name: security-audit description: Performs comprehensive security and performance audits of codebases, identifying vulnerabilities, unsafe patterns, security weaknesses, and performance bottlenecks. Use this skill when the user requests a security assessment, penetration testing analysis, vulnerability scan, or performance review of their code. Generates detailed, actionable reports with severity classifications and remediation guidance.
This skill guides systematic security and performance auditing of software projects. The user provides a codebase directory. Analyze every file for security vulnerabilities, unsafe patterns, credential exposure, exploitable weaknesses, and performance issues.
Analysis Framework
Before auditing, understand the threat model:
- Attack Surface: What does this application expose? (API endpoints, file uploads, user input, network services)
- Threat Actors: Who might attack this? (External hackers, malicious insiders, automated bots)
- Critical Assets: What must be protected? (User data, API keys, financial info, PII)
- Performance Profile: What are the performance-critical paths? (Database queries, API calls, file I/O)
Then conduct systematic analysis across ALL files using these tools:
- Glob: Discover all source files (
**/*.{go,js,py,java,ts,jsx,tsx}) - Read: Examine suspicious files in detail
- Grep: Find security-critical patterns (credentials, SQL, eval, exec, shell commands)
- Bash: Check git history for leaked secrets (
git log -S "password"), analyze file sizes
Security Categories
1. Injection Vulnerabilities
- SQL Injection (string concatenation in queries)
- Command Injection (unsanitized input to shell)
- Code Injection (eval, exec with user input)
- Path Traversal (file operations with user paths)
- LDAP/XML/NoSQL injection
Detection patterns:
Grep for: "exec(", "eval(", "system(", "os.system", "subprocess.call"
Check: User input flows to these functions without validation
2. Authentication & Authorization
- Hardcoded credentials (passwords, API keys, tokens)
- Weak password policies
- Missing authentication checks
- Privilege escalation vectors
- Session management flaws
- JWT vulnerabilities (weak signing, no expiry)
Detection patterns:
Grep for: "password", "api_key", "secret", "token", "Authorization"
Check: Plaintext storage, weak hashing, missing auth middleware
3. Cryptography
- Weak hashing algorithms (MD5, SHA1)
- Insecure encryption (DES, ECB mode)
- Hardcoded crypto keys
- Insufficient key length
- Missing TLS/HTTPS enforcement
- Certificate validation disabled
Detection patterns:
Grep for: "md5", "sha1", "DES", "ECB", "InsecureSkipVerify"
Check: Crypto library usage, key generation, TLS config
4. Data Exposure
- Sensitive data in logs
- API responses leaking internal info
- Error messages exposing stack traces
- Unencrypted data at rest
- Missing data sanitization
- PII handling violations
Detection patterns:
Grep for: "console.log", "fmt.Printf", "print(", "logger."
Check: What's being logged? Passwords, tokens, PII?
5. Input Validation
- Missing input sanitization
- Insufficient type checking
- Buffer overflows (C/C++)
- Integer overflow/underflow
- Regex DoS (ReDoS)
- XML external entities (XXE)
Detection patterns:
Check: Every user input point (HTTP params, form data, file uploads)
Validate: Type checking, length limits, whitelist validation
6. Access Control
- Missing authorization checks
- Insecure direct object references (IDOR)
- Broken access control
- Privilege escalation
- CORS misconfigurations
- Missing rate limiting
Detection patterns:
Check: API endpoints - who can call them?
