` for deeper auth flow testing
- Pair with `ck:plan` to schedule Medium/Low findings as sprint tasks
---
## Example Invocations
```bash
# Audit API layer only
/ck:security src/api/**/*.ts
# Audit entire src/ and auto-fix, max 15 iterations
/ck:security src/ --fix --iterations 15
# Full codebase audit (no fix)
/ck:security full
```
---
See `references/stride-owasp-checklist.md` for the detailed per-category checklist and secret detection regex patterns.

128
.opencode/skills/ck-security/references/stride-owasp-checklist.md Normal file
View File

@@ -0,0 +1,128 @@
# STRIDE + OWASP Security Checklist
Reference checklist for `ck:security` audits. Use during Step 2 (STRIDE Analysis) and Step 3 (OWASP Top 10 Check).
---
## STRIDE Checklist
### Spoofing (Authentication)
- [ ] All endpoints require authentication (unless intentionally public)
- [ ] Passwords hashed with bcrypt/argon2 — not MD5 or SHA1
- [ ] JWT tokens have expiration (`exp`) and are validated server-side
- [ ] Session management uses `Secure`, `HttpOnly`, `SameSite` cookie flags
- [ ] Multi-factor auth available for sensitive operations
- [ ] OAuth/OIDC flows use `state` parameter to prevent CSRF
- [ ] Default credentials removed from all services and dependencies
### Tampering (Integrity)
- [ ] Input validation on all user-supplied data (type, length, format)
- [ ] Parameterized queries used — no string concatenation for SQL/NoSQL
- [ ] CSRF tokens present on all state-changing forms
- [ ] Request signing for API-to-API calls (HMAC or mTLS)
- [ ] File uploads validated for type (magic bytes), size, and content
- [ ] Deserialization of untrusted data avoided or sandboxed
- [ ] HTTP methods restricted per endpoint (no GET for mutations)
### Repudiation (Logging)
- [ ] Authentication events logged: login, logout, failures
- [ ] Authorization failures logged with user/resource context
- [ ] Data modification events logged with actor and timestamp
- [ ] Logs do not contain sensitive data (passwords, tokens, PII)
- [ ] Log integrity protected — append-only storage or centralized sink
- [ ] Logs retained per compliance requirements (90 days minimum)
### Information Disclosure
- [ ] Error messages do not leak stack traces in production
- [ ] API responses exclude internal IDs, system paths, or version strings
- [ ] Sensitive data encrypted at rest (AES-256 or equivalent)
- [ ] All transport uses TLS 1.2+ — no HTTP for sensitive endpoints
- [ ] No hardcoded secrets in source code (see Secret Patterns below)
- [ ] `.env` files and credential files listed in `.gitignore`
- [ ] API responses filtered to minimum necessary fields (no over-fetching)
### Denial of Service
- [ ] Rate limiting on authentication and sensitive endpoints
- [ ] Request body size limits configured at server/gateway level
- [ ] Pagination enforced on all list endpoints (no unbounded queries)
- [ ] Timeouts set on all external API and database calls
- [ ] Connection pools sized and cleaned up properly
- [ ] Regex patterns reviewed for catastrophic backtracking (ReDoS)
- [ ] Background jobs have concurrency limits and dead-letter queues
### Elevation of Privilege
- [ ] Role-based access control (RBAC) enforced server-side, not client-side
- [ ] Horizontal privilege checks: user A cannot access user B's resources (IDOR)
- [ ] Admin endpoints have separate, stricter auth middleware
- [ ] Privilege escalation paths require re-authentication
- [ ] Service accounts use principle of least privilege
- [ ] Third-party integrations scoped to minimum required permissions
---
## OWASP Top 10 Quick Reference
| # | Category | What to Check |
|---|----------|---------------|
| A01 | Broken Access Control | Missing auth checks, IDOR vulnerabilities, CORS misconfiguration, path traversal |
| A02 | Cryptographic Failures | Weak hashing (MD5/SHA1), plaintext storage, missing TLS, weak cipher suites |
| A03 | Injection | SQL, NoSQL, OS command, LDAP, template injection via unsanitized input |
| A04 | Insecure Design | Missing threat model, business logic flaws, no abuse-case testing |
| A05 | Security Misconfiguration | Default credentials, verbose error pages, unnecessary features/ports enabled |
| A06 | Vulnerable Components | Outdated dependencies, known CVEs, unpatched libraries |
| A07 | Auth Failures | Brute force possible, credential stuffing, session fixation, weak tokens |
| A08 | Data Integrity Failures | Unsigned updates, unverified deserialization, CI/CD pipeline compromise |
| A09 | Logging Failures | Missing security event logs, no alerting, insufficient monitoring coverage |
| A10 | SSRF | Unvalidated user-supplied URLs, internal service access via fetch/curl |
---
## Secret Patterns to Detect
Scan source files for the following regex patterns. Any match is a Critical finding.
```regex
# Generic API keys
(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][A-Za-z0-9\-_]{20,}['"]
# AWS access key IDs
AKIA[0-9A-Z]{16}
# AWS secret access keys
(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"][A-Za-z0-9/+]{40}['"]
# JSON Web Tokens
eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
# Generic passwords in config/code
(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]
# Private keys (PEM format)
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
# GitHub personal access tokens
ghp_[A-Za-z0-9]{36}
# Stripe secret keys
sk_(live|test)_[A-Za-z0-9]{24,}
# Generic bearer tokens
(?i)bearer\s+[A-Za-z0-9\-._~+/]{20,}
```
> False positive reduction: skip matches inside `*.test.*`, `*.spec.*`, `*.example`, and `*.md` files when the value is clearly a placeholder (e.g., `YOUR_KEY_HERE`, `<your-token>`).
---
## Dependency Audit Commands
Run the appropriate command for the detected stack and include output in the findings report:
| Stack | Command |
|-------|---------|
| Node.js | `npm audit --json` |
| Python | `pip-audit --format json` |
| Go | `govulncheck ./...` |
| Ruby | `bundle audit check --update` |
| Java/Maven | `mvn dependency-check:check` |
| Rust | `cargo audit` |