---
name: bigstack-cso
version: 0.1.0
description: |
  Multi-phase security audit. Covers secrets archaeology, supply chain,
  CI/CD, OWASP Top 10, STRIDE threat modeling, and LLM-specific
  security concerns. Includes confidence gates and false positive filtering.
allowed-tools:
  - Bash
  - Read
  - Glob
  - Grep
  - AskUserQuestion
---
<!-- Auto-generated from SKILL.md.tmpl by bigstack. DO NOT EDIT. -->
<!-- Regenerate: npm run gen:skill-docs -->

<!-- bigstack v0.1.0 | skill: bigstack-cso -->

> **bigstack v0.1.0** — skills for Bigscreen development.

Before starting, run this setup block silently:

```bash
# Session context
BIGSTACK_VERSION="0.1.0"
BIGSTACK_DIR="C:/Users/GGPC/Documents/Github/bigstack"
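# basename "" exits 0 and git prints nothing on a detached HEAD, so default empty values explicitly
REPO_NAME=$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null)
REPO_NAME=${REPO_NAME:-unknown}
BRANCH=$(git branch --show-current 2>/dev/null)
BRANCH=${BRANCH:-unknown}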
echo "bigstack v$BIGSTACK_VERSION | repo: $REPO_NAME | branch: $BRANCH"
```

**Guidelines:**
- When asking the user a question, use AskUserQuestion (not inline text questions)
- When uncertain about a change, state your confidence level before proceeding
- Prefer modifying existing code over creating new files
- This is an existing codebase — understand before changing

# /bigstack-cso — Security Audit

Perform a comprehensive security review of the codebase.

## Phases

Execute each phase in order. After each phase, report findings before proceeding.

### Phase 1: Secrets Archaeology

Search for hardcoded secrets, API keys, tokens, and credentials:

```bash
# Common secret patterns
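# --include is left unquoted so bash brace expansion yields one --include per extension
# (a quoted '*.{ts,js,...}' is taken literally by grep and matches no files).
# '\'' embeds a literal single quote; \x27 is not an escape in grep -E.
grep -rn --include=*.{ts,js,py,go,rs,java,yaml,yml,json,env,toml,cfg,ini} \
  -iE '(api[_-]?key|secret|token|password|credential|auth).*[=:]\s*["'\''][A-Za-z0-9+/]{16,}' \
  . --exclude-dir=node_modules --exclude-dir=.git || true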
```

Check for:
- `.env` files committed to git
- Secrets in CI/CD config files
- Base64-encoded credentials
- Private keys (RSA, SSH, PGP)
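
One way to run the checklist above as repeatable checks (an added example, not part of the bigstack skill itself). The function names and the credential keyword list are assumptions, and it expects GNU grep and coreutils `base64`:

```bash
#!/usr/bin/env bash
# Added example: the Phase 1 checklist as three checks. Function names are illustrative.
# Assumes GNU grep and coreutils base64.

# Private keys: PEM/PGP headers (RSA, EC, OpenSSH, PKCS#8, PGP).
find_private_keys() {
  grep -rIlE --exclude-dir=.git --exclude-dir=node_modules \
    -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY( BLOCK)?-----' "$1" 2>/dev/null | sort
}

# .env files: those tracked by git when $1 is a work tree, otherwise those on disk.
find_env_files() {
  if git -C "$1" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$1" ls-files | grep -E '(^|/)\.env(\.[^/]+)?$' |
      while IFS= read -r f; do printf '%s/%s\n' "$1" "$f"; done
  else
    find "$1" -type f \( -name '.env' -o -name '.env.*' \) \
      ! -path '*/.git/*' ! -path '*/node_modules/*'
  fi | sort
}

# Base64-encoded credentials: decode every long base64 run and report the file
# only if the result is printable text holding a keyword or a user:pass pair.
find_b64_creds() {
  grep -rIoE --exclude-dir=.git --exclude-dir=node_modules \
    '[A-Za-z0-9+/]{20,}={0,2}' "$1" 2>/dev/null |
  while IFS= read -r hit; do
    file=${hit%%:*}; blob=${hit#*:}
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\000')
    # Binary output means the run was not encoded text: drop it as a false positive.
    printf '%s' "$decoded" | LC_ALL=C grep -qE '^[[:print:]]+$' || continue
    printf '%s' "$decoded" |
      grep -qiE 'password|secret|token|^[^:[:space:]]+:[^:[:space:]]+$' &&
      printf '%s\n' "$file"
  done | sort -u
}

# Run all three checks when a directory is passed as an argument.
if [ "$#" -gt 0 ]; then
  find_private_keys "$1"; find_env_files "$1"; find_b64_creds "$1"
fi
```

Template files such as `.env.example` are also listed by `find_env_files`; report them with a high false positive likelihood rather than dropping them.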

### Phase 2: Dependency Supply Chain

```bash
# Check for known vulnerabilities
npm audit 2>/dev/null || true
pip-audit 2>/dev/null || true   # PyPA tool; pip itself has no "audit" subcommand
cargo audit 2>/dev/null || true
```

Review:
- Outdated dependencies with known CVEs
- Typosquatting risk (unusual package names)
- Dependency pinning (lockfiles present and committed)

### Phase 3: Authentication & Authorization

Review auth-related code for:
- Authentication bypass paths
- Missing authorization checks on endpoints
- Session management (token expiry, rotation, revocation)
- RBAC/permission enforcement consistency

### Phase 4: Input Validation (OWASP Top 10)

Check for:
- **Injection**: SQL, NoSQL, OS command, LDAP
- **XSS**: Reflected, stored, DOM-based
- **SSRF**: Unvalidated URL inputs
- **Path traversal**: Unvalidated file paths
- **Deserialization**: Untrusted data deserialization

### Phase 5: CI/CD Security

Review pipeline configurations for:
- Secrets in plain text in CI configs
- Overly permissive permissions
- Missing branch protection
- Unsigned artifacts

### Phase 6: STRIDE Threat Model

For the most critical component identified, apply STRIDE:

| Threat | Question |
|--------|----------|
| **Spoofing** | Can an attacker impersonate a user or service? |
| **Tampering** | Can data be modified in transit or at rest? |
| **Repudiation** | Are actions properly logged and attributable? |
| **Information Disclosure** | Can sensitive data leak? |
| **Denial of Service** | Can the system be overwhelmed? |
| **Elevation of Privilege** | Can a low-privilege user escalate? |

### Phase 7: LLM Security (if applicable)

If the codebase uses LLM APIs:
- Prompt injection vectors
- Output sanitization
- Token/cost limits
- PII in prompts or logs

## Reporting

For each finding:
> **[SEVERITY: Critical/High/Medium/Low]** [Phase N] — [title]
> **Location**: [file:line]
> **Description**: [what and why it's a risk]
> **Remediation**: [specific fix]
> **False positive likelihood**: [Low/Medium/High]

Filter out likely false positives but include them in an appendix.

### Summary Table

| Severity | Count |
|----------|-------|
| Critical | N |
| High | N |
| Medium | N |
| Low | N |
| False positives filtered | N |

## Confidence Calibration

Before completing a major action, state your confidence:

| Level | Meaning | Action |
|-------|---------|--------|
| **High** | Well-understood change, clear test coverage, matches existing patterns | Proceed |
| **Medium** | Reasonable approach but some uncertainty — unfamiliar area, partial test coverage | Proceed but flag risks |
| **Low** | Significant unknowns, could break existing behavior, no test coverage | Stop and ask the user |

Format: **Confidence: [High/Medium/Low]** — [one-line rationale]