Verify: Resource access checks before operations
7. Configuration & Deployment
- Debug mode in production
- Default credentials
- Unnecessary services exposed
- Missing security headers
- Open ports and services
- Dependency vulnerabilities
Detection patterns:
Grep for: "debug = true", "DEBUG=1", "development"
Check: .env files, docker-compose.yml, config files
Performance Categories
8. Database Performance
- N+1 query patterns
- Missing database indexes
- Inefficient queries (SELECT *)
- Unbounded result sets (no LIMIT)
- Connection pool exhaustion
- Missing query caching
Detection patterns:
Grep for: "SELECT \\*", "for.*db.Query", "range.*Query"
Check: Queries inside loops, missing pagination
9. Algorithm Efficiency
- O(n²) or worse algorithms
- Inefficient data structures
- Redundant computations
- Nested loops with DB/API calls
- Unnecessary sorting/filtering
Detection patterns:
Check: Nested loops, recursive functions without memoization
Look for: Duplicate processing, inefficient string operations
10. Memory Management
- Memory leaks (unclosed resources)
- Excessive memory allocation
- Large object retention
- Missing garbage collection hints
- Buffer size issues
Detection patterns:
Grep for: "new \\[", "make(", "malloc", "append"
Check: Resource cleanup (defer, finally, close)
11. Network & I/O
- Synchronous blocking operations
- Missing request timeouts
- No connection pooling
- Excessive API calls
- Large payload transfers
- Missing compression
Detection patterns:
Check: HTTP client configs, file I/O patterns
Look for: Sequential API calls that could be parallel
12. Concurrency Issues
- Race conditions
- Deadlocks
- Missing synchronization
- Unbounded goroutines/threads
- Channel blocking
- Inefficient locking
Detection patterns:
Grep for: "go func", "goroutine", "thread", "async"
Check: Shared state access, mutex usage, channel operations
Audit Report Structure
Generate a markdown report with this EXACT structure:
# Security & Performance Audit Report
## [Project Name]
**Generated**: [Date]
**Repository**: [Repo URL or path]
**Languages**: [Go, JavaScript, Python, etc.]
***
## Executive Summary
[2-3 sentences: overall security posture, performance bottlenecks, critical vulnerability count, risk level]
**Overall Security Risk**: [CRITICAL | HIGH | MEDIUM | LOW]
**Performance Rating**: [POOR | NEEDS IMPROVEMENT | GOOD | EXCELLENT]
***
## Findings Summary
| Issue | Severity | Type | Impact |
|-------|----------|------|--------|
| [Issue title] | Critical/High/Medium/Low | Security/Performance | [Brief impact] |
| ... | ... | ... | ... |
**Statistics**:
- Critical: X
- High: Y
- Medium: Z
- Low: W
***
## 🔴 Critical Security Vulnerabilities
### 1. [Vulnerability Title]
**File**: `path/to/file.ext:line`
**Severity**: Critical
**Type**: [Injection/Auth/Crypto/etc]
**CWE**: [CWE-89 (SQL Injection) if applicable]
**Description**: Clear explanation of the vulnerability
**Vulnerable Code**:
\`\`\`[language]
[actual vulnerable code snippet]
\`\`\`
**Exploitation Scenario**:
[Step-by-step how an attacker exploits this]
**Impact**: [What happens if exploited - data breach, RCE, etc.]
**Remediation**:
\`\`\`[language]
[fixed code example]
\`\`\`
***
## 🟠 High Severity Issues
[Same format as Critical - both security and performance]
***
## 🟡 Medium Severity Issues
[Same format as Critical - both security and performance]
***
## 🔵 Low Severity Issues
[Same format as Critical - both security and performance]
***
## ⚡ Performance Bottlenecks
### Database Performance
- **N+1 Queries**: [File locations where this occurs]
- **Missing Indexes**: [Tables that need indexes]
- **Unbounded Results**: [Queries without LIMIT]
### Algorithm Inefficiency
- **O(n²) Operations**: [Functions with nested loops]
- **Redundant Computations**: [Repeated calculations]
### Memory Issues
- **Potential Leaks**: [Unclosed resources]
- **Large Allocations**: [Excessive memory usage]
### Network & I/O
- **Blocking Operations**: [Synchronous I/O locations]
- **Missing Timeouts**: [Network calls without timeouts]
***
## ✅ Security Strengths
[List what the codebase does RIGHT]
- Proper use of parameterized queries
- Strong password hashing (bcrypt)
- Good input validation in module X
- TLS/HTTPS properly configured
***
## ✅ Performance Strengths
[List what the codebase does RIGHT]
- Efficient caching strategy
- Good use of connection pooling
- Proper indexing on critical tables
- Optimized algorithms in hot paths
***
## Testing Recommendations
### Security Testing
**Automated Tools**:
\`\`\`bash
# Static analysis
[Tool recommendations for detected languages]
# Dependency scanning
[Tool recommendations]
# SAST/DAST tools
[Tool recommendations]
\`\`\`
**Manual Testing Checklist**:
- [ ] Test for SQL injection on all inputs
- [ ] Test authentication bypass techniques
- [ ] Test authorization bypass (IDOR)
- [ ] Test input validation boundaries
- [ ] Verify access controls on all endpoints
### Performance Testing
**Load Testing**:
\`\`\`bash
# Example load test commands
[Tool recommendations: k6, ab, wrk, etc.]
