---
name: bigstack-cso
version: 0.1.0
description: |
  Multi-phase security audit. Covers secrets archaeology, supply chain,
  CI/CD, OWASP Top 10, STRIDE threat modeling, and LLM-specific
  security concerns. Includes confidence gates and false positive filtering.
allowed-tools:
  - Bash
  - Read
  - Glob
  - Grep
  - AskUserQuestion
---

{{PREAMBLE}}

# /bigstack-cso — Security Audit

Perform a comprehensive security review of the codebase.

## Phases

Execute each phase in order. After each phase, report findings before proceeding.

### Phase 1: Secrets Archaeology

Search for hardcoded secrets, API keys, tokens, and credentials:

```bash
# Common secret patterns (--include takes one glob per flag; the quote class holds both " and ')
grep -rn --include='*.ts' --include='*.js' --include='*.py' --include='*.go' \
  --include='*.rs' --include='*.java' --include='*.yaml' --include='*.yml' --include='*.json' \
  --include='*.env' --include='*.toml' --include='*.cfg' --include='*.ini' \
  --exclude-dir=node_modules --exclude-dir=.git \
  -iE '(api[_-]?key|secret|token|password|credential|auth).*[=:]\s*["'"'"'][A-Za-z0-9+/]{16,}' \
  . || true
```

Check for:
- `.env` files committed to git
- Secrets in CI/CD config files
- Base64-encoded credentials
- Private keys (RSA, SSH, PGP)
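The grep above finds candidates; the command also promises false positive filtering and a "False positive likelihood" field per finding. The scanner below is an added example (not part of the bigstack-cso command) that applies the same pattern family to constructed sample files and rates each hit Low/Medium/High using placeholder words, test-fixture paths, and Shannon entropy of the matched value; the file names and contents are hypothetical.

```python
import math
import re
from collections import Counter

# Same pattern family as the Phase 1 grep, with a capture group for the value.
SECRET_RE = re.compile(
    r'(?P<name>api[_-]?key|secret|token|password|credential|auth)\w*\s*[=:]\s*'
    r'["\'](?P<value>[A-Za-z0-9+/_-]{16,})["\']', re.IGNORECASE)
# Values that are almost always placeholders, and paths that hold test fixtures.
PLACEHOLDER_RE = re.compile(r'example|changeme|placeholder|your[_-]|xxxx|dummy|sample', re.I)
TEST_PATH_RE = re.compile(r'(^|/)(tests?|fixtures?|examples?)/')


def shannon_entropy(s: str) -> float:
    """Bits per character: random 32-char keys score ~4.5+, repeated chars score ~0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def fp_likelihood(value: str, path: str) -> str:
    """Rate a match as Low/Medium/High false positive likelihood (the Reporting field)."""
    if PLACEHOLDER_RE.search(value) or TEST_PATH_RE.search(path):
        return "High"
    if shannon_entropy(value) < 3.5:  # low entropy: filler or padding, rarely a real key
        return "Medium"
    return "Low"


def scan_file(path: str, text: str) -> list:
    """Return one finding dict per matching line, keyed like the Reporting template."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if m:
            findings.append({"location": f"{path}:{lineno}", "name": m.group("name"),
                             "false_positive": fp_likelihood(m.group("value"), path)})
    return findings


def scan_all(files: dict) -> list:
    """Scan a {path: contents} mapping in insertion order."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample input (hypothetical files, not from any real codebase).
SAMPLE = {
    "src/config.py": 'API_KEY = "sk9F2h7Qz1Lm4Wx8Tq3Vb6Nd0Yp5Rc2K"\n',
    "tests/fixtures/auth.py": 'password = "changeme_changeme_123"\n',
    "deploy/settings.yml": 'token: "aaaaaaaaaaaaaaaaaaaaaaaa"\n',
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE):
        print(f"{f['location']}: {f['name']} (false positive likelihood: {f['false_positive']})")
```

High-likelihood hits belong in the appendix the Reporting section asks for rather than the main findings list.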

### Phase 2: Dependency Supply Chain

```bash
# Check for known vulnerabilities (each tool runs only if installed;
# pip-audit is a separate package, not a pip subcommand)
npm audit 2>/dev/null || true
pip-audit 2>/dev/null || true
cargo audit 2>/dev/null || true
```

Review:
- Outdated dependencies with known CVEs
- Typosquatting risk (unusual package names)
- Dependency pinning (lockfiles present and committed)

### Phase 3: Authentication & Authorization

Review auth-related code for:
- Authentication bypass paths
- Missing authorization checks on endpoints
- Session management (token expiry, rotation, revocation)
- RBAC/permission enforcement consistency

### Phase 4: Input Validation (OWASP Top 10)

Check for:
- **Injection**: SQL, NoSQL, OS command, LDAP
- **XSS**: Reflected, stored, DOM-based
- **SSRF**: Unvalidated URL inputs
- **Path traversal**: Unvalidated file paths
- **Deserialization**: Untrusted data deserialization

### Phase 5: CI/CD Security

Review pipeline configurations for:
- Secrets in plain text in CI configs
- Overly permissive permissions
- Missing branch protection
- Unsigned artifacts

### Phase 6: STRIDE Threat Model

For the most critical component identified, apply STRIDE:

| Threat | Question |
|--------|----------|
| **Spoofing** | Can an attacker impersonate a user or service? |
| **Tampering** | Can data be modified in transit or at rest? |
| **Repudiation** | Are actions properly logged and attributable? |
| **Information Disclosure** | Can sensitive data leak? |
| **Denial of Service** | Can the system be overwhelmed? |
| **Elevation of Privilege** | Can a low-privilege user escalate? |

### Phase 7: LLM Security (if applicable)

If the codebase uses LLM APIs:
- Prompt injection vectors
- Output sanitization
- Token/cost limits
- PII in prompts or logs

## Reporting

For each finding:
> **[SEVERITY: Critical/High/Medium/Low]** [Phase N] — [title]
> **Location**: [file:line]
> **Description**: [what and why it's a risk]
> **Remediation**: [specific fix]
> **False positive likelihood**: [Low/Medium/High]

Filter out likely false positives but include them in an appendix.

### Summary Table

| Severity | Count |
|----------|-------|
| Critical | N |
| High | N |
| Medium | N |
| Low | N |
| False positives filtered | N |

{{CONFIDENCE_CALIBRATION}}
