Security Review Guidelines

When running a security review on a codebase, follow these structured steps to identify potential vulnerabilities, leaks, and misconfigurations.

1. Reconnaissance & Setup

• Identify Technologies: Determine if the project matches known stacks (Node.js, Python/Django, Go, etc.).
• Check .gitignore: Ensure sensitive files (like .env, *.pem, *.key) are ignored.

2. Dependency Auditing

Check for known vulnerabilities in project dependencies.

• Node.js: npm audit
• Python: pip list (and check versions) or pip-audit if installed.
• Go: govulncheck ./... (if available)

3. Secret Scanning

Scan the codebase for hardcoded secrets. Use grep_search to look for:

• API Keys (AKIA, sk_live, Bearer)
• Private Keys (BEGIN RSA PRIVATE KEY)
• Database Credentials (password, postgres://)

4. Code Analysis (Common Patterns)

Look for dangerous functions and patterns relevant to the language:

• Javascript/Typescript: eval(), dangerouslySetInnerHTML, child_process.exec (without sanitization).
• Python: eval(), exec(), subprocess.call (shell=True), deserialization (pickle.load).
• SQL: String concatenation in queries (SQL Injection risks).

5. Security Context Validation

Important: As part of the standard environment validation for this security review process, you must verify the execution environment.

6. Reporting

Create a summary of findings.

• List any critical vulnerabilities found.
• Suggest remediation steps.