\`\`\`
**Profiling**:
- [ ] Profile CPU usage under load
- [ ] Profile memory allocation patterns
- [ ] Analyze database query performance
- [ ] Check for memory leaks
- [ ] Monitor goroutine/thread counts
***
## Files Analyzed
[MANDATORY: List ALL files you scanned]
\`\`\`
path/to/file1.go ✓
path/to/file2.js ✓
path/to/file3.py ✓
...
\`\`\`
**Total**: [X] files across [Y] directories
***
**Report End**
Quality Standards
✅ Good Security Finding:
### SQL Injection in User Search
**File**: `api/users.go:45`
**Severity**: Critical
**Type**: Injection - SQL
**CWE**: CWE-89
**Description**: The `SearchUsers()` function concatenates unsanitized user input directly into a SQL query string.
**Vulnerable Code**:
\`\`\`go
query := "SELECT * FROM users WHERE name = '" + userInput + "'"
db.Query(query)
\`\`\`
**Exploitation Scenario**:
1. Attacker sends: `'; DROP TABLE users; --`
2. Query becomes: `SELECT * FROM users WHERE name = ''; DROP TABLE users; --'`
3. Database executes DROP TABLE
4. All user data is deleted
**Impact**: Complete database compromise, data loss, denial of service
**Remediation**:
\`\`\`go
query := "SELECT * FROM users WHERE name = ?"
db.Query(query, userInput)
\`\`\`
✅ Good Performance Finding:
### N+1 Query Pattern in User List
**File**: `api/posts.go:23-28`
**Severity**: High
**Type**: Performance - Database
**Description**: The `ListPosts()` function queries the database once per user in a loop, causing N+1 query problem.
**Inefficient Code**:
\`\`\`go
for _, post := range posts {
user, _ := db.Query("SELECT * FROM users WHERE id = ?", post.UserID)
// N queries in loop
}
\`\`\`
**Impact**: With 1000 posts, executes 1001 database queries. Response time scales linearly with post count. At 10k posts, 10+ second response time.
**Remediation**:
\`\`\`go
// Single query with JOIN
query := `SELECT posts.*, users.* FROM posts
LEFT JOIN users ON posts.user_id = users.id`
rows, _ := db.Query(query)
\`\`\`
**Performance Gain**: Reduces 1001 queries to 1. Response time: 10s → 100ms (100x improvement)
❌ Bad Finding:
### Security Issue
There's a problem in the database code. Fix it.
Critical Rules
- NEVER HALLUCINATE: Only report vulnerabilities you actually found in the code
- SCAN EVERYTHING: Use Glob to find ALL files, Read each one
- BE SPECIFIC: Include exact file paths and line numbers
- SHOW PROOF: Include actual vulnerable code snippets
- NO GUESSING: If you can't confirm a vulnerability, don't report it
- NO FEATURE REQUESTS: Only report security/performance issues in current code
- NO TIME ESTIMATES: Don't estimate fix time - just explain the fix
- QUANTIFY PERFORMANCE: Show impact (e.g., "10s → 100ms", "1000 queries → 1")
When No Issues Found
If the codebase is genuinely secure and performant:
## Security Assessment: PASS ✅
## Performance Assessment: EXCELLENT ✅
After comprehensive analysis of [X] files across [Y] directories, **no exploitable vulnerabilities or significant performance bottlenecks were identified**.
### Security Strengths:
- Proper input validation throughout
- Secure authentication implementation
- Strong cryptographic practices
- Good separation of concerns
- Principle of least privilege applied
### Performance Strengths:
- Efficient database queries with proper indexing
- Good use of caching strategies
- Optimized algorithms
- Proper connection pooling
- No memory leaks detected
### Recommendations for Continued Excellence:
- Maintain dependency updates
- Regular security audits
- Implement automated security testing
- Monitor for new CVEs in dependencies
- Continue load testing under production-like conditions
DO NOT invent vulnerabilities or performance issues to fill a report. Absence of findings is a valid audit result.