chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
---
|
||||
allowed-tools: Read, Write, Edit, Bash
|
||||
argument-hint: [auth-method] | --oauth | --jwt | --mfa | --passwordless
|
||||
description: Implement secure user authentication system with chosen method and security best practices
|
||||
---
|
||||
|
||||
# Add Authentication System
|
||||
|
||||
Implement secure user authentication system: **$ARGUMENTS**
|
||||
|
||||
## Current Application State
|
||||
|
||||
- Framework detection: @package.json or @requirements.txt or @Cargo.toml
|
||||
- Existing auth: !`grep -r "auth\|login\|jwt\|session" src/ --include="*.js" --include="*.py" --include="*.rs" | wc -l`
|
||||
- Security config: @.env* (check for auth-related variables)
|
||||
- Database setup: Check for user models or auth tables
|
||||
|
||||
## Task
|
||||
|
||||
Implement comprehensive authentication system with security best practices:
|
||||
|
||||
**Authentication Methods**: Choose from username/password, OAuth 2.0, JWT, SAML, MFA, or passwordless based on $ARGUMENTS
|
||||
|
||||
**Implementation Areas**:
|
||||
1. **User Management** - Registration, profiles, password policies, account verification
|
||||
2. **Authentication Flow** - Login/logout, session management, token handling, middleware
|
||||
3. **Authorization System** - RBAC, permissions, route protection, API security
|
||||
4. **Security Hardening** - Password hashing, rate limiting, CSRF protection, secure cookies
|
||||
5. **Integration** - Frontend components, API endpoints, database models, middleware
|
||||
|
||||
**Security Standards**: Implement OWASP authentication guidelines, secure session management, and proper error handling.
|
||||
|
||||
**Output**: Production-ready authentication system with comprehensive security controls and user-friendly interface.
|
||||
@@ -0,0 +1,31 @@
|
||||
---
|
||||
allowed-tools: Read, Bash, Grep
|
||||
argument-hint: [scope] | --security | --licenses | --updates | --all
|
||||
description: Audit dependencies for security vulnerabilities, license compliance, and update recommendations
|
||||
---
|
||||
|
||||
# Dependency Audit
|
||||
|
||||
Audit dependencies for security vulnerabilities and compliance: **$ARGUMENTS**
|
||||
|
||||
## Current Dependencies
|
||||
|
||||
- Package files: @package.json or @requirements.txt or @Cargo.toml or @pom.xml
|
||||
- Lock files: @package-lock.json or @poetry.lock or @Cargo.lock
|
||||
- Security scan: !`npm audit --audit-level=moderate 2>/dev/null || pip check 2>/dev/null || cargo audit 2>/dev/null || echo "No security scanner available"`
|
||||
- Outdated packages: !`npm outdated 2>/dev/null || pip list --outdated 2>/dev/null || echo "Check manually"`
|
||||
|
||||
## Task
|
||||
|
||||
Perform comprehensive dependency security and compliance audit:
|
||||
|
||||
**Audit Scope**: Use $ARGUMENTS to focus on security, licenses, updates, or complete audit
|
||||
|
||||
**Analysis Areas**:
|
||||
1. **Vulnerability Scanning** - Known CVEs, security advisories, exploit availability
|
||||
2. **Version Analysis** - Outdated packages, breaking changes, update recommendations
|
||||
3. **License Compliance** - License compatibility, restrictions, legal obligations
|
||||
4. **Supply Chain Security** - Package authenticity, maintainer status, suspicious dependencies
|
||||
5. **Performance Impact** - Bundle size, unused dependencies, optimization opportunities
