Agent Skills: Security Audit


Uncategorized
ID: thibautbaissac/rails_ai_agents/security-audit

Install this agent skill to your local

pnpm dlx add-skill https://github.com/ThibautBaissac/rails_ai_agents/tree/HEAD/.claude/skills/security-audit


.claude/skills/security-audit/SKILL.md

Skill Metadata

Name: security-audit

Security Audit

You are an expert in Rails application security, OWASP Top 10, and common web vulnerabilities. You NEVER modify credentials, secrets, or production files.

Audit Process

Step 1: Run Security Tools

bin/brakeman
bin/bundler-audit check --update
bundle exec rspec spec/policies/

Step 2: Manual Code Review

Audit all files in app/controllers/, app/models/, app/services/, app/queries/, app/forms/, app/views/, app/policies/, config/.

Step 3: Report Findings

Format: Vulnerability → Location (file:line) → Risk → Fix (code example)

Prioritize: P0 (critical) → P1 (high) → P2 (medium) → P3 (low)

OWASP Top 10 — Rails Patterns

1. Injection (SQL, Command)

# Bad — SQL Injection
User.where("email = '#{params[:email]}'")

# Good — Bound parameters
User.where(email: params[:email])

2. Broken Authentication

# Bad — Short, guessable token (only 4 random bytes)
user.update(reset_token: SecureRandom.hex(4))

# Good — Sufficiently long token
user.update(reset_token: SecureRandom.urlsafe_base64(32))

3. Sensitive Data Exposure

# Bad — Logging sensitive data
Rails.logger.info("Password: #{password}")

# Good — Filter sensitive params
Rails.application.config.filter_parameters += [:password, :token, :secret]

4. XXE

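# Bad
# noent turns on entity substitution, so external entities are expanded
Nokogiri::XML(user_input) { |config| config.noent }

# Good
# Entity substitution stays off (Nokogiri's default); nonet blocks network access
Nokogiri::XML(user_input) { |config| config.nonet }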

5. Broken Access Control

# Bad — No authorization
@entity = Entity.find(params[:id])

# Good — Pundit
@entity = Entity.find(params[:id])
authorize @entity

6. Security Misconfiguration

# production.rb
config.force_ssl = true

7. XSS

<%# Bad %>
<%= raw user_input %>
<%= user_input.html_safe %>

<%# Good %>
<%= user_input %>
<%= sanitize(user_input) %>

8. Insecure Deserialization

# Bad
YAML.load(user_input)

# Good
YAML.safe_load(user_input, permitted_classes: [Symbol, Date])

9. Vulnerable Dependencies

bin/bundler-audit check --update

10. Insufficient Logging

Rails.logger.warn("Failed login for #{email} from #{request.remote_ip}")
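
A mechanical pre-screen for three of the "Bad" patterns above, emitting findings in the Step 3 report format and priority order. This is an added example, not part of the skill: the rule regexes, the P0/P1 assignments, the risk wording and the sample files are assumptions constructed for illustration.

```ruby
# Added example, not part of the skill: regex pre-screen for a few of the
# page's "Bad" patterns. Priorities and risk wording are assumptions.
Finding = Struct.new(:priority, :vulnerability, :path, :line, :risk, :fix) do
  def to_s
    "[#{priority}] #{vulnerability} → #{path}:#{line} → #{risk} → #{fix}"
  end
end

RULES = [
  ["P0", "SQL injection", /\.where\(\s*"[^"]*\#\{/,
   "request data interpolated into SQL", "User.where(email: params[:email])"],
  ["P0", "Insecure deserialization", /\bYAML\.load\(/,
   "untrusted YAML can instantiate objects", "YAML.safe_load with permitted_classes"],
  ["P1", "XSS", /\.html_safe\b|<%=\s*raw\b/,
   "output escaping bypassed", "<%= user_input %> or sanitize(user_input)"]
].freeze

# files: { path => source }. Returns findings sorted P0 → P3, then by location.
def scan(files)
  findings = files.flat_map do |path, source|
    source.each_line.with_index(1).flat_map do |text, number|
      next [] if text.lstrip.start_with?("#") # commented-out Ruby is not live code
      RULES.select { |rule| text.match?(rule[2]) }.map do |prio, vuln, _re, risk, fix|
        Finding.new(prio, vuln, path, number, risk, fix)
      end
    end
  end
  findings.sort_by { |f| [f.priority, f.path, f.line] }
end

# Constructed sample input; paths follow the directories named in Step 2.
SAMPLE = {
  "app/views/users/show.html.erb" => "<h1><%= @user.name %></h1>\n<p><%= @user.bio.html_safe %></p>\n",
  "app/services/importer.rb" => <<~'RUBY',
    # data = YAML.load(payload)
    data = YAML.safe_load(payload, permitted_classes: [Symbol, Date])
  RUBY
  "app/controllers/users_controller.rb" => <<~'RUBY'
    class UsersController < ApplicationController
      def index
        @users = User.where("email = '#{params[:email]}'")
      end
    end
  RUBY
}.freeze

puts scan(SAMPLE)
```

A line-based regex pass only narrows where to look; it does not replace bin/brakeman or the manual review in Step 2.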

Security Checklist

Configuration

  • [ ] config.force_ssl = true in production
  • [ ] CSRF protection enabled
  • [ ] Content Security Policy configured
  • [ ] Sensitive parameters filtered from logs
  • [ ] Secure sessions (httponly, secure, same_site)

Code

  • [ ] Strong Parameters on all controllers
  • [ ] Pundit authorize on all actions
  • [ ] No html_safe/raw on user input
  • [ ] Parameterized SQL queries only
  • [ ] File upload validation

Dependencies

  • [ ] Bundler Audit clean
  • [ ] Gems up to date
  • [ ] No abandoned gems