Using Replit agent 3 for a security review

This blog post contains the prompt to feed into Replit agent 3 so that it conducts a comprehensive security review.

@ankuroberai

10/11/2025 · 3 min read


Paste everything below into Replit

Perform a comprehensive security assessment of the entire current codebase and configuration without making any code changes and without assuming the tech stack (infer it from the repo). Produce a single Markdown report plus any referenced artifacts. The goal is a clear, actionable assessment only—no remediation PRs or code edits.

Scope

  • Include all subprojects in the monorepo, server/backend, frontend/clients, scripts, jobs/workers, CLI tools, infrastructure-as-code (Dockerfiles, Kubernetes, Terraform, CloudFormation), CI/CD pipelines, cron jobs, serverless functions, configurations, environment templates, and deployment manifests.

  • Include third-party integrations (e.g., payments, auth, analytics, messaging, storage, webhooks), databases, caches, queues, object storage, and any admin or internal tools.

Methods (non-destructive)

  • Static analysis (code review).

  • (If supported in this environment) Safe, read-only dynamic checks against local/dev builds without mutating data.

  • Dependency & supply-chain review (licenses, SBOM, pinned versions, transitive risks).

  • Secret discovery (including .env*, config files, code, commit history/metadata if accessible).

  • Configuration review (security headers, TLS, CORS, CSP, cookie/session settings, role & permission models).

  • Access control design review (authN/authZ, RBAC/ABAC, multi-tenancy boundaries).

What to Check (organize findings by category)

  1. Authentication & Session

    • Login/registration/reset flows; MFA support; brute-force protection; rate limiting; account lockout; session timeout/rotation; logout invalidation.

    • Cookie flags (Secure, HttpOnly, SameSite), token storage (JWT/refresh), replay prevention, clock skew handling.

  2. Authorization

    • Broken object level auth (IDOR), function-level auth, vertical/horizontal privilege escalation, multi-tenant isolation and data partitioning.

  3. Input Handling & Injection

    • XSS (stored/reflected/DOM), SQL/NoSQL/ORM injection, command injection, template injection, LDAP, path traversal, deserialization, SSRF, request smuggling, open redirects.

  4. Webhooks & Callbacks

    • Signature verification (e.g., HMAC/PKI), secret usage, timestamp/replay windows, origin validation, idempotency, event validation.

  5. API Security

    • Schema validation, strict content types, pagination limits, resource quotas, error leakage, GraphQL introspection & depth/complexity limits (if applicable).

  6. Security Headers & Browser Controls

    • HSTS, CSP (and violations), X-Frame-Options/Frame-Ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP if relevant.

  7. CORS

    • Allowed origins, credentials usage, wildcards, preflight handling, method/header restrictions.

  8. File Uploads

    • Content validation, extension/MIME checks, storage location, AV scanning hooks, path traversal, executable bit, public exposure, signed URL expiry.

  9. Secrets & Config

    • Hardcoded secrets/keys/tokens; .env consistency; least-privilege for credentials; rotated/pinned keys; separation of prod vs. non-prod configs.

  10. Data Protection & Privacy

    • PII/PHI handling patterns, encryption at rest/in transit, key management, data retention/deletion, logs redaction. Note any likely compliance risks (e.g., GDPR/FERPA/HIPAA) as flags only.

  11. Cloud/Infra

    • Publicly exposed services/ports, default creds, network policies, security groups, bucket/container ACLs, IAM roles & boundaries, image hardening, SBOMs, provenance (SLSA-like).

  12. CI/CD & Supply Chain

    • Protected branches, required reviews, dependency pinning/lockfiles, build secrets exposure, artifact signing/verification, tamper checks.

  13. DoS & Abuse Controls

    • Rate limits, timeouts, circuit breakers, expensive query guards, file size limits, pagination caps, cache poisoning.

  14. Observability

    • Sensitive data in logs, structured logging, correlation IDs, security event logging, alerting hooks.

  15. Business-Logic & Race Conditions

    • Invariants (e.g., inventory/seats/payments), idempotency, double-spend/overbooking risks, concurrency issues.

  16. Frontend/App Clients

    • Client-side secret exposure, unsafe sinks, DOM API misuse, third-party widgets, CSP-unsafe inline scripts/styles.

Deliverables (Markdown Report)

  1. Executive Summary (1–2 pages)

    • Overall risk posture; top 10 risks; immediate attention items.

  2. Risk Matrix

    • Severity per OWASP style + CVSS v3.1 score (Base vector shown).

  3. Findings Catalog
    For each finding:

    • Title, Category, Severity + CVSS, Affected assets (service/app/path), Evidence (file:line, endpoint, config), Proof-of-Concept (curl/request/payload/steps), Impact, Likelihood/Exploitability, Dependencies involved (if any), References (OWASP/CWE/CVE).

    Do not include code fixes. Limit to description and evidence.

  4. Dependency & SBOM Appendix

    • SBOM (format: SPDX or CycloneDX), vulnerable packages (direct/transitive), versions, advisories, and where they are used.

  5. Secrets & Exposure Appendix

    • Any discovered secrets/tokens/keys with locations (mask sensitive parts), suggested owners (if inferable), and blast radius description (no rotation steps).

  6. Config & Surface Maps

    • Table of externally exposed endpoints/services/ports; CORS/headers snapshot; storage buckets and access levels; auth flows.

  7. Safe Reproduction Guide

    • Steps to reproduce key issues in a non-destructive way using local/dev targets.

Output & Artifacts

  • Primary output: SECURITY_REVIEW_REPORT.md.

  • Additional machine-readable files:

    • findings.json (array with fields mirroring the catalog above).

    • sbom.(spdx|cdx).json if generated.

    • dependencies-audit.json (vuln summary).

  • Cross-link all file:line references and endpoints within the Markdown for quick navigation.

Constraints

  • Do not modify code, configs, secrets, or pipelines.

  • Do not run destructive payloads or send real external calls.

  • Assume the environment has the necessary permissions to read the repo and run local builds/tests where safe.

  • Detect the stack automatically from the repository; do not guess.

When complete, return the full Markdown report and attach the JSON/SBOM artifacts.