feat(lfx-security-engineer): new skill for LFX security code review#36
Open
dealako wants to merge 15 commits into
Open
feat(lfx-security-engineer): new skill for LFX security code review#36dealako wants to merge 15 commits into
dealako wants to merge 15 commits into
Conversation
Added 10 practical usage examples covering beginner to expert scenarios: - Quick pre-commit checks (--scan-only) - Full security reviews (default mode) - File-specific reviews (--file) - Full repository audits (--full-scan) - Educational mode with explanations (--explain) - CI/CD integration (--ci-mode --format json) - Watch mode for active development (--watch) - Terraform/OpenTofu infrastructure audits - Database migration reviews - Advanced flag combinations Also documented 5 new modes: - --full-scan: Run on all files (not just changed) - --explain: Add detailed educational context - --ci-mode: Exit with non-zero on blockers, output JSON - --format json: Machine-readable structured output - --watch: Auto-run on file changes during development Each example includes scenario description, exact command, and detailed explanation of what it does. Reference: JIRA ticket not provided (part of skill documentation improvement) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
Replace plain-text security report with color-coded, visually organized format that includes: - Emoji severity indicators (🔴 CRITICAL, 🟡 WARNING, ✅ PASSED) - Clickable file:line references for VS Code navigation - Detailed finding sections with What/Risk/Fix explanations - Comprehensive summary with status, counts, and next steps - Exit code documentation (0/1/2) for CI/CD integration The new format improves readability for both technical engineers and non-technical users while maintaining all original security information. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
… modes Added comprehensive "Usage Examples" section with 10 practical scenarios: 1. Quick Pre-Commit Check (--scan-only) - beginner 2. Full Security Review Before PR (default) - standard workflow 3. Review Specific File/Directory (--file) 4. Full Repository Audit (--full-scan) - advanced 5. Educational Mode (--explain) - learning/training 6. CI/CD Pipeline Integration (--ci-mode --format json) - expert 7. Watch Mode for Active Development (--watch --scan-only) - power user 8. Terraform/OpenTofu Infrastructure Audit - auto-detection 9. Database Migration Review (--file db/migrations/) 10. Combine Multiple Flags (--full-scan --explain --format json) - advanced Also documented 5 new mode flags: - --full-scan: Run on all files (not just changed) - --explain: Add detailed educational context - --ci-mode: Exit with non-zero on blockers, output JSON - --format json: Machine-readable structured output - --watch: Auto-run on file changes during development Each example includes: - Scenario description (user context) - Exact command to run - Detailed explanation of what it does - Difficulty level (beginner/standard/advanced/expert/power user) Examples cover real-world use cases from quick pre-commit checks to CI/CD integration, making the skill accessible to both new users and experienced security engineers. Added Pro Tip at end recommending workflow patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
Add comprehensive "Operational Features" section documenting: - Ignore patterns (.gitignore and .secignore file format) - Progressive disclosure (critical-first with --all flag) - Caching strategy (skip unchanged files, cache management) - Scan modes (--full-scan and --watch with use cases) - Performance optimization (parallel checks, tips, benchmarks) Section inserted before "Scope Boundaries" as per spec. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
Add comprehensive "False Positive Reduction" section with: - Context-aware detection for test files, mocks, and config files - Suppression comment syntax: // security-ignore: reason - reference - Smart PII detection rules (synthetic vs real data patterns) - Framework-aware safe patterns (ORM, template engines, security helpers) - Implementation guidance with example suppressed finding format This section helps reduce scan noise by distinguishing between test fixtures and real vulnerabilities while maintaining security coverage. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
- Add Rust detection via Cargo.toml as a primary signal (ordered before TypeScript-BFF fallback since it is unambiguous) - Add Rust secondary signals table (Cargo.lock, src/main.rs, build.rs, .cargo/config.toml, rust-toolchain) - Add Rust-specific checks to Check 2 (access control: missing auth extractors in Actix-web/Axum/Rocket handlers, unsafe blocks bypassing permission checks) - Add Rust-specific checks to Check 3 (crypto: weak hash crates, non-OS- seeded RNG, custom crypto, disabled cert validation) - Add Rust-specific checks to Check 4 (injection: unsafe blocks, Command::new with user input, format!-built SQL queries, path traversal via std::fs) - Clarify primary signal intro to reflect multi-ecosystem manifest detection - Add target/ and bare *.rs presence to "do not rely on alone" list Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
dealako
added
the
ai-assisted
dealako
added
the
ai-assisted
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new /lfx-security-engineer skill intended to guide security-focused reviews across LFX repositories, combining a mechanical “Phase 1” scan checklist with a “Phase 2” judgment-based review checklist.
Changes:
- Introduces a new skill prompt describing repo-type detection (Angular/Vue/Go/Rust/TS BFF + Terraform + migrations).
- Documents Phase 1 automated scan checks (secrets, OWASP categories, Terraform, migrations) and Phase 2 review prompts (auth/authz/input validation/tests).
