security-audit


Security Audit: Multi-Pass Application Security Review

Structured, multi-pass security audit. Combines automated tooling with manual pattern analysis, maps findings to OWASP Top 10:2025, and produces a prioritized report.

Patterns drawn from real OSS incidents (unauthenticated admin endpoints, credential exfiltration, zip slip, auth bypass whitelists, Trivy supply chain compromise) and OpenSSF/SLSA/OWASP standards.

Target versions (May 2026):

  • Semgrep 1.161.0, Bandit 1.9.4
  • Gitleaks 8.30.1, Betterleaks 1.1.1 (successor by same author), TruffleHog 3.95.2
  • Trivy 0.70.0 (0.69.4-0.69.6 were compromised - see known incidents; 0.70.x is the safe upgrade path)
  • OpenSSF Scorecard 5.1.0 (v6 in proposal stage)
  • OWASP Top 10:2025 (confirmed January 2026), OWASP Agentic Top 10:2026 (released December 2025)

Scope: TypeScript/JavaScript (Bun, Node.js, Deno), Python, Go, Rust web applications, CLI tools, Dockerfiles, Compose stacks, CI/CD workflows, Helm charts, Terraform, Proxmox/LXC configs, shell scripts. This skill is SAST + config + supply chain. Not DAST or network pentesting.

When to use

  • Security review of application code, services, or self-hosted apps
  • Secret scanning, dependency audit, auth review, or OWASP-focused assessment
Installs: 13 · GitHub Stars: 6 · First Seen: Apr 1, 2026