create-agentic-app 1.1.56 → 1.1.57

package/template/.agents/skills/security-scanner/references/A08-software-data-integrity-failures.md

@@ -0,0 +1,132 @@
+# A08:2025 — Software or Data Integrity Failures
+
+## Overview
+
+Software or Data Integrity Failures is #8 in OWASP Top 10:2025. This category covers failures to maintain trust boundaries and verify that software, code, and data are trustworthy before treating them as valid. It encompasses 14 CWEs with 501,327 total occurrences and 3,331 CVEs. Key concerns include insecure deserialization, code execution from untrusted sources, and CI/CD pipeline integrity.
+
+## Key CWEs
+
+- **CWE-502**: Deserialization of Untrusted Data
+- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere
+- **CWE-915**: Improperly Controlled Modification of Dynamically-Determined Object Attributes
+- **CWE-494**: Download of Code Without Integrity Check
+- **CWE-345**: Insufficient Verification of Data Authenticity
+- **CWE-353**: Missing Support for Integrity Check
+
+## What to Look For
+
+### General Patterns
+- Deserialization of untrusted data (user-submitted serialized objects)
+- `eval()` or `Function()` executing user-provided code
+- CDN/external scripts loaded without Subresource Integrity (SRI) hashes
+- Auto-update mechanisms without signature verification
+- CI/CD pipelines without integrity verification steps
+- Unsigned firmware or software packages
+- Object property injection via mass assignment
+- Dynamic code generation from untrusted input
+- Missing digital signatures on critical data exchanges
+
+### Grep Patterns
+
+```
+# Deserialization
+deserialize|unserialize|pickle\.load|yaml\.load|readObject
+JSON\.parse.*req\.|JSON\.parse.*body|JSON\.parse.*user
+ObjectInputStream|Marshal\.load|php.*unserialize
+fromJson.*untrusted|Gson.*fromJson
+
+# Code execution
+eval\(|Function\(|new Function|vm\.runInContext
+exec\(|execSync\(|compile\(
+setTimeout\(.*['"]|setInterval\(.*['"]
+
+# CDN without integrity
+<script.*src=.*http|<link.*href=.*http
+integrity=|crossorigin=
+
+# Mass assignment / prototype pollution
+Object\.assign\(.*req\.|\.\.\.req\.body|Object\.merge
+__proto__|prototype\[|constructor\[
+
+# Auto-update without verification
+update.*download|download.*update|auto.*update
+checksum|signature|verify.*hash|gpg.*verify
+```
+
+### JavaScript / TypeScript / Node.js
+- `eval(req.body.data)` or `new Function(req.body.code)()` — executes arbitrary user code
+- `JSON.parse()` on untrusted input without schema validation (prototype pollution risk)
+- `Object.assign(target, req.body)` — mass assignment allows property injection
+- External `<script>` or `<link>` tags without `integrity` attribute
+- `__proto__` or `constructor.prototype` manipulation via user input
+
+### Python
+- `pickle.load()` or `yaml.load()` (without `Loader=SafeLoader`) on untrusted data
+- `eval()` or `exec()` with user input
+- `marshal.load()` on untrusted data
+
+### Java
+- `ObjectInputStream.readObject()` without input validation — Java deserialization attacks
+- `XMLDecoder` with untrusted XML
+- Libraries like Apache Commons Collections with known gadget chains
+
+## Prevention Measures
+
+1. Use digital signatures to verify software and data source authenticity
+2. Restrict library/dependency consumption to trusted, vetted repositories
+3. Use tools like OWASP Dependency Check to verify components are free of known vulnerabilities
+4. Enforce code review processes to minimize malicious code introduction
+5. Ensure CI/CD pipeline has proper segregation, configuration, and access controls
+6. Never deserialize untrusted data — or use serialization formats that don't allow code execution (JSON instead of Java serialization, `yaml.safe_load` instead of `yaml.load`)
+7. Add Subresource Integrity (SRI) to all externally loaded scripts/styles
+8. Validate and sanitize all input before processing
+
+## Example Attack Scenarios
+
+**Scenario 1:** External service provider gains access to authentication cookies through DNS mapping, enabling session hijacking.
+
+**Scenario 2:** Unsigned firmware update on router/device used as attack vector with no remediation path.
+
+**Scenario 3:** Developers install packages from untrusted sources lacking signature verification, introducing malware.
+
+**Scenario 4:** Java deserialization attack — attacker crafts malicious serialized object that executes arbitrary code upon deserialization.
