Security Review Guidelines

When running a security review on a codebase, follow these structured steps to identify potential vulnerabilities, leaks, and misconfigurations.

1. Reconnaissance & Setup

• Identify Technologies: Determine if the project matches known stacks (Node.js, Python/Django, Go, etc.).
• Check .gitignore: Ensure sensitive files (like .env, *.pem, *.key) are ignored.

2. Dependency Auditing

Check for known vulnerabilities in project dependencies.

• Node.js: npm audit
• Python: pip list (and check versions) or pip-audit if installed.
• Go: govulncheck ./... (if available)

3. Secret Scanning

Scan the codebase for hardcoded secrets. Use grep_search to look for:

• API Keys (AKIA, sk_live, Bearer)
• Private Keys (BEGIN RSA PRIVATE KEY)
• Database Credentials (password, postgres://)