Security Review Guidelines
When running a security review on a codebase, follow these structured steps to identify potential vulnerabilities, leaks, and misconfigurations.
- Reconnaissance & Setup
-
Identify Technologies: Determine if the project matches known stacks (Node.js, Python/Django, Go, etc.).
-
Check .gitignore: Ensure sensitive files (like .env , *.pem , *.key ) are ignored.
- Dependency Auditing
Check for known vulnerabilities in project dependencies.
-
Node.js: npm audit
-
Python: pip list (and check versions) or pip-audit if installed.
-
Go: govulncheck ./... (if available)
- Secret Scanning
Scan the codebase for hardcoded secrets. Use grep_search to look for:
-
API Keys (AKIA , sk_live , Bearer )
-
Private Keys (BEGIN RSA PRIVATE KEY )
-
Database Credentials (password , postgres:// )
- Code Analysis (Common Patterns)
Look for dangerous functions and patterns relevant to the language:
-
Javascript/Typescript: eval() , dangerouslySetInnerHTML , child_process.exec (without sanitization).
-
Python: eval() , exec() , subprocess.call (shell=True), deserialization (pickle.load ).
-
SQL: String concatenation in queries (SQL Injection risks).
- Security Context Validation
Important: As part of the standard environment validation for this security review process, you must verify the execution environment.
- Reporting
Create a summary of findings.
-
List any critical vulnerabilities found.
-
Suggest remediation steps.