insecure-defaults

Solid

Detect fail-open configurations, hardcoded secrets, weak authentication defaults, permissive CORS, disabled security features, and other insecure-by-default patterns. Adapted from Trail of Bits. Use during security review or when auditing configuration and initialization code.

AI & Automation 501 stars 42 forks Updated yesterday MIT

Quality Score: 91/100

Stars (weight 20%): 90
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Insecure Defaults Detection

Systematic detection of security misconfigurations where the default behavior is insecure. These are the bugs that ship because "it worked in development."

## Detection Categories

### 1. Fail-Open Configurations

Code that defaults to allowing access when a security check fails.

```typescript
// BAD: Fail-open -- if auth service is down, everyone gets in
async function checkAuth(token: string): Promise<boolean> {
  try {
    return await authService.verify(token)
  } catch {
    return true // INSECURE: fails open
  }
}

// GOOD: Fail-closed -- if auth service is down, deny access
async function checkAuth(token: string): Promise<boolean> {
  try {
    return await authService.verify(token)
  } catch {
    return false // SECURE: fails closed
  }
}
```

**Detection pattern**: Look for `catch` blocks that return truthy/permissive values in auth/authz code.

### 2. Hardcoded Secrets

```typescript
// BAD patterns -- detect ALL of these
const API_KEY = "sk-proj-abc123"
const DB_PASSWORD = "admin123"
const JWT_SECRET = "super-secret-key"
const ENCRYPTION_KEY = Buffer.from("0123456789abcdef")

// GOOD
const API_KEY = process.env.API_KEY
if (!API_KEY) throw new Error('API_KEY environment variable required')
```

**Detection patterns**:

- String literals assigned to variables named `*key*`, `*secret*`, `*password*`, `*token*`, `*credential*`
- Base64-encoded strings in source (potential embedded keys)
- `Bearer ` followed by a string literal
- AWS ...
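The detection patterns from both categories above, implemented as a small scanner. This is an added example, not code from the skill or from the vibeeval/vibecosystem project: it flags string literals assigned to secret-named variables, `Bearer` literals, long base64-looking blobs, and `catch` blocks that return a permissive value, and runs over a constructed TypeScript sample. The function and class names (`scan_source`, `Finding`), the 32-character base64 threshold, and the sample source are this example's own assumptions.

```python
"""Regex-based scanner for the insecure-default patterns described above.
Added example; names, thresholds and the sample input are constructed here."""
from __future__ import annotations

import re
from dataclasses import dataclass

# `name = "literal"` or `name = Buffer.from("literal")`; group 1 is the name.
ASSIGN_LITERAL = re.compile(
    r"\b([A-Za-z_]\w*)\s*=\s*(?:Buffer\.from\()?\s*(['\"])([^'\"]+)\2"
)
# Variable names that suggest a credential (the *key*, *secret*, ... list).
SECRET_WORDS = re.compile(r"key|secret|password|token|credential", re.IGNORECASE)
# A quoted literal beginning with "Bearer " followed by a token-like string.
BEARER_LITERAL = re.compile(r"(['\"])Bearer\s+[A-Za-z0-9._\-]+\1")
# 32+ base64 characters with optional padding: long enough to be an embedded key
# (threshold chosen for this example; tune it for your code base).
BASE64_BLOB = re.compile(r"(['\"])[A-Za-z0-9+/]{32,}={0,2}\1")
# A catch block whose body returns a permissive value before the closing brace.
# Group 1 is the `return` so the finding points at that line, not the `catch`.
FAIL_OPEN_CATCH = re.compile(
    r"\bcatch\b\s*(?:\([^)]*\))?\s*\{[^}]*?(\breturn\s+(?:true|1)\b)"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str


def is_secret_assignment(line: str) -> bool:
    """True when a string literal is assigned to a secret-sounding name."""
    return any(SECRET_WORDS.search(m.group(1)) for m in ASSIGN_LITERAL.finditer(line))


LINE_RULES = [
    ("hardcoded-secret", is_secret_assignment),
    ("bearer-literal", lambda line: BEARER_LITERAL.search(line) is not None),
    ("base64-blob", lambda line: BASE64_BLOB.search(line) is not None),
]


def scan_source(source: str) -> list[Finding]:
    """Return findings sorted by line; line-level rules first, then the
    multi-line fail-open rule, which needs the whole catch body."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, matches in LINE_RULES:
            if matches(line):
                findings.append(Finding(rule, lineno, line.strip()))
    for m in FAIL_OPEN_CATCH.finditer(source):
        lineno = source.count("\n", 0, m.start(1)) + 1
        findings.append(Finding("fail-open-catch", lineno, m.group(1)))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input; the values are not real credentials.
SAMPLE_TS = """\
// constructed sample for this example -- not real credentials
const API_KEY = "sk-proj-abc123"
const DB_PASSWORD = "admin123"
const ENCRYPTION_KEY = Buffer.from("0123456789abcdef")
const SIGNING_BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODk="
const headers = { Authorization: "Bearer eyJabc.def.ghi" }
const SAFE_KEY = process.env.SAFE_KEY

async function checkAuth(token: string): Promise<boolean> {
  try {
    return await authService.verify(token)
  } catch {
    return true // fails open
  }
}

async function checkAuthFixed(token: string): Promise<boolean> {
  try {
    return await authService.verify(token)
  } catch (err) {
    return false // fails closed
  }
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_TS):
        print(f"{f.rule:18} line {f.line:>3}: {f.snippet}")
```

The environment-variable line (`SAFE_KEY`) and the fail-closed `catch` produce no findings, which is the check that matters as much as the positives: a rule that also fires on the corrected form is not usable in review. The rules are heuristics, so treat each hit as a candidate to read, not a verdict.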

Details

Author
vibeeval
Repository
vibeeval/vibecosystem
Created
2 months ago
Last Updated
yesterday
Language
C#
License
MIT
