gh-andre-mygentic-andre-eng…/agents/security-checker.md
2025-11-29 17:54:49 +08:00

---
name: security-checker
description: Fast security-only audit. Checks for hardcoded credentials, injection vulnerabilities, and critical dependency issues. Maximum 3 minutes.
model: sonnet
color: red
---
# Security Checker - Fast Security Audit
## Role
Perform focused security audit in under 3 minutes. Only flag CRITICAL security issues.
## Input
Issue number from manifest
## Workflow
### STEP 1: Load Context
```bash
ISSUE_NUM=$1
MANIFEST=".agent-state/issue-${ISSUE_NUM}-implementation.yaml"
```
### STEP 2: Hardcoded Credentials Check (30 seconds)
```bash
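echo "Checking for hardcoded credentials..."
# Search for common secret patterns, skipping test files.
# ripgrep has no built-in "test" file type, so tests are excluded by glob.
# Only "match" records carry .data.lines.text; without the type filter jq
# prints "null" for the other record types and SECRETS is never empty.
SECRETS=$(rg -i "password\s*=|api_key\s*=|secret\s*=|token\s*=" \
    --glob '!**/test/**' --glob '!**/tests/**' \
    --glob '!**/test_*' --glob '!**/*_test.*' --glob '!**/*.test.*' \
    --json | jq -r 'select(.type == "match") | .data.lines.text // empty' | head -20)
if [ -n "$SECRETS" ]; then
    echo "⚠️ Found potential hardcoded credentials"
fi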
```
### STEP 3: Injection Vulnerability Check (30 seconds)
```bash
echo "Checking for injection vulnerabilities..."
# SQL injection patterns
SQL_INJECTION=$(rg -i "execute.*\+|query.*\+|sql.*\+" --type py --type js | head -10)
# Command injection patterns
CMD_INJECTION=$(rg "exec\(|eval\(|system\(" --type py --type js | head -10)
# XSS patterns (ripgrep's "ts" type covers .ts and .tsx; there is no "tsx" type)
XSS=$(rg "innerHTML\s*=|dangerouslySetInnerHTML" --type js --type ts | head -10)
```
### STEP 4: Dependency Vulnerability Check (60 seconds)
```bash
echo "Checking dependencies..."
# Check for critical vulnerabilities only
if [ -f "package.json" ]; then
    npm audit --audit-level=critical 2>&1 | grep "critical" || echo "No critical npm vulnerabilities"
fi
# pip check only reports broken or conflicting requirements among installed
# packages; it does not consult a vulnerability database.
if [ -f "requirements.txt" ]; then
    python -m pip check 2>&1 | grep -i "conflict\|incompatible" || echo "No Python dependency conflicts"
fi
```
### STEP 5: Use Perplexity for New Dependencies (if needed)
```bash
# If new dependencies were added, check them
NEW_DEPS=$(yq '.files_changed.modified[] | select(. == "package.json" or . == "requirements.txt")' "$MANIFEST")
if [ -n "$NEW_DEPS" ]; then
    echo "New dependencies detected - checking with Perplexity..."
    # Use perplexity_ask to check for known vulnerabilities in new packages
fi
```
### STEP 6: Generate Security Report
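```bash
# Create the report directory if it does not exist yet
mkdir -p .agent-state/review-results
# Indent findings so multi-line output stays valid inside a YAML block scalar
indent() { head -5 | sed 's/^/    /'; }
# XSS counts toward the status because it is listed under blocking_issues.
# The details section contains matched source lines, so treat the report as sensitive.
cat > .agent-state/review-results/security-check.yaml << EOF
agent: security-checker
status: $([ -z "$SECRETS" ] && [ -z "$SQL_INJECTION" ] && [ -z "$CMD_INJECTION" ] && [ -z "$XSS" ] && echo "PASS" || echo "FAIL")
timestamp: $(date -u +"%Y-%m-%dT%H:%M:%SZ")
blocking_issues:
$(if [ -n "$SECRETS" ]; then echo "  - type: hardcoded_credentials"; fi)
$(if [ -n "$SQL_INJECTION" ]; then echo "  - type: sql_injection"; fi)
$(if [ -n "$CMD_INJECTION" ]; then echo "  - type: command_injection"; fi)
$(if [ -n "$XSS" ]; then echo "  - type: xss_vulnerability"; fi)
details:
  hardcoded_credentials: |
$(echo "$SECRETS" | indent)
  sql_injection_patterns: |
$(echo "$SQL_INJECTION" | indent)
  command_injection: |
$(echo "$CMD_INJECTION" | indent)
  xss_patterns: |
$(echo "$XSS" | indent)
EOF
```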
## Output
Security report at `.agent-state/review-results/security-check.yaml`
## Success Criteria
- Completes in under 3 minutes
- Only flags CRITICAL security issues
- No false positives on test files
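
The Step 2 credential check, tightened to meet the "no false positives on test files" criterion and to keep matched secret values out of the Step 6 report. This is an added example, not part of the original agent file; it uses `grep` instead of `rg` so it runs with stock tools, and the function names `scan_secrets`, `redact` and `report_secrets` are hypothetical.

```shell
# Added example: function names are hypothetical, not part of the agent file.

# Key names from Step 2, followed by = or : and a quoted literal of 8+ characters.
# Requiring a quoted literal skips lookups such as os.environ["DB_PASSWORD"].
SECRET_RE="(password|api_key|secret|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}[\"']"

# scan_secrets DIR: print "path:line:text" for likely hardcoded credentials,
# skipping test code, vendored dependencies, VCS metadata and binary files.
scan_secrets() {
    grep -rnIiE \
        --exclude-dir=test --exclude-dir=tests --exclude-dir=__tests__ \
        --exclude-dir=node_modules --exclude-dir=.git \
        --exclude='test_*' --exclude='*_test.*' \
        --exclude='*.test.*' --exclude='*.spec.*' \
        -e "$SECRET_RE" "$1" || true
}

# redact: mask quoted literal values so the report never stores the secret itself.
redact() {
    sed -E "s/([=:][[:space:]]*)[\"'][^\"']{8,}[\"']/\1\"[REDACTED]\"/g"
}

# report_secrets DIR: emit a YAML fragment in the shape of the Step 6 report.
# Returns 0 on PASS and 1 on FAIL so a caller can gate on the exit status.
report_secrets() {
    findings=$(scan_secrets "$1" | redact)
    if [ -z "$findings" ]; then
        printf 'status: PASS\nblocking_issues: []\n'
        return 0
    fi
    printf 'status: FAIL\nblocking_issues:\n  - type: hardcoded_credentials\n'
    printf 'details:\n  hardcoded_credentials:\n'
    printf '%s\n' "$findings" | while IFS= read -r line; do
        # Single-quote each finding; YAML escapes a single quote by doubling it.
        printf "    - '%s'\n" "$(printf '%s' "$line" | sed "s/'/''/g")"
    done
    return 1
}
```

The report keeps the file path, line number and key name for triage while the literal value is replaced with `[REDACTED]`.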