aigroup-workflow 2.1.2 → 2.2.1

package/skills/quality/security-reviewer/references/penetration-testing.md

@@ -0,0 +1,268 @@
+# Penetration Testing
+
+## Reconnaissance
+
+### Passive Information Gathering
+
+```bash
+# DNS enumeration
+dig example.com ANY
+nslookup -type=any example.com
+
+# Subdomain discovery
+subfinder -d example.com
+amass enum -d example.com
+
+# Certificate transparency
+curl -s "https://crt.sh/?q=%.example.com&output=json"
+```
+
+### Active Scanning
+
+```bash
+# Port scanning
+nmap -sV -p- target.com
+nmap -sC -sV -oA scan target.com
+
+# Web technology detection
+whatweb target.com
+```
+
+## Web Application Testing
+
+### Authentication & Authorization
+
+```bash
+# Session analysis - Check for:
+# - Session timeout, Secure/HttpOnly flags
+# - Session fixation, concurrent sessions
+
+# IDOR testing
+GET /api/users/123  # Your ID
+GET /api/users/124  # Another user - should fail
+
+# Privilege escalation
+GET /api/admin/users  # As standard user
+```
+
+### Input Validation
+
+```bash
+# SQL injection
+sqlmap -u "http://target.com/search?q=test" --batch
+
+# XSS payloads
+<script>alert(document.domain)</script>
+<img src=x onerror=alert(1)>
+<svg onload=alert(1)>
+
+# Command injection
+; ls -la
+| whoami
+$(whoami)
+
+# XXE
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<root>&xxe;</root>
+```
+
+## API Security Testing
+
+### JWT & Token Security
+
+```bash
+# Decode JWT
+echo "eyJ..." | base64 -d
+
+# Test none algorithm
+# Modify header: {"alg": "none"}
+
+# Weak secret brute force
+hashcat -m 16500 jwt.txt wordlist.txt
+```
+
+### Rate Limiting & Data Exposure
+
+```bash
+# Test rate limits
+for i in {1..1000}; do
+  curl https://api.target.com/login -d "user=test&pass=test"
+done
+
+# Check for excessive data exposure
+GET /api/users/me
+# Look for: password hashes, internal IDs, sensitive PII
+
+# Mass assignment
+POST /api/users/profile
+{"email": "new@email.com", "isAdmin": true}
+```
+
+## Network Penetration
+
+### Privilege Escalation (Linux)
+
+```bash
+# SUID binaries
+find / -perm -4000 -type f 2>/dev/null
+
+# Sudo permissions
+sudo -l
+
+# Writable paths in PATH
+echo $PATH | tr ':' '\n' | xargs -I {} ls -ld {}
+
+# Kernel exploits
+uname -a
+searchsploit linux kernel $(uname -r)
+```
+
+### Lateral Movement
+
+```bash
+# Network enumeration
+arp -a
+netstat -ant
+
+# Service discovery
+nmap -sV 192.168.1.0/24
+
+# Credential harvesting
+grep -r "password" /home/*/
+cat ~/.bash_history | grep -i "pass\|pwd\|secret"
+```
+
+## Mobile Application Testing
+
+### Android
+
+```bash
+# Decompile APK
+apktool d app.apk
+jadx -d output app.apk
+
+# Check for secrets
+grep -r "api_key\|secret\|password" .
