
dcyfr-security
by dcyfr
DCYFR Labs
⭐ 2 · 🍴 0 · 📅 Jan 25, 2026
SKILL.md
name: dcyfr-security
description: CodeQL suppressions, security vulnerability troubleshooting, and security best practices
license: MIT
compatibility: opencode
metadata:
  audience: developers
  workflow: security
  category: security
What I do
I guide security practices and CodeQL false positive suppression:
- CodeQL suppressions with LGTM syntax
- Security vulnerability troubleshooting (SSRF, CWE-918)
- False positive patterns and verification
- Security testing patterns
When to use me
✅ Use this skill when:
- Suppressing CodeQL false positives
- Investigating security alerts
- Implementing security fixes
- Reviewing security-sensitive code
❌ Don't use this skill for:
- General code review (use dcyfr-validation)
- Performance issues (separate concern)
- Non-security bugs
CodeQL Suppression Syntax
Basic Suppression
// lgtm[js/path-injection]
const filePath = path.join(baseDir, userInput);
With Justification
// lgtm[js/sql-injection]: Input validated by schema
const query = `SELECT * FROM users WHERE id = ${userId}`;
Multiple Alerts
// lgtm[js/path-injection,js/sql-injection]
const result = await processInput(userInput);
Common False Positives
1. Path Injection (Safe)
// lgtm[js/path-injection]: userInput validated against allowlist
const filePath = path.join(PUBLIC_DIR, userInput);
2. SQL Injection (Parameterized)
// lgtm[js/sql-injection]: Using parameterized query
await db.query('SELECT * FROM users WHERE id = $1', [userId]);
3. XSS (React Auto-Escapes)
// lgtm[js/xss]: React auto-escapes JSX content
<div>{userContent}</div>
Security Testing Patterns
API Endpoint Security Test
describe('/api/secure-endpoint', () => {
  it('rejects unauthorized requests', async () => {
    // No credentials supplied: the endpoint must answer 401, not serve the resource
    const response = await fetch('/api/secure-endpoint');
    expect(response.status).toBe(401);
  });
  it('validates input', async () => {
    // A hostile payload must be rejected with 400 before any processing happens
    const response = await fetch('/api/secure-endpoint', {
      method: 'POST',
      body: JSON.stringify({ malicious: '<script>alert(1)</script>' }),
    });
    expect(response.status).toBe(400);
  });
});
SSRF Prevention
// ✅ CORRECT: Validate URLs before fetching
const allowedDomains = ['api.trusted.com'];
// new URL() throws on unparseable input, so malformed values never reach fetch()
const url = new URL(userProvidedUrl);
// Compare the parsed hostname against the allowlist, never a substring of the raw string
if (!allowedDomains.includes(url.hostname)) {
  throw new Error('Invalid domain');
}
const response = await fetch(url.toString());
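The hostname allowlist above is the core of the SSRF (CWE-918) control, but a hostname check alone still lets through a plaintext scheme, an embedded credential (`https://api.trusted.com@evil.example`), a non-default port, or a redirect from the allowed host to somewhere else. The following is an added example, not code from the dcyfr-security skill, that folds those checks into one validator and wires it to `fetch` with redirects disabled. The host in `ALLOWED_HOSTS`, the function names and the sample inputs are all constructed for illustration.

```javascript
// Added example (not the skill's own code): stricter outbound-URL validation for SSRF prevention.
// ALLOWED_HOSTS is an assumed value; adjust to the hosts your service is actually permitted to call.
const ALLOWED_HOSTS = new Set(['api.trusted.com']);

// WHATWG URL already lowercases the hostname; also drop a trailing dot so "api.trusted.com." matches.
function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '');
}

// Returns { ok: true, url } for an acceptable URL, otherwise { ok: false, reason }.
function validateOutboundUrl(input, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(input); // throws on unparseable input
  } catch (_err) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  // "https://api.trusted.com@evil.example/" parses with hostname evil.example; refuse userinfo outright.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // port is '' when the scheme default (443) is used; anything else is refused.
  if (url.port !== '') {
    return { ok: false, reason: `non-default port ${url.port}` };
  }
  if (!allowedHosts.has(normalizeHost(url.hostname))) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  return { ok: true, url: url.toString() };
}

// Wrapper around fetch: validates first, and refuses to follow redirects so a 3xx from the
// allowed host cannot silently send the request to an unvalidated destination.
async function safeFetch(input, fetchImpl = globalThis.fetch) {
  const verdict = validateOutboundUrl(input);
  if (!verdict.ok) {
    throw new Error(`Refusing outbound request: ${verdict.reason}`);
  }
  const response = await fetchImpl(verdict.url, { redirect: 'manual' });
  if (response.status >= 300 && response.status < 400) {
    throw new Error(`Redirect to ${response.headers.get('location')} refused`);
  }
  return response;
}

// Constructed sample inputs showing which forms the validator accepts and rejects.
const SAMPLE_URLS = [
  'https://api.trusted.com/v1/items?id=1',
  'http://api.trusted.com/',
  'https://api.trusted.com.evil.example/',
  'https://api.trusted.com@evil.example/',
  'https://api.trusted.com:8443/',
  'not a url',
];
for (const candidate of SAMPLE_URLS) {
  console.log(candidate, '=>', JSON.stringify(validateOutboundUrl(candidate)));
}
```

One caveat worth keeping in mind: an allowlist of hostnames trusts whatever those names resolve to, so if the allowed host's DNS is compromised the check still passes. Where that matters, resolve the name yourself and pin the connection to the resolved address as well.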
Related Documentation
- CodeQL suppressions: .github/agents/patterns/CODEQL_SUPPRESSIONS.md
- Security troubleshooting: .github/agents/patterns/SECURITY_VULNERABILITY_TROUBLESHOOTING.md
Approval Gates
Security compliance is STRICT (hard block):
- ❌ Cannot suppress without justification
- ❌ Cannot merge with HIGH/CRITICAL alerts
- ✅ Must verify suppressions are valid
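The "cannot suppress without justification" gate is easy to check mechanically against the suppression syntax shown under CodeQL Suppression Syntax. Below is an added example, not part of the dcyfr-security skill, that scans source text for `// lgtm[...]` comments, splits the comma-separated query ids, and reports any suppression that has no `: justification` or whose id does not look like a `language/query-name` CodeQL id. The sample source is constructed from the snippets on this page plus one deliberately malformed line; the function names are assumed.

```javascript
// Added example (not the skill's own code): enforce "no suppression without justification"
// over `// lgtm[query-id, ...]: reason` comments.

// Matches `// lgtm[ids]` with an optional `: justification` after the closing bracket.
const SUPPRESSION_RE = /\/\/\s*lgtm\[([^\]]*)\]\s*(?::\s*(.*))?/;
// CodeQL query ids look like js/path-injection: lowercase language, slash, kebab-case name.
const QUERY_ID_RE = /^[a-z]+\/[a-z0-9-]+$/;

// Returns { ids, justification } for a suppression comment, or null if the line has none.
function parseSuppression(line) {
  const m = SUPPRESSION_RE.exec(line);
  if (!m) return null;
  const ids = m[1].split(',').map((s) => s.trim()).filter(Boolean);
  const justification = (m[2] || '').trim();
  return { ids, justification };
}

// Scans every line and returns one finding per suppression, with a list of gate violations.
function checkSuppressions(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const parsed = parseSuppression(text);
    if (!parsed) return;
    const problems = [];
    if (parsed.ids.length === 0) problems.push('no query id');
    for (const id of parsed.ids) {
      if (!QUERY_ID_RE.test(id)) problems.push(`malformed query id "${id}"`);
    }
    if (parsed.justification.length === 0) problems.push('missing justification');
    findings.push({ line: idx + 1, ids: parsed.ids, justification: parsed.justification, problems });
  });
  return findings;
}

// True when any suppression violates the gate, i.e. the change should be blocked.
function hasBlockingFindings(findings) {
  return findings.some((f) => f.problems.length > 0);
}

// Constructed sample: the page's own snippets plus one malformed id.
const SAMPLE_SOURCE = [
  '// lgtm[js/path-injection]',
  'const filePath = path.join(baseDir, userInput);',
  '// lgtm[js/sql-injection]: Input validated by schema',
  "await db.query('SELECT * FROM users WHERE id = $1', [userId]);",
  '// lgtm[js/path-injection,js/sql-injection]',
  'const result = await processInput(userInput);',
  '// lgtm[JS/Bad Id]: typo in the query id',
].join('\n');

const SAMPLE_FINDINGS = checkSuppressions(SAMPLE_SOURCE);
for (const f of SAMPLE_FINDINGS) {
  console.log(`line ${f.line}: [${f.ids.join(', ')}] ${f.problems.length ? 'BLOCK: ' + f.problems.join('; ') : 'ok'}`);
}
console.log(hasBlockingFindings(SAMPLE_FINDINGS) ? 'gate: blocked' : 'gate: passed');
```

A non-empty justification satisfies this checker, which is the mechanical half of the gate; the "must verify suppressions are valid" half still needs a human to confirm the stated reason actually holds for the flagged line.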
Score
Total Score: 65/100
Based on repository quality metrics
- ✓ SKILL.md: contains a SKILL.md file (+20)
- ✓ LICENSE: a license is set (+10)
- ○ Description: has a description of 100 or more characters (0/10)
- ○ Popularity: 100 or more GitHub stars (0/15)
- ✓ Recent activity: updated within the last month (+10)
- ○ Forks: forked 10 or more times (0/5)
- ✓ Issue management: fewer than 50 open issues (+5)
- ✓ Language: a programming language is set (+5)
- ✓ Tags: at least one tag is set (+5)