
This skill helps you perform PHP security audits by applying OWASP patterns, vulnerability checks, and CVSS scoring to identify and prioritize risks.

npx playbooks add skill questnova502/claude-skills-sync --skill security-audit

SKILL.md
---
name: security-audit
description: "Agent Skill: Security audit patterns for PHP/OWASP. Use when conducting security assessments, identifying vulnerabilities (XXE, SQL injection, XSS), or CVSS scoring. By Netresearch."
---

# Security Audit Skill

Security audits, vulnerability assessment, and secure coding patterns aligned with OWASP.

## Expertise Areas

- **Vulnerabilities**: XXE, SQL injection, XSS, CSRF, auth flaws, insecure deserialization
- **Risk Scoring**: CVSS v3.1 methodology
- **Secure Coding**: Input validation, output encoding, cryptography, session management

## Reference Files

- `references/xxe-prevention.md` - XXE detection and prevention
- `references/owasp-top10.md` - OWASP Top 10 patterns
- `references/cvss-scoring.md` - CVSS scoring methodology
- `references/api-key-encryption.md` - API key encryption at rest (sodium)
- `references/secure-php.md` - PHP-specific security patterns
- `references/secure-config.md` - Secure configuration checklists

## Quick Patterns

**XML parsing (prevent XXE):**
```php
// Pass LIBXML_NONET only: LIBXML_NOENT turns entity substitution on and LIBXML_DTDLOAD loads the external DTD.
$doc->loadXML($input, LIBXML_NONET);
```
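
A fuller version of the XML pattern, as an added example that is not part of the skill's own files: it parses with network access disabled and rejects any document that carries a DOCTYPE, so no entity declaration is ever accepted. The helper name `parseUntrustedXml()` is hypothetical and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Parse untrusted XML and refuse documents that declare a DOCTYPE.
 * parseUntrustedXml() is a hypothetical helper name, not part of the skill.
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new InvalidArgumentException('Empty XML input');
    }

    // Collect libxml errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches. LIBXML_NOENT (substitute
        // entities) and LIBXML_DTDLOAD (load external DTD) are left out.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            throw new RuntimeException('Malformed XML');
        }
        // A DOCTYPE is the only place entities can be declared; reject it.
        foreach ($doc->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE is not allowed');
            }
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs: one plain document, one with an internal entity.
$plain = '<order><id>42</id></order>';
$withDoctype = '<!DOCTYPE order [<!ENTITY e "x">]><order><id>&e;</id></order>';

echo 'accepted root: ', parseUntrustedXml($plain)->documentElement->nodeName, PHP_EOL;
try {
    parseUntrustedXml($withDoctype);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```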

**SQL (prevent injection):**
```php
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
```

**Output (prevent XSS):**
```php
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

**API keys (encrypt at rest):**
```php
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = 'enc:' . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));
```
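
The stored format above (`enc:` followed by base64 of nonce plus ciphertext) needs a matching decrypt path that fails closed. The following is an added example, not code from the skill: the function names and the sample key value are hypothetical, and it assumes PHP 8 with the sodium extension.

```php
<?php
declare(strict_types=1);

const ENC_PREFIX = 'enc:'; // prefix taken from the pattern above

function encryptApiKey(string $apiKey, string $key): string
{
    // A fresh random nonce per encryption; never reuse one under the same key.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return ENC_PREFIX . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));
}

function decryptApiKey(string $stored, string $key): string
{
    if (!str_starts_with($stored, ENC_PREFIX)) {
        throw new RuntimeException('Value is not in the encrypted format');
    }
    $raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLength) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated: a wrong key or any modified byte yields false.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Authentication failed: wrong key or tampered data');
    }
    return $plain;
}

// Constructed demo values; a real key comes from a secret store, not from code.
$key    = sodium_crypto_secretbox_keygen();
$apiKey = 'example-api-key-constructed';

$stored = encryptApiKey($apiKey, $key);
var_dump(decryptApiKey($stored, $key) === $apiKey);   // round trip
var_dump(encryptApiKey($apiKey, $key) !== $stored);   // new nonce, new ciphertext

// Flip one bit of the stored blob to show that tampering is detected.
$raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
try {
    decryptApiKey(ENC_PREFIX . base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```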

## Security Checklist

- [ ] bcrypt/Argon2 for passwords, CSRF tokens on state changes
- [ ] All input validated server-side, parameterized SQL
- [ ] XML external entities disabled, file uploads restricted
- [ ] Context-appropriate output encoding, CSP configured
- [ ] API keys encrypted at rest (sodium_crypto_secretbox)
- [ ] TLS 1.2+, secrets not in VCS, audit logging

## Verification

```bash
./scripts/security-audit.sh /path/to/project
```

---

> **Contributing:** https://github.com/netresearch/security-audit-skill

Overview

This skill provides pragmatic security audit patterns and checks focused on PHP and OWASP guidance. It helps assess common vulnerabilities, apply secure coding practices, and produce CVSS v3.1 risk scores for findings. Use it to speed up manual reviews and to standardize remediation guidance across projects.

How this skill works

The skill inspects code and configuration for high-risk patterns (XXE, SQL injection, XSS, CSRF, insecure deserialization, auth flaws) and recommends concrete fixes and secure defaults. It applies CVSS v3.1 methodology to classify impact and exploitability, and surfaces secure PHP patterns (input validation, output encoding, safe XML parsing, encrypted API key storage). It also bundles a checklist for deployment and verification scripts to run a baseline audit.

When to use it

  • During a code review for PHP applications or APIs
  • When performing a security assessment or penetration test
  • To validate remediation steps after a vulnerability fix
  • Before release to ensure secure configuration and secrets handling
  • When generating CVSS scores for identified findings

Best practices

  • Validate all input server-side and use parameterized queries for database access
  • Encode output for the context it is written into (HTML, attributes, JavaScript, or URL) to prevent XSS
  • Disable XML external entities and parsing features that allow remote DTDs to prevent XXE
  • Use bcrypt or Argon2 for passwords and protect state changes with CSRF tokens
  • Encrypt API keys and secrets at rest (e.g., libsodium secretbox) and avoid storing secrets in VCS
  • Enforce TLS 1.2+ and configure CSP and audit logging for production

Example use cases

  • Identify and fix a blind SQL injection by converting string concatenation to prepared statements
  • Detect XXE usage in XML parsing and switch to safe parser flags or reject external entities
  • Score a critical authentication bypass with CVSS v3.1 and recommend mitigation priorities
  • Audit configuration to ensure TLS, CSP, and secret management meet minimum requirements
  • Validate that API keys are encrypted at rest and that nonce usage is implemented correctly

FAQ

Can this skill automatically find all vulnerabilities?

No. It provides patterns, checks, and scoring guidance to speed up audits but complements manual review and dynamic testing.

Which vulnerabilities are covered?

Priority areas include XXE, SQL injection, XSS, CSRF, authentication/authorization flaws, and insecure deserialization, plus secure config and secret handling.