Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-04-12 19:25:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
plugin/eyeball
awesome-copilot/skills/security-review/references/report-format.md
Mrigank Singh 7e375eac04 feat: add security-review skill for AI-powered codebase vulnerability scanning (#1211) 
* feat: add security-review skill for AI-powered codebase vulnerability scanning

* chore: regenerate README tables

* fix: address Copilot review comments on reference files
2026-03-30 11:44:48 +11:00

195 lines
6.6 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Security Report Format
Use this template for all `/security-review` output. Generated during Step 7.
---
## Report Structure
### Header
```
╔══════════════════════════════════════════════════════════╗
║ 🔐 SECURITY REVIEW REPORT ║
║ Generated by: /security-review skill ║
╚══════════════════════════════════════════════════════════╝
Project: <project name or path>
Scan Date: <today's date>
Scope: <files/directories scanned>
Languages Detected: <list>
Frameworks Detected: <list>
```
---
### Executive Summary Table
Always show this first — at a glance overview:
```
┌────────────────────────────────────────────────┐
│ FINDINGS SUMMARY │
├──────────────┬──────────────────────────────── ┤
│ 🔴 CRITICAL │ <n> findings │
│ 🟠 HIGH │ <n> findings │
│ 🟡 MEDIUM │ <n> findings │
│ 🔵 LOW │ <n> findings │
│ ⚪ INFO │ <n> findings │
├──────────────┼─────────────────────────────────┤
│ TOTAL │ <n> findings │
└──────────────┴─────────────────────────────────┘
Dependency Audit: <n> vulnerable packages found
Secrets Scan: <n> exposed credentials found
```
---
### Findings (Grouped by Category)
For EACH finding, use this card format:
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[SEVERITY EMOJI] [SEVERITY] — [VULNERABILITY TYPE]
Confidence: HIGH / MEDIUM / LOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📍 Location: src/routes/users.js, Line 47
🔍 Vulnerable Code:
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);
⚠️ Risk:
An attacker can manipulate the `id` parameter to execute arbitrary
SQL commands, potentially dumping the entire database, bypassing
authentication, or deleting data.
Example attack: GET /users/1 OR 1=1--
✅ Recommended Fix:
Use parameterized queries:
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);
📚 Reference: OWASP A03:2021 Injection
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
---
### Dependency Audit Section
```
📦 DEPENDENCY AUDIT
══════════════════
🟠 HIGH — lodash@4.17.20 (package.json)
CVE-2021-23337: Prototype pollution via zipObjectDeep()
Fix: npm install lodash@4.17.21
🟡 MEDIUM — axios@0.27.2 (package.json)
CVE-2023-45857: CSRF via withCredentials
Fix: npm install axios@1.6.0
⚪ INFO — express@4.18.2
No known CVEs. Current version is 4.19.2 — consider updating.
```
---
### Secrets Scan Section
```
🔑 SECRETS & EXPOSURE SCAN
═══════════════════════════
🔴 CRITICAL — Hardcoded API Key
File: src/config/database.js, Line 12
Found: STRIPE_SECRET_KEY = "sk_live_FAKE_KEY_..."
Action Required:
1. Rotate this key IMMEDIATELY at https://dashboard.stripe.com
2. Remove from source code
3. Add to .env file and load via process.env.STRIPE_SECRET_KEY
4. Add .env to .gitignore
5. Audit git history — key may be in previous commits:
git log --all -p | grep "sk_live_"
Use git-filter-repo or BFG to purge from history if found.
```
---
### Patch Proposals Section
Only include for CRITICAL and HIGH findings:
````
🛠️ PATCH PROPOSALS
══════════════════
⚠️ REVIEW EACH PATCH BEFORE APPLYING — Nothing has been changed yet.
─────────────────────────────────────────────
Patch 1/3: SQL Injection in src/routes/users.js
─────────────────────────────────────────────
BEFORE (vulnerable):
```js
// Line 47
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);
```
AFTER (fixed):
```js
// Line 47 — Fixed: Use parameterized query to prevent SQL injection
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);
```
Apply this patch? (Review first — AI-generated patches may need adjustment)
─────────────────────────────────────────────
````
---
### Footer
```
══════════════════════════════════════════════════════════
📋 SCAN COVERAGE
Files scanned: <n>
Lines analyzed: <n>
Scan duration: <time>
⚡ NEXT STEPS
1. Address all CRITICAL findings immediately
2. Schedule HIGH findings for current sprint
3. Add MEDIUM/LOW to your security backlog
4. Set up automated re-scanning in CI/CD pipelines
💡 NOTE: This is a static analysis scan. It does not execute your
application and cannot detect all runtime vulnerabilities. Pair
with dynamic testing (DAST) for comprehensive coverage.
══════════════════════════════════════════════════════════
```
---
## Confidence Ratings Guide
Apply to every finding:
| Confidence | When to Use |
|------------|-------------|
| **HIGH** | Vulnerability is unambiguous. Sanitization is clearly absent. Exploitable as-is. |
| **MEDIUM** | Vulnerability likely exists but depends on runtime context, config, or call path the agent couldn't fully trace. |
| **LOW** | Suspicious pattern detected but could be a false positive. Flag for human review. |
Never omit confidence — it helps developers prioritize their review effort.
Reference in New Issue View Git Blame Copy Permalink