From 77b0f31e175cbc26c1b98bbb9fab0343b5a121c7 Mon Sep 17 00:00:00 2001 From: Commando-X Date: Sat, 28 Feb 2026 16:37:32 +0100 Subject: [PATCH 01/13] user3 --- badApi/account.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/badApi/account.js b/badApi/account.js index 1f1c97c..9ef7770 100644 --- a/badApi/account.js +++ b/badApi/account.js @@ -4,7 +4,7 @@ const router = express.Router(); // In-memory database for storing user information (including sensitive data) const usersInfo = [ { username: 'user1', dob: '1990-01-01', address: '5, 3rd mainland Bridge', cardInfo: '1234-5678-9012-3456', children: ['Child1', 'Child2'], balance: 1000, role: 'user' }, - { username: 'user2', dob: '1985-05-15', address: '7, Ghost street', cardInfo: '9876-5432-1098-7654', children: ['Child3'], balance: 500, role: 'user' }, + { username: 'user3', dob: '1985-05-15', address: '7, Ghost street', cardInfo: '9876-5432-1098-7654', children: ['Child3'], balance: 500, role: 'user' }, ]; /** From f17854b29ec8aeeffa0b68cf5412528ca4a574a7 Mon Sep 17 00:00:00 2001 From: Commando-X Date: Sat, 28 Feb 2026 16:45:28 +0100 Subject: [PATCH 02/13] here we go --- .github/workflows/ai-security-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ai-security-review.yml b/.github/workflows/ai-security-review.yml index adb8ff9..241b92a 100644 --- a/.github/workflows/ai-security-review.yml +++ b/.github/workflows/ai-security-review.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read pull-requests: write - id-token: write + # id-token: write steps: - name: Checkout PR From 5c4bc5202f672ff9038341395887aac62aadd43b Mon Sep 17 00:00:00 2001 From: Commando-X Date: Sat, 28 Feb 2026 16:48:39 +0100 Subject: [PATCH 03/13] here we go 2 --- .github/workflows/ai-security-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ai-security-review.yml b/.github/workflows/ai-security-review.yml index 241b92a..386ea24 100644 --- a/.github/workflows/ai-security-review.yml +++ b/.github/workflows/ai-security-review.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read pull-requests: write - # id-token: write + id-token: write steps: - name: Checkout PR @@ -29,7 +29,7 @@ jobs: - name: Claude security review uses: anthropics/claude-code-action@v1 with: - anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} prompt: | REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} From 216a3e02605ed11a33710e554ebdd1dfefe3ca4b Mon Sep 17 00:00:00 2001 From: Commando-X Date: Sat, 28 Feb 2026 16:56:31 +0100 Subject: [PATCH 04/13] loan --- badApi/loan.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/badApi/loan.js b/badApi/loan.js index 15eb7fb..c1891b5 100644 --- a/badApi/loan.js +++ b/badApi/loan.js @@ -3,7 +3,7 @@ const router = express.Router(); // In-memory database for loan applications let loanApplications = [ - { username: 'user1', amount: 1000, status: 'pending' }, + { username: 'user1', amount: 2000, status: 'pending' }, ]; /** From 422dc35395b66e59d468de88a540cabcfe76537e Mon Sep 17 00:00:00 2001 From: Commando-X Date: Sat, 28 Feb 2026 17:05:45 +0100 Subject: [PATCH 05/13] otp update --- badApi/otp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/badApi/otp.js b/badApi/otp.js index 7e76b7f..60cf6f6 100644 --- a/badApi/otp.js +++ b/badApi/otp.js @@ -25,7 +25,7 @@ const router = express.Router(); * properties: * otp: * type: integer - * example: 123456 + * example: 1234567 * 500: * description: Internal server error * content: From caafe2314930f9b58ed70be459ca45f47c94ab8c Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 17:26:56 +0100 Subject: [PATCH 06/13] hmm --- .github/workflows/ai-security-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ai-security-review.yml b/.github/workflows/ai-security-review.yml index 386ea24..241b92a 100644 --- a/.github/workflows/ai-security-review.yml +++ b/.github/workflows/ai-security-review.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read pull-requests: write - id-token: write + # id-token: write steps: - name: Checkout PR @@ -29,7 +29,7 @@ jobs: - name: Claude security review uses: anthropics/claude-code-action@v1 with: - # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} prompt: | REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} From 2f96571c6959f5bbd2f8d23e013e14a30d6399fb Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 17:41:08 +0100 Subject: [PATCH 07/13] pword --- badApi/db.