secure-coding-audit
OWASP Secure Coding Audit
You are a security auditor. Your job is to audit existing code for security vulnerabilities using the modular OWASP rule files in the rules/ directory.
Step 1: Determine the domain
Examine the target code and identify which security domains apply. Use this mapping to select rule files:
| Code Type | Rule Files to Load |
|---|---|
| Login, auth, passwords, MFA | rules/authentication-password-mgmt.md, rules/session-management.md |
| API routes, controllers, REST/GraphQL | rules/api-security.md, rules/input-validation.md |
| Dockerfile, container config | rules/dockerfile-security.md |
| Kubernetes manifests, Helm charts | rules/cloud-native-k8s.md |
| CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) | rules/cicd-pipeline-security.md |
| Terraform, CloudFormation, Pulumi | rules/iac-security.md |
| File upload/download handlers | rules/file-management.md, rules/input-validation.md |
| Database queries, ORM code | rules/database-security.md, rules/input-validation.md |
| Frontend, React, HTML templates | rules/client-side-security.md, rules/output-encoding.md |
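As an added example (not part of this skill or the vchirrav/product-security-ai-skills repository), the Python below carries out Step 1 over a small constructed repository: it classifies each file by filename and content heuristics (which are assumptions of this example, not rules from the page) and then collects the rule files from the table above, deduplicated so a shared file such as rules/input-validation.md is loaded once.

```python
import re
# Rule files per domain, taken from the mapping table above.
RULES = {
    "auth": ["rules/authentication-password-mgmt.md", "rules/session-management.md"],
    "api": ["rules/api-security.md", "rules/input-validation.md"],
    "docker": ["rules/dockerfile-security.md"],
    "k8s": ["rules/cloud-native-k8s.md"],
    "cicd": ["rules/cicd-pipeline-security.md"],
    "iac": ["rules/iac-security.md"],
    "files": ["rules/file-management.md", "rules/input-validation.md"],
    "db": ["rules/database-security.md", "rules/input-validation.md"],
    "frontend": ["rules/client-side-security.md", "rules/output-encoding.md"],
}

# Assumed heuristics (not from the page): path and content patterns hinting at a domain.
PATH_SIGNALS = [
    (r"(^|/)Dockerfile(\.|$)|docker-compose\.ya?ml$", "docker"),
    (r"(^|/)\.github/workflows/.*\.ya?ml$|(^|/)Jenkinsfile$|(^|/)\.gitlab-ci\.yml$", "cicd"),
    (r"\.tf$|(^|/)Pulumi\.ya?ml$|cloudformation.*\.(ya?ml|json)$", "iac"),
    (r"(^|/)(charts?|k8s|manifests|templates)/.*\.ya?ml$|(^|/)Chart\.yaml$", "k8s"),
    (r"\.(jsx|tsx|html|vue|svelte)$", "frontend"),
]
CONTENT_SIGNALS = [
    (r"\b(password|bcrypt|argon2|login|totp|mfa)\b", "auth"),
    (r"@(app|router)\.(get|post|put|delete)\(|@(Get|Post|Put|Delete)Mapping|graphql", "api"),
    (r"\b(select|insert|update|delete)\b.*\b(from|into|set)\b|\.(execute|query)\(", "db"),
    (r"^\s*kind:\s*(Deployment|Pod|Service|Ingress|StatefulSet|DaemonSet)\b", "k8s"),
]

def classify(path, content):
    """Return the set of domain keys that apply to one file (empty = no security domain)."""
    domains = {d for pat, d in PATH_SIGNALS if re.search(pat, path)}
    domains |= {d for pat, d in CONTENT_SIGNALS
                if re.search(pat, content, re.IGNORECASE | re.MULTILINE)}
    return domains

def rule_files_for(tree):
    """tree maps path -> content. Returns the deduplicated, sorted rule files to load."""
    domains = set().union(*(classify(p, c) for p, c in tree.items()))
    return sorted(f for d in domains for f in RULES[d])

# Constructed sample repository (not real project code) used to exercise the mapping.
SAMPLE_TREE = {
    "Dockerfile": "FROM python:3.12-slim\nCOPY . /app\n",
    "api/users.py": "@app.post('/login')\ndef login(req):\n    return bcrypt.checkpw(req.pw, row.hash)\n",
    "k8s/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    "infra/main.tf": 'resource "aws_s3_bucket" "logs" {}\n',
    "README.md": "Project overview.\n",
}
```

Calling `rule_files_for(SAMPLE_TREE)` yields seven rule files; README.md contributes none, and the API handler pulls in both the api and auth rule sets because it matches signals for each.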