From 4284f80a9ad093380971857bfbe8eb883aafeb94 Mon Sep 17 00:00:00 2001 From: Ibrahim Elsahafy Date: Wed, 31 Dec 2025 21:07:15 +0400 Subject: [PATCH] feat(bmm): add security audit workflow with OWASP Top 10 - Add workflow.yaml for comprehensive security auditing - Add instructions.md with step-by-step audit process - Add owasp-checklist.md covering all OWASP Top 10 categories - Add security-report.template.md for consistent reporting --- .../testarch/security-audit/instructions.md | 269 ++++++++++++++++++ .../security-audit/owasp-checklist.md | 215 ++++++++++++++ .../security-report.template.md | 194 +++++++++++++ .../testarch/security-audit/workflow.yaml | 40 +++ 4 files changed, 718 insertions(+) create mode 100644 src/modules/bmm/workflows/testarch/security-audit/instructions.md create mode 100644 src/modules/bmm/workflows/testarch/security-audit/owasp-checklist.md create mode 100644 src/modules/bmm/workflows/testarch/security-audit/security-report.template.md create mode 100644 src/modules/bmm/workflows/testarch/security-audit/workflow.yaml diff --git a/src/modules/bmm/workflows/testarch/security-audit/instructions.md b/src/modules/bmm/workflows/testarch/security-audit/instructions.md new file mode 100644 index 00000000..7222a8dc --- /dev/null +++ b/src/modules/bmm/workflows/testarch/security-audit/instructions.md 
@@ -0,0 +1,269 @@ +# Security Audit Workflow Instructions + +## Overview + +Conduct a comprehensive security audit of the codebase covering OWASP Top 10 vulnerabilities, dependency security, secret detection, and authentication/authorization patterns. + +## Workflow Steps + +### Step 1: Scope Determination + +**Ask user for audit scope:** +``` +Security Audit Scope Selection + +Available scopes: +1. [full] Complete security audit (recommended) +2. [owasp] OWASP Top 10 vulnerability focus +3. [deps] Dependency vulnerabilities only +4. [secrets] Secret detection only +5. [auth] Authentication/authorization review +6. [api] API security assessment + +Select scope [1-6] or enter scope name: +``` + +### Step 2: Context Loading + +**Load project context:** +1. Load architecture document for understanding system design +2. Load project-context.md for coding standards and patterns +3. Identify technology stack (framework, language, dependencies) +4. Note any existing security configurations + +### Step 3: OWASP Top 10 Assessment + +**For each vulnerability category:** + +#### A01:2021 - Broken Access Control +- [ ] Check for missing access controls on functions +- [ ] Review CORS configuration +- [ ] Verify principle of least privilege +- [ ] Check for insecure direct object references (IDOR) +- [ ] Review JWT/session validation + +#### A02:2021 - Cryptographic Failures +- [ ] Check for hardcoded secrets +- [ ] Verify HTTPS enforcement +- [ ] Review encryption algorithms used +- [ ] Check password hashing (bcrypt, argon2) +- [ ] Verify secure random number generation + +#### A03:2021 - Injection +- [ ] SQL injection in database queries +- [ ] NoSQL injection patterns +- [ ] Command injection in system calls +- [ ] LDAP injection +- [ ] XPath injection + +#### A04:2021 - Insecure Design +- [ ] Review authentication flows +- [ ] Check for business logic flaws +- [ ] Verify rate limiting implementation +- [ ] Review error handling patterns + +#### A05:2021 - Security 
Misconfiguration +- [ ] Default credentials check +- [ ] Unnecessary features enabled +- [ ] Error messages exposing info +- [ ] Security headers missing +- [ ] Debug mode in production + +#### A06:2021 - Vulnerable Components +- [ ] Outdated dependencies +- [ ] Known CVEs in dependencies +- [ ] Unmaintained packages +- [ ] License compliance issues + +#### A07:2021 - Authentication Failures +- [ ] Weak password policies +- [ ] Missing brute-force protection +- [ ] Session management issues +- [ ] Multi-factor authentication gaps + +#### A08:2021 - Software Integrity Failures +- [ ] CI/CD pipeline security +- [ ] Unsigned code/packages +- [ ] Insecure deserialization +- [ ] Missing integrity checks + +#### A09:2021 - Logging & Monitoring Failures +- [ ] Insufficient logging +- [ ] Missing audit trails +- [ ] No alerting mechanisms +- [ ] Log injection vulnerabilities + +#### A10:2021 - Server-Side Request Forgery +- [ ] Unvalidated URL parameters +- [ ] Internal service exposure +- [ ] DNS rebinding risks + +### Step 4: Dependency Vulnerability Scan + +**Scan dependencies for known vulnerabilities:** + +```bash +# Node.js +npm audit +npx better-npm-audit audit + +# Python +pip-audit +safety check + +# Go +govulncheck ./... + +# General +trivy fs . +grype . +``` + +**Document findings:** +- CVE identifier +- Severity (Critical/High/Medium/Low) +- Affected package and version +- Fix version available +- Remediation path + +### Step 5: Secret Detection + +**Scan for exposed secrets:** + +Patterns to detect: +- API keys (AWS, GCP, Azure, etc.) +- Database connection strings +- Private keys (RSA, SSH) +- OAuth tokens +- JWT secrets +- Password literals +- Environment variable leaks + +**Tools:** +```bash +# Gitleaks +gitleaks detect --source . --verbose + +# TruffleHog +trufflehog filesystem . 
+ +# detect-secrets +detect-secrets scan +``` + +**Check locations:** +- Source code files +- Configuration files +- Environment files (.env, .env.*) +- Docker files +- CI/CD configurations +- Git history + +### Step 6: Authentication/Authorization Review + +**Authentication checks:** +- Password storage mechanism +- Session management +- Token handling (JWT, OAuth) +- MFA implementation +- Password reset flow +- Account lockout policy + +**Authorization checks:** +- Role-based access control (RBAC) +- Attribute-based access control (ABAC) +- API endpoint protection +- Resource-level permissions +- Admin panel security + +### Step 7: API Security Assessment + +**Review API endpoints for:** +- Authentication requirements +- Rate limiting +- Input validation +- Output encoding +- CORS configuration +- API versioning +- Documentation exposure + +**Check for:** +- Mass assignment vulnerabilities +- Excessive data exposure +- Broken function level authorization +- Improper inventory management + +### Step 8: Generate Report + +**Create security audit report with:** + +```markdown +# Security Audit Report + +**Date:** {date} +**Scope:** {audit_scope} +**Auditor:** {user_name} + TEA Agent + +## Executive Summary +{brief_overview_of_findings} + +## Risk Summary +| Severity | Count | +|----------|-------| +| Critical | X | +| High | X | +| Medium | X | +| Low | X | + +## Findings + +### Critical Findings +{detailed_critical_issues} + +### High Severity Findings +{detailed_high_issues} + +### Medium Severity Findings +{detailed_medium_issues} + +### Low Severity Findings +{detailed_low_issues} + +## Recommendations +{prioritized_remediation_steps} + +## Appendix +- Full OWASP checklist results +- Dependency scan output +- Secret detection results +``` + +### Step 9: Remediation Guidance + +**For each finding, provide:** +1. Clear description of the vulnerability +2. Location in codebase (file:line) +3. Risk assessment (likelihood + impact) +4. Remediation steps +5. 
Code example of fix (where applicable) +6. References (CWE, OWASP, CVE) + +### Step 10: Validation Checklist + +Before completing audit: +- [ ] All scope items assessed +- [ ] Findings documented with evidence +- [ ] Severity ratings justified +- [ ] Remediation steps actionable +- [ ] Report saved to output location +- [ ] No false positives in critical findings + +## Output + +Save report to: `{output_file}` + +Notify user of completion with: +- Summary of findings +- Link to full report +- Top 3 priority items to address +- Offer to help with remediation diff --git a/src/modules/bmm/workflows/testarch/security-audit/owasp-checklist.md b/src/modules/bmm/workflows/testarch/security-audit/owasp-checklist.md new file mode 100644 index 00000000..64d61a7d --- /dev/null +++ b/src/modules/bmm/workflows/testarch/security-audit/owasp-checklist.md 
@@ -0,0 +1,215 @@ +# OWASP Top 10 (2021) Security Checklist + +## A01:2021 - Broken Access Control + +### Access Control Checks +- [ ] All endpoints require authentication unless explicitly public +- [ ] Authorization checked on every request (not just UI) +- [ ] Deny by default policy implemented +- [ ] CORS properly configured with allowlisted origins +- [ ] Directory listing disabled on web servers +- [ ] Metadata files (.git, .svn) not accessible +- [ ] Rate limiting implemented on sensitive endpoints + +### IDOR Prevention +- [ ] Object references are indirect or validated +- [ ] User can only access their own resources +- [ ] Admin functions properly protected +- [ ] API endpoints validate ownership + +### Session Security +- [ ] Session invalidated on logout +- [ ] Session timeout implemented +- [ ] Session fixation prevented +- [ ] Concurrent session limits (if required) + +--- + +## A02:2021 - Cryptographic Failures + +### Data Protection +- [ ] Sensitive data identified and classified +- [ ] Data encrypted at rest +- [ ] Data encrypted in transit (TLS 1.2+) +- [ ] No sensitive data in URLs +- [ ] Secure cookies (HttpOnly, Secure, SameSite) + +### Password Security +- [ ] Passwords hashed with bcrypt/argon2/scrypt +- [ ] No MD5/SHA1 for passwords +- [ ] Salt unique per password +- [ ] Work factor appropriate (>=10 for bcrypt) + +### Key Management +- [ ] No hardcoded secrets in code +- [ ] Secrets in environment variables or vault +- [ ] Encryption keys rotated periodically +- [ ] Secure random number generation + +--- + +## A03:2021 - Injection + +### SQL Injection +- [ ] Parameterized queries used everywhere +- [ ] ORM/query builder used correctly +- [ ] No string concatenation in queries +- [ ] Input validation on all user data + +### NoSQL Injection +- [ ] MongoDB queries use proper operators +- [ ] No eval() on user input +- [ ] Input sanitized for NoSQL patterns + +### Command Injection +- [ ] No shell commands with user input +- [ ] If needed, 
strict allowlist validation +- [ ] Escape special characters + +### XSS Prevention +- [ ] Output encoding on all user data +- [ ] Content-Security-Policy header set +- [ ] Dangerous HTML stripped or sanitized +- [ ] Template engines auto-escape + +--- + +## A04:2021 - Insecure Design + +### Threat Modeling +- [ ] Security requirements documented +- [ ] Threat model exists for critical flows +- [ ] Security user stories in backlog + +### Business Logic +- [ ] Rate limiting on business operations +- [ ] Transaction limits enforced server-side +- [ ] Workflow state validated + +### Error Handling +- [ ] Generic error messages to users +- [ ] Detailed errors only in logs +- [ ] No stack traces in production + +--- + +## A05:2021 - Security Misconfiguration + +### Server Configuration +- [ ] Unnecessary features disabled +- [ ] Default accounts removed/changed +- [ ] Directory browsing disabled +- [ ] Error pages customized + +### Security Headers +- [ ] Content-Security-Policy +- [ ] X-Content-Type-Options: nosniff +- [ ] X-Frame-Options or CSP frame-ancestors +- [ ] Strict-Transport-Security +- [ ] X-XSS-Protection (legacy browsers) +- [ ] Referrer-Policy + +### Cloud/Container Security +- [ ] Least privilege IAM roles +- [ ] Security groups properly configured +- [ ] Container images scanned +- [ ] No root processes in containers + +--- + +## A06:2021 - Vulnerable Components + +### Dependency Management +- [ ] Dependencies up to date +- [ ] No known CVEs in dependencies +- [ ] Automated vulnerability scanning +- [ ] Lock files committed (package-lock, yarn.lock) + +### Update Process +- [ ] Regular dependency updates scheduled +- [ ] Security updates prioritized +- [ ] Breaking changes tested before deploy + +--- + +## A07:2021 - Authentication Failures + +### Password Policies +- [ ] Minimum length >= 8 characters +- [ ] No common password check +- [ ] Breach database check (optional) +- [ ] Account lockout after failures + +### Multi-Factor Authentication +- [ ] 
MFA available for sensitive accounts +- [ ] MFA recovery process secure +- [ ] TOTP/WebAuthn preferred over SMS + +### Session Management +- [ ] Strong session IDs (>=128 bits) +- [ ] Session regeneration on privilege change +- [ ] Secure session storage + +--- + +## A08:2021 - Software Integrity Failures + +### CI/CD Security +- [ ] Build pipeline secured +- [ ] Dependency sources verified +- [ ] Signed commits (optional) +- [ ] Artifact integrity verified + +### Deserialization +- [ ] No unsafe deserialization of user data +- [ ] Type checking before deserialization +- [ ] Integrity checks on serialized data + +--- + +## A09:2021 - Logging & Monitoring Failures + +### Logging +- [ ] Authentication events logged +- [ ] Access control failures logged +- [ ] Input validation failures logged +- [ ] Sensitive data NOT logged + +### Monitoring +- [ ] Alerts for suspicious activity +- [ ] Log aggregation implemented +- [ ] Incident response plan exists + +--- + +## A10:2021 - Server-Side Request Forgery + +### URL Validation +- [ ] User-supplied URLs validated +- [ ] Allowlist of permitted domains +- [ ] No access to internal services +- [ ] DNS rebinding prevented + +### Network Segmentation +- [ ] Internal services not exposed +- [ ] Firewall rules block unnecessary traffic + +--- + +## Severity Rating Guide + +| Severity | CVSS Score | Examples | +|----------|------------|----------| +| Critical | 9.0-10.0 | RCE, Auth bypass, Data breach | +| High | 7.0-8.9 | SQL injection, Privilege escalation | +| Medium | 4.0-6.9 | XSS, CSRF, Info disclosure | +| Low | 0.1-3.9 | Minor info leak, Missing headers | + +--- + +## References + +- [OWASP Top 10](https://owasp.org/Top10/) +- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) +- [CWE Top 25](https://cwe.mitre.org/top25/) +- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) 
diff --git a/src/modules/bmm/workflows/testarch/security-audit/security-report.template.md b/src/modules/bmm/workflows/testarch/security-audit/security-report.template.md new file mode 100644 index 00000000..7cab9672 --- /dev/null +++ b/src/modules/bmm/workflows/testarch/security-audit/security-report.template.md 
@@ -0,0 +1,194 @@ +# Security Audit Report + +**Project:** {{project_name}} +**Date:** {{date}} +**Scope:** {{audit_scope}} +**Auditor:** {{user_name}} + TEA Agent + +--- + +## Executive Summary + +{{executive_summary}} + +--- + +## Risk Summary + +| Severity | Count | Status | +|----------|-------|--------| +| Critical | {{critical_count}} | {{critical_status}} | +| High | {{high_count}} | {{high_status}} | +| Medium | {{medium_count}} | {{medium_status}} | +| Low | {{low_count}} | {{low_status}} | + +**Overall Risk Level:** {{overall_risk}} + +--- + +## Technology Stack + +| Component | Technology | Version | +|-----------|------------|---------| +| Framework | {{framework}} | {{framework_version}} | +| Language | {{language}} | {{language_version}} | +| Database | {{database}} | {{database_version}} | +| Authentication | {{auth_method}} | - | + +--- + +## Critical Findings + +{{#each critical_findings}} +### {{this.id}}: {{this.title}} + +**Severity:** CRITICAL +**Category:** {{this.category}} +**Location:** `{{this.location}}` + +**Description:** +{{this.description}} + +**Evidence:** +``` +{{this.evidence}} +``` + +**Impact:** +{{this.impact}} + +**Remediation:** +{{this.remediation}} + +**References:** +- {{this.references}} + +--- +{{/each}} + +## High Severity Findings + +{{#each high_findings}} +### {{this.id}}: {{this.title}} + +**Severity:** HIGH +**Category:** {{this.category}} +**Location:** `{{this.location}}` + +**Description:** +{{this.description}} + +**Remediation:** +{{this.remediation}} + +--- +{{/each}} + +## Medium Severity Findings + +{{#each medium_findings}} +### {{this.id}}: {{this.title}} + +**Severity:** MEDIUM +**Category:** {{this.category}} +**Location:** `{{this.location}}` + +**Description:** +{{this.description}} + +**Remediation:** +{{this.remediation}} + +--- +{{/each}} + +## Low Severity Findings + +{{#each low_findings}} +### {{this.id}}: {{this.title}} + +**Severity:** LOW +**Category:** {{this.category}} + +**Description:** 
+{{this.description}} + +**Remediation:** +{{this.remediation}} + +--- +{{/each}} + +## Dependency Vulnerabilities + +| Package | Version | CVE | Severity | Fix Version | +|---------|---------|-----|----------|-------------| +{{#each dependency_vulns}} +| {{this.package}} | {{this.version}} | {{this.cve}} | {{this.severity}} | {{this.fix_version}} | +{{/each}} + +--- + +## Secret Detection Results + +| Type | File | Line | Status | +|------|------|------|--------| +{{#each secrets_found}} +| {{this.type}} | {{this.file}} | {{this.line}} | {{this.status}} | +{{/each}} + +--- + +## OWASP Coverage + +| Category | Status | Findings | +|----------|--------|----------| +| A01 - Broken Access Control | {{a01_status}} | {{a01_count}} | +| A02 - Cryptographic Failures | {{a02_status}} | {{a02_count}} | +| A03 - Injection | {{a03_status}} | {{a03_count}} | +| A04 - Insecure Design | {{a04_status}} | {{a04_count}} | +| A05 - Security Misconfiguration | {{a05_status}} | {{a05_count}} | +| A06 - Vulnerable Components | {{a06_status}} | {{a06_count}} | +| A07 - Authentication Failures | {{a07_status}} | {{a07_count}} | +| A08 - Software Integrity Failures | {{a08_status}} | {{a08_count}} | +| A09 - Logging & Monitoring Failures | {{a09_status}} | {{a09_count}} | +| A10 - SSRF | {{a10_status}} | {{a10_count}} | + +--- + +## Recommendations + +### Immediate Actions (Critical/High) + +1. {{immediate_action_1}} +2. {{immediate_action_2}} +3. {{immediate_action_3}} + +### Short-term Actions (Medium) + +1. {{short_term_action_1}} +2. {{short_term_action_2}} + +### Long-term Improvements (Low/Hardening) + +1. {{long_term_action_1}} +2. 
{{long_term_action_2}} + +--- + +## Appendix A: Tools Used + +- Dependency Scanner: {{dep_scanner}} +- Secret Scanner: {{secret_scanner}} +- Static Analysis: {{static_analysis}} + +## Appendix B: Files Reviewed + +{{#each files_reviewed}} +- `{{this}}` +{{/each}} + +--- + +**Report Generated:** {{timestamp}} +**Next Audit Recommended:** {{next_audit_date}} diff --git a/src/modules/bmm/workflows/testarch/security-audit/workflow.yaml b/src/modules/bmm/workflows/testarch/security-audit/workflow.yaml new file mode 100644 index 00000000..539a4eef --- /dev/null +++ b/src/modules/bmm/workflows/testarch/security-audit/workflow.yaml 
@@ -0,0 +1,40 @@ +# Security Audit Workflow +name: testarch-security-audit +description: "Comprehensive security audit covering OWASP Top 10, dependency vulnerabilities, secret detection, and authentication/authorization review" +author: "BMAD" +version: "1.0.0" + +# Configuration sources +config_source: "{project-root}/_bmad/bmm/config.yaml" +user_name: "{config_source}:user_name" +communication_language: "{config_source}:communication_language" +user_skill_level: "{config_source}:user_skill_level" +document_output_language: "{config_source}:document_output_language" +planning_artifacts: "{config_source}:planning_artifacts" +implementation_artifacts: "{config_source}:implementation_artifacts" +output_folder: "{implementation_artifacts}" +date: system-generated + +# Workflow components +installed_path: "{project-root}/_bmad/bmm/workflows/testarch/security-audit" +instructions: "{installed_path}/instructions.md" +checklist: "{installed_path}/owasp-checklist.md" +report_template: "{installed_path}/security-report.template.md" + +# Input references +architecture_doc: "{planning_artifacts}/*architecture*.md" +project_context: "**/project-context.md" + +# Output +output_file: "{output_folder}/security-audit-report-{date}.md" + +# Audit scope options +audit_scopes: + - full # Complete security audit + - owasp # OWASP Top 10 focus + - deps # Dependency vulnerabilities only + - secrets # Secret detection only + - auth # Authentication/authorization only + - api # API security only + +standalone: true
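Review bot: In instructions.md, Step 1 offers six audit scopes but none of Steps 2 to 10 says which steps apply to a partial scope (for example whether `[deps]` runs only Steps 2, 4 and 8 to 10), so the agent can only faithfully execute `full`; add a scope-to-steps mapping right after the scope prompt. Two smaller points in the same file: Step 5 lists "Git history" as a check location, but `trufflehog filesystem .` and `detect-secrets scan` only read the working tree, so add a history-aware invocation such as `trufflehog git file://.` (gitleaks `detect` already walks history unless `--no-git` is passed); and Step 8 embeds its own report skeleton with single-brace `{date}` placeholders that does not match the `{{...}}` Handlebars template registered as `report_template` in workflow.yaml, so either reference the template file from Step 8 or keep the two in sync. Also note that `safety check` is deprecated in Safety 3.x in favour of `safety scan`.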
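Review bot: In owasp-checklist.md, the Security Headers list under A05 asks for `X-XSS-Protection (legacy browsers)`, but the OWASP Secure Headers Project now recommends `X-XSS-Protection: 0` (or omitting the header) because the browser-side XSS auditor it enabled has been removed from current browsers and could itself be abused in older ones; rely on the Content-Security-Policy item above it instead, or phrase the item as "X-XSS-Protection set to 0". Two wording fixes in the same file: under A07 Password Policies, "No common password check" reads as "there is no check" when it means "passwords are checked against a common-password list"; and under A03 Command Injection, "Escape special characters" sets a weaker bar than the item above it, so phrase it as "commands invoked without a shell, with arguments passed as an array". In the Severity Rating Guide, "Data breach" is an impact rather than a finding class, and SQL injection that reaches production data is usually rated Critical rather than High; state that the table gives defaults to be adjusted by demonstrated impact.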
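Review bot: In security-report.template.md, the Low Severity Findings block drops the `**Location:**` field that the Critical, High and Medium blocks carry, while instructions.md Step 9 requires a file:line location for every finding; add the field back for consistency. Also, the `**Evidence:**` block in critical findings and the Secret Detection Results table will naturally attract the raw values the scanners matched; add a template note that evidence is recorded as file, line and secret type with the value redacted, so the report does not become a second copy of the leaked credential. Minor: the Dependency Vulnerabilities and Secret Detection tables place `{{#each}}`/`{{/each}}` on their own lines inside a Markdown table, which renders correctly only if the template engine runs before Markdown rendering; a one-line comment in the template would save the next reader from opening the raw file and expecting a table.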
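Review bot: In workflow.yaml, `output_file` writes `security-audit-report-{date}.md` into `{implementation_artifacts}`, and according to the template that report lists secret locations, evidence and unpatched CVEs; document that the output is sensitive, or confirm the output folder is excluded from version control before this lands. Two smaller points: `date: system-generated` leaves the filename date format undefined, so if it resolves to day granularity two audits run on the same day overwrite each other; and `project_context: "**/project-context.md"` is an unanchored glob that would also match a copy under `node_modules` or a vendored dependency, so anchor it to `{project-root}` the way `architecture_doc` is anchored to `{planning_artifacts}`.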