CodyMaster takes security seriously. Here's how the skill kit prevents and detects security vulnerabilities.
| Skill | What it does |
|---|---|
| cm-secret-shield | Pre-commit secret scanning, repo-wide pattern detection, token lifecycle management |
| cm-identity-guard | Verify git/deploy identity before push — prevents wrong-account deploys |
| cm-quality-gate | Layer 8: XSS scan + Gate 6: Snyk SAST integration |
Five skills enforce security patterns when generating or reviewing code:
- Frontend: No `innerHTML` without `escapeHtml()`, prefer `textContent`, validate URLs
- Python: All paths from config/input must use `safe_resolve()`, no `shell=True`
- Node/Express: Disable `x-powered-by`, set body limits, filter prototype pollution
Requires answering "How will dynamic data be rendered?" before starting frontend work.
Every XSS, path traversal, or injection fix starts with a failing test.
Mandatory security pass covering frontend, backend, and general patterns.
- Layer 8: Grep scan for unescaped `innerHTML` patterns
- Gate 6: Snyk Code SAST with severity-based gate decisions
Shared utility loaded in all HTML pages:
- `escapeHtml(str)` — Prevents DOM XSS in `innerHTML`
- `escapeHtmlWithBreaks(str)` — Preserves `\n` as `<br>` while escaping HTML
- `escapeAttr(str)` — Prevents attribute injection
Path traversal prevention:
- `safe_resolve(base, path)` — Validates path stays within base directory
- `safe_join(base, *parts)` — Safe path joining
- `safe_open(base, path)` — Safe file open
| Scan | Result |
|---|---|
| Snyk Code (SAST) | ✅ 0 medium+ issues |
| innerHTML grep scan | ✅ 0 unescaped patterns |
| Secret scan | ✅ 0 real issues (2 false positives in docs) |
If you discover a security vulnerability, please report it responsibly through the repository's private vulnerability reporting on GitHub rather than in a public issue.