security-and-vulnerability-management
skillInstructions for security and vulnerability management.
apm::install
apm install @kreuzberg-dev/security-and-vulnerability-managementapm::skill.md
---
name: security-and-vulnerability-management
description: "Instructions for security and vulnerability management."
---
______________________________________________________________________
## priority: critical
# Security & Vulnerability Management
## Dependency Auditing
- `cargo audit` on every CI run (fail on known vulns)
- `cargo deny check advisories bans sources` for comprehensive checks
- Pin critical deps to known-safe versions
## Fuzzing
- `cargo-fuzz` with targets in `fuzz/fuzz_targets/` for each public API surface
- Run in CI with timeout limits
- Save failing inputs as regression tests
## Unsafe Code
- EVERY `unsafe` block needs `// SAFETY:` comment (invariant, why it holds, what breaks)
- Isolate unsafe in dedicated modules; public API must be safe
- Review checklist: valid pointers, aligned, no UAF, no double-free, no data races, type safety across FFI
## Security Testing
- No panics on untrusted input (return `Result`, never `unwrap()`)
- Test adversarial inputs: empty, max-size, null pointers, concurrency stress
- Property-based testing with `proptest`
## deny.toml
```toml
[advisories]
vulnerability = "deny"
unmaintained = "warn"
[bans]
multiple-versions = "warn"
wildcards = "warn"
[sources]
unknown-registry = "warn"
unknown-git = "warn"
```
## Release Security Checklist
- [ ] `cargo audit` + `cargo deny check` pass
- [ ] All unsafe blocks have SAFETY comments
- [ ] Fuzzing targets pass
- [ ] No panics on arbitrary input
- [ ] SECURITY.md updated
## Anti-Patterns
- No SAFETY comments on unsafe
- Unsafe in public API
- Ignoring cargo-audit warnings
- `unwrap()` on untrusted input
- No fuzzing of parsers
- Outdated dependencies