csh
/
playbook
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
playbook/outfitter-agents/plugins/outfitter/skills/security/references/report-templates.md

3.0 KiB
Raw Blame History

Security Report Templates

Templates for documenting security findings and audit reports.

Individual Finding Template

## {SEVERITY} {VULNERABILITY_NAME}

**Category**: {OWASP_CATEGORY}
**CWE**: {CWE_IDS}
**Severity**: Critical/High/Medium/Low

### Location
- File: {FILE_PATH}
- Lines: {LINE_RANGE}
- Function: {FUNCTION_NAME}

### Description
{CLEAR_EXPLANATION}

### Impact
{WHAT_ATTACKER_COULD_DO}

### Proof of Concept
{CODE_OR_STEPS_TO_EXPLOIT}

### Remediation
{SPECIFIC_FIX_WITH_CODE}

### References
- OWASP: {URL}
- CWE: {URL}

Severity Indicators

Use these indicators in finding titles:

  • Critical: Remote code execution, auth bypass, mass data exposure, admin privilege escalation
  • High: SQL injection, stored XSS, auth weaknesses, sensitive data leaks
  • Medium: CSRF, reflected XSS, information disclosure, weak crypto
  • Low: Misconfigurations, missing headers, verbose errors, minor info leaks

Audit Report Template

# Security Audit Report

**Date**: {DATE}
**Scope**: {COMPONENTS_REVIEWED}
**Reviewer**: {NAME}
**Version**: {APP_VERSION}

## Executive Summary

{1-2 PARAGRAPH HIGH-LEVEL OVERVIEW}

Overall security posture: {STRONG/ADEQUATE/NEEDS_IMPROVEMENT/CRITICAL}

## Risk Summary

| Severity | Count |
|----------|-------|
| Critical | {N}   |
| High     | {N}   |
| Medium   | {N}   |
| Low      | {N}   |

## Key Findings

### 1. {MOST_CRITICAL_FINDING}
Brief description and impact.

### 2. {SECOND_FINDING}
Brief description and impact.

### 3. {THIRD_FINDING}
Brief description and impact.

## Detailed Findings

{FULL_LIST_USING_INDIVIDUAL_FINDING_TEMPLATE}

## Recommendations

### Immediate (Critical/High)
1. {ACTION_ITEM}
2. {ACTION_ITEM}

### Short-term (Medium)
1. {ACTION_ITEM}

### Long-term (Low / Hardening)
1. {ACTION_ITEM}

## Scope & Methodology

### In Scope
- {COMPONENT_1}
- {COMPONENT_2}

### Out of Scope
- {EXCLUDED_ITEM}

### Methodology
- Threat modeling (STRIDE)
- Code review
- Dependency scanning
- {OTHER_METHODS}

## Conclusion

{OVERALL_ASSESSMENT_AND_NEXT_STEPS}

Quick Finding Format

For inline documentation or PR comments:

[SEVERITY] VULN_TYPE in FILE:LINE
- Issue: {brief description}
- Impact: {what attacker could do}
- Fix: {one-line remediation}

Example:

[HIGH] SQL Injection in src/api/users.ts:45
- Issue: User email concatenated into query string
- Impact: Attacker can extract/modify database
- Fix: Use parameterized query with db.execute(sql, [email])

Risk Matrix

Use for prioritization:

              IMPACT
              Low    Med    High
         Low   Low    Low    Med
LIKELIHOOD Med  Low    Med    High
         High  Med    High   Crit

Factors affecting likelihood:

  • Skill required to exploit
  • Access required (unauth vs auth vs admin)
  • Attack complexity
  • User interaction needed

Factors affecting impact:

  • Confidentiality (data exposure)
  • Integrity (data modification)
  • Availability (service disruption)
  • Scope (single user vs all users vs system)