security-auditor

What problem does it solve?

Identifies and prioritizes security risks in a Next.js TypeScript trading terminal codebase by detecting exposed secrets, insecure endpoints, missing rate limits, unsafe wallet handling, and misconfigured deployment settings before production deployment.

Core Features & Use Cases

• Secrets Discovery: Scans source files and environment examples for exposed API keys, private keys, and hardcoded secrets and checks Git history for leaked credentials.
• Rate Limiting & API Protection: Detects API routes lacking rate limiting, recommends Upstash/Redis patterns, and provides example enforcement code and thresholds for critical endpoints.
• Wallet and Key Safety: Audits wallet handling for privateKey/mnemonic leakage, localStorage misuse, and enforces secure key stores and transaction simulation practices.
• Webhook & Integration Checks: Validates Stripe webhook signature verification, recommends secure handling for third-party integrations, and flags insecure HTTP endpoints.
• Infrastructure & Data Controls: Verifies security headers, Supabase RLS expectations for sensitive tables, input sanitization practices, and npm dependency vulnerabilities via npm audit.
• Output: Produces an actionable, categorized audit report with Critical/High/Medium findings and remediation guidance suitable for triage and sprint planning.

Quick Start

Run the security-auditor checklist to scan the repository for exposed secrets, missing rate limits, insecure headers, unsafe wallet handling, and generate a categorized audit report.