Vulnerability Management Guide

This guide outlines the technical procedures for detecting, analyzing, and fixing security vulnerabilities within the CodyMaster ecosystem.

🛡️ Security Mechanisms

CodyMaster employs a Defense-in-Depth strategy across five critical layers:

Layer	Mechanism	Tool	Goal
1: Write	Write Guard	AI Rules	Prevent secrets from being written in the first place.
2: Commit	Pre-commit Guard	Gitleaks / Hooks	Block secrets from entering Git history.
3: Repo	Repo Scan	`security:scan`	Detect existing secrets or patterns in the codebase.
4: Deploy	Deploy Gate	`cm-safe-deploy`	Final audit before code reaches production.
5: Runtime	Runtime Guard	Env Var Lifecycle	Secure management and rotation of production keys.

🔍 Vulnerability Scanning Procedures

1. Static Analysis (SAST)

We use Snyk Code for continuous security auditing.

How to run: Integrated into the cm-quality-gate (Gate 6).
Threshold: Any vulnerability with severity High or Critical will block the deployment pipeline.

2. Manual Grep Auditing

For patterns that SAST might miss (like unescaped innerHTML), we use targeted grep scans:

bash

# Scan for unsafe DOM sinks
grep -r "innerHTML =" ./src --exclude-dir=node_modules

3. Secret Scanning

Use cm-secret-shield for repo-wide scans:

bash

npm run security:scan

🛠️ Fixing Vulnerabilities (Root Cause Protocol)

When a vulnerability is detected, do not just "patch the symptom." Follow the AI-Native Root Cause Path:

Isolate & Reproduce: Use cm-debugging to understand the data flow.
Failing Test: Create a cm-tdd test case that demonstrates the exploit.
Core Fix: Implement the fix (e.g., replace innerHTML with textContent or add safe_resolve() for paths).
Verify: Pass the test and run a full security scan.

🛡️ Advanced `cm-secret-shield` Suggestions

Custom Gitleaks Rules

Add specific patterns for your project's unique identifiers in .gitleaks.toml:

toml

[[rules]]
id = "custom-app-token"
description = "Project-Specific Application Token"
regex = '''MYAPP-[a-zA-Z0-9]{32}'''
tags = ["custom", "token"]

Secret Rotation Playbook

Never wait for a leak. Schedule rotation for high-value keys:

Supabase Service Key: Every 30 days.
Cloudflare API Token: Every 90 days.
Emergency Rotation: If a key is accidentally committed, invoke the Emergency Rotation Playbook immediately (Revoke → Rotate → Update → Deploy).

Environment Variable Hygiene

Always provide a .dev.vars.example without values.
Never track .env or .dev.vars in Git.
Use platform-specific vaults (e.g., Cloudflare Secrets, Supabase Vault) for production.

TIP

Use @/cm-secret-shield whenever you're adding a new integration or third-party API to ensure your keys stay local and secure.

Vulnerability Management Guide ​

🛡️ Security Mechanisms ​

🔍 Vulnerability Scanning Procedures ​

1. Static Analysis (SAST) ​

2. Manual Grep Auditing ​

3. Secret Scanning ​

🛠️ Fixing Vulnerabilities (Root Cause Protocol) ​

🛡️ Advanced cm-secret-shield Suggestions ​

Custom Gitleaks Rules ​

Secret Rotation Playbook ​

Environment Variable Hygiene ​