Holistic Security Audit Report Generator
Act as a senior security engineer to audit a codebase and deliver a focused, actionable security report on vulnerabilities, threats, risk, and compliance.
Prompt
You are a senior software security engineer. Audit the provided codebase holistically and produce a clear, actionable **security report**. Focus exclusively on vulnerabilities, attack surfaces, risk exposure, and compliance. Do **not** comment on architecture quality, scalability, performance, or developer experience unless directly tied to security.

=== WHAT TO DO ===

1) **Map the security posture**
- Identify authentication and authorization mechanisms (RBAC, ABAC, hardcoded roles).
- Locate sensitive data flows, trust boundaries, and entry/exit points (APIs, events, batch jobs, admin tools, webhooks).
- List third-party dependencies and external systems; assess supply-chain risks.

2) **Threat modeling**
- Apply **STRIDE** (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
- Use a **Severity × Likelihood** matrix (Critical/High/Medium/Low × Likely/Possible/Unlikely).
- Highlight attack vectors (SQLi, XSS, CSRF, SSRF, injection, insecure deserialization, path traversal, template injection, command injection, IDOR, authZ bypass, RCE, clickjacking).

3) **Secure coding review**
- Input validation, output encoding, sanitization, escaping (server and client).
- Session management and token handling (JWT, cookies, opaque tokens), CSRF/CORS enforcement.
- Secrets management: storage, rotation, environment handling; detect hardcoded credentials.
- TLS usage, certificate handling, secure headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), and encryption at rest/in transit.
- Logging/telemetry for sensitive data leakage and non-repudiation.

4) **Dependency & supply-chain audit**
- Run SCA against manifests; identify outdated libraries, known CVEs, insecure transitives.
- Note missing SBOM, SPDX, or license compliance records.
- Assess build pipeline trust: lockfiles, checksums, signature verification, pinned versions, provenance (SLSA), artifact signing.

5) **Compliance & data protection**
- Evaluate handling of PII/PHI: collection, minimization, retention, encryption, access controls, and access logging.
- Assess audit trails and non-repudiation controls.
- Note GDPR/CCPA/HIPAA and sector-specific implications where relevant.

=== REQUIRED OUTPUT FORMAT ===

Produce a single, well-structured Markdown file named **security-audit-rep** and direct the user to its location.
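As an added example (not part of the prompt above, and not code from its author or from BestPromptIdeas), the following Python script shows what two of the checklist items look like when turned into mechanical checks an auditor can run before writing the report: the pinned-version check from step 4 and the hardcoded-credential check from step 3. It then ranks the findings with the Severity × Likelihood matrix from step 2 and renders the kind of Markdown findings table the prompt asks for. The requirements manifest, the source snippets and the severity assignments are constructed for the example; the regexes are deliberately simple (a name such as `secret_name = "vault/path"` would be flagged and needs a human to triage), and the secret value itself is never copied into the report.

```python
"""Small audit helper (added example, constructed inputs): two static checks from
the prompt's checklist plus Severity x Likelihood ranking and a Markdown report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matrix axes, most urgent first; the index doubles as the ranking weight.
SEVERITIES = ("Critical", "High", "Medium", "Low")
LIKELIHOODS = ("Likely", "Possible", "Unlikely")


@dataclass
class Finding:
    title: str
    stride: str          # STRIDE category the finding falls under
    severity: str
    likelihood: str
    location: str        # "path:line"
    remediation: str

    def rank(self) -> int:
        """Lower is more urgent: severity dominates, likelihood breaks ties."""
        return SEVERITIES.index(self.severity) * len(LIKELIHOODS) + LIKELIHOODS.index(self.likelihood)


# A pip requirement counts as pinned only when it carries an exact '==' (or '===') version.
_PINNED = re.compile(r"==\s*[0-9A-Za-z]")
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)")

# Credential-looking identifier assigned a quoted literal of 6+ chars (Python, YAML, .env style).
# Values pulled from os.environ / getenv are not quoted literals and therefore do not match.
_SECRET_ASSIGN = re.compile(
    r"""(?i)(\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*["']([^"']{6,})["']"""
)


def check_manifest_pinning(requirements_text: str, path: str = "requirements.txt") -> list[Finding]:
    """Flag every requirement that is not pinned to an exact version (supply-chain tampering risk)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):
            continue  # blank line, comment, or pip option such as '-r other.txt'
        if _PINNED.search(stripped):
            continue
        m = _REQ_NAME.match(stripped)
        name = m.group(1) if m else stripped
        findings.append(Finding(
            title=f"Unpinned dependency '{name}'",
            stride="Tampering",
            severity="Medium",
            likelihood="Possible",
            location=f"{path}:{lineno}",
            remediation="Pin to an exact version and commit a lockfile with checksums.",
        ))
    return findings


def find_hardcoded_secrets(files: dict[str, str]) -> list[Finding]:
    """Flag credential-looking identifiers assigned string literals; the literal is not recorded."""
    findings: list[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = _SECRET_ASSIGN.search(line)
            if m:
                findings.append(Finding(
                    title=f"Hardcoded credential assigned to '{m.group(1)}'",
                    stride="Information Disclosure",
                    severity="Critical",
                    likelihood="Likely",
                    location=f"{path}:{lineno}",
                    remediation="Move the value to a secrets manager or environment variable, rotate it, and purge it from history.",
                ))
    return findings


def audit(requirements_text: str, files: dict[str, str]) -> list[Finding]:
    """Run both checks and return findings ordered by the Severity x Likelihood matrix."""
    return sorted(check_manifest_pinning(requirements_text) + find_hardcoded_secrets(files), key=Finding.rank)


def render_report(findings: list[Finding]) -> str:
    """Markdown report: matrix-ordered findings table followed by numbered remediation items."""
    ordered = sorted(findings, key=Finding.rank)
    lines = ["# Security Audit Report", "",
             "| # | Severity | Likelihood | STRIDE | Finding | Location |",
             "|---|---|---|---|---|---|"]
    for i, f in enumerate(ordered, 1):
        lines.append(f"| {i} | {f.severity} | {f.likelihood} | {f.stride} | {f.title} | `{f.location}` |")
    lines += ["", "## Remediation"]
    for i, f in enumerate(ordered, 1):
        lines.append(f"{i}. **{f.title}**: {f.remediation}")
    return "\n".join(lines) + "\n"


# Constructed sample inputs for the example; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed manifest
requests==2.31.0
pyyaml>=5.1
cryptography
flask==3.0.0 ; python_version >= "3.8"
-r dev-requirements.txt
"""
SAMPLE_FILES = {
    "app/config.py": 'DB_PASSWORD = "hunter2hunter2"\nAPI_KEY = os.environ["API_KEY"]\n',
    "deploy/values.yaml": 'admin:\n  password: "changeme123"\n  token_ttl: 3600\n',
}

if __name__ == "__main__":
    print(render_report(audit(SAMPLE_REQUIREMENTS, SAMPLE_FILES)))
```

Running the script prints a report whose table lists the two hardcoded credentials (Critical/Likely) ahead of the two unpinned requirements (Medium/Possible); the `-r` include line and the pinned `flask` entry produce no findings. The matrix lookup lives in `Finding.rank()` so that any further check added later sorts into the same table without touching the report renderer.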
AI consultant and software creator helping businesses and creators harness artificial intelligence through practical solutions and innovative products. Creator of BestPromptIdeas.com.