security-audit
Security Audit Skill
Security audit patterns (OWASP Top 10, CWE Top 25 2025, CVSS v4.0) and GitHub project security checks for any project. Deep automated PHP/TYPO3 code scanning with 80+ checkpoints and 19 reference guides.
Expertise Areas
- Vulnerabilities: XXE, SQL injection, XSS, CSRF, command injection, path traversal, file upload, deserialization, SSRF, type juggling, SSTI, JWT flaws
- Risk Scoring: CVSS v3.1 and v4.0 methodology
- Secure Coding: Input validation, output encoding, cryptography, session management, authentication
- Standards: OWASP Top 10, CWE Top 25, OWASP ASVS, Proactive Controls
Reference Files
Core
- references/owasp-top10.md - OWASP Top 10 patterns and mitigations
- references/cwe-top25.md - CWE Top 25 (2025) coverage map with PHP examples
- references/xxe-prevention.md - XXE detection and prevention
- references/cvss-scoring.md - CVSS v3.1 and v4.0 scoring methodology
- references/api-key-encryption.md - API key encryption at rest (sodium)
Vulnerability Prevention
- references/deserialization-prevention.md - Insecure deserialization prevention
- references/path-traversal-prevention.md - Path traversal / directory traversal prevention
- references/file-upload-security.md - Secure file upload handling
- references/input-validation.md - Input validation, CSP nonces, CORS, encoding
Secure Architecture
- references/authentication-patterns.md - Authentication, session, JWT, MFA patterns
- references/security-headers.md - HTTP security headers (HSTS, CSP, etc.)
- references/security-logging.md - Security logging and audit trails
- references/cryptography-guide.md - PHP sodium, key management, common mistakes
Framework Security
- references/framework-security.md - TYPO3, Symfony, Laravel security patterns
Modern Threats
- references/modern-attacks.md - SSRF, mass assignment, race conditions
- references/cve-patterns.md - CVE-derived patterns (type juggling, PHAR, SSTI, JWT, LDAP injection)
- references/php-security-features.md - PHP 8.x security features
DevSecOps
- references/ci-security-pipeline.md - SAST, dependency scanning, SBOM, container security
- references/supply-chain-security.md - SLSA, Sigstore, OpenSSF Scorecard
Quick Patterns
XML parsing (prevent XXE):
```php
$doc->loadXML($input, LIBXML_NONET);
```
SQL (prevent injection):
```php
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
```
Output (prevent XSS):
```php
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```
API keys (encrypt at rest):
```php
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = 'enc:' . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));
```
Password hashing:
```php
$hash = password_hash($password, PASSWORD_ARGON2ID);
```
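The "API keys (encrypt at rest)" pattern above shows only the encrypt half. The following is an added example, not code from this project or from its references/api-key-encryption.md guide: it completes the `enc:` + base64(nonce . ciphertext) envelope with a decrypt routine and demonstrates that a tampered ciphertext or a foreign key is rejected rather than silently decrypted. It assumes the production key arrives base64-encoded in an environment variable named `APP_SECRETBOX_KEY` (a hypothetical name); the demo at the bottom uses a throwaway key instead so the file runs as-is.

```php
<?php
declare(strict_types=1);

// Added example, not code from the security-audit-skill project. It extends the
// "API keys (encrypt at rest)" quick pattern into a full encrypt/decrypt round
// trip using the same 'enc:' . base64(nonce . ciphertext) envelope, and shows
// that a tampered ciphertext or a wrong key is rejected (secretbox is
// authenticated encryption, so the MAC check fails). Assumption: in production
// the key comes from an environment variable named APP_SECRETBOX_KEY
// (hypothetical name), base64-encoded and never committed to VCS.

const ENC_PREFIX = 'enc:';

/** Load the 32-byte secretbox key from the environment; fail closed if absent or malformed. */
function loadKey(): string
{
    $b64 = getenv('APP_SECRETBOX_KEY');
    if ($b64 === false) {
        throw new RuntimeException('APP_SECRETBOX_KEY is not set');
    }
    $key = sodium_base642bin($b64, SODIUM_BASE64_VARIANT_ORIGINAL);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_SECRETBOX_KEY must decode to 32 bytes');
    }
    return $key;
}

/** Encrypt: a fresh random nonce per call, prepended so decryption can recover it. */
function encryptApiKey(string $apiKey, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return ENC_PREFIX . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));
}

/**
 * Decrypt an 'enc:' envelope. Returns null for anything malformed, truncated,
 * tampered, or encrypted under another key.
 */
function decryptApiKey(string $stored, string $key): ?string
{
    if (!str_starts_with($stored, ENC_PREFIX)) {
        return null; // legacy plaintext value: report it as a finding, do not use it as a key
    }
    $raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    try {
        $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    } catch (SodiumException $e) {
        return null;
    }
    return $plain === false ? null : $plain;
}

// Stand-alone demo with a throwaway key (production code calls loadKey()).
$key    = sodium_crypto_secretbox_keygen();
$secret = 'sk_live_constructed_sample_0123456789'; // constructed sample value, not a real key
$stored = encryptApiKey($secret, $key);

if (decryptApiKey($stored, $key) !== $secret) {
    throw new LogicException('round trip failed');
}

// Flip the last ciphertext byte: the MAC check fails and null comes back.
$raw = base64_decode(substr($stored, strlen(ENC_PREFIX)));
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
if (decryptApiKey(ENC_PREFIX . base64_encode($raw), $key) !== null) {
    throw new LogicException('tampered ciphertext was accepted');
}

// A different key must fail too: the MAC is keyed.
if (decryptApiKey($stored, sodium_crypto_secretbox_keygen()) !== null) {
    throw new LogicException('wrong key was accepted');
}

sodium_memzero($key);
echo "round trip ok; tampered and wrong-key envelopes rejected\n";
```

The `enc:` prefix lets a migration or audit script tell encrypted values from legacy plaintext ones without attempting a decrypt; a value without the prefix should be flagged, never trusted as a key. The nonce is random per call, so re-encrypting the same key twice yields different envelopes and no nonce counter has to be persisted.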
Security Checklist
- bcrypt/Argon2 for passwords, CSRF tokens on state changes
- All input validated server-side, parameterized SQL
- XML external entities disabled (pass LIBXML_NONET, never LIBXML_NOENT or LIBXML_DTDLOAD; reject DOCTYPE in untrusted input)
- Context-appropriate output encoding, CSP configured
- API keys encrypted at rest (sodium_crypto_secretbox)
- TLS 1.2+, secrets not in VCS, audit logging
- No unserialize() with user input, use json_decode()
- File uploads validated, renamed, stored outside web root
- Security headers: HSTS, CSP, X-Content-Type-Options
- Dependencies scanned (composer audit), Dependabot enabled
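On the XML external entities item: `LIBXML_NONET` only stops libxml from fetching over the network, and internal entity declarations need no network to cause harm. The following is an added example, not code from this project or its references/xxe-prevention.md guide. It is a loader that additionally refuses any DOCTYPE, keeps `LIBXML_NOENT` and `LIBXML_DTDLOAD` off, and is exercised against three constructed inputs: a benign document, a file-read XXE payload, and an entity-expansion bomb.

```php
<?php
declare(strict_types=1);

// Added example, not code from the security-audit-skill project. It hardens
// the one-line XML quick pattern: LIBXML_NONET alone only stops network
// fetches, so this loader also refuses any DOCTYPE (internal entity
// declarations need no network to do damage) and never sets LIBXML_NOENT or
// LIBXML_DTDLOAD. The sample documents at the bottom are constructed for the demo.

/** Parse untrusted XML into a DOMDocument or throw; entities are never resolved or expanded. */
function loadUntrustedXml(string $input): DOMDocument
{
    // Fast reject before libxml sees the bytes: no DTD of any kind is accepted.
    if (stripos($input, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE is not allowed in untrusted XML');
    }

    $prev = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        $doc->resolveExternals   = false;
        $doc->substituteEntities = false;
        // Only LIBXML_NONET; adding LIBXML_NOENT or LIBXML_DTDLOAD reintroduces XXE.
        if ($doc->loadXML($input, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException('Malformed XML: ' . ($err ? trim($err->message) : 'unknown error'));
        }
        // Defence in depth: libxml found a DTD that the string check did not.
        if ($doc->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE is not allowed in untrusted XML');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

// Constructed samples: benign, classic file-read XXE, and an entity bomb ("billion laughs").
$samples = [
    'benign' => '<?xml version="1.0"?><order><id>42</id></order>',
    'xxe'    => '<?xml version="1.0"?><!DOCTYPE o [<!ENTITY f SYSTEM "file:///etc/passwd">]><order><id>&f;</id></order>',
    'bomb'   => '<?xml version="1.0"?><!DOCTYPE l [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]><l>&b;&b;&b;&b;</l>',
];

foreach ($samples as $label => $xml) {
    try {
        $doc = loadUntrustedXml($xml);
        echo "$label: parsed, <id> = " . $doc->getElementsByTagName('id')->item(0)->textContent . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Rejecting DOCTYPE outright is the simplest rule for data-exchange XML that never legitimately carries a DTD; if a format does need one, keep the `LIBXML_NONET` and no-`LIBXML_NOENT` rules and validate against a schema you ship rather than one the document names.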
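For the file-upload item, an added example (not code from this project or its references/file-upload-security.md guide) of a handler that validates the content type with `finfo`, renames the file to a random name with an allowlisted extension, and stores it in a directory assumed to sit outside the web root. `UPLOAD_DIR` is a hypothetical path, the form field name `document` is an assumption, and the accepted types (PDF, PNG) are illustrative.

```php
<?php
declare(strict_types=1);

// Added example, not code from the security-audit-skill project. Assumptions:
// UPLOAD_DIR is a directory outside the web root (hypothetical path), the form
// field is named "document" (hypothetical), and only PDF and PNG are wanted.

const UPLOAD_DIR = '/var/app/uploads';      // assumed to be outside the document root
const MAX_BYTES  = 5 * 1024 * 1024;

/** Allowlist: extension the file will be stored with => MIME type finfo must report. */
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
];

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR under a random name.
 * Returns the stored basename; throws on any rejection so nothing is half-stored.
 */
function storeUpload(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error code ' . $err);
    }
    // Rejects forged $_FILES entries that point at arbitrary files on disk.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 1. Validate by content: $file['type'] is client-supplied and never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = $mime === false ? false : array_search($mime, ALLOWED_TYPES, true);
    if ($ext === false) {
        throw new RuntimeException('Rejected content type: ' . ($mime ?: 'unknown'));
    }

    // 2. The declared extension must agree with the detected type, so a PNG
    //    uploaded as "report.pdf" is refused instead of silently relabelled.
    $clientExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($clientExt !== $ext) {
        throw new RuntimeException("Extension .$clientExt does not match detected $mime");
    }

    // 3. Rename: random name, no user-controlled bytes, allowlisted extension only.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    // 4. Store outside the web root; move_uploaded_file() refuses non-upload sources.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640);   // readable by the app only, never executable
    return $name;
}

// Request-handler usage (the field name "document" is an assumption).
if (isset($_FILES['document'])) {
    try {
        $stored = storeUpload($_FILES['document']);
        echo json_encode(['stored' => $stored]) . "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]) . "\n";
    }
}
```

Because the stored directory is not served by the web server, downloads go through an application controller that checks authorization and sends the file with `readfile()` and an explicit `Content-Type` and `X-Content-Type-Options: nosniff`; the original client filename is kept, if at all, only as display metadata in the database, never as a path component.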
Verification
```bash
# PHP project security audit
./scripts/security-audit.sh /path/to/project

# GitHub repository security audit
./scripts/github-security-audit.sh owner/repo
```
---
> **Contributing:** https://github.com/netresearch/security-audit-skill