zhongwei/gh-greyhaven-ai-claude-code-config-grey-haven-plugins-security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 18:29:28 +08:00
commit 5f6dacc74b
19 changed files with 3378 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
skills/security-analysis/SKILL.md Normal file
View File

@@ -0,0 +1,26 @@
# Security Analysis Skill
Comprehensive security analysis with vulnerability detection, OWASP Top 10 compliance, penetration testing simulation, and remediation.
## Description
Deep security audits including threat modeling, attack surface analysis, cryptographic validation, authentication review, and compliance assessment.
## What's Included
- **Examples**: OWASP Top 10 checks, penetration test scenarios
- **Reference**: Security best practices, threat models
- **Templates**: Security audit templates, vulnerability reports
## Use When
- Security audits needed
- Pre-deployment security checks
- Vulnerability investigation
- Compliance assessments
## Related Agents
- `security-analyzer`
**Skill Version**: 1.0

112
skills/security-analysis/examples/INDEX.md Normal file
View File

@@ -0,0 +1,112 @@
# Security Vulnerability Examples
Real-world vulnerability examples with exploitation scenarios, CVSS scores, and complete remediations.
## Examples Overview
### SQL Injection (A03)
**File**: [sql-injection.md](sql-injection.md)
Critical database security vulnerabilities:
- SQL injection attack scenarios
- Blind SQL injection techniques
- Parameterized query solutions
- ORM best practices
- Input validation patterns
- CVSS 9.8 (Critical) examples
**Use when**: Building database queries, API endpoints with user input, search functionality.
---
### Cross-Site Scripting - XSS (A03)
**File**: [xss-vulnerabilities.md](xss-vulnerabilities.md)
XSS attack vectors and prevention:
- Reflected XSS exploitation
- Stored XSS persistence attacks
- DOM-based XSS scenarios
- Output encoding solutions
- Content Security Policy (CSP)
- CVSS 7.1 (High) examples
**Use when**: Rendering user-generated content, building search features, dynamic HTML generation.
---
### Authentication Bypass (A07)
**File**: [authentication-bypass.md](authentication-bypass.md)
Authentication and session security flaws:
- JWT algorithm confusion attacks
- Session fixation exploitation
- Weak password policies
- Missing MFA vulnerabilities
- Secure authentication implementation
- CVSS 8.1 (High) examples
**Use when**: Implementing login systems, session management, API authentication, OAuth flows.
---
### Secrets Exposure (A02)
**File**: [secrets-exposure.md](secrets-exposure.md)
Hardcoded credentials and secret management:
- API key exposure detection
- Hardcoded password patterns
- Environment variable best practices
- Doppler/Vault integration
- Git secret scanning
- CVSS 9.1 (Critical) examples
**Use when**: Managing configuration, deploying applications, working with third-party APIs.
---
### Dependency Vulnerabilities (A06)
**File**: [dependency-vulnerabilities.md](dependency-vulnerabilities.md)
Supply chain and dependency security:
- Known CVE exploitation
- Outdated package detection
- npm audit / pip-audit usage
- Dependency update strategies
- Lock file security
- CVSS varies by CVE
**Use when**: Adding dependencies, updating packages, conducting security audits.
---
## OWASP Top 10 Coverage
| Vulnerability | Example File | CVSS Range | Frequency |
|---------------|--------------|------------|-----------|
| **A01: Broken Access Control** | (Covered in auth-bypass) | 6.5-8.8 | Very High |
| **A02: Cryptographic Failures** | secrets-exposure.md | 7.5-9.8 | High |
| **A03: Injection** | sql-injection.md, xss-vulnerabilities.md | 7.3-9.8 | High |
| **A04: Insecure Design** | (Threat modeling reference) | Varies | Medium |
| **A05: Security Misconfiguration** | (Reference docs) | 5.3-7.5 | High |
| **A06: Vulnerable Components** | dependency-vulnerabilities.md | 4.0-10.0 | Very High |
| **A07: Auth Failures** | authentication-bypass.md | 6.5-9.1 | High |
| **A08: Data Integrity** | (Reference docs) | 7.5-8.8 | Medium |
| **A09: Logging Failures** | (Reference docs) | 5.3-6.5 | Medium |
| **A10: SSRF** | (Reference docs) | 6.4-9.6 | Medium |
## Severity Guide
- **Critical (9.0-10.0)**: Immediate exploitation, severe impact
- **High (7.0-8.9)**: Easy exploitation, significant impact
- **Medium (4.0-6.9)**: Moderate difficulty, limited impact
- **Low (0.1-3.9)**: Difficult exploitation, minimal impact
## Navigation
- **Reference**: [Reference Index](../reference/INDEX.md)
- **Templates**: [Templates Index](../templates/INDEX.md)
- **Main Agent**: [security-analyzer.md](../security-analyzer.md)
---
Return to [main agent](../security-analyzer.md)

