Specialized worker auditing security vulnerabilities in codebase.

Purpose & Scope

Worker in ln-620 coordinator pipeline - invoked by ln-620-codebase-auditor
Audit codebase for security vulnerabilities (Category 1: Critical Priority)
Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
Return structured findings to coordinator with severity, location, effort, recommendations
Calculate compliance score (X/10) for Security category

Inputs (from Coordinator)

Receives contextStore as JSON string:

{
  "tech_stack": {
    "language": "TypeScript",
    "frameworks": ["Express", "React"],
    "database": "PostgreSQL",
    ...
  },
  "best_practices": {
    "framework_patterns": [...],
    "security_guidelines": [...]
  },
  "principles": {...},
  "codebase_root": "/path/to/project"
}

Workflow

Parse Context: Extract tech stack, best practices, codebase root from contextStore
Scan Codebase: Run security checks using Glob/Grep patterns (see Audit Rules below)
Collect Findings: Record each violation with severity, location (file:line), effort estimate (S/M/L), recommendation
Calculate Score: Count violations by severity, calculate compliance score (X/10)
Return Results: Return JSON with category, score, findings to coordinator

Audit Rules (Priority: CRITICAL)

1. Hardcoded Secrets

What: API keys, passwords, tokens, private keys in source code

Detection:

Search patterns: API_KEY = "...", password = "...", token = "...", SECRET = "..."
File extensions: .ts, .js, .py, .go, .java, .cs
Exclude: .env.example, README.md, test files with mock data

Severity:

CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
HIGH: Development/staging credentials
MEDIUM: Test credentials in non-test files

Recommendation: Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)

Effort: S (replace hardcoded value with process.env.VAR_NAME)

2. SQL Injection Patterns

What: String concatenation in SQL queries instead of parameterized queries

Detection:

Patterns: query = "SELECT * FROM users WHERE id=" + userId, db.execute(f"SELECT * FROM {table}"), SELECT * FROM ${table}
Languages: JavaScript, Python, PHP, Java

Severity:

CRITICAL: User input directly concatenated without sanitization
HIGH: Variable concatenation in production code
MEDIUM: Concatenation with internal variables only

Recommendation: Use parameterized queries (prepared statements), ORM query builders

Effort: M (refactor query to use placeholders)

3. XSS Vulnerabilities

What: Unsanitized user input rendered in HTML/templates

Detection:

Patterns: innerHTML = userInput, dangerouslySetInnerHTML={{__html: data}}, echo $userInput;
Template engines: Check for unescaped output ({{ var | safe }}, <%- var %>)

Severity:

CRITICAL: User input directly inserted into DOM without sanitization
HIGH: User input with partial sanitization (insufficient escaping)
MEDIUM: Internal data with potential XSS if compromised

Recommendation: Use framework escaping (React auto-escapes, use textContent), sanitize with DOMPurify

Effort: S-M (replace innerHTML with textContent or sanitize)

4. Insecure Dependencies

What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)

Detection:

Run npm audit (Node.js), pip-audit (Python), cargo audit (Rust), dotnet list package --vulnerable (.NET)
Check for outdated critical dependencies

Severity:

CRITICAL: CVE with exploitable vulnerability in production dependencies
HIGH: CVE in dev dependencies or lower severity production CVEs
MEDIUM: Outdated packages without known CVEs but security risk

Recommendation: Update to patched versions, replace unmaintained packages

Effort: S-M (update package.json, test), L (if breaking changes)

5. Missing Input Validation

What: Missing validation at system boundaries (API endpoints, user forms, file uploads)

Detection:

API routes without validation middleware
Form handlers without input sanitization
File uploads without type/size checks
Missing CORS configuration

Severity:

CRITICAL: File upload without validation, authentication bypass potential
HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
MEDIUM: Missing validation on read-only or internal endpoints

Recommendation: Add validation middleware (Joi, Yup, express-validator), implement input sanitization

Effort: M (add validation schema and middleware)

Scoring Algorithm

violations = {critical: N, high: M, medium: K, low: L}

penalty = (critical * 2.0) + (high * 1.0) + (medium * 0.5) + (low * 0.2)

score = max(0, 10 - penalty)

Examples:

0 violations → 10/10
1 critical → 8/10
2 critical, 3 high → 3/10
5 critical, 10 high → 0/10

Output Format

Return JSON to coordinator:

{
  "category": "Security",
  "score": 7,
  "total_issues": 5,
  "critical": 1,
  "high": 2,
  "medium": 2,
  "low": 0,
  "findings": [
    {
      "severity": "CRITICAL",
      "location": "src/api/auth.ts:45",
      "issue": "Hardcoded API key in production code",
      "principle": "Secrets Management (OWASP A02:2021 Cryptographic Failures)",
      "recommendation": "Move API_KEY to environment variable (.env file)",
      "effort": "S"
    },
    {
      "severity": "HIGH",
      "location": "src/db/queries.ts:112",
      "issue": "SQL injection via string concatenation",
      "principle": "Input Validation (OWASP A03:2021 Injection)",
      "recommendation": "Use parameterized queries or ORM to prevent SQL injection",
      "effort": "M"
    }
  ]
}

Critical Rules

Do not auto-fix: Report violations only; coordinator creates task for user to fix
Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
False positive reduction: Exclude test files, example configs, documentation
Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
Location precision: Always include file:line for programmatic navigation

Definition of Done

contextStore parsed successfully
All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
Findings collected with severity, location, effort, recommendation
Score calculated using penalty algorithm
JSON result returned to coordinator

Reference Files

Security audit rules: references/security_rules.md

Version: 3.0.0 Last Updated: 2025-12-23

ln-621-security-auditor

安装

Purpose & Scope

Inputs (from Coordinator)

Workflow

Audit Rules (Priority: CRITICAL)

1. Hardcoded Secrets

2. SQL Injection Patterns

3. XSS Vulnerabilities

4. Insecure Dependencies

5. Missing Input Validation

Scoring Algorithm

Output Format

Critical Rules

Definition of Done

Reference Files