
spring-boot-security

Security audit for Spring Boot Java/Kotlin applications including Spring Security configuration, @PreAuthorize/@Secured, JPA queries (@Query, JPQL injection), CSRF setup, CORS, actuator endpoints exposure, application.yml secrets, Jackson deserialization, and Spring-specific CVE awareness (Spring4Shell). Use this skill whenever the user mentions Spring Boot, Spring Security, @PreAuthorize, JpaRepository, application.yml/properties, actuator, @SpringBootApplication, or asks "audit my Spring app", "Spring Boot security review". Trigger when the codebase contains `pom.xml` or `build.gradle` with `spring-boot-starter`, or Java/Kotlin files with `@SpringBootApplication`.
Repository: hlsitechio/claude-skills-security · Category: AI & Automation
Install: claude install-skill hlsitechio/claude-skills-security
# Spring Boot Security Audit

Audit Spring Boot applications (Java and Kotlin, 2.7+ and 3.x).

## When this skill applies

- Reviewing Spring Security configuration classes
- Auditing JPA repository methods and queries
- Reviewing controller-level authorization annotations
- Checking actuator endpoint exposure
- Reviewing application.yml / application.properties for secrets

## Workflow

Follow `../_shared/audit-workflow.md`.

### Phase 1: Stack detection

```bash
grep -E 'spring-boot-starter' pom.xml build.gradle build.gradle.kts 2>/dev/null
grep -E 'org.springframework' pom.xml 2>/dev/null | head
```

### Phase 2: Inventory

```bash
# Security configuration
grep -rn 'SecurityFilterChain\|WebSecurityConfigurerAdapter\|EnableWebSecurity\|EnableMethodSecurity' src/ --include='*.java' --include='*.kt'

# Controllers
grep -rn '@RestController\|@Controller\|@RequestMapping\|@GetMapping\|@PostMapping' src/ --include='*.java' --include='*.kt' | head

# Authorization annotations
grep -rn '@PreAuthorize\|@PostAuthorize\|@Secured\|@RolesAllowed' src/ --include='*.java' --include='*.kt'

# Custom queries
grep -rn '@Query\|@NativeQuery\|createNativeQuery\|createQuery' src/ --include='*.java' --include='*.kt'

# Config files
ls src/main/resources/application*.yml src/main/resources/application*.properties 2>/dev/null
```

### Phase 3: Detection — the checks

#### Spring Security configuration

Modern Spring Security 6 uses a `SecurityFilterChain` bean. Older used `WebSecurityConfigurerAdap
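As an added example (not part of the skill or its repository), the script below turns two of the Phase 2 inventory greps into concrete findings: query strings assembled by `+` concatenation (the JPQL/SQL injection pattern the audit looks for) and `management.endpoints.web.exposure.include` set to `*`. It writes a constructed sample project to a temporary directory so it runs offline; the class names and query text in that sample are assumptions, not taken from any real project.

```shell
#!/bin/sh
# Added example, not part of the skill's own files: turn two of the Phase 2
# inventory greps into concrete findings over a source tree.
#   count_concat_queries    query strings assembled with '+' (JPQL/SQL injection risk)
#   count_actuator_wildcard config exposing every actuator endpoint ("*")
# make_sample_tree writes a constructed mini project to a temp dir so it runs offline.

make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/src/main/java/demo" "$d/src/main/resources"
  # Safe: bound parameter in JPQL (should not be flagged).
  cat > "$d/src/main/java/demo/UserRepository.java" <<'EOF'
public interface UserRepository extends JpaRepository<User, Long> {
    @Query("select u from User u where u.name = :name")
    User findByName(@Param("name") String name);
}
EOF
  # Unsafe: caller-controlled value concatenated into the query text (should be flagged).
  cat > "$d/src/main/java/demo/ReportDao.java" <<'EOF'
public class ReportDao {
    public List<Report> find(String owner) {
        return em.createQuery("select r from Report r where r.owner = '" + owner + "'").getResultList();
    }
}
EOF
  # Exposes every actuator endpoint over HTTP (should be flagged).
  printf 'management:\n  endpoints:\n    web:\n      exposure:\n        include: "*"\n' \
    > "$d/src/main/resources/application.yml"
  printf '%s\n' "$d"
}

# Query call sites where a string literal is followed by '+' on the same line.
# Heuristic: misses multi-line concatenation and String.format; review hits by hand.
count_concat_queries() {
  grep -rEn --include='*.java' --include='*.kt' \
    '(@Query|createNativeQuery|createQuery)[^;]*"[^"]*"[[:space:]]*\+' "$1/src" | wc -l | tr -d ' '
}

# Config files with management.endpoints.web.exposure.include set to "*" (yml or properties).
count_actuator_wildcard() {
  grep -rEl --include='application*' 'include[[:space:]]*[:=][[:space:]]*"?\*"?' \
    "$1/src/main/resources" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run over the constructed tree.
tree=$(make_sample_tree)
echo "concatenated query call sites: $(count_concat_queries "$tree")"
echo "actuator wildcard exposure files: $(count_actuator_wildcard "$tree")"
```

Each hit from `count_concat_queries` still needs a manual look, since concatenating a constant is harmless while concatenating a request parameter is not.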