96
skills/security-analysis/reference/INDEX.md Normal file
View File

@@ -0,0 +1,96 @@
# Security Reference Documentation
Comprehensive security reference materials for the Grey Haven security analyzer agent.
## Reference Guides Overview
### OWASP Top 10 2021
**File**: [owasp-top-10.md](owasp-top-10.md)
Complete OWASP Top 10 coverage for Grey Haven stack:
- **A01: Broken Access Control** - Multi-tenant RLS, authorization patterns
- **A02: Cryptographic Failures** - Secrets management, encryption, hashing
- **A03: Injection** - SQL injection, XSS, command injection prevention
- **A04: Insecure Design** - Threat modeling, secure architecture patterns
- **A05: Security Misconfiguration** - Cloudflare Workers, environment hardening
- **A06: Vulnerable Components** - Dependency scanning, update strategies
- **A07: Authentication Failures** - better-auth, MFA, session management
- **A08: Software & Data Integrity** - Checksum validation, CI/CD security
- **A09: Logging & Monitoring Failures** - Security event logging, SIEM integration
- **A10: Server-Side Request Forgery** - SSRF prevention, URL validation
**Use when**: Understanding OWASP categories, mapping vulnerabilities to standards
---
### CVSS v3.1 Scoring Reference
**File**: [cvss-scoring.md](cvss-scoring.md)
Complete CVSS vulnerability scoring methodology:
- **Base Metrics**: AV, AC, PR, UI, S, C, I, A
- **Temporal Metrics**: Exploit Code Maturity, Remediation Level, Report Confidence
- **Environmental Metrics**: Modified Base Metrics for specific environments
- **Severity Ranges**: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9)
- **Vector Strings**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- **Calculator**: Step-by-step scoring examples
- **Real CVEs**: Mapping actual vulnerabilities to CVSS scores
**Use when**: Scoring vulnerabilities, prioritizing remediation, reporting severity
---
### Compliance Requirements
**File**: [compliance-requirements.md](compliance-requirements.md)
Security compliance frameworks for SaaS:
- **PCI DSS 4.0**: Payment card data security (Stripe integration)
- **GDPR**: EU data privacy requirements (multi-tenant data isolation)
- **HIPAA**: Healthcare data protection (if applicable)
- **SOC 2 Type II**: Trust services criteria (security, availability, confidentiality)
- **ISO 27001**: Information security management
- **NIST Cybersecurity Framework**: Security controls mapping
- **Grey Haven Specific**: Cloudflare Workers compliance, PostgreSQL encryption
**Use when**: Preparing for audits, implementing compliance controls, documenting security posture
---
### Security Tools Reference
**File**: [security-tools.md](security-tools.md)
Complete tooling guide for Grey Haven stack:
- **SAST**: Bandit (Python), ESLint security plugins (TypeScript)
- **Dependency Scanning**: bun audit, pip-audit, Snyk, Dependabot
- **Secret Scanning**: gitleaks, trufflehog, Doppler audit logs
- **Container Security**: (if using Docker)
- **Cloud Security**: Cloudflare WAF, rate limiting, DDoS protection
- **Database Security**: PostgreSQL RLS, query auditing, encryption at rest
- **Penetration Testing**: Burp Suite, OWASP ZAP, SQLMap
- **Monitoring**: DataDog Security Monitoring, Sentry error tracking
**Use when**: Selecting security tools, configuring CI/CD security gates, penetration testing
---
## Quick Navigation
| Topic | File | Lines | Purpose |
|-------|------|-------|---------|
| **OWASP Top 10** | [owasp-top-10.md](owasp-top-10.md) | ~450 | Security categories |
| **CVSS Scoring** | [cvss-scoring.md](cvss-scoring.md) | ~380 | Vulnerability scoring |
| **Compliance** | [compliance-requirements.md](compliance-requirements.md) | ~420 | Audit requirements |
| **Security Tools** | [security-tools.md](security-tools.md) | ~350 | Tool configuration |
## Related Documentation
- **Examples**: [Examples Index](../examples/INDEX.md) - Vulnerability examples with exploitation
- **Templates**: [Templates Index](../templates/INDEX.md) - Security report templates
- **Main Agent**: [security-analyzer.md](../security-analyzer.md) - Agent documentation
---
Return to [main agent](../security-analyzer.md)

