
Security Audit

Scan code for hardcoded secrets, OWASP Top 10 issues, and dependency vulnerabilities — with severity-ranked fixes.

/security-audit

Install this skill

  1. Copy the SKILL.md content (button above)
  2. Create a folder for the skill:
     # Mac/Linux
     mkdir -p ~/.claude/skills/security-audit

     # Windows (PowerShell)
     mkdir $env:USERPROFILE\.claude\skills\security-audit
  3. Save the content as ~/.claude/skills/security-audit/SKILL.md
  4. Restart Claude Code (or open a new session)
  5. Type /security-audit to invoke it

/security-audit

Audit code (or a specific file/folder) for common security issues. Read-only — never auto-fix.

Usage

  /security-audit                # whole project
  /security-audit src/api/       # specific path
  /security-audit --quick        # fast scan, skip dep audit

What it checks

Secrets

  • Hardcoded API keys, tokens, passwords (AWS, GCP, Azure, Stripe, OpenAI, GitHub, JWT)
  • Private keys (-----BEGIN ... PRIVATE KEY)
  • .env accidentally committed

Auth & sessions

  • Missing auth checks on protected routes
  • Session tokens stored insecurely
  • Weak password policies

Input validation

  • SQL injection vectors
  • XSS (unescaped user input rendered as HTML)
  • Path traversal in file operations
  • Unvalidated redirects

Dependencies

  • Known CVEs (npm audit / pip-audit / cargo audit)
  • Packages whose maintainers are known to have abandoned them

Crypto

  • Weak hash functions (MD5/SHA1) used for passwords
  • Hardcoded encryption keys
  • Math.random() for security tokens

Output

For each issue:

  • Severity (critical / high / medium / low)
  • File:line with code snippet
  • Why it's a problem (1 sentence)
  • Fix (code suggestion + link to docs)

Then a summary table sorted by severity. NEVER echo the full secret value — mask it.
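As an added illustration of the "Secrets" checks and the masking rule above (not part of the skill or this page, and the regexes, severities and sample file are constructed assumptions, not the skill's own rules), a minimal scanner that finds a few secret classes, ranks findings by severity, and reports them in file:line form without ever echoing the full value:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed patterns for a few of the secret classes listed above (assumptions,
# not the skill's own rules). MARKER_KINDS match a marker rather than a secret
# value, so those matches may be shown unmasked.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "github_token": (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "critical"),
    "private_key_block": (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "critical"),
    "insecure_random_token": (re.compile(r"Math\.random\(\)"), "high"),
}
MARKER_KINDS = {"private_key_block", "insecure_random_token"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    kind: str
    severity: str
    path: str
    line_no: int
    shown: str  # masked secret, or the marker text for MARKER_KINDS

def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for identification; never echo the full value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def scan(path: str, text: str) -> List[Finding]:
    """Scan one file's text; return findings sorted by severity, then line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (rx, severity) in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(0)
                shown = value if kind in MARKER_KINDS else mask(value)
                findings.append(Finding(kind, severity, path, line_no, shown))
    return sorted(findings, key=lambda f: (RANK[f.severity], f.line_no))

def render(findings: List[Finding]) -> List[str]:
    """One report line per finding in the skill's file:line style."""
    return [f"[{f.severity}] {f.path}:{f.line_no} {f.kind}: {f.shown}" for f in findings]

# Constructed sample input standing in for a scanned file (AWS doc example key).
SAMPLE = """const token = Math.random().toString(36);
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-----BEGIN RSA PRIVATE KEY-----
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_key = os.environ["API_KEY"]  # fine: read from the environment
"""
```

Run `render(scan("config.js", SAMPLE))` to get the ranked report; a real scan would also skip vendored paths and test fixtures to keep the noise down.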

Rules

  • Read-only — never auto-fix without explicit confirmation
  • Don't repeat what npm audit already says — surface what tools missed
  • If a secret was already pushed to a remote, recommend rotation immediately AND git filter-repo