BMAD-METHOD/bmm/workflows/testarch/security-audit/instructions.md

Security Audit Workflow Instructions

Overview

Conduct a comprehensive security audit of the codebase covering OWASP Top 10 vulnerabilities, dependency security, secret detection, and authentication/authorization patterns.

Workflow Steps

Step 1: Scope Determination

Ask user for audit scope:

Security Audit Scope Selection

Available scopes:
1. [full] Complete security audit (recommended)
2. [owasp] OWASP Top 10 vulnerability focus
3. [deps] Dependency vulnerabilities only
4. [secrets] Secret detection only
5. [auth] Authentication/authorization review
6. [api] API security assessment

Select scope [1-6] or enter scope name:

Step 2: Context Loading

Load project context:

1. Load architecture document for understanding system design
2. Load project-context.md for coding standards and patterns
3. Identify technology stack (framework, language, dependencies)
4. Note any existing security configurations

Step 3: OWASP Top 10 Assessment

For each vulnerability category:

A01:2021 - Broken Access Control

• Check for missing access controls on functions
• Review CORS configuration
• Verify principle of least privilege
• Check for insecure direct object references (IDOR)
• Review JWT/session validation

A02:2021 - Cryptographic Failures

• Check for hardcoded secrets
• Verify HTTPS enforcement
• Review encryption algorithms used
• Check password hashing (bcrypt, argon2)
• Verify secure random number generation

A03:2021 - Injection

• SQL injection in database queries
• NoSQL injection patterns
• Command injection in system calls
• LDAP injection
• XPath injection

A04:2021 - Insecure Design

• Review authentication flows
• Check for business logic flaws
• Verify rate limiting implementation
• Review error handling patterns

A05:2021 - Security Misconfiguration

• Default credentials check
• Unnecessary features enabled
• Error messages exposing info
• Security headers missing
• Debug mode in production

A06:2021 - Vulnerable Components

• Outdated dependencies
• Known CVEs in dependencies
• Unmaintained packages
• License compliance issues

A07:2021 - Authentication Failures

• Weak password policies
• Missing brute-force protection
• Session management issues
• Multi-factor authentication gaps

A08:2021 - Software Integrity Failures

• CI/CD pipeline security
• Unsigned code/packages
• Insecure deserialization
• Missing integrity checks

A09:2021 - Logging & Monitoring Failures

• Insufficient logging
• Missing audit trails
• No alerting mechanisms
• Log injection vulnerabilities

A10:2021 - Server-Side Request Forgery

• Unvalidated URL parameters
• Internal service exposure
• DNS rebinding risks

Step 4: Dependency Vulnerability Scan

Scan dependencies for known vulnerabilities:

# Node.js
npm audit
npx better-npm-audit audit

# Python
pip-audit
safety check

# Go
govulncheck ./...

# General
trivy fs .
grype .

Document findings:

• CVE identifier
• Severity (Critical/High/Medium/Low)
• Affected package and version
• Fix version available
• Remediation path

Step 5: Secret Detection

Scan for exposed secrets:

Patterns to detect:

• API keys (AWS, GCP, Azure, etc.)
• Database connection strings
• Private keys (RSA, SSH)
• OAuth tokens
• JWT secrets
• Password literals
• Environment variable leaks

Tools:

# Gitleaks
gitleaks detect --source . --verbose

# TruffleHog
trufflehog filesystem .

# detect-secrets
detect-secrets scan

Check locations:

• Source code files
• Configuration files
• Environment files (.env, .env.*)
• Docker files
• CI/CD configurations
• Git history

Step 6: Authentication/Authorization Review

Authentication checks:

• Password storage mechanism
• Session management
• Token handling (JWT, OAuth)
• MFA implementation
• Password reset flow
• Account lockout policy

Authorization checks:

• Role-based access control (RBAC)
• Attribute-based access control (ABAC)
• API endpoint protection
• Resource-level permissions
• Admin panel security

Step 7: API Security Assessment

Review API endpoints for:

• Authentication requirements
• Rate limiting
• Input validation
• Output encoding
• CORS configuration
• API versioning
• Documentation exposure

Check for:

• Mass assignment vulnerabilities
• Excessive data exposure
• Broken function level authorization
• Improper inventory management

Step 8: Generate Report

Create security audit report with:

# Security Audit Report

**Date:** {{date}}
**Scope:** {{audit_scope}}
**Auditor:** {{user_name}} + TEA Agent

## Executive Summary
{{executive_summary}}

## Risk Summary
| Severity | Count |
|----------|-------|
| Critical | {{critical_count}} |
| High | {{high_count}} |
| Medium | {{medium_count}} |
| Low | {{low_count}} |

## Findings

### Critical Findings
{{detailed_critical_issues}}

### High Severity Findings
{{detailed_high_issues}}

### Medium Severity Findings
{{detailed_medium_issues}}

### Low Severity Findings
{{detailed_low_issues}}

## Recommendations
{{prioritized_remediation_steps}}

## Appendix
- Full OWASP checklist results: {{owasp_results}}
- Dependency scan output: {{dependency_scan_output}}
- Secret detection results: {{secret_detection_results}}

Step 9: Remediation Guidance

For each finding, provide:

1. Clear description of the vulnerability
2. Location in codebase (file:line)
3. Risk assessment (likelihood + impact)
4. Remediation steps
5. Code example of fix (where applicable)
6. References (CWE, OWASP, CVE)

Step 10: Validation Checklist

Before completing audit:

• All scope items assessed
• Findings documented with evidence
• Severity ratings justified
• Remediation steps actionable
• Report saved to output location
• No false positives in critical findings

Output

Save report to: {{output_file}}

Notify user of completion with:

• Summary of findings
• Link to full report
• Top 3 priority items to address
• Offer to help with remediation