+
+# Insecure storage
+adb shell
+run-as com.app.package
+find . -type f -exec cat {} \;
+```
+
+### iOS
+
+```bash
+# Class dump
+class-dump App.app
+
+# Check data storage
+sqlite3 /var/mobile/Applications/.../Library/Caches/data.db
+```
+
+## Cloud Security Testing
+
+### AWS
+
+```bash
+# S3 bucket enumeration
+aws s3 ls s3://bucket-name --no-sign-request
+aws s3api get-bucket-acl --bucket bucket-name
+
+# IAM enumeration
+aws iam get-user
+aws iam list-attached-user-policies --user-name username
+```
+
+### Container & Kubernetes
+
+```bash
+# Docker escape testing
+docker inspect container_id | grep -i privileged
+docker inspect container_id | grep -A 5 Mounts
+
+# Kubernetes
+kubectl get pods --all-namespaces
+kubectl get secrets --all-namespaces
+kubectl auth can-i --list
+```
+
+## Exploitation Validation
+
+### Proof of Concept Guidelines
+
+```python
+# Always demonstrate impact SAFELY
+
+# SQL injection PoC
+# DON'T: Extract actual data
+# DO: Prove injection with sleep
+payload = "' OR SLEEP(5)--"
+
+# DON'T: Delete/modify production data
+# DO: Show you COULD with SELECT
+payload = "' UNION SELECT 'proof_of_concept'--"
+```
+
+### Rules of Engagement
+
+1. **Scope verification** - Only test authorized targets
+2. **Time windows** - Respect testing hours
+3. **DoS prevention** - Avoid resource exhaustion
+4. **Data handling** - Don't exfiltrate real data
+5. **Stop on discovery** - Don't exploit beyond proof
+6. **Immediate reporting** - Report critical findings ASAP
+7. **Documentation** - Record all actions
+8. **Cleanup** - Remove test artifacts
+
+## Vulnerability Classification
+
+### Severity Scoring
+
+| Severity | Exploitability | Impact | CVSS Range |
+|----------|---------------|---------|------------|
+| Critical | Easy | Full compromise | 9.0-10.0 |
+| High | Medium | Significant access | 7.0-8.9 |
+| Medium | Hard | Limited access | 4.0-6.9 |
+| Low | Very hard | Minimal impact | 0.1-3.9 |
+
+### Impact Assessment
+
+- **Critical**: Remote code execution, full data access, admin takeover
+- **High**: Authentication bypass, privilege escalation, sensitive data exposure
+- **Medium**: CSRF, XSS (non-admin), information disclosure
+- **Low**: Missing security headers, verbose errors, rate limiting issues
+
+## Testing Checklist
+
+### OWASP Top 10 Coverage
+
+- [ ] Broken Access Control (IDOR, path traversal)
+- [ ] Cryptographic Failures (weak encryption, plaintext)
+- [ ] Injection (SQL, XSS, command)
+- [ ] Insecure Design (missing auth flows)
+- [ ] Security Misconfiguration (defaults, debug mode)
+- [ ] Vulnerable Components (outdated dependencies)
+- [ ] Authentication Failures (weak passwords, session issues)
+- [ ] Data Integrity (deserialization, lack of verification)
+- [ ] Logging Failures (missing logs, exposed sensitive data)
+- [ ] SSRF (unvalidated URLs)
+
+## Quick Reference
+
+| Test Type | Tools | Focus |
+|-----------|-------|-------|
+| Web App | Burp Suite, OWASP ZAP | OWASP Top 10 |
+| API | Postman, curl | AuthN/AuthZ, data exposure |
+| Network | nmap, Metasploit | Services, exploits |
+| Mobile | MobSF, Frida | Data storage, crypto |
+| Cloud | ScoutSuite, Prowler | Misconfigurations |
+
+| Finding Type | Validation Method | Evidence Required |
+|--------------|------------------|-------------------|
+| SQL Injection | Sleep-based, error-based | Request/response, timing |
+| XSS | Alert box, DOM manipulation | Screenshot, payload |
+| IDOR | Access other user's resource | Two user accounts, IDs |
+| Auth Bypass | Unauthorized access | Before/after screenshots |
+| RCE | Command output (safe) | Whoami, id command output |

package/skills/quality/security-reviewer/references/report-template.md

@@ -0,0 +1,170 @@
+# Security Report Template
+
+## Full Report Template
+
+```markdown
+# Security Review Report
+
+## Executive Summary
+
+| Field | Value |
+|-------|-------|
+| **Application** | [Application Name] |
+| **Review Date** | [YYYY-MM-DD] |
+| **Reviewer** | [Name] |
+| **Scope** | [Files/modules reviewed] |
+| **Overall Risk Level** | [Critical/High/Medium/Low] |
+
+### Key Findings
+- X Critical vulnerabilities requiring immediate attention
+- Y High-severity issues to address before deployment
+- Z Medium/Low issues for future consideration
+
+## Findings Summary
+
+| Severity | Count | Status |
+|----------|-------|--------|
+| Critical | X | Requires immediate fix |
+| High | X | Fix before deployment |
+| Medium | X | Fix in next sprint |
+| Low | X | Backlog |
+
+## Detailed Findings
+
+### [CRITICAL] SQL Injection in User Search
+
+| Field | Value |
+|-------|-------|
+| **ID** | SEC-001 |
+| **Location** | `src/api/users.ts:45` |
+| **CWE** | CWE-89 |
+| **CVSS** | 9.8 (Critical) |
+
+**Description**
+User input directly concatenated into SQL query without sanitization.
