Ready to fix security vulnerabilities?
Use the Fix Security Vulnerabilities Template to get started with a structured prompt
When to Use This Approach
- CVE Remediation
- Auth and Access Hardening
- Secret Management
- Compliance Readiness
Patch known vulnerabilities in your dependencies or application code before they become incidents.
Prompt Structure
Follow the Golden Rules when writing your security fix prompt. Focus especially on:
- CVE References - Cite specific CVE numbers or CWE categories being addressed
- Attack Vectors - Document how the vulnerability can be exploited with examples
- Security Standards - Reference OWASP, NIST, or industry standards to follow
- Secret Management - Use placeholder pattern (${SECRET_NAME}) for all credentials
Key Considerations
Secret Management Is Non-Negotiable
Never include actual credentials in prompts. Always use placeholder patterns (${SECRET_NAME}) and implement runtime resolution from secure storage (Google Secret Manager, AWS Secrets Manager).
Defense in Depth Over Single Controls
Implement multiple security layers (network security, application security, data security). Single control failures should not compromise the entire system.
Security Testing Validates Fixes
Automated security scanners (SAST, DAST) must confirm vulnerability remediation. Manual penetration testing validates scanner results and catches edge cases.
Compliance Documentation Tracks Controls
Security fixes for regulated environments require documentation showing which controls address specific compliance requirements (SOC 2, PCI-DSS, HIPAA).
Common Patterns
- SQL injection remediation - Replace string concatenation with parameterized queries, escape LIKE wildcards, add input validation, and implement query logging without exposing sensitive parameters.
- OAuth 2.0 implementation - Replace basic auth with token-based authentication, validate token signatures and expiration, implement scope-based authorization, and store OAuth secrets in secure storage.
- Hardcoded secrets elimination - Scan codebase for credentials, migrate to placeholder pattern (${SECRET_NAME}), implement runtime secret resolution from Secret Manager, and add masked logging to prevent secret exposure.
Troubleshooting
Security scanners still report vulnerabilities
Vulnerability may not be fully remediated. Re-run scanners with verbose output, review CVE remediation guidance, and add the Catalog Security Vulnerabilities rule to your project on the platform for comprehensive coverage.
Secrets still appear in logs or errors
Logging may not be fully masked. Implement custom log formatters that pattern-match sensitive data (tokens, keys, passwords), ensure error messages truncate or redact secrets, and review all log output.
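An added example (not from the original page or the platform it describes) of the ${SECRET_NAME} placeholder pattern with runtime resolution and masked logging, as described under Common Patterns and in this troubleshooting item. `SecretResolver`, `MaskingFilter` and `FAKE_STORE` are hypothetical names, and the in-memory dict is an assumed stand-in for a real secret manager client.

```python
import logging
import re

# Constructed stand-in for a secret store (Google Secret Manager, AWS Secrets
# Manager, ...). A real resolver would call the provider's client here.
FAKE_STORE = {"DB_PASSWORD": "s3cr3t-constructed-value"}

PLACEHOLDER = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")
# Generic credential shapes to redact even when the value was not resolved here.
GENERIC = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)(\S+)"
    r"|(bearer\s+)([A-Za-z0-9._~+/-]+=*)")


class SecretResolver:
    def __init__(self, store):
        self._store = store
        self.resolved = set()  # values handed out, so the log filter can mask them

    def resolve(self, text):
        def sub(m):
            name = m.group(1)
            if name not in self._store:
                raise KeyError(f"unresolved secret placeholder: {name}")  # fail closed
            self.resolved.add(self._store[name])
            return self._store[name]
        return PLACEHOLDER.sub(sub, text)


class MaskingFilter(logging.Filter):
    def __init__(self, resolver):
        super().__init__()
        self._resolver = resolver

    def mask(self, message):
        # Exact resolved values first (longest first), then generic patterns.
        for value in sorted(filter(None, self._resolver.resolved), key=len, reverse=True):
            message = message.replace(value, "****")
        return GENERIC.sub(
            lambda m: f"{m.group(1)}{m.group(2)}****" if m.group(1) else f"{m.group(4)}****",
            message)

    def filter(self, record):
        record.msg = self.mask(record.getMessage())  # format first, then mask
        record.args = ()
        return True
```

Attach the filter to each handler rather than to a logger, because logger-level filters are not applied to records propagated from child loggers. Tracebacks from `exc_info` are rendered later by the formatter and are not covered by this filter.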
Authentication still vulnerable after OAuth implementation
Token validation may be incomplete. Verify signature validation, expiration checks, issuer validation, and scope enforcement. Add tests for token manipulation attempts.
Compliance audit fails after security fixes
Documentation may be incomplete. Map each security control to specific compliance requirements, update security documentation with implementation details, and provide audit trail of security changes.
Performance degrades after security implementation
Security controls may be inefficient. Profile authentication/authorization paths, implement caching for token validation, optimize encryption operations, and add the Analyze Performance Impact rule to your project on the platform.