e90a84eaa0
Combines three repositories into a single workspace: - go-agent → pkg/orchestrator (Clotho), pkg/jobrunner, pkg/loop, cmd/ - go-agentic → pkg/lifecycle (allowance, sessions, plans, dispatch) - php-devops → repos.yaml, setup.sh, scripts/, .core/ Module path: forge.lthn.ai/core/agent All packages build, all tests pass. Co-Authored-By: Virgil <virgil@lethean.io>
1.6 KiB
1.6 KiB
| name | description | args | |
|---|---|---|---|
| security | Security-focused code review |
|
Security Review
Perform a security-focused code review.
Focus Areas
1. Injection Vulnerabilities
- SQL injection
- Command injection
- XSS (Cross-Site Scripting)
- LDAP injection
- XML injection
2. Authentication & Authorisation
- Hardcoded credentials
- Weak password handling
- Missing auth checks
- Privilege escalation paths
3. Data Exposure
- Sensitive data in logs
- PII in error messages
- Secrets in version control
- Insecure data transmission
4. Cryptography
- Weak algorithms (MD5, SHA1 for security)
- Hardcoded keys/IVs
- Insecure random number generation
5. Dependencies
- Known vulnerable packages
- Outdated dependencies
Process
- Get diff for specified range
- Scan for security patterns
- Check for common vulnerabilities
- Report findings with severity
Patterns to Check
Go
// SQL injection
db.Query("SELECT * FROM users WHERE id = " + id)
// Command injection
exec.Command("bash", "-c", userInput)
// Hardcoded secrets
apiKey := "sk_live_..."
PHP
// SQL injection
$db->query("SELECT * FROM users WHERE id = $id");
// XSS
echo $request->input('name');
// Command injection
shell_exec($userInput);
Output Format
## Security Review
### Critical
- **file:line** - SQL Injection: User input directly in query
### High
- **file:line** - Hardcoded API key detected
### Medium
- **file:line** - Missing CSRF protection
### Low
- **file:line** - Debug endpoint exposed
---
**Summary**: X critical, Y high, Z medium, W low