Skip to content

Commit f158375

Browse files
author
hallelx2
committed
chore(standards): created local '.github/instructions/security.instructions.md' from remote '.github/instructions/security.instructions.md'
Synced AI-review standards from hallelx2/dev-standards.
1 parent 92fd3a3 commit f158375

1 file changed

Lines changed: 11 additions & 0 deletions

File tree

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
---
2+
applyTo: "**"
3+
---
4+
5+
Security review for every changed file, against **OWASP Top 10 (2021)** + **CWE Top 25**. Treat an uncertain security question as a finding and say so. Cite `file:line`, the **OWASP/CWE id**, and the fix.
6+
7+
- **Authorization & multi-tenant isolation** — is every data access scoped to the caller's org/tenant? Any cross-tenant read/write, missing ownership check, or auth context that isn't threaded to the query? (Top risk in `vectorless-control-plane`.)
8+
- **Secrets / BYOK** — model keys encrypted at rest, never logged, never returned in responses/errors; no secrets in client bundles or committed files.
9+
- **Injection / SSRF** — parameterize queries; validate and allowlist any URL/host from input; no unsafe deserialization.
10+
- **Crypto** — strong algorithms, no hardcoded keys/IVs, authenticated encryption, secure randomness.
11+
- **Dependencies** — new packages justified, reputable, no known CVEs.

0 commit comments

Comments
 (0)