OpenSkillIndex← back to search
claude-codesecurity

Vibecosystem security

Security audit workflow - OWASP Top 10, input validation, auth, secret detection, vulnerability scan

install
source · Clone the upstream repo
git clone https://github.com/vibeeval/vibecosystem
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/vibeeval/vibecosystem "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/security" ~/.claude/skills/vibeeval-vibecosystem-security && rm -rf "$T"
manifest: skills/security/SKILL.md
tags
#security#owasp#vulnerability-scanning#input-validation#authentication
source content

Security Patterns

OWASP Top 10 (2021) Checklist

#VulnerabilityPrevention
A01Broken Access ControlRBAC, resource-level auth, CORS
A02Cryptographic FailuresEncrypt at rest/transit, no PII in logs
A03Injection (SQL/NoSQL/XSS/OS)Parameterized queries, output encoding, CSP
A04Insecure DesignThreat modeling, secure design patterns
A05Security MisconfigurationHardened defaults, no debug in prod
A06Vulnerable Componentsnpm audit, dependency scan, CVE tracking
A07Auth FailuresRate limiting, MFA, secure session
A08Data Integrity FailuresInput validation, signed updates, CI/CD security
A09Logging & Monitoring FailuresAudit log, alert on anomaly
A10SSRFURL allowlist, network segmentation

Input Validation

import { z } from 'zod';

const UserInput = z.object({
  email: z.string().email().max(255),
  name: z.string().min(1).max(100).regex(/^[\w\s-]+$/),
  age: z.number().int().min(0).max(150),
});

// Parameterized query (SQL injection prevention)
const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);

Auth Best Practices

// Password hashing
import bcrypt from 'bcryptjs';
const hash = await bcrypt.hash(password, 12);
const valid = await bcrypt.compare(password, hash);

// JWT with expiry
const token = jwt.sign({ userId: user.id, role: user.role }, secret, { expiresIn: '24h' });

// Rate limiting on auth endpoints
const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 });
app.use('/api/auth', authLimiter);

Secret Detection

# Git hooks ile secret engelleme
grep -rn "sk-\|pk_\|ghp_\|xoxb-\|AKIA" --include="*.ts" --include="*.js" src/
grep -rn "password\s*=\s*['\"]" --include="*.ts" src/

Security Headers

import helmet from 'helmet';
app.use(helmet());
// Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, etc.

Anti-Patterns

Anti-PatternCozum
Hardcoded secretsEnvironment variables
SQL string concatParameterized queries
No CORS configWhitelist origins
Debug mode in prodNODE_ENV check
No rate limitingexpress-rate-limit

Pentest Methodology (Overview)

Detayli rehber icin: 

pentest-methodology
skill

5-faz pipeline: Recon > Vuln Analysis > Exploitation > Verification > Report

Proof Levels

LevelTanim
L1 - TheoreticalPotansiyel risk, exploit edilmemis
L2 - DemonstratedBypass/leak gosterildi
L3 - ExploitedTam exploit, veri erisimi
L4 - ChainedBirden fazla vuln zincirlendi

Source-to-Sink Taint Tracing

Kullanici input'unun (source) tehlikeli fonksiyona (sink) ulasip ulasamadigini kontrol et:

Source: req.body, req.query, req.params, req.headers, cookies
Sink: db.query(), eval(), exec(), res.redirect(), innerHTML

Kontrol: Source ile Sink arasinda sanitizasyon/validasyon var mi?

Bu yaklasimi her code review'da auth/data islerinde kullan.