Security Audit

AI-powered security analysis for your applications (Ultra plan feature).

Overview

Security Audit automatically scans your code for:

  • Common vulnerabilities (OWASP Top 10)
  • Security best practices violations
  • Exposed secrets and API keys
  • Authentication weaknesses
  • Data validation issues

How to Use

Run Security Audit

  1. Open your project
  2. Click Tools → Security Audit
  3. Wait for the AI analysis (30-60 seconds)
  4. Review the findings and recommendations

In Chat

Ask the AI directly:

"Run a security audit on my project"
"Check for security vulnerabilities"
"Analyze authentication security"

What Gets Checked

Authentication & Authorization

Checks:

  • Password strength requirements
  • Session management
  • JWT token security
  • OAuth implementation
  • Role-based access control (RBAC)

Example Issues:

// ❌ Weak: No password requirements
const password = userInput;

// ✅ Strong: Validated password
const schema = z.string()
  .min(8)
  .regex(/[A-Z]/, 'Must contain uppercase')
  .regex(/[0-9]/, 'Must contain number');

Input Validation

Checks:

  • SQL injection prevention
  • XSS (Cross-Site Scripting) protection
  • Command injection prevention
  • Path traversal protection

Example Issues:

// ❌ Vulnerable to SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ Protected with parameterized query
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('id', userId);

Data Exposure

Checks:

  • Exposed API keys
  • Hardcoded secrets
  • Sensitive data in logs
  • Unencrypted sensitive data

Example Issues:

// ❌ Exposed secret
const apiKey = "sk_live_abc123";

// ✅ Environment variable
const apiKey = process.env.STRIPE_SECRET_KEY;

HTTPS & Transport Security

Checks:

  • HTTPS enforcement
  • Secure cookie flags
  • CORS configuration
  • Content Security Policy (CSP)

Example Issues:

// ❌ Insecure cookie
res.cookie('session', token);

// ✅ Secure cookie
res.cookie('session', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'strict'
});

Dependencies

Checks:

  • Known vulnerable packages
  • Outdated dependencies
  • Unused dependencies
  • License compliance

Example Issues:

// ❌ Vulnerable version
"lodash": "4.17.15"

// ✅ Patched version
"lodash": "4.17.21"

File Upload Security

Checks:

  • File type validation
  • File size limits
  • Malicious file detection
  • Storage security

Example Issues:

// ❌ No validation
const file = req.file;
await storage.upload(file);

// ✅ Validated upload
const file = req.file;
const allowedTypes = ['image/jpeg', 'image/png'];
if (!allowedTypes.includes(file.mimetype)) {
  throw new Error('Invalid file type');
}
if (file.size > 5 * 1024 * 1024) {
  throw new Error('File too large');
}
await storage.upload(file);

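The validated upload above trusts `file.mimetype`, which is supplied by the client. The following added example (not the product's code) checks the file's leading bytes against the JPEG and PNG signatures as well, enforces the same 5 MB limit, and rejects uploads whose declared type does not match their content. The `req.file` shape (buffer, size, mimetype) is assumed to follow the multer-style object the snippet uses.

```javascript
// Added example: content-based upload validation. Not the product's own code.
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

// Leading bytes ("magic numbers") of the two types the page allows.
const SIGNATURES = [
  { mime: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { mime: 'image/png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
];

// Detect the image type from the buffer contents; null when no signature matches.
function sniffImageType(buf) {
  for (const { mime, magic } of SIGNATURES) {
    if (buf.length >= magic.length && buf.subarray(0, magic.length).equals(magic)) {
      return mime;
    }
  }
  return null;
}

// Validate one upload. Returns { ok: true, mime } or { ok: false, reason }.
function validateUpload(file) {
  if (file.size > MAX_UPLOAD_BYTES) {
    return { ok: false, reason: 'File too large' };
  }
  const detected = sniffImageType(file.buffer);
  if (detected === null) {
    return { ok: false, reason: 'Invalid file type' };
  }
  // The client-declared type must agree with the bytes; a mismatch is rejected.
  if (file.mimetype !== detected) {
    return { ok: false, reason: 'Declared type does not match content' };
  }
  return { ok: true, mime: detected };
}

// Constructed sample: declared as PNG, but the bytes are an HTML document.
const SPOOFED_UPLOAD = {
  mimetype: 'image/png',
  size: 26,
  buffer: Buffer.from('<html>not an image</html>'),
};
```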
Severity Levels

🔴 Critical

Immediate action required. Exploitable vulnerabilities.

Examples:

  • SQL injection
  • Exposed API keys
  • Authentication bypass
  • Remote code execution

🟠 High

Should be fixed soon. Significant security risk.

Examples:

  • XSS vulnerabilities
  • Weak password requirements
  • Missing authentication
  • Insecure direct object references

🟡 Medium

Should be addressed. Moderate security risk.

Examples:

  • Missing HTTPS
  • Weak CORS policy
  • Insufficient logging
  • Outdated dependencies

🟢 Low

Best practice improvements. Minor security concerns.

Examples:

  • Missing security headers
  • Verbose error messages
  • Unused dependencies
  • Code quality issues

Audit Report

Report Sections

Executive Summary

  • Total issues found
  • Severity breakdown
  • Overall security score (0-100)
  • Top recommendations

Detailed Findings

For each issue:

  • Description
  • Severity level
  • Affected files and line numbers
  • Explanation of risk
  • Remediation steps
  • Code examples

Best Practices

  • Security recommendations
  • Framework-specific guidance
  • Industry standards (OWASP, NIST)

Export Report

Download audit report as:

  • PDF (formatted report)
  • JSON (machine-readable)
  • Markdown (for documentation)

Auto-Fix

For some issues, the AI can generate a fix automatically:

  1. Review finding in audit report
  2. Click Auto-Fix button
  3. AI generates secure code
  4. Review changes
  5. Apply fix

Auto-fixable issues:

  • Exposed secrets → Environment variables
  • Weak validation → Zod schemas
  • Missing HTTPS → Redirect rules
  • Insecure cookies → Secure flags

Continuous Monitoring

Scheduled Audits

Set up automatic audits:

  1. Go to Settings → Security
  2. Enable Scheduled Audits
  3. Choose a frequency:
    • Daily
    • Weekly
    • On every deployment

Audit Webhooks

Get notified of new issues:

{
  "event": "security_audit_completed",
  "project_id": "abc123",
  "severity": {
    "critical": 0,
    "high": 2,
    "medium": 5,
    "low": 8
  },
  "score": 78,
  "url": "https://prompttoapp.dev/projects/abc123/audit"
}

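A webhook body is untrusted input, so a receiver should validate its shape before acting on it, which is the same principle as the Validated example under Insecure Deserialization below. This added example (not the product's own code) parses the payload shown above and applies a deploy gate that mirrors the Fix Priority guidance: block when any critical or high findings remain, or when the score falls below a threshold. The policy thresholds and the `reason` wording are assumptions.

```javascript
// Added example: validate the audit webhook payload, then gate on it.
// Not the product's own code; POLICY values are assumed thresholds.
const POLICY = { maxCritical: 0, maxHigh: 0, minScore: 70 };
const LEVELS = ['critical', 'high', 'medium', 'low'];

function isCount(v) {
  return Number.isInteger(v) && v >= 0;
}

// Parse and validate the raw webhook body. Throws on anything unexpected
// rather than passing unvalidated fields on to the rest of the pipeline.
function parseAuditEvent(raw) {
  const body = JSON.parse(raw);
  if (body.event !== 'security_audit_completed') throw new Error('unexpected event');
  if (typeof body.project_id !== 'string' || !/^[A-Za-z0-9_-]+$/.test(body.project_id)) {
    throw new Error('bad project_id');
  }
  if (typeof body.severity !== 'object' || body.severity === null) throw new Error('bad severity');
  const severity = {};
  for (const level of LEVELS) {
    if (!isCount(body.severity[level])) throw new Error(`bad count for ${level}`);
    severity[level] = body.severity[level];
  }
  if (!isCount(body.score) || body.score > 100) throw new Error('bad score');
  if (typeof body.url !== 'string' || !body.url.startsWith('https://')) throw new Error('bad url');
  return { projectId: body.project_id, severity, score: body.score, url: body.url };
}

// Decide whether a deployment may proceed. Returns { pass, reasons }.
function evaluateGate(event, policy = POLICY) {
  const reasons = [];
  if (event.severity.critical > policy.maxCritical) {
    reasons.push(`${event.severity.critical} critical finding(s)`);
  }
  if (event.severity.high > policy.maxHigh) {
    reasons.push(`${event.severity.high} high finding(s)`);
  }
  if (event.score < policy.minScore) {
    reasons.push(`score ${event.score} below ${policy.minScore}`);
  }
  return { pass: reasons.length === 0, reasons };
}

// Constructed sample body, matching the payload shown above.
const SAMPLE_WEBHOOK = JSON.stringify({
  event: 'security_audit_completed',
  project_id: 'abc123',
  severity: { critical: 0, high: 2, medium: 5, low: 8 },
  score: 78,
  url: 'https://prompttoapp.dev/projects/abc123/audit',
});
```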
Integration with CI/CD

GitHub Actions

name: Security Audit
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Security Audit
        run: npx prompttoapp-cli audit
        env:
          PROMPTTOAPP_API_KEY: ${{ secrets.PROMPTTOAPP_API_KEY }}

Pre-Commit Hook

#!/bin/sh
# .git/hooks/pre-commit

echo "Running security audit..."
npx prompttoapp-cli audit --fail-on-critical

if [ $? -ne 0 ]; then
  echo "❌ Security audit failed. Fix critical issues before committing."
  exit 1
fi

Best Practices

Regular Audits

  • Run audit before every deployment
  • Schedule weekly automated audits
  • Audit after adding new features
  • Audit third-party integrations

Fix Priority

  1. Critical: Fix immediately
  2. High: Fix within 24 hours
  3. Medium: Fix within 1 week
  4. Low: Fix in next sprint

Team Workflow

  1. Developer runs audit locally
  2. Fix critical/high issues
  3. Create PR with fixes
  4. Automated audit in CI/CD
  5. Security review before merge

Common Vulnerabilities

XSS (Cross-Site Scripting)

Problem:

// ❌ Vulnerable
<div dangerouslySetInnerHTML={{ __html: userInput }} />

Solution:

// ✅ Safe: React escapes text children
<div>{userInput}</div>
// Or sanitize:
<div dangerouslySetInnerHTML={{
  __html: DOMPurify.sanitize(userInput)
}} />

CSRF (Cross-Site Request Forgery)

Problem:

// ❌ No CSRF protection
app.post('/api/transfer', async (req, res) => {
  await transferMoney(req.body);
});

Solution:

// ✅ CSRF token validation
app.post('/api/transfer', csrfProtection, async (req, res) => {
  await transferMoney(req.body);
});

Insecure Deserialization

Problem:

// ❌ Unsafe: parsed data used without checking its shape
const data = JSON.parse(userInput);

Solution:

// ✅ Validated against a schema
const schema = z.object({
  name: z.string(),
  age: z.number()
});
const data = schema.parse(JSON.parse(userInput));

Compliance

Security Audit helps with:

  • GDPR: Data protection requirements
  • HIPAA: Healthcare data security
  • PCI DSS: Payment card security
  • SOC 2: Security controls
  • ISO 27001: Information security

Limitations

What's Not Checked

  • Business logic flaws
  • Social engineering vulnerabilities
  • Physical security
  • Third-party service security
  • Runtime behavior (only static analysis)

False Positives

Some findings may be false positives. Review each issue carefully.

Support

Need help with security?

Pricing

Security Audit is included in:

  • ❌ Essentials plan
  • ❌ Plus plan
  • ✅ Ultra plan ($99/month)
  • ✅ Enterprise plan

Upgrade to Ultra to access Security Audit.