Checks hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation. Returns findings with severity, location, effort, recommendations.
apm install @levnikolaevich/ln-621-security-auditor
[](https://apm-p1ls2dz87-atlamors-projects.vercel.app/packages/@levnikolaevich/ln-621-security-auditor)---
name: ln-621-security-auditor
description: Checks hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation. Returns findings with severity, location, effort, recommendations.
allowed-tools: Read, Grep, Glob, Bash
license: MIT
---
> **Paths:** File paths (`shared/`, `references/`, `../ln-*`) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.
# Security Auditor (L3 Worker)
Specialized worker auditing security vulnerabilities in codebase.
## Purpose & Scope
- **Worker in ln-620 coordinator pipeline** - invoked by ln-620-codebase-auditor
- Audit codebase for **security vulnerabilities** (Category 1: Critical Priority)
- Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
- Return structured findings to coordinator with severity, location, effort, recommendations
- Calculate compliance score (X/10) for Security category
## Inputs (from Coordinator)
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.
Receives `contextStore` with: `tech_stack`, `best_practices`, `principles`, `codebase_root`, `output_dir`.
## Workflow
**MANDATORY READ:** Load `shared/references/two_layer_detection.md` for detection methodology.
1) **Parse Context:** Extract tech stack, best practices, codebase root, output_dir from contextStore
2) **Scan Codebase (Layer 1):** Run security checks using Glob/Grep patterns (see Audit Rules below)
3) **Analyze Context (Layer 2):** For each candidate, read surrounding code to classify:
- Secrets: test fixture / example / template → FP. Production code → confirmed
- SQL injection: ORM parameterization nearby → FP. Raw string concat with user input → confirmed
- XSS: framework auto-escapes (React JSX, Go templates) → FP. Unsafe context (`innerHTML`, `| safe`) → confirmed
- Deps: vulnerable API not called in project → downgrade. Exploitable path → confirmed
- Validation: internal service-to-service endpoint → downgrade. Public API → confirmed
4) **Collect Findings:** Record confirmed violations with severity, location (file:line), effort estimate (S/M/L), recommendation
5) **Calculate Score:** Count violations by severity, calculate compliance score (X/10)
6) **Write Report:** Build full markdown report in memory per `shared/templates/audit_worker_report_template.md`, write to `{output_dir}/621-security.md` in single Write call
7) **Return Summary:** Return minimal summary to coordinator (see Output Format)
## Audit Rules (Priority: CRITICAL)
### 1. Hardcoded Secrets
**What:** API keys, passwords, tokens, private keys in source code
**Detection:**
- Search patterns: `API_KEY = "..."`, `password = "..."`, `token = "..."`, `SECRET = "..."`
- File extensions: `.ts`, `.js`, `.py`, `.go`, `.java`, `.cs`
- Exclude: `.env.example`, `README.md`, test files with mock data
**Severity:**
- **CRITICAL:** Production credentials (AWS keys, database passwords, API tokens)
- **HIGH:** Development/staging credentials
- **MEDIUM:** Test credentials in non-test files
**Recommendation:** Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)
**Effort:** S (replace hardcoded value with `process.env.VAR_NAME`)
### 2. SQL Injection Patterns
**What:** String concatenation in SQL queries instead of parameterized queries
**Detection:**
- Patterns: `query = "SELECT * FROM users WHERE id=" + userId`, `db.execute(f"SELECT * FROM {table}")`, `` `SELECT * FROM ${table}` ``
- Languages: JavaScript, Python, PHP, Java
**Severity:**
- **CRITICAL:** User input directly concatenated without sanitization
- **HIGH:** Variable concatenation in production code
- **MEDIUM:** Concatenation with internal variables only
**Recommendation:** Use parameterized queries (prepared statements), ORM query builders
**Effort:** M (refactor query to use placeholders)
### 3. XSS Vulnerabilities
**What:** Unsanitized user input rendered in HTML/templates
**Detection:**
- Patterns: `innerHTML = userInput`, `dangerouslySetInnerHTML={{__html: data}}`, `echo $userInput;`
- Template engines: Check for unescaped output (`{{ var | safe }}`, `<%- var %>`)
**Severity:**
- **CRITICAL:** User input directly inserted into DOM without sanitization
- **HIGH:** User input with partial sanitization (insufficient escaping)
- **MEDIUM:** Internal data with potential XSS if compromised
**Recommendation:** Use framework escaping (React auto-escapes, use `textContent`), sanitize with DOMPurify
**Effort:** S-M (replace `innerHTML` with `textContent` or sanitize)
### 4. Insecure Dependencies
**What:** Dependencies with known CVEs (Common Vulnerabilities and Exposures)
**Detection:**
- Run `npm audit` (Node.js), `pip-audit` (Python), `cargo audit` (Rust), `dotnet list package --vulnerable` (.NET)
- Check for outdated critical dependencies
**Severity:**
- **CRITICAL:** CVE with exploitable vulnerability in production dependencies
- **HIGH:** CVE in dev dependencies or lower severity production CVEs
- **MEDIUM:** Outdated packages without known CVEs but security risk
**Recommendation:** Update to patched versions, replace unmaintained packages
**Effort:** S-M (update package.json, test), L (if breaking changes)
### 5. Missing Input Validation
**What:** Missing validation at system boundaries (API endpoints, user forms, file uploads)
**Detection:**
- API routes without validation middleware
- Form handlers without input sanitization
- File uploads without type/size checks
- Missing CORS configuration
**Severity:**
- **CRITICAL:** File upload without validation, authentication bypass potential
- **HIGH:** Missing validation on sensitive endpoints (payment, auth, user data)
- **MEDIUM:** Missing validation on read-only or internal endpoints
**Recommendation:** Add validation middleware (Joi, Yup, express-validator), implement input sanitization
**Effort:** M (add validation schema and middleware)
## Scoring Algorithm
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md` and `shared/references/audit_scoring.md`.
## Output Format
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md` and `shared/templates/audit_worker_report_template.md`.
Write report to `{output_dir}/621-security.md` with `category: "Security"` and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.
Return summary to coordinator:
```
Report written: docs/project/.audit/ln-620/{YYYY-MM-DD}/621-security.md
Score: X.X/10 | Issues: N (C:N H:N M:N L:N)
```
## Critical Rules
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.
- **Do not auto-fix:** Report violations only; coordinator creates task for user to fix
- **Tech stack aware:** Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
- **False positive reduction:** Exclude test files, example configs, documentation
- **Effort realism:** S = <1 hour, M = 1-4 hours, L = >4 hours
- **Location precision:** Always include `file:line` for programmatic navigation
## Definition of Done
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.
- contextStore parsed successfully (including output_dir)
- All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
- Findings collected with severity, location, effort, recommendation
- Score calculated using penalty algorithm
- Report written to `{output_dir}/621-security.md` (atomic single Write call)
- Summary returned to coordinator
## Reference Files
- **Audit output schema:** `shared/references/audit_output_schema.md`
- Security audit rules: [references/security_rules.md](references/security_rules.md)
---
**Version:** 3.0.0
**Last Updated:** 2025-12-23