You are a security engineer setting up GitLeaks and running security audits.
Check if GitLeaks is configured in the project's pre-commit hook. If not, set it up.
Add GitLeaks to
BEFORE any lint-staged command:
If the pre-commit file already exists, insert the gitleaks line before
.
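A shell helper for the hook setup described above, added here as an example and not part of the original prompt. It assumes a husky-style hook script whose path is passed as the first argument (the `.husky/pre-commit` path in the usage comment is an assumption) and uses the real `gitleaks protect --staged` subcommand; it creates the hook if missing, inserts the gitleaks line before the first `lint-staged` command if one is present, appends it otherwise, and is safe to re-run.

```shell
#!/bin/sh
# Added example (not from the original prompt): make sure a pre-commit hook
# runs gitleaks on the staged changes BEFORE lint-staged, so a leaked secret
# blocks the commit before any formatter touches the files.

# Real gitleaks subcommand; scans only staged content, prints findings.
GITLEAKS_LINE='gitleaks protect --staged --verbose'

# ensure_gitleaks_hook HOOK_FILE
#   - hook missing        -> create it with a shebang and the gitleaks line
#   - already has gitleaks -> leave untouched (idempotent)
#   - has lint-staged     -> insert gitleaks line before the first such line
#   - otherwise           -> append the gitleaks line
ensure_gitleaks_hook() {
  hook="$1"
  if [ ! -f "$hook" ]; then
    printf '#!/bin/sh\n%s\n' "$GITLEAKS_LINE" > "$hook"
    chmod +x "$hook"
    return 0
  fi
  if grep -q 'gitleaks' "$hook"; then
    return 0
  fi
  if grep -q 'lint-staged' "$hook"; then
    # awk: print the gitleaks line once, just before the first lint-staged line
    awk -v line="$GITLEAKS_LINE" \
      '!done && /lint-staged/ { print line; done = 1 } { print }' \
      "$hook" > "$hook.tmp" && mv "$hook.tmp" "$hook"
  else
    printf '%s\n' "$GITLEAKS_LINE" >> "$hook"
  fi
  chmod +x "$hook"
}

# hook_is_ordered HOOK_FILE
#   exit 0 if the hook contains a gitleaks line that precedes any lint-staged
#   line (or there is no lint-staged line at all); exit 1 otherwise.
hook_is_ordered() {
  hook="$1"
  g=$(grep -n 'gitleaks' "$hook" | head -n 1 | cut -d: -f1)
  l=$(grep -n 'lint-staged' "$hook" | head -n 1 | cut -d: -f1)
  [ -n "$g" ] && { [ -z "$l" ] || [ "$g" -lt "$l" ]; }
}

# Usage (path is an assumption; adjust to the project's hook location):
#   ensure_gitleaks_hook .husky/pre-commit && hook_is_ordered .husky/pre-commit
```

The ordering check is worth keeping as a separate function: a hook that runs `lint-staged` first may rewrite or stage files before gitleaks sees them, and CI can call `hook_is_ordered` to fail the build if someone later reorders the hook.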
After ensuring GitLeaks is configured, perform a comprehensive security audit of the codebase:
- OWASP Top 10 Vulnerabilities
  - SQL injection (parameterized queries, ORM misuse)
  - XSS (unsanitized user input rendered in HTML/JSX)
  - Command injection (shell commands with user input)
  - Path traversal (user input in file paths)
  - SSRF (user-controlled URLs in server-side requests)
- Hardcoded Secrets & Credentials
  - API keys, tokens, passwords in source code
  - Private keys or certificates committed to repo
  - Database connection strings with embedded credentials
  - files or config files with secrets not in
- Authentication & Authorization
  - Missing or weak authentication checks
  - Broken access control (missing authorization on endpoints)
  - Insecure session management
  - JWT misconfigurations (weak algorithms, missing expiry)
- Insecure Dependencies
  - Run or to check for known vulnerabilities
  - Check for outdated packages with known CVEs
- Data Protection
  - Sensitive data logged or exposed in error messages
  - Missing input validation at system boundaries
  - Insecure data storage or transmission
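Two items from the "Hardcoded Secrets & Credentials" list above can be checked mechanically before a human review: `.env`-style files that no `.gitignore` entry covers, and source lines that look like embedded credentials. The shell functions below are an added example, not part of the original prompt and not gitleaks' rule set; the regexes are simplified illustrations, and the sample files the usage builds (including the AWS-documented placeholder key id `AKIAIOSFODNN7EXAMPLE`) are constructed.

```shell
#!/bin/sh
# Added example (not from the original prompt): quick, offline checks for two
# "Hardcoded Secrets" audit items. They complement gitleaks rather than
# replace it: gitleaks has a far larger rule set and entropy checks.

# env_not_ignored DIR
#   Prints the name of every .env / .env.* file in DIR that is not covered by
#   a .gitignore entry. Coverage is simplified to: the exact file name, or the
#   glob prefixes ".env*" / ".env.*". Prints nothing when everything is covered.
env_not_ignored() {
  dir="$1"
  ignore="$dir/.gitignore"
  for f in "$dir"/.env "$dir"/.env.*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    esc=$(printf '%s' "$name" | sed 's/\./\\./g')   # escape dots for ERE
    pat="\\.env\\*|\\.env\\.\\*|$esc"
    if [ -f "$ignore" ] && grep -qxE "$pat" "$ignore"; then
      continue
    fi
    echo "$name"
  done
}

# find_credential_strings DIR
#   Prints file:line:text for lines matching constructed credential patterns:
#   an AWS access key id shape, a quoted password/secret/token assignment of
#   at least 6 characters, or a PEM private-key header. .git and node_modules
#   are skipped. Always exits 0 so callers can inspect the output themselves.
find_credential_strings() {
  dir="$1"
  grep -rniE --exclude-dir=.git --exclude-dir=node_modules \
    -e 'AKIA[0-9A-Z]{16}' \
    -e "(password|passwd|secret|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{6,}" \
    -e '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' \
    "$dir" || true
}

# Usage: audit_secrets DIR  -> exit 1 if either check reports anything
audit_secrets() {
  dir="$1"
  status=0
  missing=$(env_not_ignored "$dir")
  if [ -n "$missing" ]; then
    echo "env files not covered by .gitignore:"; echo "$missing"; status=1
  fi
  hits=$(find_credential_strings "$dir")
  if [ -n "$hits" ]; then
    echo "credential-looking lines:"; echo "$hits"; status=1
  fi
  return $status
}
```

Run `audit_secrets .` from the repository root; a non-zero exit is the signal to stop and inspect, and each reported line should then be confirmed or dismissed by hand, since the password pattern will also match test fixtures and placeholder values.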
Only run this step if the user passes
argument. This is for legacy projects being onboarded to GitLeaks.