---

name: audit-security description: Quick security audit checking for hardcoded secrets, SSRF vectors, injection points, dependency issues, and missing security headers

Security Audit Skill

Perform a focused security audit on the codebase, checking for common vulnerabilities and security misconfigurations.

Instructions

Run through each security check systematically and report all findings.

1. Hardcoded Secrets Detection

Search for potential secrets in the codebase:

# Patterns to search for
API_KEY, api_key, apiKey, ApiKey
PASSWORD, password, Password, passwd
SECRET, secret, Secret
TOKEN, token, Token
CREDENTIAL, credential, Credential
PRIVATE_KEY, private_key, privateKey
AUTH, auth (in assignment context)
Bearer, Basic (hardcoded auth headers)

Using Grep tool, search for these patterns in:

• src/main/java/**/*.java
• src/main/resources/*.yml
• src/main/resources/*.properties
• *.env* files (except .env.example)
• docker-compose*.yml

Exclude:

• Test files (src/test/**)
• Comments explaining what secrets are needed
• Environment variable references (${...}, System.getenv())
• Configuration property placeholders

2. SSRF Vector Analysis

Identify potential Server-Side Request Forgery vulnerabilities:

Search for:

• URL construction from user input
• HTTP client calls with dynamic URLs
• new URL(), URI.create(), HttpRequest.newBuilder()
• OkHttp, RestTemplate, WebClient with variable URLs
• Redirect following without validation

Check:

• Are URLs validated against allowlists?
• Is there URL scheme validation (http/https only)?
• Are internal IPs blocked (127.0.0.1, 10.x, 192.168.x, 169.254.x)?
• Is redirect following limited?

In this project, examine:

• GoogleMapsService.java - URL unshortening
• ForecastService.java - Windguru API calls
• Strategy implementations - weather station fetches

3. Injection Point Detection

Search for potential injection vulnerabilities:

Command Injection:

Runtime.exec(), ProcessBuilder
String concatenation with external input

SQL Injection (if applicable):

String query = "SELECT * FROM " + userInput
Statement.execute() with concatenated strings

Log Injection:

log.info("User: " + userInput)  // without sanitization

XSS in responses:

Returning user input in HTML without encoding

Check for:

• String concatenation in sensitive operations
• Missing input validation/sanitization
• Unparameterized queries or commands

4. Dependency Security Check

Analyze build.gradle for:

Version Issues:

• Outdated dependencies with known CVEs
• Dependencies without version pinning
• Use of deprecated libraries

Key dependencies to check:

spring-boot-starter-* (current: 3.5.x)
okhttp (current: 4.12.x)
gson
spring-ai-*
playwright (for E2E)

Recommend:

• Running ./gradlew dependencyUpdates if available
• Checking against NIST NVD or Snyk database
• Using OWASP dependency-check plugin

5. Security Headers Analysis

Check for missing security headers in responses:

Required headers:

• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY or SAMEORIGIN
• X-XSS-Protection: 1; mode=block
• Strict-Transport-Security (HSTS)
• Content-Security-Policy
• Referrer-Policy

Check locations:

• Spring Security configuration (if present)
• WebFilter implementations
• Controller response modifications
• nginx.conf (if applicable)
• NettyConfig.java or similar

6. Additional Quick Checks

Authentication/Authorization:

• Are endpoints properly secured?
• Is there rate limiting?
• Session management issues?

Sensitive Data Exposure:

• Stack traces in error responses?
• Verbose error messages?
• Debug endpoints enabled in prod?

CORS Configuration:

• Overly permissive CORS (*)?
• Credentials allowed with wildcard origin?

Output Format

## Security Audit Report

### Summary
| Category | Issues Found | Severity |
|----------|--------------|----------|
| Hardcoded Secrets | X | Critical/None |
| SSRF Vectors | X | High/Medium/None |
| Injection Points | X | Critical/None |
| Dependencies | X | High/Medium/Low |
| Security Headers | X | Medium/None |

### Critical Issues (Immediate Action Required)

#### [Issue Title]
**File**: `path/to/file.java:line`
**Type**: [Hardcoded Secret / Injection / etc.]
**Risk**: [What could happen if exploited]
**Evidence**:
```java
// problematic code

Remediation: [How to fix]

High Priority Issues

[Issue Title]

...

Medium Priority Issues

[Issue Title]

...

Low Priority / Informational

• [Finding 1]
• [Finding 2]

Passed Checks

• No hardcoded secrets found in source code
• Dependencies are up to date
• [Other positive findings]

Recommendations

1. [Priority recommendation]
2. [Additional recommendation]
3. [Long-term improvement]

## Execution Steps

1. **Secrets scan**: Use `Grep` to search for secret patterns across the codebase
2. **SSRF analysis**: Read HTTP client code and URL handling logic
3. **Injection check**: Search for string concatenation patterns in sensitive contexts
4. **Dependency review**: Read `build.gradle` and check versions
5. **Headers check**: Examine security configuration and filters
6. **Compile report**: Organize findings by severity

## Notes

- Focus on actionable findings, not theoretical risks
- Distinguish between actual secrets and configuration placeholders
- Consider the context (e.g., test data vs production code)
- For dependencies, note that patch versions usually don't have CVEs
- This is a quick audit; recommend periodic deep security reviews