refactor: collapse 23 pattern files into focused checklist

Models already know what SQL injection and XSS are. They don't need
tutorials - they need a checklist to ensure nothing is missed.

Before: 23 individual pattern files (~100KB total)
After: 1 focused checklist (~4KB)

Same coverage, better signal-to-noise ratio for review context.
Rodin
2026-05-11 00:18:36 -07:00
parent 1eac5d3bcc
commit b988751861
25 changed files with 128 additions and 3753 deletions
+31 -88
@@ -1,95 +1,38 @@
# Security Patterns
Scannable patterns for security code review. Each file has:
- **Rule** — what to do
- **Correct Pattern** — code that works (Python)
- **Incorrect Pattern** — common mistakes
- **Edge Cases** — gotchas
A focused security checklist for AI-assisted code review.
Based on OWASP Top 10:2025 and recent security research.
## Philosophy
## Patterns
### Fundamentals
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [secure-defaults.md](secure-defaults.md) | Fail closed, deny by default, defense in depth | A06 |
| [input-validation.md](input-validation.md) | Allowlist > blocklist, validate at boundaries | A03 |
| [credential-handling.md](credential-handling.md) | No hardcoded secrets, environment/secret manager | — |
| [audit-logging.md](audit-logging.md) | What to log, what not to log | A09 |
| [error-handling.md](error-handling.md) | Fail closed, no sensitive info in errors | A10 |
### Identity & Session
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [authentication.md](authentication.md) | Passwords, tokens, MFA, brute force protection | A07 |
| [authorization.md](authorization.md) | Permission checks, IDOR prevention, privilege escalation | A01 |
| [jwt-security.md](jwt-security.md) | Algorithm confusion, weak secrets, expiration | A07 |
| [session-management.md](session-management.md) | Session fixation, hijacking, secure cookies | A07 |
### Injection & Request Attacks
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [injection-prevention.md](injection-prevention.md) | SQL, command, template, path traversal | A05 |
| [ssrf.md](ssrf.md) | Server-side request forgery, metadata endpoints | A10 |
| [xxe.md](xxe.md) | XML external entities, DTD attacks | A05 |
| [deserialization.md](deserialization.md) | Untrusted data deserialization, pickle, yaml | A08 |
| [open-redirect.md](open-redirect.md) | URL validation, OAuth redirect URI | A01 |
### Client-Side Security
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [csp.md](csp.md) | Content Security Policy, nonces, hashes | A05 |
| [cors.md](cors.md) | Origin validation, credential handling | A01 |
| [clickjacking.md](clickjacking.md) | X-Frame-Options, frame-ancestors | A01 |
### Application Logic
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [race-conditions.md](race-conditions.md) | TOCTOU, atomic check-and-act, database locks | — |
| [dos-prevention.md](dos-prevention.md) | Rate limiting, resource bounds, algorithmic complexity | — |
| [file-upload.md](file-upload.md) | Content validation, safe storage, malware scanning | A04 |
### AI/LLM Security
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [prompt-injection.md](prompt-injection.md) | LLM security, data/instruction separation | — |
### Infrastructure
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [supply-chain.md](supply-chain.md) | SBOM, dependency scanning, signed packages | A03 |
| [cryptography.md](cryptography.md) | Strong algorithms, key management, TLS | A04 |
## OWASP Top 10:2025 Coverage
| # | Category | Patterns |
|---|----------|----------|
| A01 | Broken Access Control | authorization, cors, clickjacking, open-redirect |
| A02 | Security Misconfiguration | secure-defaults |
| A03 | Software Supply Chain Failures | supply-chain |
| A04 | Cryptographic Failures | cryptography, file-upload |
| A05 | Injection | injection-prevention, xxe, csp |
| A06 | Insecure Design | secure-defaults |
| A07 | Authentication Failures | authentication, jwt-security, session-management |
| A08 | Software or Data Integrity Failures | deserialization |
| A09 | Security Logging and Alerting Failures | audit-logging |
| A10 | Mishandling of Exceptional Conditions | error-handling, ssrf |
## Sources
- [OWASP Top 10:2025](https://owasp.org/Top10/2025/)
- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)
- [OWASP LLM Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
- [CWE (Common Weakness Enumeration)](https://cwe.mitre.org/)
Models already know *what* SQL injection or XSS are. What they need is a checklist to ensure nothing is missed during review. This repo provides that checklist, not tutorials.
## Usage
Reference these patterns when building or reviewing systems. Code examples are in Python for universal model comprehension; concepts apply to any language.
The `SECURITY-CHECKLIST.md` file is designed to be loaded as context for a security-focused code reviewer. Point your review bot's `patterns-files` at this repo.
## Contents
- `SECURITY-CHECKLIST.md` - The review checklist covering:
- Input & Validation
- Authentication & Sessions
- Authorization
- Secrets & Credentials
- Request Handling
- Response & Headers
- Concurrency & State
- File Operations
- Logging & Audit
- Dependencies & Supply Chain
- AI/LLM Specific
## Integration
```yaml
# In your review workflow
patterns-repo: rodin/security-patterns
patterns-files: '.'
```
## License
MIT
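Review bot: The new `## Contents` list has no entry for cryptography, and the removed `## OWASP Top 10:2025 Coverage` table (A01 through A10 mapped to pattern files) has no replacement, although the intro still says "Based on OWASP Top 10:2025" and the commit message claims the same coverage. Suggest adding a short mapping from each checklist section to its OWASP category, plus a cryptography entry if the checklist covers it, so the coverage claim can be verified from the README, and keeping the `## Sources` links that back the "Based on" statement. Separately, in `## Integration`, `patterns-files: '.'` points at the whole repo while `## Usage` says `SECURITY-CHECKLIST.md` is the file designed to be loaded; if the option accepts a file path, naming that file would keep the README itself out of the review context.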