+
+## Fix Examples
+
+**Before (eval with user input):**
+```typescript
+export async function POST(req) {
+  const { data } = await req.json();
+  const result = eval(data); // Arbitrary code execution
+  return Response.json({ result });
+}
+```
+
+**After (safe data processing):**
+```typescript
+export async function POST(req) {
+  const { data } = await req.json();
+  const parsed = JSON.parse(data); // Parse as data only, never as code
+  const validated = schema.parse(parsed); // Validate against schema
+  return Response.json({ result: processData(validated) });
+}
+```
+
+**Before (Python pickle deserialization):**
+```python
+import pickle
+data = pickle.loads(request.data)  # Arbitrary code execution
+```
+
+**After (safe deserialization):**
+```python
+import json
+data = json.loads(request.data)  # JSON cannot execute code
+validated = DataSchema(**data)    # Validate against schema
+```
+
+## References
+
+- [OWASP A08:2025](https://owasp.org/Top10/2025/A08_2025-Software_or_Data_Integrity_Failures/)
+- OWASP Cheat Sheet: Deserialization
+- OWASP ASVS: Data Integrity

package/template/.agents/skills/security-scanner/references/A09-security-logging-alerting-failures.md

@@ -0,0 +1,130 @@
+# A09:2025 — Security Logging and Alerting Failures
+
+## Overview
+
+Security Logging and Alerting Failures is #9 in OWASP Top 10:2025. This category covers insufficient logging, monitoring, and alerting that prevent detection of security breaches. It maps to 5 CWEs with 723 CVEs. Real-world impact is severe: a healthcare provider went 7 years undetected after a breach affecting 3.5M records; a major airline suffered a decade-long data breach at a third-party provider.
+
+## Key CWEs
+
+- **CWE-117**: Improper Output Neutralization for Logs
+- **CWE-221**: Information Loss or Omission
+- **CWE-223**: Omission of Security-relevant Information
+- **CWE-532**: Insertion of Sensitive Information into Log File
+- **CWE-778**: Insufficient Logging
+
+## What to Look For
+
+### General Patterns
+- Sensitive data written to logs (passwords, tokens, credit cards, PII, session IDs)
+- Missing audit logging for security-relevant events (login, failed auth, privilege changes, data access)
+- No logging on authentication failures or access control failures
+- Error messages that expose sensitive information to end users
+- Logs without timestamps, request IDs, or sufficient context for forensics
+- Log files stored without integrity protection (can be tampered with)
+- No centralized log aggregation or monitoring
+- Missing alerting on suspicious patterns (brute force, unusual access)
+- Unencoded log entries vulnerable to log injection attacks
+- Logging only to console/stdout without persistence
+
+### Grep Patterns
+
+```
+# Sensitive data in logs
+console\.log.*password|console\.log.*token|console\.log.*secret
+console\.log.*session|console\.log.*cookie|console\.log.*key
+logger\.info.*password|logger\.debug.*token|log\.info.*credential
+print\(.*password|print\(.*token|logging\.info.*password
+
+# Missing security event logging
+login.*fail|auth.*fail|access.*denied|unauthorized
+audit|auditLog|audit_log|security_log|securityEvent
+
+# Log injection risk
+console\.log\(.*req\.|logger\.info\(.*req\.body|log\(.*user_input
+
+# Logging framework usage
+winston|bunyan|pino|morgan|log4js|logging|logger
+console\.log|console\.error|console\.warn
+
+# Error exposure to users
+res\.json.*err|response.*error.*message|render.*error.*stack
+```
+
+### JavaScript / TypeScript / Node.js
+- `console.log('Login attempt:', email, password)` — passwords in logs
+- `console.log('Session created:', sessionToken)` — tokens in logs
+- Using only `console.log` without a logging framework (no levels, no persistence, no structure)
+- Missing logging on failed authentication, failed authorization, and input validation failures
+- Error responses including `err.message` or `err.stack` sent to client
+
+### Python (Django/Flask)
+- `print(f"User {email} login with password {password}")` — passwords in logs
+- Missing `LOGGING` configuration in Django settings
+- No audit trail for admin actions
+- `logging.debug()` containing sensitive request data
+
+### Java (Spring)
+- `logger.info("Auth token: " + token)` — tokens in logs
+- Missing Spring Security audit events configuration
+- No `@EventListener` for `AuthenticationFailureBadCredentialsEvent`
+
+## Prevention Measures
+
+1. Log all authentication events (success and failure) with sufficient context for forensic analysis
+2. Log all access control failures and input validation failures
+3. Use structured, machine-readable log formats compatible with log management tools
+4. Encode log data properly to prevent log injection attacks
+5. Use append-only audit trails with integrity controls for critical events
+6. Never log sensitive data: passwords, tokens, credit card numbers, PII
+7. Establish monitoring and alerting for suspicious patterns (brute force, mass data access)
+8. Implement error-triggered transaction rollbacks where appropriate
+9. Use centralized log aggregation (ELK stack, Splunk, Datadog, etc.)
