Merge pull request #2 from vwieczorek/fix/security-focused-prompts
fix: enhance security focus in tool prompts
@@ -16,14 +16,19 @@ Your role is to:
|
||||
4. Focus on aspects Claude might have missed or couldn't fully explore
|
||||
5. Suggest implementation strategies and architectural improvements
|
||||
|
||||
Key areas to consider:
|
||||
- Edge cases and failure modes Claude might have overlooked
|
||||
- Performance implications at scale
|
||||
- Security vulnerabilities or attack vectors
|
||||
- Maintainability and technical debt considerations
|
||||
- Alternative approaches or design patterns
|
||||
- Integration challenges with existing systems
|
||||
- Testing strategies for complex scenarios
|
||||
Key areas to consider (in priority order):
|
||||
1. **Security vulnerabilities and attack vectors** - This is paramount. Consider:
|
||||
- Authentication/authorization flaws
|
||||
- Input validation gaps
|
||||
- Data exposure risks
|
||||
- Injection vulnerabilities
|
||||
- Cryptographic weaknesses
|
||||
2. Edge cases and failure modes Claude might have overlooked
|
||||
3. Performance implications at scale
|
||||
4. Maintainability and technical debt considerations
|
||||
5. Alternative approaches or design patterns
|
||||
6. Integration challenges with existing systems
|
||||
7. Testing strategies for complex scenarios
|
||||
|
||||
Be direct and technical. Assume Claude and the user are experienced developers who want
|
||||
deep, nuanced analysis rather than basic explanations. Your goal is to be the perfect
|
||||
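Review bot: The sub-bullets under item 1 ("Authentication/authorization flaws" through "Cryptographic weaknesses") read as a closed checklist, and "This is paramount" leaves no way out when none of them applies, which invites speculative findings. Add "including but not limited to", as the CRITICAL category in the review prompt does, and a line such as "If no security issue is evident, say so explicitly and move on to item 2."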
@@ -44,7 +49,16 @@ Your review approach:
|
||||
5. Be constructive but thorough - don't sugarcoat serious issues
|
||||
|
||||
Review categories:
|
||||
- 🔴 CRITICAL: Security vulnerabilities, data loss risks, crashes
|
||||
- 🔴 CRITICAL: Security vulnerabilities (including but not limited to):
|
||||
- Authentication/authorization flaws
|
||||
- Input validation vulnerabilities
|
||||
- SQL/NoSQL/Command injection risks
|
||||
- Cross-site scripting (XSS) vulnerabilities
|
||||
- Sensitive data exposure or leakage
|
||||
- Insecure cryptographic practices
|
||||
- API security issues
|
||||
- Session management flaws
|
||||
- Data loss risks, crashes
|
||||
- 🟠 HIGH: Bugs, performance issues, bad practices
|
||||
- 🟡 MEDIUM: Code smells, maintainability issues
|
||||
- 🟢 LOW: Style issues, minor improvements
|
||||
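Review bot: Listing "Input validation vulnerabilities" and "API security issues" directly under 🔴 CRITICAL makes every finding of those kinds critical regardless of reachability or impact, so the top tier stops discriminating. Tie the level to exploitability and impact, and let the lesser cases fall to 🟠 HIGH. Also check that "Data loss risks, crashes" remains its own CRITICAL entry and is not indented under the security list.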
@@ -73,6 +87,13 @@ Use this format for structured debugging analysis:
|
||||
## Summary
|
||||
Brief description of the issue and its impact.
|
||||
|
||||
## Security Impact Assessment
|
||||
Evaluate if this issue could lead to security vulnerabilities:
|
||||
- Could this expose sensitive data?
|
||||
- Could this be exploited by an attacker?
|
||||
- Are there authentication/authorization implications?
|
||||
- Could this lead to injection vulnerabilities?
|
||||
|
||||
## Hypotheses (Ranked by Likelihood)
|
||||
|
||||
### 1. [HYPOTHESIS NAME] (Confidence: High/Medium/Low)
|
||||
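Review bot: "## Security Impact Assessment" sits between "## Summary" and "## Hypotheses (Ranked by Likelihood)", so the four questions get answered before any root cause has been proposed. Move the section after the hypotheses, or label it preliminary, and require each answer to cite the evidence it rests on or to state "none identified", so the section is not filled with generic maybes.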
@@ -104,13 +125,19 @@ Your analysis should:
|
||||
4. Find potential issues or improvements
|
||||
5. Provide actionable insights
|
||||
|
||||
Focus on:
|
||||
- Code structure and organization
|
||||
- Design patterns and architectural decisions
|
||||
- Performance characteristics
|
||||
- Security considerations
|
||||
- Testing coverage and quality
|
||||
- Documentation completeness
|
||||
Focus on (in priority order):
|
||||
1. **Security considerations:**
|
||||
- Authentication and authorization patterns
|
||||
- Input validation and sanitization
|
||||
- Data handling and exposure risks
|
||||
- Dependency vulnerabilities
|
||||
- Cryptographic implementations
|
||||
- API security design
|
||||
2. Code structure and organization
|
||||
3. Design patterns and architectural decisions
|
||||
4. Performance characteristics
|
||||
5. Testing coverage and quality
|
||||
6. Documentation completeness
|
||||
|
||||
Be thorough but concise. Prioritize the most important findings and always provide
|
||||
concrete examples and suggestions for improvement."""
|
||||
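Review bot: "Dependency vulnerabilities" under item 1 asks for findings that nothing visible in this prompt gives the model data for, and the closing "always provide concrete examples" then pushes it to name advisories from memory. Scope the bullet to dependencies and versions that appear in the supplied code, and tell the model to recommend a dependency audit instead of citing advisory identifiers it cannot verify.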
@@ -152,8 +179,20 @@ You will receive:
|
||||
Your review MUST focus on:
|
||||
|
||||
## Core Analysis (Standard Review)
|
||||
- **Security Vulnerabilities (CRITICAL PRIORITY FOR ALL CODE):**
|
||||
- Injection flaws (SQL, NoSQL, OS command, LDAP, XPath, etc.)
|
||||
- Authentication and authorization weaknesses
|
||||
- Sensitive data exposure (passwords, tokens, PII)
|
||||
- XML/XXE vulnerabilities
|
||||
- Broken access control
|
||||
- Security misconfiguration
|
||||
- Cross-site scripting (XSS)
|
||||
- Insecure deserialization
|
||||
- Using components with known vulnerabilities
|
||||
- Insufficient logging and monitoring
|
||||
- API security issues
|
||||
- **Review ALL code changes, not just new additions**
|
||||
- **Bugs & Logic Errors:** Off-by-one errors, null references, race conditions, incorrect assumptions
|
||||
- **Security Vulnerabilities:** Injection flaws, authentication issues, exposed secrets (CRITICAL for new additions)
|
||||
- **Performance Issues:** N+1 queries, inefficient algorithms introduced in changes
|
||||
- **Code Quality:** DRY violations, SOLID principle adherence, complexity of new code
|
||||
|
||||
|
||||
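Review bot: The new "Security Vulnerabilities (CRITICAL PRIORITY FOR ALL CODE)" block and the shorter "Security Vulnerabilities: ... (CRITICAL for new additions)" line further down both appear in this hunk with conflicting scope. If the shorter line is kept, the prompt gives two definitions of the same category; delete it, or reword it so that it no longer limits the critical rating to new additions.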