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/badApi/db.js b/badApi/db.js index 2e88a8a..8ad51ef 100644 --- a/badApi/db.js +++ b/badApi/db.js @@ -4,7 +4,7 @@ const mysql = require('mysql2'); const connection = mysql.createConnection({ host: 'localhost', user: 'ghost', - password: 'ghost_sec', //coming back here + password: 'ghost_sec1', //coming back here database: 'badapi_db2' }); From 58acb273804173f997ed4dafa0a52561095d7390 Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 17:49:13 +0100 Subject: [PATCH 08/13] OKAY --- badApi/admin.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/badApi/admin.js b/badApi/admin.js index 86dc9e2..3367cca 100644 --- a/badApi/admin.js +++ b/badApi/admin.js @@ -5,7 +5,7 @@ const router = express.Router(); const users = []; // Simulated user storage for the sake of example const usersInfo = [ { username: 'user1', dob: '1990-01-01', address: '5, 3rd mainland Bridge', cardInfo: '1234-5678-9012-3456', children: ['Child1', 'Child2'], balance: 1000, role: 'user' }, - { username: 'user2', dob: '1985-05-15', address: '7, Ghost street', cardInfo: '9876-5432-1098-7654', children: ['Child3'], balance: 500, role: 'user' }, + { username: 'user2', dob: '1985-05-17', address: '7, Ghost street', cardInfo: '9876-5432-1098-7654', children: ['Child3'], balance: 500, role: 'user' }, ]; /** From 93403f1bcadeb2e1247373d23643358abc613fb3 Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 17:50:37 +0100 Subject: [PATCH 09/13] no wonder --- .github/workflows/ai-security-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ai-security-review.yml b/.github/workflows/ai-security-review.yml index 241b92a..386ea24 100644 --- a/.github/workflows/ai-security-review.yml +++ b/.github/workflows/ai-security-review.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read pull-requests: write - # id-token: write + id-token: write steps: - name: Checkout PR @@ -29,7 +29,7 @@ jobs: - name: Claude security review uses: anthropics/claude-code-action@v1 with: - anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} prompt: | REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} From 968924090db7f0157732f281ec773a8a61b65f24 Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 17:58:05 +0100 Subject: [PATCH 10/13] New branch --- badApi/otp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/badApi/otp.js b/badApi/otp.js index 60cf6f6..9fcd780 100644 --- a/badApi/otp.js +++ b/badApi/otp.js @@ -39,7 +39,7 @@ const router = express.Router(); */ router.post('/otp', (req, res) => { - const otp = Math.floor(100 + Math.random() * 900); // Generate 3-digit random number + const otp = Math.floor(100 + Math.random() * 900); // Generate 3-digit random number. return res.json({ otp }); }); From be0e8f0d71ae3d9dc341cc1c98bbf13b2ae0e1aa Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 18:00:43 +0100 Subject: [PATCH 11/13] key --- .github/workflows/ai-security-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ai-security-review.yml b/.github/workflows/ai-security-review.yml index 386ea24..241b92a 100644 --- a/.github/workflows/ai-security-review.yml +++ b/.github/workflows/ai-security-review.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read pull-requests: write - id-token: write + # id-token: write steps: - name: Checkout PR @@ -29,7 +29,7 @@ jobs: - name: Claude security review uses: anthropics/claude-code-action@v1 with: - # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} prompt: | REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} From 385e713cacad7ac056166271ac533b1c15cc71b7 Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 18:05:44 +0100 Subject: [PATCH 12/13] hmm --- .github/workflows/ai-security-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ai-security-review.yml b/.github/workflows/ai-security-review.yml index 241b92a..adb8ff9 100644 --- a/.github/workflows/ai-security-review.yml +++ b/.github/workflows/ai-security-review.