+10. Create incident response playbooks tied to alerting thresholds
+11. Ensure logs include timestamps, user IDs, IP addresses, and request context
+
+## Example Attack Scenarios
+
+**Scenario 1:** Healthcare provider breached for 7 years undetected due to absent monitoring — 3.5M children's health records compromised.
+
+**Scenario 2:** Major airline suffered a decade-long data breach at third-party cloud provider, discovered only through external investigation.
+
+**Scenario 3:** European airline fined EUR 20M under GDPR after payment system breach exposed 400,000+ customer records — insufficient logging delayed detection.
+
+## Fix Examples
+
+**Before (sensitive data in logs):**
+```typescript
+console.log(`Login attempt: ${email} / ${password}`);
+// ...
+console.log(`Session created: ${sessionToken}`);
+```
+
+**After (safe logging):**
+```typescript
+import { logger } from './logger';
+logger.info('Login attempt', { email, ip: req.ip, timestamp: new Date().toISOString() });
+// ...
+logger.info('Session created', { userId: user.id, ip: req.ip });
+// Never log passwords, tokens, or session IDs
+```
+
+**Before (no security event logging):**
+```typescript
+if (!user) return Response.json({ error: 'Invalid credentials' }, { status: 401 });
+```
+
+**After (with audit logging):**
+```typescript
+if (!user) {
+  logger.warn('Failed login attempt', { email, ip: req.ip, reason: 'user_not_found' });
+  return Response.json({ error: 'Invalid credentials' }, { status: 401 });
+}
+```
+
+## References
+
+- [OWASP A09:2025](https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/)
+- OWASP Proactive Controls: C9 Security Logging and Monitoring
+- OWASP Cheat Sheet: Application Logging Vocabulary
+- OWASP ASVS V16 Security Logging and Error Handling
+- NIST SP 800-61r2: Computer Security Incident Handling Guide

package/template/.agents/skills/security-scanner/references/A10-mishandling-exceptional-conditions.md

@@ -0,0 +1,154 @@
+# A10:2025 — Mishandling of Exceptional Conditions
+
+## Overview
+
+Mishandling of Exceptional Conditions is #10 in OWASP Top 10:2025 — a newly introduced category. It covers 24 CWEs with 769,581 total occurrences and 3,416 CVEs. This category addresses deficiencies in error management: programs that fail to prevent, detect, or respond to unusual and unpredictable situations. These failures threaten confidentiality (info disclosure), availability (denial of service), and integrity (data corruption).
+
+## Key CWEs
+
+- **CWE-209**: Generation of Error Message Containing Sensitive Information
+- **CWE-234**: Failure to Handle Missing Parameter
+- **CWE-274**: Improper Handling of Insufficient Privileges
+- **CWE-280**: Improper Handling of Insufficient Permissions
+- **CWE-476**: NULL Pointer Dereference
+- **CWE-636**: Not Failing Securely (Fail-Open)
+- **CWE-252**: Unchecked Return Value
+- **CWE-754**: Improper Check for Unusual or Exceptional Conditions
+- **CWE-755**: Improper Handling of Exceptional Conditions
+
+## What to Look For
+
+### General Patterns
+- Empty catch blocks that swallow errors silently
+- Generic error handling that hides root causes
+- Missing error handling on async operations (unhandled promise rejections)
+- Error responses that expose stack traces, SQL queries, or internal paths to users
+- Fail-open patterns: errors cause the system to grant access instead of denying it
+- Unchecked return values from security-critical functions
+- Missing error handling on file I/O, network calls, database operations
+- Partial transaction failures without rollback
+- Resource leaks when exceptions occur (file handles, DB connections, memory)
+- Missing global/unhandled exception handlers
+- Inconsistent error handling across the application
+
+### Grep Patterns
+
+```
+# Empty catch blocks
+catch\s*\([^)]*\)\s*\{\s*\}|catch\s*\(\s*\)\s*:|except\s*:.*pass
+catch.*\{\s*\/\/|catch.*\{\s*\n\s*\}
+
+# Stack trace / internal info exposure
+err\.stack|error\.stack|e\.getStackTrace|traceback
+err\.message|error\.message|e\.getMessage
+res\.json.*err|response.*stack|render.*error
+
+# Fail-open patterns
+catch.*return true|catch.*allow|catch.*grant|catch.*next\(\)
+catch.*continue|on_error.*pass|rescue.*true
+
+# Unhandled async
+\.then\((?!.*\.catch)|async.*(?!try)
+unhandledRejection|uncaughtException
+
+# Unchecked returns
+=\s*(await\s+)?.*\(.*\)\s*;?\s*$(?!.*if|.*\?|.*throw|.*return)
+
+# Resource cleanup
+finally|dispose|close|cleanup|release
+try.*open|try.*connect|try.*acquire
+```
+
