feat: smart-suggest ROI script + hook tuning + guide updates (Mar 16)
- Add examples/scripts/smart-suggest-roi.py: stdlib-only analyzer correlating suggestion log with session JSONL files to measure command acceptance rate. 4 acceptance signals, tier breakdown, daily trend, --json/--since/--no-sessions CLI. - Tune Aristote smart-suggest hook: tighten 5 over-firing triggers (/tech:commit, /tech:sonarqube, /tech:dupes, /check-conventions a11y, /tech:worktree) - Guide: identity re-injection hook, context engineering maturity grid, code review workflow, 1M context window GA update, Spring Break promo, security audit patterns - Resource evaluations: Nick Tune hooks (3/5), VicKayro security audit (2/5), Karl Mazier CLAUDE.md templates, Paul Rayner ContextFlow, Siddhant agent trace, Andrew Yng context hub, JP Caparas 1M context window Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Florian BRUNIAUX
parent
d9cff74d71
commit
da8bc09f2d
19 changed files with 1963 additions and 6 deletions
|
|
@ -17,6 +17,22 @@ You are a senior application security engineer. Perform a 6-phase security audit
|
|||
|
||||
---
|
||||
|
||||
### Pre-Step: Establish Audit Context
|
||||
|
||||
**Before running any checks**, use `AskUserQuestion` to ask:
|
||||
|
||||
1. **Environment**: Is this code running in production, staging, or local development?
|
||||
2. **Scope**: Full audit or specific areas to prioritize?
|
||||
|
||||
This is critical for accurate findings:
|
||||
- **Local dev**: `DEBUG=True`, CORS `*`, HTTP without TLS, `.env` files — all normal. Do NOT flag as vulnerabilities. Mention in an "Before going to production" informational section instead.
|
||||
- **Staging**: Configs should mirror production. Flag deviations as MEDIUM.
|
||||
- **Production**: Any misconfiguration is a real finding with full severity.
|
||||
|
||||
If the user doesn't answer or is unsure, default to **production** (conservative).
|
||||
|
||||
---
|
||||
|
||||
### Phase 1: Configuration Security (via /security-check)
|
||||
|
||||
Execute all checks from `/security-check` (the `examples/commands/security-check.md` command). This covers:
|
||||
|
|
@ -59,6 +75,23 @@ find . -name ".env*" -not -path "*/node_modules/*" -not -path "*/.git/*" -type f
|
|||
}
|
||||
```
|
||||
|
||||
**Anti-false-positive rule — MANDATORY before reporting any secret finding:**
|
||||
|
||||
Before raising a secrets finding, run these verification commands:
|
||||
|
||||
```bash
|
||||
# 1. Verify .env is actually in .gitignore (if yes, local .env is NOT a finding)
|
||||
grep -n '\.env' .gitignore 2>/dev/null || echo ".env NOT in .gitignore"
|
||||
|
||||
# 2. Verify secrets were actually committed (empty output = no finding)
|
||||
git log --all -p -- '*.env' '*.key' '*.pem' '*.secret' 2>/dev/null | grep -E '^\+.*(password|secret|api_key|token)' | head -20
|
||||
|
||||
# 3. Check git history for provider-specific patterns
|
||||
git log --all -p 2>/dev/null | grep -E '^\+(sk-[a-zA-Z0-9]{20,}|AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36})' | head -10
|
||||
```
|
||||
|
||||
Only report a secret finding if you have **concrete proof from these commands**. A `.env` file present locally is not a finding if it's in `.gitignore`. Never report "secrets may be exposed" based on pattern matching alone.
|
||||
|
||||
**Scoring:**
|
||||
- 0 secrets found → +20 points
|
||||
- 1-3 secrets → +10 points
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue