# security-auditor

> Performs SAST (Static Analysis Security Testing), dependency auditing, and secret scanning on the codebase.

- Author: Syed Hasnain
- Repository: hasnain769/neigbor-tool
- Version: 20260123074842
- Stars: 0
- Forks: 0
- Last Updated: 2026-02-06
- Source: https://github.com/hasnain769/neigbor-tool
- Web: https://mule.run/skillshub/@@hasnain769/neigbor-tool~security-auditor:20260123074842

---

---
name: security-auditor
description: Performs SAST (Static Analysis Security Testing), dependency auditing, and secret scanning on the codebase.
---

# Security Auditor

## 1. Trigger Criteria

- Before code is committed to `main` branch
- When dependencies are added/updated (`package.json`, `requirements.txt`)
- Explicit requests: "scan for vulnerabilities", "security audit", "check for secrets"
- Keywords: "security", "audit", "CVE", "vulnerability", "secrets"

## 2. Security Audit Protocol

```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│ Secret Scanning │────▶│ Dependency Audit│────▶│ SAST Analysis   │
│ (Keys, Tokens)  │     │ (CVE Check)     │     │ (Code Patterns) │
└─────────────────┘     └─────────────────┘     └─────────────────┘
                                                         │
┌─────────────────┐     ┌─────────────────┐              │
│ Security Report │◀────│ IAM Review      │◀─────────────┘
│ (SECURITY.md)   │     │ (Permissions)   │
└─────────────────┘     └─────────────────┘
```

### Step 1: Secret Scanning

```bash
python3 scripts/secret_scanner.py
```

Detect:

- Hardcoded API keys, tokens, passwords
- `.env` files in git
- AWS credentials, private keys
- Database connection strings

### Step 2: Dependency Audit

```bash
# JavaScript/TypeScript
npm audit --json

# Python
pip-audit --format json
# or: safety check

# Go
govulncheck ./...
```

Reference known vulnerabilities in [common-cves.md](references/common-cves.md).

### Step 3: SAST Analysis

Scan code for vulnerability patterns:

| Pattern | Risk | Detection |
|---------|------|-----------|
| SQL Injection | Critical | String concatenation in queries |
| XSS | High | Unsanitized user input in HTML |
| CSRF | High | Missing token validation |
| Path Traversal | High | User input in file paths |
| Command Injection | Critical | User input in shell commands |

### Step 4: IAM Review (if IaC exists)

Check Terraform/Pulumi for:

- Least privilege violations
- Overly permissive policies (`*` actions)
- Public S3 buckets
- Unencrypted storage

### Step 5: Generate Report

Output: `docs/SECURITY_REPORT.md`

## 3. Severity Classification

| Severity | SLA | Action |
|----------|-----|--------|
| **Critical** | Block immediately | No merge/deploy until fixed |
| **High** | Fix within 24h | Warn but allow with approval |
| **Medium** | Fix within 7 days | Log and track |
| **Low** | Best effort | Add to backlog |

## 4. Common Issues & Fixes

| Issue | Example | Fix |
|-------|---------|-----|
| Hardcoded secret | `const API_KEY = "sk-..."` | Use env vars + secrets manager |
| SQL Injection | `query("SELECT * FROM users WHERE id = " + id)` | Use parameterized queries |
| Vulnerable dep | `lodash@4.17.20` | Update to patched version |
| Weak crypto | MD5 for passwords | Use bcrypt/argon2 |

## 5. Principles

| Principle | Description |
|-----------|-------------|
| **Deny by Default** | Failed security gate = blocked deployment |
| **Privacy by Design** | Mask sensitive data in reports |
| **Shift Left** | Catch issues in dev, not production |
| **Defense in Depth** | Multiple security layers |

## 6. Downstream Integration

- Integrates findings into **risk-architect** assessment
- Informs **iac-provisioner** security configurations
- Blocks **e2e-automation-master** if critical issues found
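The Step 1 secret scan, as an added example that is not the project's `scripts/secret_scanner.py`: regexes for the categories listed under Step 1, suppression of `${VAR}` references so env-var usage is not flagged, masking so the report carries no raw secret, and the deny-by-default gate from sections 3 and 5. The pattern names, the severity mapping and the sample files are assumptions made for this example.

```python
import re
from dataclasses import dataclass
# Regexes for the Step 1 categories, each paired with a section 3 severity. Assumed patterns
# for this example, not the project's scripts/secret_scanner.py; group 1 is the part to mask.
PATTERNS = {
    "aws_access_key_id": ("Critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "private_key": ("Critical", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    "db_connection_string": ("Critical", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s\"':]+:([^\s\"'@]+)@")),
    "hardcoded_credential": ("High", re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']")),
}

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    masked: str  # the report never carries the raw secret (Privacy by Design)

def mask(value: str) -> str:  # keep a 4-char prefix for triage, hide the rest
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, (severity, rx) in PATTERNS.items():
            m = rx.search(line)
            secret = m.group(m.lastindex or 0) if m else ""
            if not secret or secret.startswith("${"):  # no hit, or an env-var reference
                continue
            findings.append(Finding(path, lineno, kind, severity, mask(secret)))
    return findings

def audit(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_file(path, text)]

def should_block(findings: list[Finding]) -> bool:  # Deny by Default: any Critical blocks
    return any(f.severity == "Critical" for f in findings)

def render_report(findings: list[Finding]) -> str:  # table body for docs/SECURITY_REPORT.md
    rows = ["| File | Line | Type | Severity | Value |", "|---|---|---|---|---|"]
    rows += [f"| {f.path} | {f.line} | {f.kind} | {f.severity} | `{f.masked}` |" for f in findings]
    return "\n".join(rows)

# Constructed sample input; AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key.
SAMPLE_FILES = {
    "config.js": 'const API_KEY = "sk-live-0123456789abcdef";\nconst dbUrl = process.env.DATABASE_URL;\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app\n",
    "settings.py": 'PASSWORD = "${DB_PASSWORD}"\n',
}
```

Running `audit(SAMPLE_FILES)` yields three findings (one High, two Critical) and `should_block` returns `True`; the `settings.py` line is skipped because its value is an env-var reference rather than a literal.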