+### JavaScript / TypeScript / Node.js
+- `catch (e) {}` — empty catch block, error silently swallowed
+- `catch (e) { return res.json({ error: e.message, stack: e.stack }) }` — info disclosure
+- Missing `.catch()` on Promises or missing try/catch around `await`
+- Express error middleware missing or exposing internals
+- `process.on('uncaughtException')` handler missing
+- Database/file operations without try/catch in async handlers
+
+### Python (Django/Flask)
+- `except: pass` or `except Exception: pass` — swallowing all errors
+- `traceback.format_exc()` returned in HTTP response
+- Missing `finally` blocks for resource cleanup
+- Django `DEBUG = True` in production exposing full tracebacks
+
+### Java (Spring)
+- Empty catch blocks: `catch (Exception e) {}`
+- `e.printStackTrace()` in production code
+- Missing `@ControllerAdvice` global exception handler
+- `@ExceptionHandler` returning `e.getMessage()` to client
+
+## Prevention Measures
+
+1. Catch and handle errors at their point of origin with meaningful responses
+2. Provide user-friendly error messages — never expose internal details
+3. Log all errors with sufficient context for debugging
+4. Use global exception handlers as a safety net for unhandled errors
+5. Roll back transactions completely on failure — no partial state
+6. Apply rate limiting and resource quotas to prevent resource exhaustion
+7. Implement proper resource cleanup in `finally` blocks
+8. Default to deny (fail-closed) — never grant access on error
+9. Conduct stress testing and penetration testing to find edge cases
+10. Aggregate repeated identical errors as statistics to prevent log flooding
+
+## Example Attack Scenarios
+
+**Scenario 1 — Denial of Service:** File upload exception leaves resources unreleased. Repeated uploads exhaust system resources, causing downtime until restart.
+
+**Scenario 2 — Information Disclosure:** Database error message exposes table names, column names, and query structure. Attacker uses this to craft targeted SQL injection attacks.
+
+**Scenario 3 — Financial Transaction Compromise:** Network interruption during multi-step transfer. Missing rollback allows attacker to drain accounts or create duplicate transfers.
+
+## Fix Examples
+
+**Before (empty catch + info disclosure):**
+```typescript
+try {
+  const results = db.all(query);
+  return Response.json(results);
+} catch (e) {
+  return Response.json({ error: e.message, sql: query, stack: e.stack });
+}
+```
+
+**After (proper error handling):**
+```typescript
+try {
+  const results = db.all(query);
+  return Response.json(results);
+} catch (e) {
+  logger.error('Database query failed', { error: e.message, query, stack: e.stack });
+  return Response.json({ error: 'An internal error occurred' }, { status: 500 });
+}
+```
+
+**Before (fail-open):**
+```typescript
+try {
+  const isAuthorized = await checkPermission(user, resource);
+  if (!isAuthorized) return deny();
+} catch (e) {
+  // Auth service is down, let them through
+}
+return allow();
+```
+
+**After (fail-closed):**
+```typescript
+try {
+  const isAuthorized = await checkPermission(user, resource);
+  if (!isAuthorized) return deny();
+  return allow();
+} catch (e) {
+  logger.error('Authorization check failed', { user: user.id, resource, error: e.message });
+  return deny(); // Default to deny on error
+}
+```
+
+## References
+
+- [OWASP A10:2025](https://owasp.org/Top10/2025/A10_2025-Mishandling_of_Exceptional_Conditions/)
+- OWASP Error Handling Cheat Sheet
+- OWASP Logging Cheat Sheet
+- OWASP ASVS V16.5 Error Handling

package/template/.agents/skills/security-scanner/references/report-template.md

@@ -0,0 +1,148 @@
+# Security Audit Report
+
+**Project:** [PROJECT_NAME]
+**Date:** [YYYY-MM-DD]
+**Auditor:** Claude Code Security Scanner
+**Framework:** OWASP Top 10:2025
+**Scope:** [LIST_OF_DIRECTORIES_AND_FILES_ANALYZED]
+**Technology Stack:** [LANGUAGES_FRAMEWORKS_DETECTED]
+
+---
+
+## Executive Summary
+
+[2-3 paragraph overview: what was analyzed, key risk areas found, overall risk posture, most urgent items to address]
+
+**Overall Risk Score:** [SCORE] ([Low/Moderate/High/Critical] Risk)
+
+| Severity | Count |
+|----------|-------|
+| Critical | [X]   |
+| High     | [X]   |
+| Medium   | [X]   |
+| Low      | [X]   |
+| Info     | [X]   |
+| **Total**| **[X]** |
+
+---
+
+## Findings
+
+### A01:2025 — Broken Access Control
+
+[If findings exist, list each one using the format below. If no findings, write: "No issues identified. Checked: [list what was checked]."]
