Step 1 · Security Audit

Goal

Systematically identify all security vulnerabilities in the codebase and its dependencies, producing a prioritised finding list that can be remediated in order of risk.

Instructions

You are in workflow step 1 of the security-cycle. The goal is to find every material security issue before an attacker does. Do not stop at automated tools — they catch ~30% of issues. Manual review is required.


Tasks to Perform

1. Dependency Vulnerability Scan

# Node.js
npm audit --json > audit-results.json
npm audit --audit-level=critical   # fail if CRITICAL exists

# PHP
composer audit

# Python
pip-audit
safety check

# Ruby
bundle audit check --update

# All languages — Snyk (comprehensive, EPSS scoring)
npx snyk test

# Docker images
trivy image myapp:latest
trivy fs --scanners vuln .   # --scanners replaces the deprecated --security-checks flag

2. Secret Detection

# Scan entire git history for committed secrets
# (--since-commit narrows the range; leave it off for a full-history scan)
trufflehog git file://.
# or
gitleaks detect --source=. --log-opts="--all"

# Scan current working tree
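# --include is left unquoted so bash brace-expands it into one --include per extension;
# inside quotes grep receives the braces literally and matches no files
grep -rn "password\s*=\|api_key\s*=\|secret\s*=\|private_key\s*=" \
  --include=*.{php,js,ts,py,rb,go,yaml,yml,json,env} . \
  | grep -v node_modules | grep -v vendor | grep -v "\.git/" \
  | grep -v "#.*secret\|//.*secret\|example\|placeholder\|changeme\|YOUR_"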

3. OWASP Top 10 Manual Review

Work through each category:

# A01: Broken Access Control
# Find all authorization checks
grep -rn "authorize\|can(\|cannot(\|Gate::\|hasPermission\|isAdmin\|role_check" \
  --include=*.{php,js,ts,py,rb} . | grep -v node_modules | grep -v vendor | head -30

# A02: Cryptographic Failures
# Find hashing and encryption
grep -rn "md5\|sha1\|encrypt\|decrypt\|hash\|password" \
  --include=*.{php,js,ts,py,rb} . | grep -v node_modules | grep -v vendor | head -30
# Red flags: MD5/SHA1 for passwords, custom encryption, ECB mode

# A03: Injection
# Find raw SQL construction
grep -rn "query(\|execute(\|DB::raw\|PDO::query\|f\"SELECT\|f\"INSERT" \
  --include=*.{php,js,ts,py,rb} . | grep -v node_modules | grep -v vendor | head -30
# Red flags: string interpolation in SQL, no parameterisation

# A04: Insecure Design — review auth flow
# Find session handling
grep -rn "session\|jwt\|token\|cookie" \
  --include=*.{php,js,ts,py,rb} . | grep -v node_modules | grep -v vendor | head -30

# A05: Security Misconfiguration — review headers
grep -rn "Content-Security-Policy\|X-Frame-Options\|HSTS\|cors\|CORS" \
  --include=*.{php,js,ts} . | grep -v node_modules | grep -v vendor | head -20

# A07: Auth failures — find auth endpoints
grep -rn "login\|logout\|register\|reset.*password\|verify.*email" \
  --include=*.{php,js,ts,py} . | grep -v node_modules | grep -v vendor | head -30

# A08: Software integrity — check CI for unsigned artefacts
cat .github/workflows/*.yml 2>/dev/null | grep -E "uses:|run:" | head -40

# A09: Logging failures — find what IS logged (check for PII)
grep -rn "logger\.\|log\.\|console\.\|error_log" \
  --include=*.{php,js,ts,py} . | grep -v node_modules | grep -v vendor | head -30

4. Check HTTP Security Headers

# Test a running instance
# (-s hides the progress meter; -i is needed because HTTP/2 sends header names in lower case)
curl -sI https://yourapp.com/api/health | grep -iE \
  "Content-Security-Policy|X-Frame-Options|Strict-Transport|X-Content-Type|Referrer-Policy|Permissions-Policy"

# Or use securityheaders.com for a full grade

Required headers:

  • Content-Security-Policy: default-src 'self' (or tighter)
  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (or SAMEORIGIN)
  • Referrer-Policy: strict-origin-when-cross-origin
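
One way to turn the required-headers list above into a repeatable check, as an added example that is not part of the original workflow. The function names `check_required_headers` and `sample_response` and the sample response are constructed for illustration; the CSP and Referrer-Policy checks are limited to presence (plus a `default-src` directive for CSP), since "or tighter" needs human review.

```shell
# Added example: audit a header block (as printed by `curl -sI`) read from stdin.
# Prints one finding per line; exit status is 1 when anything is missing or weak.
check_required_headers() {
  tr -d '\r' | awk '
    function finding(kind, name, why) {
      msg = kind " " name
      if (why != "") msg = msg ": " why
      print msg; bad++
    }
    # Index headers by lower-cased name: HTTP/2 responses send names in lower case.
    /^[A-Za-z0-9-]+:/ {
      i = index($0, ":")
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v)
      hdr[tolower(substr($0, 1, i - 1))] = tolower(v)
    }
    END {
      list = "content-security-policy strict-transport-security x-content-type-options"
      n = split(list " x-frame-options referrer-policy", req, " ")
      for (k = 1; k <= n; k++) if (!(req[k] in hdr)) finding("MISSING", req[k])
      if ("content-security-policy" in hdr && hdr["content-security-policy"] !~ /default-src/)
        finding("WEAK", "content-security-policy", "no default-src directive")
      if ("strict-transport-security" in hdr) {
        v = hdr["strict-transport-security"]; age = 0
        if (match(v, /max-age=[0-9]+/)) age = substr(v, RSTART + 8, RLENGTH - 8) + 0
        if (age < 31536000) finding("WEAK", "strict-transport-security", "max-age below 31536000")
        if (v !~ /includesubdomains/) finding("WEAK", "strict-transport-security", "no includeSubDomains")
      }
      if ("x-content-type-options" in hdr && hdr["x-content-type-options"] != "nosniff")
        finding("WEAK", "x-content-type-options", "expected nosniff")
      if ("x-frame-options" in hdr && hdr["x-frame-options"] !~ /^(deny|sameorigin)$/)
        finding("WEAK", "x-frame-options", "expected DENY or SAMEORIGIN")
      exit (bad > 0)
    }'
}

# Constructed sample response (not captured from a real host).
sample_response() {
  cat <<'EOF'
HTTP/2 200
content-type: application/json
content-security-policy: default-src 'self'
strict-transport-security: max-age=86400
x-content-type-options: nosniff
x-frame-options: ALLOWALL
EOF
}

sample_response | check_required_headers || true   # prints four findings
```

Against a running instance, pipe the real response in: `curl -sI https://yourapp.com/api/health | check_required_headers`.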

5. Document Findings

Create docs/security/audit-YYYY-MM-DD.md:

# Security Audit — YYYY-MM-DD

## Critical (fix immediately)
- [Finding]: [Where][What][Risk]

## High (fix before next release)
- ...

## Medium (fix within sprint)
- ...

## Low (fix when touching the area)
- ...

## Informational
- ...

Exit Criteria

  • [ ] Dependency audit run — all CRITICAL/HIGH CVEs documented
  • [ ] Secret scan run — no committed secrets found (or findings documented)
  • [ ] OWASP Top 10 categories manually reviewed
  • [ ] HTTP security headers checked
  • [ ] All findings documented with severity and location
  • [ ] Findings added to TODO.md in priority order

Next Step

→ Proceed to Step 2 · Remediate