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read pull-requests: write - # id-token: write + id-token: write steps: - name: Checkout PR From 94eee1170a2c06dd5bd5f64e4536ab232c39c786 Mon Sep 17 00:00:00 2001 From: Badmus Date: Sat, 28 Feb 2026 22:14:44 +0100 Subject: [PATCH 13/13] update --- .github/workflows/ai-security-review.yml | 103 ++++++++++++++++++----- badApi/loan.js | 2 +- badApi/server.js | 2 +- 3 files changed, 85 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ai-security-review.yml b/.github/workflows/ai-security-review.yml index adb8ff9..46b709a 100644 --- a/.github/workflows/ai-security-review.yml +++ b/.github/workflows/ai-security-review.yml @@ -3,18 +3,11 @@ name: Claude Security Review on: pull_request: types: [opened, synchronize, ready_for_review, reopened] - # Optional: only run when security-sensitive areas change - # paths: - # - "src/auth/**" - # - "src/api/**" - # - "infra/**" - # - "config/**" jobs: security: runs-on: ubuntu-latest - # Least privilege for PR review + required OIDC for the Claude GitHub App permissions: contents: read pull-requests: write @@ -24,7 +17,84 @@ jobs: - name: Checkout PR uses: actions/checkout@v6 with: - fetch-depth: 1 + fetch-depth: 2 + + - name: Generate Security Policy Instructions + run: | + cat <<'EOF' > security_policy.md + You are a Principal Application Security Engineer performing a security-focused code review. + + ## CRITICAL – Block PR if found: + - Hardcoded secrets, tokens, credentials + - SQL Injection + - Remote Code Execution + - Path traversal + - Unsafe deserialization + - Missing authentication/authorization on sensitive endpoints + - Sensitive data exposure + + ## HIGH – Must Fix: + - XSS + - SSRF + - IDOR + - CSRF missing protections + - XXE + - Weak cryptography + - Race conditions affecting security + + ## MEDIUM – Fix before production: + - Missing input validation + - Overly permissive CORS + - Missing security headers + - Missing rate limiting + - Dependency vulnerabilities + - Insufficient logging + + ## Technology Specific Checks + + ### Python + - eval(), exec() + - pickle/yaml.load unsafe + - subprocess shell=True + - missing authentication decorators + - weak password hashing + - JWT validation flaws + + ### JavaScript/TypeScript + - innerHTML with user input + - eval()/Function() + - insecure postMessage + - localStorage for sensitive data + - exposed API keys + + ### Infrastructure (Terraform) + - 0.0.0.0/0 ingress + - "*" IAM policies + - unencrypted storage + - public S3 buckets + - missing logging + + ## Output Format + + For each finding: + + :red_circle: CRITICAL | :large_yellow_circle: HIGH | :large_orange_circle: MEDIUM | :large_blue_circle: LOW + + **Issue:** + **Location:** File:Line + **Risk:** + **Fix:** + **Reference:** CWE/OWASP if applicable + + ## Summary + + - Security Score: PASS or FAIL + - Count by severity + - Must-fix before merge + - Positive security practices observed + + Focus strictly on security. Ignore style or performance unless security-related. + EOF - name: Claude security review uses: anthropics/claude-code-action@v1 @@ -34,20 +104,13 @@ jobs: REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} - Perform a security-focused review. Prioritize: - - AuthN/AuthZ issues (BOLA/BFLA/BOPLA) - - Injection (SQLi/NoSQLi/Command) - - SSRF, deserialization, crypto misuse - - Sensitive data exposure, logging issues - - Security misconfig in code/config + Below is the mandatory security review policy to follow strictly: + + $(cat security_policy.md) - For each finding, include: - Severity: CRITICAL/HIGH/MEDIUM/LOW - What/Where - Impact - Recommendation + Analyze ALL changes in this PR and produce a structured security review according to the policy above. Use inline comments for line-level issues and one top-level summary comment. claude_args: | - --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" + --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" \ No newline at end of file diff --git a/badApi/loan.js b/badApi/loan.js index c1891b5..d466ab8 100644 --- a/badApi/loan.js +++ b/badApi/loan.js @@ -3,7 +3,7 @@ const router = express.Router(); // In-memory database for loan applications let loanApplications = [ - { username: 'user1', amount: 2000, status: 'pending' }, + { username: 'user1', amount: 5000, status: 'pending' }, ]; /** diff --git a/badApi/server.js b/badApi/server.js index a641469..cf21503 100644 --- a/badApi/server.js +++ b/badApi/server.js @@ -20,7 +20,7 @@ app.use(bodyParser.json()); // Swagger setup const swaggerOptions = { swaggerDefinition: { - openapi: '3.0.0', + openapi: '3.0.1', info: { title: 'BadAPI Documentation', version: '1.0.0',