secure-coding-audit

OWASP Secure Coding Audit

You are a security auditor. Your job is to audit existing code for security vulnerabilities using the modular OWASP rule files in the `rules/` directory.

Step 1: Determine the domain

Examine the target code and identify which security domains apply. Use this mapping to select rule files:

| Code Type | Rule Files to Load |
|-----------|--------------------|
| Login, auth, passwords, MFA | `rules/authentication-password-mgmt.md`, `rules/session-management.md` |
| API routes, controllers, REST/GraphQL | `rules/api-security.md`, `rules/input-validation.md` |
| Dockerfile, container config | `rules/dockerfile-security.md` |
| Kubernetes manifests, Helm charts | `rules/cloud-native-k8s.md` |
| CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) | `rules/cicd-pipeline-security.md` |
| Terraform, CloudFormation, Pulumi | `rules/iac-security.md` |
| File upload/download handlers | `rules/file-management.md`, `rules/input-validation.md` |
| Database queries, ORM code | `rules/database-security.md`, `rules/input-validation.md` |
| Frontend, React, HTML templates | `rules/client-side-security.md`, `rules/output-encoding.md` |
| Encryption, hashing, key/cert handling | `rules/cryptographic-practices.md`, `rules/communication-security.md` |
| Environment variables, secrets, vaults | `rules/secrets-management.md` |
| Error handling, logging, monitoring | `rules/error-handling-logging.md` |
| RBAC, permissions, authorization | `rules/access-control.md` |
| PII, data storage, retention | `rules/data-protection.md` |
| Dependencies, package management, SBOM | `rules/software-supply-chain.md` |
| C/C++, memory-unsafe languages | `rules/memory-management.md` |
| Server config, hardening | `rules/system-configuration.md` |
| General review (no specific domain) | `rules/general-coding-practices.md` |

If multiple domains apply, load all relevant files. Do NOT load the entire `rules/` folder — only what is needed.

Step 2: Read the target code

Read the file(s) to be audited.

Step 3: Audit the code

For each relevant rule file:

1. Read the rule file from `rules/`.
2. Check the target code against every checklist rule in that file.
3. Record each finding as Pass or Fail.

Output a findings table:

| Rule ID | Status | Finding | Remediation |
|---------|--------|---------|-------------|
| [INPUT-01] | FAIL | User input not validated server-side | Add server-side validation middleware |
| [AUTH-03] | PASS | — | — |

After the table, provide a Summary with:

- Total rules checked vs violations found
- Critical findings (highest risk items first)
- Suggested code fixes with specific line references
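The three steps above can be scaffolded as a small tool. The following Python script is an added example, not part of these audit instructions or of the `rules/` files: it selects rule files for a given source file using the code-type mapping from Step 1, records findings as Pass/Fail, and renders the findings table and Summary from Step 3. The path and content regexes that detect a code type, the sample target file, and the rule ID `[DB-01]` are assumptions made for this example; only `[INPUT-01]` and `[AUTH-03]` come from the page.

```python
"""Audit scaffolding for Steps 1-3 (added example, not from the page). The
code-type -> rule-file mapping is the page's; the detection regexes, the
sample target file and the rule ID [DB-01] are assumptions for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

GENERAL_RULES = ["rules/general-coding-practices.md"]  # fallback when no domain matches

# (rule files to load, path regex, content regex); a domain applies when either
# regex matches. The regexes are example heuristics, not part of the rule set.
DOMAIN_HEURISTICS = [
    (["rules/authentication-password-mgmt.md", "rules/session-management.md"], r"(auth|login|session|password)", r"\b(password|session|mfa|jwt)\b"),
    (["rules/api-security.md", "rules/input-validation.md"], r"(routes?|controllers?|/api/|graphql)", r"(@app\.route|@router\.|express\(\)|graphql)"),
    (["rules/dockerfile-security.md"], r"(^|/)Dockerfile", r"(?m)^FROM\s"),
    (["rules/cloud-native-k8s.md"], r"(k8s|kube|helm|charts?/)", r"(?m)^(apiVersion|kind):"),
    (["rules/cicd-pipeline-security.md"], r"(\.github/workflows|Jenkinsfile|\.gitlab-ci)", r"(?m)^(jobs:|stages:|pipeline\s*\{)"),
    (["rules/iac-security.md"], r"(\.tf$|cloudformation|pulumi)", r'(resource\s+"|AWSTemplateFormatVersion|pulumi\.)'),
    (["rules/file-management.md", "rules/input-validation.md"], r"(upload|download)", r"\b(multipart|send_file|FileUpload|save_as)\b"),
    (["rules/database-security.md", "rules/input-validation.md"], r"(models?|repositor(y|ies)|dao|sql)", r"\b(SELECT|INSERT|UPDATE|DELETE|cursor\.execute|prisma|sequelize)\b"),
    (["rules/client-side-security.md", "rules/output-encoding.md"], r"\.(jsx|tsx|html|vue)$", r"(innerHTML|dangerouslySetInnerHTML|<script)"),
    (["rules/cryptographic-practices.md", "rules/communication-security.md"], r"(crypt|cert|tls)", r"\b(AES|RSA|hashlib|md5|sha1|ssl|TLS)\b"),
    (["rules/secrets-management.md"], r"(\.env$|vault|secrets)", r"(os\.environ|getenv|VAULT_|SECRET_KEY)"),
    (["rules/error-handling-logging.md"], r"(logging|/logs?/|errors?)", r"\b(logging|logger|except|catch)\b"),
    (["rules/access-control.md"], r"(rbac|perm|authz|polic)", r"\b(role|permission|authorize|is_admin)\b"),
    (["rules/data-protection.md"], r"(pii|retention|privacy)", r"\b(ssn|pii|retention|gdpr)\b"),
    (["rules/software-supply-chain.md"], r"(package(-lock)?\.json|requirements\.txt|go\.sum|pom\.xml|sbom)", r"(?m)^(\[dependencies\]|dependencies:)"),
    (["rules/memory-management.md"], r"\.(c|cc|cpp|h|hpp)$", r"\b(malloc|strcpy|memcpy|free)\b"),
    (["rules/system-configuration.md"], r"(nginx\.conf|httpd\.conf|sshd_config|sysctl)", r"(?m)^(server\s*\{|PermitRootLogin)"),
]


def select_rule_files(path: str, content: str) -> List[str]:
    """Step 1: load only the rule files whose domain applies, never all of rules/."""
    selected: List[str] = []
    for rule_files, path_re, content_re in DOMAIN_HEURISTICS:
        if re.search(path_re, path, re.IGNORECASE) or re.search(content_re, content):
            for rule_file in rule_files:
                if rule_file not in selected:  # files shared by domains are loaded once
                    selected.append(rule_file)
    return selected or list(GENERAL_RULES)


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass
class Finding:
    """One checklist rule checked against the target code (Step 3)."""
    rule_id: str
    status: str                 # "PASS" or "FAIL"
    finding: str = ""
    remediation: str = ""
    severity: str = "info"      # orders the Summary's critical findings
    line: Optional[int] = None  # line reference for the suggested fix


def render_findings_table(findings: List[Finding]) -> str:
    """Render the markdown findings table in the format the audit expects."""
    rows = ["| Rule ID | Status | Finding | Remediation |",
            "|---------|--------|---------|-------------|"]
    for f in findings:
        cells = (f.rule_id, f.status, f.finding or "—", f.remediation or "—")
        rows.append("| " + " | ".join(c.replace("|", "\\|") for c in cells) + " |")
    return "\n".join(rows)


def summarize(findings: List[Finding]) -> dict:
    """Summary: totals, violations ordered highest risk first, fixes with line refs."""
    fails = sorted((f for f in findings if f.status == "FAIL"),
                   key=lambda f: SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)))
    return {
        "rules_checked": len(findings),
        "violations": len(fails),
        "critical_first": [f.rule_id for f in fails],
        "suggested_fixes": [f"{f.rule_id} line {f.line}: {f.remediation}" for f in fails if f.line is not None],
    }


# Constructed target file for the walk-through (not real project code).
SAMPLE_PATH = "app/routes/login.py"
SAMPLE_CODE = '''@app.route("/login", methods=["POST"])
def login():
    user = request.form["user"]
    password = request.form["password"]
    cursor.execute(f"SELECT id FROM users WHERE name = '{user}'")
    return start_session(user, password)
'''

# Findings an auditor would record after checking the loaded rule files;
# [DB-01] is a placeholder ID for this example, not one from the rule files.
SAMPLE_FINDINGS = [
    Finding("[INPUT-01]", "FAIL", "User input not validated server-side", "Add server-side validation middleware", severity="high", line=3),
    Finding("[AUTH-03]", "PASS"),
    Finding("[DB-01]", "FAIL", "SQL statement built by string formatting from user input", "Use a parameterised query", severity="critical", line=5),
]

if __name__ == "__main__":
    print("Rule files to load:", select_rule_files(SAMPLE_PATH, SAMPLE_CODE))
    print(render_findings_table(SAMPLE_FINDINGS))
    print(summarize(SAMPLE_FINDINGS))
```

For the sample file the selector returns the auth, API and database rule files (with `rules/input-validation.md` listed once although two domains map to it) and never the whole `rules/` folder; a file matching no heuristic falls back to `rules/general-coding-practices.md`. The heuristics only propose which rule files to read; the Pass/Fail judgement against each checklist rule remains the auditor's.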