71
skills/security-analysis/templates/INDEX.md Normal file
View File

@@ -0,0 +1,71 @@
# Security Templates
Copy-paste ready templates for security documentation and reporting.
## Templates Overview
### Security Vulnerability Report
**File**: [security-report.md](security-report.md)
Complete vulnerability report template for documenting security findings:
- **Executive Summary** - Non-technical overview for stakeholders
- **Vulnerability Details** - Technical description, CVSS scoring, affected systems
- **Proof of Concept** - Exploitation steps and evidence
- **Business Impact** - Risk assessment and potential damage
- **Remediation Steps** - Step-by-step fixes with code examples
- **Timeline** - Discovery, notification, patch, verification
- **References** - CVEs, OWASP, compliance mapping
**Use when**: Documenting security findings from audits, pentests, or internal discovery
---
### Penetration Testing Report
**File**: [penetration-test.md](penetration-test.md)
Comprehensive penetration testing documentation template:
- **Scope & Methodology** - Testing boundaries, rules of engagement
- **Executive Summary** - High-level findings for management
- **Testing Methodology** - OWASP Testing Guide, tools used
- **Findings Summary** - Critical/High/Medium/Low vulnerability counts
- **Detailed Findings** - Each vulnerability with PoC and remediation
- **Risk Assessment** - CVSS scoring and business impact
- **Remediation Roadmap** - Prioritized action plan with deadlines
- **Appendix** - Tool outputs, screenshots, raw scan data
**Use when**: Conducting penetration tests, security audits, or compliance assessments
---
## Quick Usage
```bash
# Copy template to project
cp templates/security-report.md ../reports/vuln-2025-001.md
# Fill in sections
vim ../reports/vuln-2025-001.md
# Submit for review
git add ../reports/vuln-2025-001.md
git commit -m "docs: add SQL injection vulnerability report"
```
## Template Conventions
**Date Format**: YYYY-MM-DD (ISO 8601)
**CVSS Format**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
**Severity Ratings**: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9)
**Code Blocks**: Use triple backticks with language specifier (```typescript, ```python)
## Related Documentation
- **Examples**: [Examples Index](../examples/INDEX.md) - Real vulnerability examples
- **Reference**: [Reference Index](../reference/INDEX.md) - OWASP, CVSS, compliance guides
- **Main Agent**: [security-analyzer.md](../security-analyzer.md) - Security analyzer agent
---
Return to [main agent](../security-analyzer.md)

