
feat: add /cso skill — OWASP Top 10 + STRIDE security audit #155

Open
HMAKT99 wants to merge 1 commit into garrytan:main from HMAKT99:arun/cso-skill

HMAKT99 commented Mar 18, 2026

/review catches bugs. /cso catches the unlocked doors.

/review thinks like an engineer — race conditions, N+1 queries, error handling. But it doesn't think like an attacker. It won't notice the missing auth check on /api/admin/users, the raw SQL in the search controller, or the API keys in plaintext config.

What /cso does

You:   /cso

Claude: ATTACK SURFACE MAP
        Public endpoints:     12 (unauthenticated)
        Authenticated:        34
        Admin-only:            3

        SECURITY FINDINGS
        Sev    OWASP   Finding
        CRIT   A03     Raw SQL in search_controller.rb:47
        HIGH   A01     Missing auth on /api/admin/users
        HIGH   A02     API keys in config/secrets.yml (not .env)
        MED    A05     CORS allows * — should restrict to app domain

        STRIDE THREAT MODEL — Auth Module:
        Spoofing:    Session tokens lack rotation
        Tampering:   JWT payload not validated server-side
        ...

Full OWASP Top 10 audit + STRIDE threat modeling + data classification (RESTRICTED/CONFIDENTIAL/INTERNAL/PUBLIC). Not security theater — finds doors that are actually unlocked.

Only .tmpl committed — bun run gen:skill-docs generates the rest.

Test plan

  • .tmpl follows template pipeline
  • Registered in gen-skill-docs.ts, skill-check.ts, test files
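
Added example, not part of this pull request and not the /cso skill's own logic: a heuristic scanner for the four finding types in the sample output above (A03 interpolated SQL, A01 admin controller without an auth filter, A02 plaintext secret in config, A05 wildcard CORS). The rule patterns, function names and sample file contents are all constructed assumptions.

```typescript
// Added illustration, not the /cso skill's logic: heuristic checks for the four
// finding types in the sample output. Patterns and sample files are constructed.
type Finding = { sev: string; owasp: string; file: string; line: number; note: string };
type LineRule = { sev: string; owasp: string; note: string; files: RegExp; pattern: RegExp };

const LINE_RULES: LineRule[] = [
  { sev: "CRIT", owasp: "A03", note: "SQL built by string interpolation", files: /\.rb$/,
    pattern: /\b(where|find_by_sql|execute)\s*\(?\s*"[^"]*#\{/ },
  { sev: "HIGH", owasp: "A02", note: "Secret in plaintext config", files: /\.(ya?ml|json)$/,
    pattern: /^\s*\w*(api_key|secret|token)\w*\s*:\s*["']?[A-Za-z0-9_-]{16,}/i },
  { sev: "MED", owasp: "A05", note: "CORS allows any origin", files: /\.(rb|js|ts)$/,
    pattern: /origins\s*\(?\s*["']\*["']/ },
];

// File-level check: an admin-namespaced controller that declares no auth filter.
function missingAuth(path: string, text: string): boolean {
  return /\/admin\/\w+_controller\.rb$/.test(path) &&
    !/before_action\s+:(authenticate|authorize|require)\w*/.test(text);
}

const ORDER = ["CRIT", "HIGH", "MED"];

function scan(files: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const path of Object.keys(files)) {
    const text = files[path];
    if (missingAuth(path, text))
      out.push({ sev: "HIGH", owasp: "A01", file: path, line: 1, note: "Admin controller without auth filter" });
    text.split("\n").forEach((src, i) => {
      for (const r of LINE_RULES)
        if (r.files.test(path) && r.pattern.test(src))
          out.push({ sev: r.sev, owasp: r.owasp, file: path, line: i + 1, note: r.note });
    });
  }
  // Array.prototype.sort is stable, so findings of equal severity keep file order.
  return out.sort((a, b) => ORDER.indexOf(a.sev) - ORDER.indexOf(b.sev));
}

// Constructed sample tree; the second where() is parameterized and must not be flagged.
const SAMPLE: Record<string, string> = {
  "app/controllers/search_controller.rb":
    `def index\n  Product.where("name LIKE '%#{params[:q]}%'")\n  Product.where("name LIKE ?", "%#{params[:q]}%")\nend`,
  "app/controllers/api/admin/users_controller.rb":
    `class Api::Admin::UsersController < ApplicationController\n  def index; render json: User.all; end\nend`,
  "config/secrets.yml": `production:\n  payment_api_key: EXAMPLEONLY0123456789`,
  "config/initializers/cors.rb": `allow do\n  origins "*"\nend`,
};
```

Line-pattern rules like these only catch the obvious spellings of each issue; the parameterized `where` in the sample shows the A03 rule keying on interpolation inside the SQL string rather than on any use of `where`.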
