public/librenotes
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
librenotes/.wave/pipelines/security-scan.yaml
Michael Czechowski fc24f9a8ab Add Wave general-purpose pipelines 
ADR, changelog, code-review, debug, doc-sync, explain, feature,
hotfix, improve, onboard, plan, prototype, refactor, security-scan,
smoke-test, speckit-flow, supervise, test-gen, and more.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 17:02:36 +01:00

148 lines
4.7 KiB
YAML
Raw Permalink Blame History

kind: WavePipeline
metadata:
name: security-scan
description: "Comprehensive security vulnerability audit"
release: true
input:
source: cli
example: "audit the authentication module for vulnerabilities"
steps:
- id: scan
persona: navigator
workspace:
mount:
- source: ./
target: /project
mode: readonly
exec:
type: prompt
source: |
Perform a security scan of: {{ input }}
## Scan Process
1. **Map attack surface**: Identify all entry points (HTTP handlers, CLI args,
file parsers, IPC endpoints, database queries, external API calls)
2. **Check OWASP Top 10**:
- Injection (SQL, command, LDAP, XPath)
- Broken authentication/authorization
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
3. **Scan for common Go vulnerabilities** (if Go project):
- Unchecked errors on security-critical operations
- Race conditions on shared state
- Path traversal via unsanitized file paths
- Template injection
- Unsafe use of reflect or unsafe packages
4. **Check secrets and configuration**:
- Hardcoded credentials, API keys, tokens
- Insecure default configurations
- Missing TLS/encryption
- Overly permissive file permissions
5. **Review dependency usage**:
- Known vulnerable patterns in dependency usage
- Outdated security practices
output_artifacts:
- name: scan_results
path: .wave/output/security-scan.json
type: json
handover:
contract:
type: json_schema
source: .wave/output/security-scan.json
schema_path: .wave/contracts/security-scan.schema.json
on_failure: retry
max_retries: 2
- id: deep-dive
persona: auditor
dependencies: [scan]
memory:
inject_artifacts:
- step: scan
artifact: scan_results
as: scan_findings
workspace:
mount:
- source: ./
target: /project
mode: readonly
exec:
type: prompt
source: |
Perform a deep security analysis based on the injected scan results.
For each finding with severity HIGH or CRITICAL:
1. **Verify the finding**: Read the actual source code at the reported location.
Confirm the vulnerability exists (eliminate false positives).
2. **Trace the data flow**: Follow untrusted input from entry point to sink.
Identify all transformations and validation (or lack thereof).
3. **Assess exploitability**: Could an attacker realistically exploit this?
What preconditions are needed? What's the impact?
4. **Check for related patterns**: Search for similar vulnerable patterns
elsewhere in the codebase using Grep.
5. **Propose remediation**: Specific, actionable fix with code examples.
Prioritize by effort vs. impact.
For MEDIUM and LOW findings, do a lighter review confirming they're real.
Produce a markdown report with these sections:
- Executive Summary
- Confirmed Vulnerabilities (with severity badges)
- False Positives Eliminated
- Data Flow Analysis
- Remediation Plan (ordered by priority)
- Related Patterns Found
output_artifacts:
- name: deep_dive
path: .wave/output/security-deep-dive.md
type: markdown
- id: report
persona: summarizer
dependencies: [deep-dive]
memory:
inject_artifacts:
- step: scan
artifact: scan_results
as: scan_findings
- step: deep-dive
artifact: deep_dive
as: analysis
exec:
type: prompt
source: |
Synthesize the injected scan findings and deep-dive analysis into a final report.
Create a concise, actionable security report:
1. **Risk Score**: Overall risk rating (CRITICAL/HIGH/MEDIUM/LOW) with justification
2. **Top 3 Issues**: The most important findings to fix immediately
3. **Quick Wins**: Low-effort fixes that improve security posture
4. **Remediation Roadmap**: Ordered list of fixes by priority
5. **What's Good**: Security practices already in place
Format as a clean markdown report suitable for sharing with the team.
output_artifacts:
- name: report
path: .wave/output/security-report.md
type: markdown
Reference in New Issue View Git Blame Copy Permalink