279
skills/security-analysis/templates/security-report.md Normal file
View File

@@ -0,0 +1,279 @@
# Security Vulnerability Report
**Report ID**: VULN-YYYY-###
**Date**: YYYY-MM-DD
**Severity**: [Critical | High | Medium | Low]
**CVSS Score**: X.X
**Status**: [Open | In Progress | Resolved | Verified]
**Reporter**: [Name or Team]
---
## Executive Summary
**For non-technical stakeholders**
_Brief description of the vulnerability in business terms (2-3 sentences). Focus on impact to users, data, or business operations._
**Example**:
> A critical SQL injection vulnerability was discovered in the user search endpoint that allows attackers to extract all customer data from the database, including names, emails, and payment information. This vulnerability affects all users of the application and could result in a significant data breach if exploited.
---
## Vulnerability Details
### Description
_Technical description of the vulnerability. What is broken and why?_
**Affected Systems**:
- Component: [API endpoint, database, authentication system, etc.]
- Version: [Software version number]
- URL/Location: [https://api.greyhaven.io/users/search]
- Environment: [Production | Staging | Development]
**Attack Vector**: [Network | Adjacent | Local | Physical]
**OWASP Category**: [A03:2021 - Injection]
### CVSS v3.1 Scoring
**Vector String**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
| Metric | Value | Justification |
|--------|-------|---------------|
| Attack Vector (AV) | [N/A/L/P] | _How is it exploited?_ |
| Attack Complexity (AC) | [L/H] | _Difficulty of exploitation_ |
| Privileges Required (PR) | [N/L/H] | _Authentication needed?_ |
| User Interaction (UI) | [N/R] | _Victim must act?_ |
| Scope (S) | [U/C] | _Affects other components?_ |
| Confidentiality (C) | [H/L/N] | _Data disclosure?_ |
| Integrity (I) | [H/L/N] | _Data modification?_ |
| Availability (A) | [H/L/N] | _Service disruption?_ |
**Base Score**: X.X ([Critical | High | Medium | Low])
---
## Proof of Concept
### Exploitation Steps
1. **Step 1**: _Description_
```bash
# Command or code
```
2. **Step 2**: _Description_
```bash
# Command or code
```
3. **Step 3**: _Description_
```bash
# Expected result
```
### Evidence
_Screenshots, logs, or output demonstrating successful exploitation_
```
[Paste actual output or attach screenshot]
```
### Affected Code
**File**: `path/to/vulnerable/file.ts`
**Lines**: 42-58
```typescript
// Vulnerable code snippet
export async function searchUsers(query: string) {
// ❌ VULNERABLE: String concatenation in SQL query
const sql = `SELECT * FROM users WHERE username LIKE '%${query}%'`;
return await db.query(sql);
}
```
---
## Business Impact
### Risk Assessment
**Likelihood**: [High | Medium | Low]
- _How likely is exploitation in the wild?_
**Impact**: [Critical | High | Medium | Low]
- _What is the worst-case outcome?_
**Overall Risk**: [Critical | High | Medium | Low]
- _Likelihood × Impact_
### Potential Consequences
- **Data Breach**: _Description of data exposure (e.g., 500K user records)_
- **Financial Loss**: _Estimated monetary impact (e.g., $500K in GDPR fines)_
- **Reputational Damage**: _Impact on brand trust_
- **Regulatory Compliance**: _Which regulations violated (GDPR, PCI DSS)_
### Affected Users
- **User Count**: [X users affected]
- **User Types**: [All users | Admin users | Specific tenant]
- **Geographic Scope**: [Global | EU | US only]
---
## Remediation
### Immediate Mitigation (Temporary Fix)
**Timeline**: Implement within [X hours]
_Quick workaround to reduce risk while developing permanent fix_
**Steps**:
1. _Temporary mitigation step 1_
