Skip to content

feat: add /cso skill — OWASP Top 10 + STRIDE security audit#155

Closed
HMAKT99 wants to merge 1 commit intogarrytan:mainfrom
HMAKT99:arun/cso-skill
Closed

feat: add /cso skill — OWASP Top 10 + STRIDE security audit#155
HMAKT99 wants to merge 1 commit intogarrytan:mainfrom
HMAKT99:arun/cso-skill

Conversation

@HMAKT99
Copy link
Copy Markdown
Contributor

@HMAKT99 HMAKT99 commented Mar 18, 2026
edited
Loading

/review catches bugs. /cso catches the unlocked doors.

/review thinks like an engineer — race conditions, N+1 queries, error handling. But it doesn't think like an attacker. It won't notice the missing auth check on /api/admin/users, the raw SQL in the search controller, or the API keys in plaintext config.

What /cso does

You:   /cso

Claude: ATTACK SURFACE MAP
        Public endpoints:     12 (unauthenticated)
        Authenticated:        34
        Admin-only:            3

        SECURITY FINDINGS
        Sev    OWASP   Finding
        CRIT   A03     Raw SQL in search_controller.rb:47
        HIGH   A01     Missing auth on /api/admin/users
        HIGH   A02     API keys in config/secrets.yml (not .env)
        MED    A05     CORS allows * — should restrict to app domain

        STRIDE THREAT MODEL — Auth Module:
        Spoofing:    Session tokens lack rotation
        Tampering:   JWT payload not validated server-side
        ...

Full OWASP Top 10 audit + STRIDE threat modeling + data classification (RESTRICTED/CONFIDENTIAL/INTERNAL/PUBLIC). Not security theater — finds doors that are actually unlocked.

Only .tmpl committed — bun run gen:skill-docs generates the rest.

Test plan

  • .tmpl follows template pipeline
  • Registered in gen-skill-docs.ts, skill-check.ts, test files

@boinger boinger mentioned this pull request Mar 21, 2026
Open
6 tasks
garrytan added a commit that referenced this pull request Mar 22, 2026
@garrytan
Merge PR #155: add /cso skill — OWASP Top 10 + STRIDE security audit
24b7e11 
# Conflicts:
#	scripts/gen-skill-docs.ts
#	scripts/skill-check.ts
#	test/gen-skill-docs.test.ts
#	test/skill-validation.test.ts
@garrytan garrytan mentioned this pull request Mar 22, 2026
Merged
@garrytan
Copy link
Copy Markdown
Owner

garrytan commented Mar 22, 2026

Merged into #325 (wave 1: /cso launch + security hardening). Thank you for the contribution!

@garrytan garrytan closed this Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HMAKT99 @garrytan