OWASP Top 10 — CLI Security Assessment
tags:
  - security
  - owasp
Assessment against OWASP Top 10 (2021) scoped to CLI applications. Web-only categories (XSS, CSRF, SSRF) are not applicable.
Assessment
| Category | Status | Priority | Notes |
|---|---|---|---|
| A01 — Broken Access Control | Pass | — | Config file written with 0o600, directory with 0o700 (internal/config/config.go) |
| A02 — Cryptographic Failures | Pass | — | Tokens stored plaintext (accepted CLI trade-off, same as gh/kubectl); file permissions restrict access to owner only. TLS enabled, no InsecureSkipVerify, password input non-echoing |
| A03 — Injection | Pass | — | No shell execution. User input flows into typed structs only. Numeric IDs validated via strconv.Atoi() |
| A04 — Insecure Design | Pass | — | Short-lived bearer tokens, explicit refresh flow, no hardcoded credentials |
| A05 — Security Misconfiguration | Pass | — | HTTP client configured with 30s timeout, 10s TLS handshake timeout, TLS 1.2 minimum (internal/apiclient/apiclient.go) |
| A06 — Vulnerable Components | Monitor | Medium | All deps pinned in go.mod/go.sum. govulncheck runs in CI on every push and scheduled pipeline |
| A07 — Auth Failures | Pass | — | Auth delegated to snackbox API. No default credentials, no hardcoded tokens |
| A08 — Software Integrity | Pass | — | go.sum checksums pin all deps. go mod verify validates the module cache against go.sum. Release signing not yet configured (goreleaser supports cosign) |
| A09 — Logging Failures | N/A | — | CLI tool. Tokens and passwords never written to stdout/stderr. No --debug flag |
| A10 — SSRF | N/A | — | Client only, no server-side request handling |
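The A01, A03 and A05 rows each describe a concrete code-level control (owner-only config file permissions, strconv.Atoi-validated numeric IDs, and an HTTP client with a 30s overall timeout, 10s TLS handshake timeout and a TLS 1.2 floor). The following is an added Go example illustrating those three controls together; it is not code from internal/config/config.go or internal/apiclient/apiclient.go, and the function names, the config directory under os.TempDir() and the sample config contents are assumptions made for the example. It also adds a post-write permission check that the table does not mention, to catch a pre-existing directory or file that was created with wider permissions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"time"
)

// WriteOwnerOnlyConfig creates the config directory with 0o700 and writes the
// file with 0o600 (the A01 control). Both modes are re-applied with Chmod
// because MkdirAll leaves an existing directory's mode alone and the process
// umask can widen a freshly created one.
func WriteOwnerOnlyConfig(dir, name string, data []byte) (string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	if err := os.Chmod(dir, 0o700); err != nil {
		return "", err
	}
	path := filepath.Join(dir, name)
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return "", err
	}
	if err := os.Chmod(path, 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// CheckOwnerOnly returns an error when any group or other permission bit is
// set, which is the property the A01 row relies on for plaintext tokens.
func CheckOwnerOnly(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; group/other bits must be clear", path, perm)
	}
	return nil
}

// NewHardenedClient builds the client shape from the A05 row: 30s overall
// timeout, 10s TLS handshake timeout, TLS 1.2 minimum. InsecureSkipVerify is
// left at its zero value (false), so certificate verification stays on.
func NewHardenedClient() *http.Client {
	transport := &http.Transport{
		Proxy:               http.ProxyFromEnvironment,
		DialContext:         (&net.Dialer{Timeout: 10 * time.Second}).DialContext,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     &tls.Config{MinVersion: tls.VersionTLS12},
	}
	return &http.Client{Timeout: 30 * time.Second, Transport: transport}
}

// ParseID mirrors the A03 row: a numeric identifier is parsed with
// strconv.Atoi and rejected unless it is a positive integer, so no raw user
// text is ever placed into a request path.
func ParseID(s string) (int, error) {
	id, err := strconv.Atoi(s)
	if err != nil {
		return 0, fmt.Errorf("invalid id %q: %w", s, err)
	}
	if id <= 0 {
		return 0, errors.New("id must be positive")
	}
	return id, nil
}

func main() {
	// Constructed sample config; the directory location is an assumption.
	dir := filepath.Join(os.TempDir(), "cli-assessment-demo")
	path, err := WriteOwnerOnlyConfig(dir, "config.yaml", []byte("token: example\n"))
	if err != nil {
		fmt.Println("write failed:", err)
		return
	}
	fmt.Println("config permission check:", CheckOwnerOnly(path))
	fmt.Println("client timeout:", NewHardenedClient().Timeout)
	_, err = ParseID("12abc")
	fmt.Println("ParseID(\"12abc\") ->", err)
}
```

CheckOwnerOnly is the piece worth adding to a startup path: a config directory that already existed with mode 0o755 would otherwise silently pass the "written with 0o600" claim while remaining listable by other users.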
Action Items
No open items.