2. _Temporary mitigation step 2_
**Code Example** (if applicable):
```typescript
// Temporary workaround
export async function searchUsers(query: string) {
// ✅ TEMPORARY: Input validation regex
if (!/^[a-zA-Z0-9_-]+$/.test(query)) {
throw new Error('Invalid query');
}
const sql = `SELECT * FROM users WHERE username LIKE '%${query}%'`;
return await db.query(sql);
}
```
### Permanent Fix
**Timeline**: Deploy within [X days]
_Complete solution that eliminates the vulnerability_
**Steps**:
1. _Implementation step 1_
2. _Implementation step 2_
3. _Testing step_
4. _Deployment step_
**Code Example**:
```typescript
// ✅ SECURE: Parameterized query with Drizzle ORM
import { eq, like } from 'drizzle-orm';
export async function searchUsers(query: string) {
// ✅ Input validation
if (query.length > 100) {
throw new Error('Query too long');
}
// ✅ Parameterized query (SQL injection safe)
return await db.query.users.findMany({
where: like(users.username, `%${query}%`)
});
}
```
### Testing & Verification
**Test Cases**:
- [ ] Normal input: `alice` → Returns matching users
- [ ] Malicious input: `'; DROP TABLE users--` → Rejected/escaped
- [ ] SQL injection attempt: `' OR '1'='1` → No unauthorized access
- [ ] Automated test: `bun test security/sql-injection.test.ts`
**Verification Steps**:
1. Deploy fix to staging
2. Run penetration test suite
3. Verify vulnerability no longer exploitable
4. Code review by security team
5. Deploy to production
6. Monitor for 48 hours
---
## Timeline
| Date | Event | Responsible |
|------|-------|-------------|
| YYYY-MM-DD | Vulnerability discovered | [Name] |
| YYYY-MM-DD | Security team notified | [Name] |
| YYYY-MM-DD | Initial assessment completed | Security Team |
| YYYY-MM-DD | Temporary mitigation deployed | DevOps |
| YYYY-MM-DD | Permanent fix developed | Engineering |
| YYYY-MM-DD | Fix deployed to production | DevOps |
| YYYY-MM-DD | Vulnerability verified fixed | Security Team |
| YYYY-MM-DD | Report published (if public) | Security Team |
---
## References
### CVE/CWE
- **CVE**: [CVE-YYYY-XXXXX] (if assigned)
- **CWE**: [CWE-89: SQL Injection]
- **OWASP**: [A03:2021 - Injection]
### Documentation
- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
- [Drizzle ORM Security Documentation](https://orm.drizzle.team/)
- Internal: [Security Best Practices](../reference/owasp-top-10.md)
### Similar Incidents
- _Link to similar vulnerabilities in your organization_
- _External references to similar attacks (if applicable)_
---
## Compliance Mapping
**Affected Compliance Requirements**:
- [ ] **PCI DSS 4.0**: Requirement 6.2 (Secure Development)
- [ ] **GDPR**: Article 32 (Security of Processing)
- [ ] **SOC 2**: CC6.1 (Logical Access Controls)
---
## Lessons Learned
### Root Cause Analysis
_What caused this vulnerability to exist?_
**Example**:
> The vulnerability was introduced in commit abc123 when developers implemented user search without using the ORM. Code review did not catch the SQL injection vulnerability because security review was not part of the PR checklist.
### Prevention Measures
_How can we prevent this class of vulnerabilities in the future?_
- [ ] Add SQL injection test cases to CI/CD
- [ ] Enforce Drizzle ORM usage (eslint rule)
- [ ] Security training on parameterized queries
- [ ] Mandatory security review for database changes
- [ ] Run `bun audit` and `bandit` in CI/CD
---
## Sign-Off
**Reported by**: _______________________ Date: ___________
**Verified by**: _______________________ Date: ___________
**Approved for Closure**: _______________________ Date: ___________
---
**Template Version**: 1.0.0
**Last Updated**: 2025-01-06