nestjs-security
Install: claude install-skill hlsitechio/claude-skills-security
# NestJS Security Audit
Audit NestJS applications. NestJS sits on top of Express or Fastify, so the underlying HTTP and middleware concerns still apply; its own patterns (decorators, dependency injection, modules, pipes) add an audit surface of their own.
## When this skill applies
- Reviewing Guards and authorization logic
- Auditing ValidationPipe configuration
- Reviewing Interceptors for unsafe transformations
- Checking module structure and provider scoping
- Reviewing GraphQL or REST controllers built on Nest
## Workflow
Follow `../_shared/audit-workflow.md`. Companion: `nodejs-express-security` for underlying middleware concerns.
### Phase 1: Stack detection
```bash
grep -E '"@nestjs/(core|common|platform-express|platform-fastify)":' package.json
find . -name 'main.ts' -path '*src*' -not -path '*/node_modules/*'
find . -name 'nest-cli.json'
```
Detect: platform (Express vs Fastify), use of GraphQL (`@nestjs/graphql`), use of microservices (`@nestjs/microservices`).
### Phase 2: Inventory
```bash
# Controllers and routes (REST handlers, including PATCH and catch-all)
grep -rn '@Controller\|@Get\|@Post\|@Put\|@Patch\|@Delete\|@All' src/ | head -50
# GraphQL resolvers (only if Phase 1 found @nestjs/graphql)
grep -rn '@Resolver\|@Query\|@Mutation' src/
# Guards
grep -rn '@UseGuards\|implements CanActivate' src/
# Interceptors
grep -rn '@UseInterceptors\|implements NestInterceptor' src/
# Pipes
grep -rn 'useGlobalPipes\|@UsePipes\|ValidationPipe' src/
# CORS
grep -rn 'enableCors\|cors:' src/main.ts src/app.module.ts 2>/dev/null
# Microservices
grep -rn 'createMicroservice\|@MessagePattern\|@EventPattern' src/
```
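The inventory greps above list routes and guards separately, which leaves the auditor to join them by hand. The script below is an added example, not part of this skill or of NestJS: it builds a small constructed NestJS source tree in a temporary directory, then reports every controller file with no `@UseGuards` at class or method level, how many handlers that exposes, and whether a global guard (`useGlobalGuards()` or an `APP_GUARD` provider) would cover the gap. The file names, contents and helper function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original skill): join the Phase 2 route and guard
# inventories into a guard-coverage report. The sample project is constructed
# inline so the script runs offline; paths contain no spaces on purpose.
set -eu

SAMPLE_DIR="$(mktemp -d)"
mkdir -p "$SAMPLE_DIR/src/users" "$SAMPLE_DIR/src/reports" "$SAMPLE_DIR/src/health"

# Constructed controller guarded at class level.
cat > "$SAMPLE_DIR/src/users/users.controller.ts" <<'EOF'
import { Controller, Get, UseGuards } from '@nestjs/common';
import { AuthGuard } from '../auth/auth.guard';

@Controller('users')
@UseGuards(AuthGuard)
export class UsersController {
  @Get() findAll() { return []; }
}
EOF

# Constructed controller with a destructive route and no guard at any level.
cat > "$SAMPLE_DIR/src/reports/reports.controller.ts" <<'EOF'
import { Controller, Get, Delete } from '@nestjs/common';

@Controller('reports')
export class ReportsController {
  @Get() list() { return []; }
  @Delete(':id') remove() { return true; }
}
EOF

# Constructed unguarded controller that is probably meant to be public.
cat > "$SAMPLE_DIR/src/health/health.controller.ts" <<'EOF'
import { Controller, Get } from '@nestjs/common';

@Controller('health')
export class HealthController {
  @Get() ok() { return 'ok'; }
}
EOF

# Constructed bootstrap with no useGlobalGuards() call.
cat > "$SAMPLE_DIR/src/main.ts" <<'EOF'
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  await app.listen(3000);
}
bootstrap();
EOF

# Print controller files that never mention @UseGuards (class or method level).
unguarded_controllers() {
  local src="$1"
  grep -rl '@Controller' "$src" | sort | while IFS= read -r file; do
    grep -q '@UseGuards' "$file" || echo "$file"
  done
}

# Succeed (exit 0) if a global guard is registered anywhere in the tree.
has_global_guard() {
  local src="$1"
  grep -rqE 'useGlobalGuards\(|provide: *APP_GUARD' "$src"
}

# Count handler decorators inside the unguarded controllers: the exposed surface.
unguarded_route_count() {
  local src="$1" total=0 n f
  for f in $(unguarded_controllers "$src"); do
    n=$(grep -cE '@(Get|Post|Put|Patch|Delete|All)\(' "$f" || true)
    total=$((total + n))
  done
  echo "$total"
}

if has_global_guard "$SAMPLE_DIR/src"; then
  echo "global guard registered: per-controller gaps may be intentional"
else
  echo "no global guard: every controller below is reachable without authorization"
fi
unguarded_controllers "$SAMPLE_DIR/src"
echo "unguarded handlers: $(unguarded_route_count "$SAMPLE_DIR/src")"
```

Point the helper functions at a real `src/` directory instead of `$SAMPLE_DIR/src` to run this against an actual project. A controller listed here is not automatically a finding: a global guard, a guard applied inside a custom decorator, or a deliberately public endpoint (health checks, login) can all explain the absence of `@UseGuards`, so the list is the starting point for the Phase 3 guard review, not its conclusion.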
### Phase 3: Detection — the checks
#### Guards
Guards implement `CanActivate`. They run