sdcorejs-review-security-nestjs

Community

Audit NestJS security before release

Author: sdcorejs
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Prevents common NestJS backend security regressions by systematically auditing permissions, guard order, injection risks, CORS, secrets, rate limiting, and sensitive data handling before shipping.

Core Features & Use Cases

  • Cross-track + NestJS-specific baseline: Runs the shared review/security/shared.md first, then adds NestJS checks like @HasPermission on write endpoints and AuthGuard vs ZodValidationGuard order.
  • Targeted vulnerability detection: Flags likely issues for Broken Access Control (A01), Injection (A03), permissive CORS, missing upload limits, weak JWT secret handling, missing rate limits, potential secrets logging, mass assignment patterns, and soft-delete leakage.
  • Actionable audit output: Produces Critical/Important/Minor findings and includes a mandatory manual section that is tested in a production-like configuration.

Quick Start

Run the skill when you need a pre-release NestJS security gate by invoking it with the request "security review nestjs".

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: sdcorejs-review-security-nestjs
Download link: https://github.com/sdcorejs/sdcorejs-agent/archive/main.zip#sdcorejs-review-security-nestjs

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.