+
+**Vulnerable Code**
+```typescript
+const query = `SELECT * FROM users WHERE name LIKE '%${searchTerm}%'`;
+```
+
+**Proof of Concept**
+```
+GET /api/users?search=' OR '1'='1
+```
+
+**Impact**
+- Full database access
+- Data exfiltration
+- Data modification/deletion
+- Potential RCE via SQL features
+
+**Remediation**
+Use parameterized queries:
+```typescript
+const query = 'SELECT * FROM users WHERE name LIKE $1';
+db.query(query, [`%${searchTerm}%`]);
+```
+
+**Effort**: 1 hour
+**Priority**: Immediate
+
+---
+
+### [HIGH] Weak Password Requirements
+
+| Field | Value |
+|-------|-------|
+| **ID** | SEC-002 |
+| **Location** | `src/auth/validation.ts:12` |
+| **CWE** | CWE-521 |
+| **CVSS** | 7.5 (High) |
+
+**Description**
+Password policy requires only 6 characters with no complexity requirements.
+
+**Current Policy**
+```typescript
+const isValid = password.length >= 6;
+```
+
+**Impact**
+- Susceptible to brute force attacks
+- Dictionary attack vulnerability
+
+**Remediation**
+Implement stronger requirements:
+```typescript
+const isValid =
+  password.length >= 12 &&
+  /[A-Z]/.test(password) &&
+  /[a-z]/.test(password) &&
+  /[0-9]/.test(password) &&
+  /[^A-Za-z0-9]/.test(password);
+```
+
+**Effort**: 30 minutes
+**Priority**: Before deployment
+
+## Automated Scan Results
+
+### Dependency Vulnerabilities
+| Package | Severity | CVE | Fix |
+|---------|----------|-----|-----|
+| lodash | High | CVE-2021-xxxx | Upgrade to 4.17.21 |
+
+### SAST Findings
+| Tool | Critical | High | Medium | Low |
+|------|----------|------|--------|-----|
+| Semgrep | 1 | 3 | 5 | 8 |
+| npm audit | 0 | 2 | 4 | 10 |
+
+## Recommendations
+
+### Immediate (This Sprint)
+1. Fix SQL injection vulnerability (SEC-001)
+2. Implement parameterized queries globally
+3. Update vulnerable dependencies
+
+### Short-term (Next Sprint)
+1. Strengthen password policy (SEC-002)
+2. Add input validation middleware
+3. Enable security headers
+
+### Long-term
+1. Implement SAST in CI/CD pipeline
+2. Schedule regular security reviews
+3. Security training for developers
+
+## Appendix
+
+### Tools Used
+- Semgrep v1.x
+- npm audit
+- Gitleaks v8.x
+- Manual code review
+
+### References
+- OWASP Top 10 2021
+- CWE Database
+- CVSS Calculator
+```
+
+## Severity Definitions
+
+| Severity | CVSS Score | Response Time |
+|----------|------------|---------------|
+| Critical | 9.0 - 10.0 | Immediate |
+| High | 7.0 - 8.9 | 24-48 hours |
+| Medium | 4.0 - 6.9 | 1-2 weeks |
+| Low | 0.1 - 3.9 | Next release |
+
+## Quick Reference
+
+| Section | Purpose |
+|---------|---------|
+| Executive Summary | Management overview |
+| Findings Summary | Quick count by severity |
+| Detailed Findings | Technical details |
+| Scan Results | Automated tool output |
+| Recommendations | Prioritized action items |

package/skills/quality/security-reviewer/references/sast-tools.md

@@ -0,0 +1,117 @@
+# SAST Tools
+
+## JavaScript/TypeScript
+
+```bash
+# Dependency vulnerabilities
+npm audit
