
security-check

Automatic OWASP security checks on generated code. Use when: any code is generated in the pipeline. Triggers: internal use only.

$ Install

git clone https://github.com/timequity/vibe-coder /tmp/vibe-coder && cp -r /tmp/vibe-coder/skills/security-check ~/.claude/skills/vibe-coder

// tip: Run this command in your terminal to install the skill


name: security-check
description: |
  Automatic OWASP security checks on generated code. Use when: any code is generated in the pipeline. Triggers: internal use only.

Security Check

OWASP validation runs on every code generation. The user does not see it.

Checks

Input Validation

  • All user inputs sanitized
  • No raw SQL queries (use parameterized)
  • No eval() or dynamic code execution
  • File uploads validated (type, size)

Authentication

  • Passwords hashed (bcrypt/argon2)
  • Sessions properly managed
  • CSRF protection enabled
  • Rate limiting on auth endpoints

Authorization

  • Protected routes check auth
  • API endpoints verify permissions
  • No direct object references exposed

Data Exposure

  • No secrets in code
  • Sensitive data not logged
  • API responses don't leak internals
  • Error messages don't expose stack

Headers

  • HTTPS enforced
  • Security headers set (CSP, HSTS)
  • Cookies secure + httpOnly

Auto-Fix

For common issues:

Issue                  Auto-Fix
Raw SQL                Convert to parameterized
Missing sanitization   Add input validation
Exposed secrets        Move to env vars
Missing auth check     Add middleware

Automation Script

Run OWASP checks programmatically:

python scripts/security_scan.py --path /project/path
python scripts/security_scan.py --path /project/path --json  # JSON output
python scripts/security_scan.py --fail-on high  # Fail on high+ severity

Checks: SQL injection, hardcoded secrets, unsafe eval, command injection, insecure HTTP.

Reporting

Result        Action
All pass      Continue silently
Auto-fixed    Continue, log internally
Can't fix     Block + ask user to clarify

User sees nothing unless there's an unfixable security issue.
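The following is an added example, not the vibe-coder project's own scripts/security_scan.py. It shows what a scanner covering the five check classes listed under Automation Script (SQL injection, hardcoded secrets, unsafe eval, command injection, insecure HTTP) looks like in practice, with a --fail-on style severity threshold, JSON output, and the pass / auto-fixed / block decision from the Reporting table. The rule names, regex patterns, severities, the "auto-fixable" flags (taken from the Auto-Fix table) and the constructed sample source are all assumptions of this example; the real script may differ.

```python
"""Minimal OWASP-style static scanner (added example, not the project's script).

Each rule is a regular expression with a severity and a flag saying whether the
Auto-Fix table lists a known fix for it. scan_source() runs every rule over
every line, fails_threshold() implements a --fail-on style cut-off, and
decide() maps the findings to the Reporting table's outcomes.
"""
import json
import re
from dataclasses import asdict, dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# (rule id, severity, pattern, auto-fixable) -- all assumed for this example
RULES = [
    # string literal built with f"..." / "..." + x / "..." % x passed to execute()
    ("sql-injection", "high",
     re.compile(r"""\.execute\(\s*(f["']|["'][^"']*["']\s*[+%])"""), True),
    # credential-like name assigned a long quoted literal
    ("hardcoded-secret", "high",
     re.compile(r"""(?i)\b(password|secret|api_key|token)\s*=\s*["'][^"']{8,}["']"""), True),
    # dynamic code execution
    ("unsafe-eval", "critical",
     re.compile(r"\b(eval|exec)\s*\("), False),
    # shell=True or string-built command handed to os.system / subprocess.*
    ("command-injection", "critical",
     re.compile(r"""(os\.system|subprocess\.\w+)\s*\(.*(shell\s*=\s*True|\bf["']|\+)"""), False),
    # plaintext http:// URL that is not a loopback address
    ("insecure-http", "medium",
     re.compile(r"""["']http://(?!localhost|127\.0\.0\.1)"""), True),
]

# Reporting table outcomes
ACTIONS = {
    "pass": "Continue silently",
    "auto-fixed": "Continue, log internally",
    "block": "Block + ask user to clarify",
}


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    snippet: str
    auto_fixable: bool


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every non-blank, non-comment line of `source`."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        stripped = text.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule_id, severity, pattern, fixable in RULES:
            if pattern.search(text):
                findings.append(Finding(rule_id, severity, lineno, stripped, fixable))
    return findings


def fails_threshold(findings: list[Finding], fail_on: str = "high") -> bool:
    """True if any finding is at or above the --fail-on severity."""
    floor = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f.severity] >= floor for f in findings)


def decide(findings: list[Finding]) -> str:
    """Map findings to the Reporting table: pass, auto-fixed, or block."""
    if not findings:
        return "pass"
    if all(f.auto_fixable for f in findings):
        return "auto-fixed"
    return "block"


def to_json(findings: list[Finding]) -> str:
    """Equivalent of the --json output mode."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample input: each flagged line sits next to its safe counterpart.
SAMPLE = '''\
import os, subprocess, requests
API_KEY = "sk_test_abcdef1234567890"
db_pass = os.environ["DB_PASSWORD"]
cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
result = eval(request.args["expr"])
subprocess.run("ls " + path, shell=True)
subprocess.run(["ls", "-l", path])
requests.get("http://api.example.com/v1/users")
requests.get("https://api.example.com/v1/users")
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE)
    print(to_json(found))
    print("fail-on high:", fails_threshold(found, "high"))
    print("action:", ACTIONS[decide(found)])
```

Running the block against the constructed sample flags lines 2, 4, 6, 7 and 9 and leaves their parameterized, env-var, argv-list and HTTPS counterparts alone; because the eval and shell findings have no entry in the Auto-Fix table, decide() returns "block", which is the one case where the user is interrupted.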