mirror of
https://github.com/github/awesome-copilot.git
synced 2026-04-12 03:05:55 +00:00
7e375eac04
* feat: add security-review skill for AI-powered codebase vulnerability scanning * chore: regenerate README tables * fix: address Copilot review comments on reference files
6.6 KiB
6.6 KiB
Security Report Format
Use this template for all /security-review output. Generated during Step 7.
Report Structure
Header
╔══════════════════════════════════════════════════════════╗
║ 🔐 SECURITY REVIEW REPORT ║
║ Generated by: /security-review skill ║
╚══════════════════════════════════════════════════════════╝
Project: <project name or path>
Scan Date: <today's date>
Scope: <files/directories scanned>
Languages Detected: <list>
Frameworks Detected: <list>
Executive Summary Table
Always show this first — at a glance overview:
┌────────────────────────────────────────────────┐
│ FINDINGS SUMMARY │
├──────────────┬──────────────────────────────── ┤
│ 🔴 CRITICAL │ <n> findings │
│ 🟠 HIGH │ <n> findings │
│ 🟡 MEDIUM │ <n> findings │
│ 🔵 LOW │ <n> findings │
│ ⚪ INFO │ <n> findings │
├──────────────┼─────────────────────────────────┤
│ TOTAL │ <n> findings │
└──────────────┴─────────────────────────────────┘
Dependency Audit: <n> vulnerable packages found
Secrets Scan: <n> exposed credentials found
Findings (Grouped by Category)
For EACH finding, use this card format:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[SEVERITY EMOJI] [SEVERITY] — [VULNERABILITY TYPE]
Confidence: HIGH / MEDIUM / LOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📍 Location: src/routes/users.js, Line 47
🔍 Vulnerable Code:
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);
⚠️ Risk:
An attacker can manipulate the `id` parameter to execute arbitrary
SQL commands, potentially dumping the entire database, bypassing
authentication, or deleting data.
Example attack: GET /users/1 OR 1=1--
✅ Recommended Fix:
Use parameterized queries:
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);
📚 Reference: OWASP A03:2021 – Injection
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Dependency Audit Section
📦 DEPENDENCY AUDIT
══════════════════
🟠 HIGH — lodash@4.17.20 (package.json)
CVE-2021-23337: Prototype pollution via zipObjectDeep()
Fix: npm install lodash@4.17.21
🟡 MEDIUM — axios@0.27.2 (package.json)
CVE-2023-45857: CSRF via withCredentials
Fix: npm install axios@1.6.0
⚪ INFO — express@4.18.2
No known CVEs. Current version is 4.19.2 — consider updating.
Secrets Scan Section
🔑 SECRETS & EXPOSURE SCAN
═══════════════════════════
🔴 CRITICAL — Hardcoded API Key
File: src/config/database.js, Line 12
Found: STRIPE_SECRET_KEY = "sk_live_FAKE_KEY_..."
Action Required:
1. Rotate this key IMMEDIATELY at https://dashboard.stripe.com
2. Remove from source code
3. Add to .env file and load via process.env.STRIPE_SECRET_KEY
4. Add .env to .gitignore
5. Audit git history — key may be in previous commits:
git log --all -p | grep "sk_live_"
Use git-filter-repo or BFG to purge from history if found.
Patch Proposals Section
Only include for CRITICAL and HIGH findings:
🛠️ PATCH PROPOSALS
══════════════════
⚠️ REVIEW EACH PATCH BEFORE APPLYING — Nothing has been changed yet.
─────────────────────────────────────────────
Patch 1/3: SQL Injection in src/routes/users.js
─────────────────────────────────────────────
BEFORE (vulnerable):
```js
// Line 47
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);
```
AFTER (fixed):
```js
// Line 47 — Fixed: Use parameterized query to prevent SQL injection
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);
```
Apply this patch? (Review first — AI-generated patches may need adjustment)
─────────────────────────────────────────────
Footer
══════════════════════════════════════════════════════════
📋 SCAN COVERAGE
Files scanned: <n>
Lines analyzed: <n>
Scan duration: <time>
⚡ NEXT STEPS
1. Address all CRITICAL findings immediately
2. Schedule HIGH findings for current sprint
3. Add MEDIUM/LOW to your security backlog
4. Set up automated re-scanning in CI/CD pipelines
💡 NOTE: This is a static analysis scan. It does not execute your
application and cannot detect all runtime vulnerabilities. Pair
with dynamic testing (DAST) for comprehensive coverage.
══════════════════════════════════════════════════════════
Confidence Ratings Guide
Apply to every finding:
| Confidence | When to Use |
|---|---|
| HIGH | Vulnerability is unambiguous. Sanitization is clearly absent. Exploitable as-is. |
| MEDIUM | Vulnerability likely exists but depends on runtime context, config, or call path the agent couldn't fully trace. |
| LOW | Suspicious pattern detected but could be a false positive. Flag for human review. |
Never omit confidence — it helps developers prioritize their review effort.