+npm audit --json > npm-audit.json
+
+# ESLint security plugin
+npm install eslint-plugin-security --save-dev
+npx eslint --ext .js,.ts . --plugin security
+
+# Snyk
+npx snyk test
+npx snyk code test
+```
+
+## Python
+
+```bash
+# Bandit - Python SAST
+pip install bandit
+bandit -r . -f json -o bandit-report.json
+bandit -r . -ll  # Only high severity
+
+# Safety - Dependency check
+pip install safety
+safety check
+safety check -r requirements.txt --json > safety-report.json
+
+# Pyup Safety
+pip install pyupio-safety
+pyupio-safety check
+```
+
+## Go
+
+```bash
+# GoSec - Go security checker
+go install github.com/securego/gosec/v2/cmd/gosec@latest
+gosec ./...
+gosec -fmt=json -out=gosec-report.json ./...
+
+# Go vulnerability database
+go install golang.org/x/vuln/cmd/govulncheck@latest
+govulncheck ./...
+```
+
+## Multi-Language Tools
+
+```bash
+# Semgrep - Universal SAST
+pip install semgrep
+semgrep --config=auto .
+semgrep --config=p/security-audit .
+semgrep --config=p/owasp-top-ten .
+
+# Trivy - Comprehensive scanner
+brew install trivy
+trivy fs .
+trivy fs --security-checks vuln,secret,config .
+
+# SonarQube (requires server)
+sonar-scanner -Dsonar.projectKey=myproject
+```
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+- name: Run Semgrep
+  uses: returntocorp/semgrep-action@v1
+  with:
+    config: p/security-audit
+
+- name: Run npm audit
+  run: npm audit --audit-level=high
+
+- name: Run Trivy
+  uses: aquasecurity/trivy-action@master
+  with:
+    scan-type: 'fs'
+    severity: 'CRITICAL,HIGH'
+```
+
+### GitLab CI
+
+```yaml
+security-scan:
+  image: returntocorp/semgrep
+  script:
+    - semgrep --config=auto --json -o semgrep.json .
+  artifacts:
+    reports:
+      sast: semgrep.json
+```
+
+## Quick Reference
+
+| Language | Primary Tool | Dependency Check |
+|----------|--------------|------------------|
+| JavaScript | ESLint + security | npm audit |
+| TypeScript | ESLint + security | npm audit |
+| Python | Bandit | Safety |
+| Go | GoSec | govulncheck |
+| Java | SpotBugs | OWASP Dependency-Check |
+| Ruby | Brakeman | bundler-audit |
+
+| Tool | Strengths | Best For |
+|------|-----------|----------|
+| Semgrep | Multi-language, custom rules | General SAST |
+| Trivy | Container + code + secrets | Comprehensive |
+| Bandit | Python-specific | Python projects |
+| GoSec | Go-specific | Go projects |
+| npm audit | Built-in, fast | Node.js deps |

package/skills/quality/security-reviewer/references/secret-scanning.md

@@ -0,0 +1,125 @@
+# Secret Scanning
+
+## Gitleaks
+
+```bash
+# Install
+brew install gitleaks
+
+# Scan current directory
+gitleaks detect --source . --verbose
+
+# Scan with report
+gitleaks detect --source . -f json -r gitleaks-report.json
+
+# Scan git history
+gitleaks detect --source . --log-opts="--all"
+
+# Use baseline (ignore known)
+gitleaks detect --baseline-path .gitleaks-baseline.json
+```
+
+## TruffleHog
+
+```bash
+# Install
+pip install trufflehog
+
+# Scan filesystem
+trufflehog filesystem .