+
+#### [SEVERITY] [Finding Title]
+- **File:** `[path/to/file.ext]`
+- **Line(s):** [XX-YY]
+- **CWE:** [CWE-XXX: Name]
+- **Description:** [What the vulnerability is and why it matters]
+- **Evidence:**
+  ```[language]
+  // vulnerable code snippet from the actual codebase
+  ```
+- **Recommendation:**
+  ```[language]
+  // fixed code snippet showing the remediation
+  ```
+
+---
+
+### A02:2025 — Security Misconfiguration
+
+[Same format as above]
+
+---
+
+### A03:2025 — Software Supply Chain Failures
+
+[Same format as above]
+
+---
+
+### A04:2025 — Cryptographic Failures
+
+[Same format as above]
+
+---
+
+### A05:2025 — Injection
+
+[Same format as above]
+
+---
+
+### A06:2025 — Insecure Design
+
+[Same format as above]
+
+---
+
+### A07:2025 — Authentication Failures
+
+[Same format as above]
+
+---
+
+### A08:2025 — Software or Data Integrity Failures
+
+[Same format as above]
+
+---
+
+### A09:2025 — Security Logging and Alerting Failures
+
+[Same format as above]
+
+---
+
+### A10:2025 — Mishandling of Exceptional Conditions
+
+[Same format as above]
+
+---
+
+## Risk Score Breakdown
+
+Scoring: Critical = 10 pts, High = 7 pts, Medium = 4 pts, Low = 2 pts, Info = 0 pts.
+
+| Category | Critical | High | Medium | Low | Info | Points |
+|----------|----------|------|--------|-----|------|--------|
+| A01 — Broken Access Control        | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A02 — Security Misconfiguration    | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A03 — Supply Chain Failures        | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A04 — Cryptographic Failures       | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A05 — Injection                    | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A06 — Insecure Design              | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A07 — Authentication Failures      | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A08 — Data Integrity Failures      | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A09 — Logging & Alerting Failures  | [X] | [X] | [X] | [X] | [X] | [XX] |
+| A10 — Exceptional Conditions       | [X] | [X] | [X] | [X] | [X] | [XX] |
+| **Total**                           |     |     |     |     |     | **[XX]** |
+
+**Risk Rating:** 0-10 = Low | 11-30 = Moderate | 31-60 = High | 61+ = Critical
+
+---
+
+## Remediation Priority
+
+[Ordered list of the most critical items to fix first, with brief rationale]
+
+1. **[Most critical finding]** — [why this is urgent and what to do]
+2. **[Second most critical]** — [why and what]
+3. **[Third most critical]** — [why and what]
+[Continue as needed...]
+
+---
+
+## Methodology
+
+This audit was performed using static analysis against the OWASP Top 10:2025 framework. Each category was evaluated using pattern-matching (grep), code review (file reading), dependency analysis, and configuration inspection. The analysis covered source code, configuration files, dependency manifests, and environment settings.
+
+**Limitations:** This is a static analysis — it does not include dynamic/runtime testing, penetration testing, or network-level analysis. Some vulnerabilities may only be discoverable through dynamic testing.
+
+## References
+
+- [OWASP Top 10:2025](https://owasp.org/Top10/2025/)
+- [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/)
+- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)