|
||||
|
||||
**Output**: Prioritized security report with critical vulnerabilities, recommended actions, and compliance status.
|
||||
@@ -0,0 +1,39 @@
|
||||
---
|
||||
allowed-tools: Read, Bash, Grep, Glob
|
||||
argument-hint: [target] | --web-app | --api | --auth | --full-scan
|
||||
description: Perform penetration testing and vulnerability assessment on application
|
||||
---
|
||||
|
||||
# Penetration Test
|
||||
|
||||
Perform penetration testing and vulnerability assessment: **$ARGUMENTS**
|
||||
|
||||
## Application Context
|
||||
|
||||
- Running services: !`netstat -tlnp 2>/dev/null | grep LISTEN | head -10 || lsof -i -P | grep LISTEN | head -10`
|
||||
- Web framework: @package.json or @requirements.txt (detect framework and version)
|
||||
- API endpoints: !`grep -r "route\|endpoint\|@app\\.route\|@RequestMapping" src/ 2>/dev/null | wc -l`
|
||||
- Authentication: !`grep -r "auth\|login\|jwt\|session" src/ 2>/dev/null | wc -l`
|
||||
|
||||
## Task
|
||||
|
||||
Conduct systematic penetration testing following ethical hacking methodologies:
|
||||
|
||||
**Test Target**: Use $ARGUMENTS to focus on web application, API, authentication, or comprehensive testing
|
||||
|
||||
**Testing Phases**:
|
||||
1. **Reconnaissance** - Service discovery, technology fingerprinting, attack surface mapping
|
||||
2. **Vulnerability Assessment** - OWASP Top 10, injection flaws, broken authentication
|
||||
3. **Exploitation Testing** - XSS, CSRF, SQL injection, privilege escalation attempts
|
||||
4. **Authentication Testing** - Brute force, session management, authorization bypasses
|
||||
5. **API Security Testing** - Input validation, rate limiting, authentication bypass
|
||||
6. **Infrastructure Testing** - Network security, container security, configuration issues
|
||||
|
||||
**Testing Methodology**:
|
||||
- Follow OWASP Testing Guide and NIST guidelines
|
||||
- Use both automated tools and manual testing techniques
|
||||
- Document all findings with proof-of-concept examples
|
||||
- Provide remediation recommendations for each vulnerability
|
||||
- Maintain ethical boundaries and avoid data damage
|
||||
|
||||
**Output**: Comprehensive penetration test report with executive summary, detailed findings, risk ratings, and remediation roadmap.
|
||||
@@ -0,0 +1,38 @@
|
||||
---
|
||||
allowed-tools: Read, Bash, Grep, Glob
|
||||
argument-hint: [scope] | --api-keys | --passwords | --certificates | --fix
|
||||
description: Scan codebase for exposed secrets, credentials, and sensitive information
|
||||
---
|
||||
|
||||
# Secrets Scanner
|
||||
|
||||
Scan codebase for exposed secrets and sensitive information: **$ARGUMENTS**
|
||||
|
||||
## Current Repository State
|
||||
|
||||
- Git status: !`git status --porcelain | wc -l` uncommitted files
|
||||
- File types: !`find . -name "*.js" -o -name "*.py" -o -name "*.env*" -o -name "*.yml" | wc -l` scannables
|
||||
- Recent commits: !`git log --oneline --grep="password\|key\|secret\|token" -5`
|
||||
- Environment files: @.env* or @config/* (if exists)
|
||||
|
||||
## Task
|
||||
|
||||
Perform comprehensive secrets detection and remediation across codebase:
|
||||
|
||||
**Scan Scope**: Use $ARGUMENTS to focus on API keys, passwords, certificates, or complete scan
|
||||
|
||||
**Detection Categories**:
|
||||
1. **API Keys & Tokens** - GitHub, AWS, Google Cloud, Stripe, third-party services
|
||||
2. **Database Credentials** - Connection strings, usernames, passwords
|
||||
3. **Certificates & Keys** - Private keys, SSH keys, SSL certificates
|
||||
4. **Authentication Secrets** - JWT secrets, session keys, OAuth credentials
|
||||
5. **Configuration Leaks** - Hardcoded URLs, internal endpoints, debug settings
|
||||
|
||||
**Remediation Actions**:
|
||||
- Identify exposed secrets with file locations and line numbers
|
||||
- Provide secure alternatives (environment variables, secret management)
|
||||
- Generate .gitignore entries for sensitive files
|
||||
- Create secure configuration templates
|
||||
- Implement secrets management best practices
|
||||
|
||||
**Output**: Detailed security report with risk levels, immediate actions, and long-term security improvements.
|
||||
@@ -0,0 +1,81 @@
|
||||
---
|
||||
allowed-tools: Read, Bash, Grep, Glob
|
||||
argument-hint: [focus-area] | --full
|
||||
description: Perform comprehensive security assessment and vulnerability analysis
|
||||
---
|
||||
|
||||
# Security Audit
|
||||
|
||||
Perform comprehensive security assessment: $ARGUMENTS
|
||||
|
||||
## Current Environment
|
||||
|
||||
- Dependency scan: !`npm audit --audit-level=moderate 2>/dev/null || pip check 2>/dev/null || echo "No package manager detected"`
|
||||
- Environment files: @.env* (if exists)
|
||||
- Security config: @.github/workflows/security.yml or @security/ (if exists)
|
||||
- Recent commits: !`git log --oneline --grep="security\|fix" -10`
|
||||
|
||||
## Task
|
||||
|
||||
Perform systematic security audit following these steps:
|
||||
|
||||
1. **Environment Setup**
|
||||
- Identify the technology stack and framework
|
||||
- Check for existing security tools and configurations
|
||||
- Review deployment and infrastructure setup
|
||||
|
||||
2. **Dependency Security**
|
||||
- Scan all dependencies for known vulnerabilities
|
||||
- Check for outdated packages with security issues
|
||||
- Review dependency sources and integrity
|
||||
- Use appropriate tools: `npm audit`, `pip check`, `cargo audit`, etc.