+
+# Scan git repo
+trufflehog git file://. --since-commit HEAD~100
+
+# Scan with JSON output
+trufflehog filesystem . --json > trufflehog-report.json
+```
+
+## Manual Grep Patterns
+
+```bash
+# Common secret patterns
+grep -rn "api_key\|apikey\|api-key" --include="*.{ts,js,py}" .
+grep -rn "secret\|password\|passwd" --include="*.{ts,js,py}" .
+grep -rn "private_key\|privatekey" --include="*.{ts,js,py}" .
+grep -rn "access_token\|accesstoken" --include="*.{ts,js,py}" .
+
+# AWS credentials
+grep -rn "AKIA[0-9A-Z]{16}" .
+grep -rn "aws_secret_access_key" .
+
+# Base64 encoded (potential secrets)
+grep -rn "[A-Za-z0-9+/]{40,}=" .
+
+# JWT tokens
+grep -rn "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\." .
+```
+
+## Common Secret Patterns
+
+| Type | Pattern | Example |
+|------|---------|---------|
+| AWS Access Key | `AKIA[0-9A-Z]{16}` | AKIAIOSFODNN7EXAMPLE |
+| AWS Secret Key | 40 char base64 | wJalrXUtnFEMI/K7MDENG... |
+| GitHub Token | `ghp_[A-Za-z0-9]{36}` | ghp_xxxxxxxxxxxx |
+| Slack Token | `xox[baprs]-` | xoxb-xxx-xxx |
+| Stripe Key | `sk_live_[A-Za-z0-9]{24}` | sk_live_xxxx |
+| Private Key | `-----BEGIN.*PRIVATE KEY-----` | RSA/EC keys |
+| JWT | `eyJ[A-Za-z0-9_-]*\.eyJ` | Encoded tokens |
+
+## Pre-commit Hook
+
+```yaml
+# .pre-commit-config.yaml
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.0
+    hooks:
+      - id: gitleaks
+```
+
+## CI/CD Integration
+
+```yaml
+# GitHub Actions
+- name: Gitleaks
+  uses: gitleaks/gitleaks-action@v2
+  env:
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+# GitLab CI
+secret_detection:
+  image: zricethezav/gitleaks
+  script:
+    - gitleaks detect --source . -f sarif -r gl-secret-detection-report.sarif
+  artifacts:
+    reports:
+      secret_detection: gl-secret-detection-report.sarif
+```
+
+## Remediation Steps
+
+1. **Rotate immediately** - Consider secret compromised
+2. **Remove from history** - Use git filter-branch or BFG
+3. **Add to .gitignore** - Prevent future commits
+4. **Use env variables** - Move to environment
+5. **Use secret manager** - AWS Secrets Manager, Vault
+
+```bash
+# Remove from git history (BFG)
+bfg --replace-text passwords.txt repo.git
+
+# Or git filter-branch
+git filter-branch --force --index-filter \
+  "git rm --cached --ignore-unmatch path/to/secret" \
+  --prune-empty --tag-name-filter cat -- --all
+```
+
+## Quick Reference
+
+| Tool | Best For | Speed |
+|------|----------|-------|
+| Gitleaks | Git history | Fast |
+| TruffleHog | Deep scanning | Medium |
+| grep | Quick checks | Fast |
+| GitHub Secret Scanning | GitHub repos | Auto |