claude-code-ultimate-guide/examples/commands/security.md
Florian BRUNIAUX a5f441bcea feat: add ecosystem positioning, install script & new commands
Ecosystem & Positioning:
- Add README section with competitive positioning (davila7, awesome-claude-code, wesammustafa)
- Add comparison table highlighting unique features (architecture, TDD/SDD, quiz, YAML index)
- Add ecosystem section to reference.yaml

Template Installation:
- Add scripts/install-templates.sh for one-liner template installation
- Support for agents, hooks, commands, skills, memory templates

New Commands:
- catchup, explain, optimize, refactor, security, ship

New Content:
- Semantic anchors catalog and documentation
- Extended guide content (+470 lines)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 08:42:33 +01:00


# Security Quick Audit
Rapid security assessment focused on OWASP Top 10 vulnerabilities.
## Purpose
Perform a quick security scan to identify common vulnerabilities:
- Hardcoded secrets and credentials
- SQL injection risks
- XSS vulnerabilities
- Insecure dependencies
- Authentication/authorization issues
## Instructions
### Step 1: Secrets Scan
```bash
# Common secret patterns
# Note: brace expansion only happens unquoted; a quoted "*.{js,ts}" is passed to grep as a
# literal glob that matches nothing, so the --include list must stay unquoted.
grep -rn --include=*.{js,ts,py,go,java,rb,php,env} \
  -E "(password|secret|api_key|apikey|token|auth|credential).*[=:].*['\"][^'\"]{8,}['\"]" \
  --exclude-dir={node_modules,vendor,.git,dist,build} . 2>/dev/null | head -20
# .env files that might be committed
find . -name ".env*" -not -path "*/node_modules/*" -type f 2>/dev/null
# Check if secrets are gitignored (also warns when there is no .gitignore at all)
[ -f ".gitignore" ] && grep -q "\.env" .gitignore && echo "✅ .env in .gitignore" || echo "⚠️ .env NOT in .gitignore"
```
### Step 2: Injection Vulnerabilities
```bash
# SQL injection patterns (raw queries built with string concatenation, f-strings or .format)
grep -rn --include=*.{js,ts,py,go,java,php} \
  -E "(query|execute|raw|sql).*\+.*\$|f['\"].*SELECT|\.format\(.*SELECT" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15
# Command injection patterns (process-spawning calls; review their arguments for user input)
grep -rn --include=*.{js,ts,py,go,rb,php} \
  -E "(exec|spawn|system|shell_exec|popen)\s*\(" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15
```
### Step 3: XSS Patterns
```bash
# Dangerous innerHTML/dangerouslySetInnerHTML usage
grep -rn --include=*.{js,ts,jsx,tsx,vue} \
  -E "(innerHTML|dangerouslySetInnerHTML|v-html)" \
  --exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -15
# Unescaped template literals in HTML context
# Single quotes keep \$ and the backtick literal; in double quotes the shell turns \$ into an
# end-of-line anchor and the pattern never matches.
grep -rn --include=*.{js,ts,jsx,tsx} \
  -E '`.*\$\{.*\}.*<' \
  --exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -10
```
### Step 4: Dependency Check
```bash
# Check for known vulnerabilities in npm packages
[ -f "package-lock.json" ] && npm audit --json 2>/dev/null | jq '{vulnerabilities: .metadata.vulnerabilities}' 2>/dev/null
# Check for outdated packages with security issues
[ -f "package.json" ] && npm outdated --json 2>/dev/null | jq 'to_entries | map(select(.value.current != .value.latest)) | length' 2>/dev/null
```
### Step 5: Auth & Session Issues
```bash
# Hardcoded JWT secrets
grep -rn --include=*.{js,ts,py,go} \
  -E "(jwt|JWT).*secret.*[=:].*['\"].{8,}['\"]" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null
# State-changing requests to review for CSRF protection (token header, SameSite cookies)
grep -rn --include=*.{js,ts,py} \
  -E "(POST|PUT|DELETE|PATCH).*fetch|axios\.(post|put|delete|patch)" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -10
```
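As an added, self-contained illustration (not part of this command or the repository), the following Python reimplements the heuristics of Steps 1-3 and 5 over constructed sample files, maps each hit to a row of the Severity Levels table, and renders the result in the Output Format below. The rule names, file paths and sample lines are all constructed for the example; each flagged line is paired with a safe variant to show what the heuristics should leave alone.

```python
import re
from collections import Counter

# Heuristics mirroring the grep patterns of Steps 1-3 and 5, each mapped to a Severity Levels row.
RULES = [
    ("hardcoded-secret", "critical",
     re.compile(r"(password|secret|api_key|apikey|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]", re.I)),
    ("sql-string-concat", "critical",
     re.compile(r"(query|execute|raw|sql).*\+|f['\"].*SELECT|\.format\(.*SELECT", re.I)),
    ("command-exec", "high", re.compile(r"\b(exec|spawn|system|shell_exec|popen)\s*\(")),
    ("html-sink", "high", re.compile(r"innerHTML|dangerouslySetInnerHTML|v-html")),
    ("unescaped-template", "high", re.compile(r"`.*\$\{.*\}.*<")),
    ("state-changing-request", "medium", re.compile(r"axios\.(post|put|delete|patch)")),
]

def scan(files):
    # files: {path: [line, ...]}; first matching rule wins, one finding per line
    findings = []
    for path, lines in files.items():
        for n, line in enumerate(lines, 1):
            for issue, severity, rx in RULES:
                if rx.search(line):
                    findings.append({"issue": issue, "severity": severity,
                                     "location": f"{path}:{n}", "text": line.strip()})
                    break
    return findings

def summary(findings):
    counts = Counter(f["severity"] for f in findings)
    return {lvl: counts[lvl] for lvl in ("critical", "high", "medium")}

def render_report(findings, scope="."):
    # Emit the report in the Output Format used by this command (one table per level)
    out = ["### 🛡️ Security Audit Report", f"**Scope**: {scope}"]
    for lvl, head in (("critical", "🔴 Critical Issues"), ("high", "🟠 High Severity"),
                      ("medium", "🟡 Medium Severity")):
        out += [f"### {head}", "| Issue | Location | Description |", "|-------|----------|-------------|"]
        out += [f"| {f['issue']} | {f['location']} | {f['text']} |"
                for f in findings if f["severity"] == lvl]
    out += ["### 📊 Summary"] + [f"- **{k.capitalize()}**: {v} issues" for k, v in summary(findings).items()]
    return "\n".join(out)

SAMPLE = {  # constructed sources: every flagged line sits next to a safe variant that must not fire
    "src/config.py": ['DB_PASSWORD = "hunter2hunter2"', 'password = os.environ["DB_PASSWORD"]'],
    "src/db.py": ['cur.execute("SELECT * FROM users WHERE id = " + uid)',
                  'cur.execute("SELECT * FROM users WHERE id = %s", (uid,))'],
    "src/view.js": ['el.innerHTML = "<b>" + name + "</b>";', 'el.textContent = name;',
                    'const html = `<div>${name}</div>`;', 'axios.post("/api/transfer", body);'],
}
```

Running `print(render_report(scan(SAMPLE), "src/"))` shows two critical, two high and one medium finding, while the environment lookup, the parameterized query and the `textContent` assignment stay clean.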
## Output Format
---
### 🛡️ Security Audit Report
**Scan Date**: [timestamp]
**Scope**: [directory scanned]
### 🔴 Critical Issues
| Issue | Location | Description |
|-------|----------|-------------|
| [type] | [file:line] | [brief description] |
### 🟠 High Severity
| Issue | Location | Recommendation |
|-------|----------|----------------|
| [type] | [file:line] | [fix suggestion] |
### 🟡 Medium Severity
| Issue | Location | Note |
|-------|----------|------|
| [type] | [file:line] | [context] |
### 📊 Summary
- **Critical**: X issues
- **High**: X issues
- **Medium**: X issues
- **Dependencies**: X vulnerabilities
### 🔧 Quick Fixes
1. [Highest priority fix with command/code]
2. [Second priority]
3. [Third priority]
---
## Severity Levels
| Level | Examples | Action |
|-------|----------|--------|
| 🔴 Critical | Hardcoded prod secrets, SQL injection | Fix immediately |
| 🟠 High | Missing auth, XSS vectors | Fix before deploy |
| 🟡 Medium | Outdated deps, missing CSRF | Plan remediation |
| 🟢 Low | Best practice violations | Track for improvement |
## Usage
**Full audit:**
```
/security
```
**Focus on specific area:**
```
/security auth
/security deps
/security injection
```
**Specific file/directory:**
```
/security src/api/
```
## Notes
- This is a quick heuristic scan, not a comprehensive security audit
- For production systems, complement with dedicated tools (Snyk, SonarQube, OWASP ZAP)
- False positives are possible - verify findings manually
- See `examples/hooks/security-hooks.sh` for automated pre-commit security checks
$ARGUMENTS