Security audit
Derive checklists from models like STRIDE—authn/z, sessions, log redaction, dependency surface—good self-check before release or pentests.
This category spans threat-model-driven audits, secret scanning in pipelines, SBOM and supply-chain visibility, and defenses for two high-frequency classes: SQL injection and XSS. It connects to compliance & privacy and identity & API for defense in depth from code to runtime.
In the hub it leads the “security & compliance” band. The five entries match the main hub.
Scan repos and build logs in pre-commit and CI; triage false positives and rotate on leaks—pair with KMS and short-lived credentials.
SPDX/CycloneDX manifests linked to CVEs and license obligations—they support incident response and procurement audits; overlaps with license compliance.
Parameterized queries, least-privilege DB roles, safe ORM usage; any remaining dynamic SQL needs allowlisted identifiers and focused review.
Output encoding, template auto-escaping, CSP, trusted types—cover stored, reflected, and DOM XSS with frontend and backend together.