/security -- Find vulnerabilities before they ship
OWASP Top 10. STRIDE threat modeling. Secrets scan. Graded A-F.
What it checks
The security audit covers five areas. The agent auto-detects your stack and adjusts checks accordingly.
OWASP Top 10 (2021)
- A01 -- Broken Access Control. Missing auth checks, IDOR, privilege escalation paths.
- A02 -- Cryptographic Failures. Weak algorithms, hardcoded keys, plaintext storage.
- A03 -- Injection. SQL, NoSQL, OS command, LDAP, XSS via unsanitized input.
- A04 -- Insecure Design. Missing rate limits, no abuse case modeling.
- A05 -- Security Misconfiguration. Default credentials, verbose errors, open CORS.
- A06 -- Vulnerable Components. Known CVEs in dependencies, outdated packages.
- A07 -- Auth Failures. Weak passwords allowed, missing MFA, session fixation.
- A08 -- Data Integrity Failures. Unsigned updates, insecure deserialization, unverified CI/CD.
- A09 -- Logging Failures. Missing audit logs, sensitive data in logs, no alerting.
- A10 -- SSRF. Server-side requests to user-controlled URLs without validation.
STRIDE threat model
Applied to every entry point the agent identifies: API routes, form handlers, WebSocket connections, file uploads, OAuth callbacks.
- Spoofing -- Can an attacker impersonate a user or service?
- Tampering -- Can data be modified in transit or at rest?
- Repudiation -- Can actions be performed without an audit trail?
- Information Disclosure -- Do error messages, headers, or responses leak internals?
- Denial of Service -- Can a single request consume unbounded resources?
- Elevation of Privilege -- Can a regular user reach admin functionality?
Secrets scan
Regex patterns match common secret formats in source files and git history:
AWS keys: AKIA[0-9A-Z]{16}
GitHub tokens: ghp_[a-zA-Z0-9]{36}
Slack tokens: xox[bpors]-[a-zA-Z0-9-]+
Private keys: -----BEGIN (RSA|EC|DSA) PRIVATE KEY-----
Generic secrets: (password|secret|token|api_key)\s*=\s*['"][^'"]+['"]
.env files: Any .env file committed to the repository
Dependencies
Checks package.json, go.mod, requirements.txt, Cargo.toml, and similar manifests against known vulnerability databases.
Git history
Scans previous commits for secrets that were added and later removed. Deleted secrets are still in the history and still exploitable.
Auto-detection by stack
The checks adapt to your technology. A Next.js app gets checked for NEXT_PUBLIC_ environment variable exposure and server action validation. A Go service gets checked for unsafe http.ListenAndServe without timeouts. A Python Flask app gets checked for debug=True in production config.
Grading: A through F
The audit produces a letter grade based on the number and severity of findings.
- A -- No findings, or only informational notes.
- B -- Low-severity findings only. No action required to ship.
- C -- Medium-severity findings. Should fix but not blocking.
- D -- High-severity findings. Blocks the sprint.
- F -- Critical findings. Secrets exposed, auth bypassed, or injection confirmed. Blocks the sprint.
Conflict detection with /review
The security phase reads review.json for pre-tagged conflicts. When the review recommended something that has security implications, the security phase resolves the conflict.
# Example conflict: error detail level
/review says: "Return validation errors with field names for UX"
/security says: "Error messages reveal internal field names (A01)"
Resolution: Return field-level errors for client-validated fields only. Server-only fields return generic "Invalid input" message.
The unified recommendation goes into security.json so /ship includes it in the PR body.
Intensity modes
- --quick -- Secrets scan and dependency check only. Fast, catches the most common issues.
- --standard -- OWASP Top 10 and secrets scan. Default mode.
- --thorough -- Full OWASP, STRIDE threat model, git history scan, dependency audit, and cross-file data flow analysis. Takes longer but covers everything.
Secret scanning patterns
The built-in patterns cover 30+ secret types. You can add custom patterns in .nanostack/config.json:
{
  "security": {
    "secret_patterns": [
      {
        "name": "Internal API key",
        "pattern": "myco_[a-zA-Z0-9]{32}",
        "severity": "critical"
      }
    ]
  }
}
Custom patterns are checked alongside the defaults. They appear in the report with their configured severity.
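The default patterns listed under "Secrets scan" and the custom-pattern config above, combined in a small line scanner. This is an added example, not the tool's own code; the function names, the sample text, and the single severity given to default patterns are assumptions.

```python
import json
import re

# Default patterns copied from this page's list (the tool ships more).
DEFAULT_PATTERNS = {
    "AWS key": r"AKIA[0-9A-Z]{16}",
    "GitHub token": r"ghp_[a-zA-Z0-9]{36}",
    "Slack token": r"xox[bpors]-[a-zA-Z0-9-]+",
    "Private key": r"-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----",
    "Generic secret": r"(password|secret|token|api_key)\s*=\s*['\"][^'\"]+['\"]",
}

# Constructed config in the .nanostack/config.json shape shown on this page.
CONFIG = json.dumps({"security": {"secret_patterns": [
    {"name": "Internal API key", "pattern": "myco_[a-zA-Z0-9]{32}", "severity": "critical"}
]}})

# Constructed sample file; the values are fillers, not real credentials.
SAMPLE = "\n".join([
    "aws_id = " + "AKIA" + "A" * 16,            # unquoted: AWS rule only
    'api_key = "' + "myco_" + "b" * 32 + '"',   # generic rule and custom rule
    "token: abc123",                            # YAML style: generic rule misses it
    'greeting = "hello"',                       # no secret keyword: no finding
])

def load_rules(config_text, default_severity="critical"):
    """Compile default rules, then append custom ones from the config."""
    # Assumption: defaults get one fixed severity; the page does not state theirs.
    rules = [(n, re.compile(p), default_severity) for n, p in DEFAULT_PATTERNS.items()]
    custom = json.loads(config_text).get("security", {}).get("secret_patterns", [])
    for c in custom:
        rules.append((c["name"], re.compile(c["pattern"]), c["severity"]))
    return rules

def scan(text, rules):
    """Return one finding per (line, rule) hit, with the match redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, severity in rules:
            m = rx.search(line)
            if m:
                shown = m.group(0)[:4] + "*" * (len(m.group(0)) - 4)
                findings.append({"line": lineno, "rule": name,
                                 "severity": severity, "match": shown})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE, load_rules(CONFIG)):
        print(f)
```

The third sample line shows a limit of the generic pattern as written: it requires `=` and a quoted value, so colon-separated or unquoted assignments pass unflagged unless a format-specific pattern also matches.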