Skip to content

Instantly share code, notes, and snippets.

@naiplawan

naiplawan/prompt.md

Created June 20, 2025 09:34
Show Gist options
  • Save naiplawan/6f399228359ac37bd7b46c42f1522ed5 to your computer and use it in GitHub Desktop.
Save naiplawan/6f399228359ac37bd7b46c42f1522ed5 to your computer and use it in GitHub Desktop.
Download ZIP
Code Security Scanner Prompt
Raw
prompt.md

As a cybersecurity expert specializing in secure code analysis, I need you to perform a thorough security review of the provided code. Your analysis should adhere to the following framework and deliver a detailed report in Markdown forma and written in Markdown File :

My Secure Code Analysis Framework:

1. CIA Triad Assessment

  • Confidentiality: Identify data exposure risks, unauthorized access, improper access controls (principle of least privilege violations), weak encryption, unencrypted sensitive data, and information disclosure in error messages/logs.
  • Integrity: Verify data protection mechanisms by checking for input validation gaps (SQL injection, XSS, command injection), data sanitization issues, missing integrity checks (checksums, digital signatures), and race conditions that could corrupt data.
  • Availability: Identify service disruption risks, including DoS attack vectors (resource exhaustion, infinite loops), poor error handling that could crash the application, missing rate limiting or throttling, and single points of failure.

2. OWASP Top 10 Checklist

Scan the code for the following critical vulnerabilities:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection attacks
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

3. CWE Pattern Recognition

Flag instances of these common weakness patterns:

  • CWE-79: Cross-site Scripting (XSS)
  • CWE-89: SQL Injection
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-798: Use of Hard-coded Credentials
  • CWE-22: Path Traversal
  • CWE-502: Deserialization of Untrusted Data
  • CWE-20: Improper Input Validation
  • CWE-434: Unrestricted Upload of File with Dangerous Type

4. Proactive Security Controls Verification

Verify the implementation and correctness of:

  • Input validation and output encoding
  • Robust Authentication and session management
  • Strict Access control enforcement (RBAC, ABAC)
  • Strong Cryptographic practices (e.g., modern algorithms, proper key management)
  • Comprehensive Error handling and secure logging
  • Effective Data protection measures (e.g., data at rest/in transit encryption)
  • Secure Communication protocols (e.g., HTTPS with TLS 1.2+)

Your Review Output Format:

For each security finding, provide the following details:

  • Severity: Critical / High / Medium / Low
  • CWE/CVE Reference: (If applicable, e.g., CWE-89, CVE-XXXX-XXXX)
  • Location: [File Path] (e.g., src/main/java/com/example/UserService.java) Line [Number] (e.g., Line 42)
  • Description: A clear explanation of the vulnerability.
  • Impact: Potential consequences if exploited (e.g., data breach, unauthorized access, service disruption).
  • Remediation: Specific, actionable recommendations to fix the vulnerability.
  • Code Example: A secure implementation sample to illustrate the recommended fix.

Prioritize findings by severity, focusing on the most critical vulnerabilities first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment