197
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill leavesfly/jimi --skill security-checklist- security-scan.sh5.2 KB
- SKILL.md8.4 KB
Overview
This skill provides a concise OWASP-based security checklist for Java applications, mapped to the OWASP Top 10 (2021) and common secure development controls. It collects practical mitigations, configuration examples, and recommended tools to help teams reduce common web-app risks. Use it as a review template during design, code review, and deployment checks.
How this skill works
The skill inspects application controls and configuration against OWASP Top 10 categories (access control, cryptography, injection, insecure design, configuration, vulnerable components, authentication, integrity, logging, SSRF). It highlights concrete mitigations, code snippets, configuration samples, and tool suggestions for static, dependency and dynamic testing. It outputs a compact checklist and emergency response steps for discovered issues.
When to use it
- Design reviews and threat modeling sessions
- Code reviews and pull-request security checks
- Pre-release security checklists and deployment gates
- Periodic dependency and configuration audits
- Incident triage and emergency patch planning
Best practices
- Default-deny access control and RBAC for sensitive endpoints
- Encrypt data in transit (TLS) and at rest; use strong hashes (bcrypt/Argon2)
- Use parameterized queries and validate/escape all external input
- Keep dependencies minimal and scanned; apply signed updates and patch promptly
- Centralize logs, monitor security events, and alert on anomalies
- Integrate security into SDLC: threat modeling, secure coding, SCA, and pentesting
Example use cases
- Validate API and admin endpoints enforce role checks before deployment
- Add dependency scanning (OWASP Dependency-Check, Snyk) to CI pipelines
- Harden Spring apps: disable devtools, hide stack traces, enable CSRF and security headers
- Replace insecure deserialization with safe formats (JSON) and validate payloads
- Prepare an incident runbook: assess, isolate, patch, verify, and review
FAQ
Use parameterized queries (PreparedStatement) or ORM query binding; never concatenate user input into SQL. Validate input and apply least privilege to DB accounts.
Which tools should I add to CI for dependency and code checks?
Run OWASP Dependency-Check or Snyk for libraries, SpotBugs or SonarQube for static analysis, and integrate secret scanners like git-secrets or TruffleHog.