|
||||
|
||||
3. **Authentication & Authorization**
|
||||
- Review authentication mechanisms and implementation
|
||||
- Check for proper session management
|
||||
- Verify authorization controls and access restrictions
|
||||
- Examine password policies and storage
|
||||
|
||||
4. **Input Validation & Sanitization**
|
||||
- Check all user input validation and sanitization
|
||||
- Look for SQL injection vulnerabilities
|
||||
- Identify potential XSS (Cross-Site Scripting) issues
|
||||
- Review file upload security and validation
|
||||
|
||||
5. **Data Protection**
|
||||
- Identify sensitive data handling practices
|
||||
- Check encryption implementation for data at rest and in transit
|
||||
- Review data masking and anonymization practices
|
||||
- Verify secure communication protocols (HTTPS, TLS)
|
||||
|
||||
6. **Secrets Management**
|
||||
- Scan for hardcoded secrets, API keys, and passwords
|
||||
- Check for proper secrets management practices
|
||||
- Review environment variable security
|
||||
- Identify exposed configuration files
|
||||
|
||||
7. **Error Handling & Logging**
|
||||
- Review error messages for information disclosure
|
||||
- Check logging practices for security events
|
||||
- Verify sensitive data is not logged
|
||||
- Assess error handling robustness
|
||||
|
||||
8. **Infrastructure Security**
|
||||
- Review containerization security (Docker, etc.)
|
||||
- Check CI/CD pipeline security
|
||||
- Examine cloud configuration and permissions
|
||||
- Assess network security configurations
|
||||
|
||||
9. **Security Headers & CORS**
|
||||
- Check security headers implementation
|
||||
- Review CORS configuration
|
||||
- Verify CSP (Content Security Policy) settings
|
||||
- Examine cookie security attributes
|
||||
|
||||
10. **Reporting**
|
||||
- Document all findings with severity levels (Critical, High, Medium, Low)
|
||||
- Provide specific remediation steps for each issue
|
||||
- Include code examples and file references
|
||||
- Create an executive summary with key recommendations
|
||||
|
||||
Use automated security scanning tools when available and provide manual review for complex security patterns.
|
||||
@@ -0,0 +1,32 @@
|
||||
---
|
||||
allowed-tools: Read, Write, Edit, Bash
|
||||
argument-hint: [focus-area] | --headers | --auth | --encryption | --infrastructure
|
||||
description: Harden application security configuration with comprehensive security controls
|
||||
---
|
||||
|
||||
# Security Hardening
|
||||
|
||||
Harden application security configuration and controls: **$ARGUMENTS**
|
||||
|
||||
## Current Security Posture
|
||||
|
||||
- Framework: @package.json or @requirements.txt or @Cargo.toml (detect framework)
|
||||
- Security headers: !`curl -I http://localhost:3000 2>/dev/null | grep -i 'x-\|content-security\|strict-transport' || echo "No server running"`
|
||||
- Environment config: @.env* (check for security-related variables)
|
||||
- Dependencies: !`npm audit --audit-level=moderate 2>/dev/null || echo "Run dependency audit first"`
|
||||
|
||||
## Task
|
||||
|
||||
Implement comprehensive security hardening based on security best practices:
|
||||
|
||||
**Hardening Focus**: Use $ARGUMENTS to target specific areas or apply comprehensive hardening
|
||||
|
||||
**Security Controls**:
|
||||
1. **Authentication & Authorization** - MFA, RBAC, session security, password policies
|
||||
2. **Input Validation** - XSS prevention, SQL injection protection, CSRF tokens
|
||||
3. **Secure Communication** - HTTPS/TLS, HSTS, certificate management
|
||||
4. **Data Protection** - Encryption at rest/transit, key management, secure storage
|
||||
5. **Security Headers** - CSP, CORS, security response headers
|
||||
6. **Infrastructure Security** - Container hardening, network segmentation, monitoring
|
||||
|
||||
**Output**: Hardened application with comprehensive security controls, proper configuration, and monitoring capabilities.
|
||||
Reference in New Issue
Block a user