# Security Audit

Security audit discipline for code review and vulnerability analysis.

## Rules

1. **Review the diff with an attacker's mindset.** What new input surfaces? What new trust boundaries? What permissions changed? Every PR is a potential attack surface expansion.

2. **Static analysis before manual review.** Run Semgrep, CodeQL, or language-specific linters. Automated tools catch known patterns; humans catch logic flaws.

3. **Trace data from input to sink.** User input → parsing → storage → rendering. A vulnerability lives on the path between where untrusted data enters and where it is consumed: a query, a shell command, a template, a file path, a deserializer. Follow each value from source to sink and note every transformation and check along the way; the missing or bypassable one is the bug.

4. **Check defaults and configurations.** Insecure defaults, debug mode in production, open CORS, permissive IAM — misconfigurations are vulnerabilities that code review alone won't catch.

5. **Variant analysis on findings.** When you find one SQL injection, search for the pattern everywhere. One finding often means a family.

6. **Severity drives response time.** Critical gets fixed before merge. High gets fixed this sprint. Medium gets tracked. Low gets accepted or deferred with documentation.
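Rules 2, 3 and 5 in one pass, as an added example that is not part of this page or of the Trail of Bits skills: a small Python `ast` walker that takes one confirmed finding (an f-string passed to `cursor.execute`) and generalises it into a pattern, any runtime-built string reaching a database execute method, resolving one hop of assignment so a query assembled into a variable is still traced to its sink. The sink names, the sample module and its Flask-style `request` source are constructed for the demo; the analysis is flow-insensitive by assumption and is a stand-in for the Semgrep or CodeQL query you would write to run the same pattern over a real tree.

```python
"""Added example (not from the page): variant analysis for string-built SQL.
Assumed simplifications: flow-insensitive, one hop of `name = value` resolution,
and a fixed set of sink method names."""
import ast
from dataclasses import dataclass
from typing import Optional

SQL_SINKS = {"execute", "executemany", "executescript"}  # assumed sink names

@dataclass
class Finding:
    line: int
    sink: str
    how: str             # string-building construct that reached the sink
    via: Optional[str]   # variable the query travelled through, if any

def _is_constant_str(node: ast.AST) -> bool:
    """True for string literals and concatenations made only of string literals."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_constant_str(node.left) and _is_constant_str(node.right)
    return False

def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Name the construct if `node` builds a string at runtime, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod) and _is_constant_str(node.left):
            return "%-formatting"
        if isinstance(node.op, ast.Add) and not _is_constant_str(node):
            return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None

def _walk_scope(body):
    # Yield nodes under `body`, stopping at nested function/class definitions,
    # which are scanned as their own scopes.
    stack = list(body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        yield node
        stack.extend(ast.iter_child_nodes(node))

def _scan_scope(body) -> list:
    nodes = list(_walk_scope(body))
    assigned = {}  # last simple assignment per name in this scope (flow-insensitive)
    for n in nodes:
        if isinstance(n, ast.Assign):
            for target in n.targets:
                if isinstance(target, ast.Name):
                    assigned[target.id] = n.value
    found = []
    for n in nodes:
        if not (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)):
            continue
        if n.func.attr not in SQL_SINKS or not n.args:
            continue
        arg, via = n.args[0], None
        if isinstance(arg, ast.Name) and arg.id in assigned:  # one hop of def-use
            arg, via = assigned[arg.id], arg.id
        how = _dynamic_string_reason(arg)
        if how:
            found.append(Finding(n.lineno, n.func.attr, how, via))
    return found

def find_sql_variants(source: str) -> list:
    """Scan the module scope and every function scope; findings sorted by line."""
    tree = ast.parse(source)
    scopes = [tree.body] + [fn.body for fn in ast.walk(tree)
                            if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef))]
    return sorted((f for body in scopes for f in _scan_scope(body)), key=lambda f: f.line)

# Constructed sample: the original finding, three variants, and one parameterised call.
SAMPLE_MODULE = '''\
from flask import request
def get_user(cursor):
    user_id = request.args["id"]
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
def search(cursor):
    term = request.args.get("q", "")
    query = "SELECT * FROM items WHERE name LIKE '%" + term + "%'"
    cursor.execute(query)
def by_email(cursor, email):
    cursor.execute("SELECT * FROM users WHERE email = '%s'" % email)
def by_name(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = {}".format(name))
def by_id(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))  # parameterised
'''
```

Calling `find_sql_variants(SAMPLE_MODULE)` reports four sinks (the f-string, the concatenation reached through `query`, the `%` format and the `.format()` call) and stays silent on the parameterised query whose text is a constant. The point is the workflow: the first finding becomes a rule, the rule runs over every scope, and each hit still needs a human to confirm the data on that path is attacker-controlled.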

## What This Replaces

Security review that checks only for obvious bugs, single-finding fixes that leave variants untouched, and triage that treats every finding as equally urgent.

## Official Source

Distilled from Trail of Bits security skills.
Full upstream: https://officialskills.sh/trailofbits/skills/static-analysis
