# Security Report Format

Use this template for all `/security-review` output. Generated during Step 7.

---

## Report Structure

### Header

```
╔══════════════════════════════════════════════════════════╗
║ 🔐 SECURITY REVIEW REPORT                                ║
║ Generated by: /security-review skill                     ║
╚══════════════════════════════════════════════════════════╝

Project:
Scan Date:
Scope:
Languages Detected:
Frameworks Detected:
```

---

### Executive Summary Table

Always show this first, as an at-a-glance overview:

```
┌────────────────────────────────────────────────┐
│ FINDINGS SUMMARY                               │
├──────────────┬─────────────────────────────────┤
│ 🔴 CRITICAL  │    findings                     │
│ 🟠 HIGH      │    findings                     │
│ 🟡 MEDIUM    │    findings                     │
│ 🔵 LOW       │    findings                     │
│ ⚪ INFO      │    findings                     │
├──────────────┼─────────────────────────────────┤
│ TOTAL        │    findings                     │
└──────────────┴─────────────────────────────────┘

Dependency Audit:    vulnerable packages found
Secrets Scan:        exposed credentials found
```

---

### Findings (Grouped by Category)

For EACH finding, use this card format:

```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[SEVERITY EMOJI] [SEVERITY] — [VULNERABILITY TYPE]
Confidence: HIGH / MEDIUM / LOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📍 Location: src/routes/users.js, Line 47

🔍 Vulnerable Code:
   const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
   db.execute(query);

⚠️ Risk:
   An attacker can manipulate the `id` parameter to execute arbitrary SQL
   commands, potentially dumping the entire database, bypassing
   authentication, or deleting data.
   Example attack:
   GET /users/1%20OR%201=1--
   (decodes to id = "1 OR 1=1--", so the executed statement becomes
    SELECT * FROM users WHERE id = 1 OR 1=1-- and returns every row)

✅ Recommended Fix:
   Use parameterized queries so the driver sends the value separately
   from the SQL text:
   const query = 'SELECT * FROM users WHERE id = ?';
   db.execute(query, [req.params.id]);

📚 Reference: OWASP A03:2021 – Injection
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```

---

### Dependency Audit Section

```
📦 DEPENDENCY AUDIT
══════════════════

🟠 HIGH — lodash@4.17.20 (package.json)
   CVE-2021-23337: Command injection via template()
   Fix: npm install lodash@4.17.21

🟡 MEDIUM — axios@0.27.2 (package.json)
   CVE-2023-45857: XSRF-TOKEN cookie value sent in the X-XSRF-TOKEN
   header to every host, leaking the CSRF token cross-origin
   Fix: npm install axios@1.6.0
   (1.x is a major upgrade from 0.27; axios@0.28.0 backports the fix
    if the project must stay on the 0.x line)

⚪ INFO — express@4.19.2 (package.json)
   No known CVEs. A newer release is available; consider updating.
```

---

### Secrets Scan Section

```
🔑 SECRETS & EXPOSURE SCAN
═══════════════════════════

🔴 CRITICAL — Hardcoded API Key
   File: src/config/database.js, Line 12
   Found: STRIPE_SECRET_KEY = "sk_live_FAKE_KEY_..."
   (show only a redacted prefix; never copy the full secret into the report)

   Action Required:
   1. Rotate this key IMMEDIATELY at https://dashboard.stripe.com
   2. Remove from source code
   3. Add to .env file and load via process.env.STRIPE_SECRET_KEY
   4. Add .env to .gitignore
   5. Audit git history; the key may be in previous commits:
        git log --all -p -S 'sk_live_'
      Use git-filter-repo or BFG to purge from history if found.
      Rotation (step 1) comes first: rewriting history does not revoke
      a key that has already been cloned, forked or pushed elsewhere.
```

---

### Patch Proposals Section

Only include for CRITICAL and HIGH findings:

````
🛠️ PATCH PROPOSALS
══════════════════

⚠️ REVIEW EACH PATCH BEFORE APPLYING — Nothing has been changed yet.

─────────────────────────────────────────────
Patch 1/3: SQL Injection in src/routes/users.js
─────────────────────────────────────────────

BEFORE (vulnerable):
```js
// Line 47
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);
```

AFTER (fixed):
```js
// Line 47 — Fixed: Use parameterized query to prevent SQL injection
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);
```

Apply this patch?
(Review first — AI-generated patches may need adjustment)
─────────────────────────────────────────────
````

---

### Footer

```
══════════════════════════════════════════════════════════
📋 SCAN COVERAGE
Files scanned:
Lines analyzed:
Scan duration:
```