Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like "check for SQL injection" or "review security".
Code Security Guidelines
Comprehensive security rules for writing secure code across multiple languages and frameworks. Covers OWASP Top 10 vulnerabilities, infrastructure security, and coding best practices.
How It Works
- When you write or review code, reference these security guidelines
- Each rule includes incorrect (vulnerable) and correct (secure) code examples
- Rules are organized by vulnerability category and impact level
Categories
Critical Impact
- SQL Injection - Use parameterized queries, never concatenate user input
- Command Injection - Avoid shell commands with user input, use safe APIs
- XSS - Escape output, use framework protections
- XXE - Disable external entities in XML parsers
- Path Traversal - Validate and sanitize file paths
- Insecure Deserialization - Never deserialize untrusted data
- Code Injection - Never eval() user input
- Hardcoded Secrets - Use environment variables or secret managers
- Memory Safety - Prevent buffer overflows, use-after-free (C/C++)
High Impact
- Insecure Crypto - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
- Insecure Transport - Use HTTPS, verify certificates
- SSRF - Validate URLs, use allowlists
- JWT Issues - Always verify signatures
- CSRF - Use CSRF tokens on state-changing requests
- Prototype Pollution - Validate object keys in JavaScript
Infrastructure
- Terraform AWS/Azure/GCP - Encryption, least privilege, no public access
- Kubernetes - No privileged containers, run as non-root
- Docker - Don't run as root, pin image versions
- GitHub Actions - Avoid script injection, pin action versions
Usage
Reference the rules in rules/ directory for detailed examples:
rules/sql-injection.md- SQL injection preventionrules/xss.md- Cross-site scripting preventionrules/command-injection.md- Command injection preventionrules/_sections.md- Full index of all 28 rule categories
Quick Reference
| Vulnerability | Key Prevention |
|---|---|
| SQL Injection | Parameterized queries |
| XSS | Output encoding |
| Command Injection | Avoid shell, use APIs |
| Path Traversal | Validate paths |
| SSRF | URL allowlists |
| Secrets | Environment variables |
| Crypto | SHA-256, AES-256 |
You Might Also Like
Related Skills
create-pr
Creates GitHub pull requests with properly formatted titles that pass the check-pr-title CI validation. Use when creating PRs, submitting changes for review, or when the user says /pr or asks to create a pull request.
n8n-io
electron-chromium-upgrade
Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.
electron
pr-creator
Use this skill when asked to create a pull request (PR). It ensures all PRs follow the repository's established templates and standards.
google-gemini
clawdhub
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.
moltbottmux
Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.
moltbot
create-pull-request
Create a GitHub pull request following project conventions. Use when the user asks to create a PR, submit changes for review, or open a pull request. Handles commit analysis, branch management, and PR creation using the gh CLI tool.
cline