- Adds operational/documentation guidance (CI mode, formatting, suppressions, caching, reporting format).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The CI example claimed exit code 1 for blockers, but the exit code section defines exit code 2 for critical blockers and exit code 1 for warnings. Use "non-zero status" in the example to stay consistent with the canonical exit code table without duplicating specifics. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
…side scope
Fix typo ("andlogging") and replace the misleading claim that Angular
repos are inherently Node.js/TypeScript server environments. The checks
target the server-side TypeScript paths in LFX's Angular repo (e.g., its
Express-based proxy layer), not browser-only Angular components.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: David Deal <ddeal@linuxfoundation.org>
--all was referenced in the Progressive Disclosure section but absent from the Modes list, making it look like an unsupported option. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
The LFX monorepo does not place @angular/core in the root package.json, so the previous root package.json check would silently fall through to typescript-bff on LFX repos. - Check apps/lfx-one/angular.json and turbo.json first, matching the detection logic used in lfx-preflight/SKILL.md - Keep the root package.json grep as a fallback for non-LFX Angular repos - Add LFX-specific files to the Angular secondary signals table with notes explaining their relationship to the monorepo structure - Update the explanatory text to document the alignment rationale Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
…ment - Align all secondary signal and check tables with consistent column padding - Fix broken inline bold+code formatting (Use --scan-only, --watch) - Restore PII field table lost to linter (was collapsed to a single line) - Fix Phase 2 skip note formatting - Minor whitespace and comment style fixes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: David Deal <ddeal@linuxfoundation.org>
Signed-off-by: David Deal <ddeal@linuxfoundation.org>
|
Hi David, Suggestion: Extract Phase 1 checks into scripts to reduce token usage Most of Phase 1 is deterministic bash (regex greps, repo detection) that the LLM reads (~490 lines), interprets, then re-types into a terminal. If it called a script instead, it would read ~20 lines of structured output rather than ~1,150 lines of instructions — roughly 4x token savings per invocation. Script output would be something like: Bonus: I figured you can work through this easily by asking your AI assistant to try to reduce token usage by abstracting repeatable actions into scripts. |
|
If you'd prefer I can also push up that change as I've got it locally |
Contributor
Author
|
@jordanconway - feel free to close this out and push your version, or combine or consolidate. I'll defer to you on this. |
Comment on lines
+329
to
+332
| ## Check 3: OWASP A02 — Cryptographic Failures | ||
|
|
||
| Include [a direct link](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/) | ||
| to the OWASP A02 website documentation in the report. |
Comment on lines
+363
to
+366
| ## Check 4: OWASP A03 — Injection | ||
|
|
||
| Include [a direct link](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/) | ||
| to the OWASP A03 website documentation in the report. |
|
|
||
| - **Stack traces in API responses** — `res.json({ error: err.stack })` exposes internals | ||
| - **Secrets or PII in URLs** — tokens, emails, or dates of birth in query strings appear in server logs and browser history | ||
| - **Over-returning data** — endpoints returning entire DB rows (including`email`, `dob`, `gender`, `race`, or other PII fields) when only a subset isneeded by the caller |
|
|
||
| **Secrets and credentials:** | ||
|
|
||
| - `.tfvars` files committed to source control — `terraform.tfvars` and`*.auto.tfvars` contain actual values and must be gitignored |
|
|
||
| **Open network access:** | ||
|
|
||
| - Security group ingress rules allowing `0.0.0.0/0` or `::/0` on sensitive ports(22/SSH, 3306/MySQL, 5432/PostgreSQL, 6379/Redis, 27017/MongoDB) |
|
|
||
| # Phase 2: Security Review | ||
|
|
||
| **Skip if `--scan-only`** was passed.** |
| ```html | ||
| <!-- Dangerous --> | ||
| <div [innerHTML]="userInput"></div> | ||
| <div dangerouslySetInnerHTML="{{__html:" userInput}}></div> |
| | flyway.conf or flyway.toml | Flyway migration configuration | | ||
| | liquibase.properties or changelog.xml | Liquibase migration configuration | | ||
|
|
||
| **Do not rely on alone (any framework):** |
Comment on lines
+414
to
+416
| - `unsafe`** blocks** — flag every new `unsafe` block and verify it has a | ||
| `// SAFETY:` comment explaining why it cannot cause undefined behavior with | ||
| attacker-controlled data |
Comment on lines
+419
to
+421
| - **SQL injection** — `format!()` used to build query strings instead of | ||
| parameterized queries(sqlx `query!` macro, Diesel typed queries, or sea-orm | ||
| are safe alternatives) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
lfx-security-engineerskill for security reviews of LFX reposWhat's included
Repo type detection
Cargo.tomlprimary signal with Rust-specific checks for unsafe blocks, weak crypto crates, command injection, and missing auth extractorsPhase 1 — Automated Scan (9 checks)
Phase 2 — Security Review (4 reviews)
Operational features
--scan-only,--file,--full-scan,--explain,--ci-mode,--format json,--watchmodessecurity-ignore:suppression).secignoresupport for excluding paths--allfor full output).security-cache/Example Execution With Warnings
Click to expand
Example Execution With Warnings
Click to expand
Test plan
/lfx-security-engineeron an Angular repo with known auth issues and verify findings are reported/lfx-security-engineeron a Go repo with a Terraform module and verify both application and infrastructure checks fire/lfx-security-engineer --scan-onlyand confirm Phase 2 is skipped/lfx-security-engineer --file src/auth/and confirm scope is limited to that pathCargo.tomland nopackage.json🤖 Generated with Claude Code