Skip to content

Improve API cross-protocol evidence review#1559

Open
wowsofine wants to merge 1 commit into
UnitOneAI:mainfrom
wowsofine:improve/api-cross-protocol-evidence
Open

Improve API cross-protocol evidence review#1559
wowsofine wants to merge 1 commit into
UnitOneAI:mainfrom
wowsofine:improve/api-cross-protocol-evidence

Conversation

@wowsofine
Copy link
Copy Markdown

@wowsofine wowsofine commented Jun 7, 2026

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with Codex against the api-security skill file
  • No prohibited patterns per SECURITY.md
  • index.yaml update not required because this improves an existing skill

What This PR Does

This improves skills/appsec/api-security/SKILL.md by adding cross-protocol evidence gates for mixed REST, GraphQL, gRPC, and gateway-backed APIs.

The new API-EVID-01 through API-EVID-08 checks require reviewers to tie API contract evidence back to the implementation layer that actually enforces authentication, object authorization, function authorization, property filtering, cost controls, upstream trust boundaries, and production deployment context.

I also added a Cross-Protocol Evidence Matrix to the output template, an Evidence Gate(s) field for each finding, and an Inconclusive status for cases where the implementation artifact is missing.

Framework References

  • OWASP API Security Top 10:2023: API1 through API10
  • OWASP ASVS
  • NIST SP 800-204, already cited in the skill references

Testing

  • git diff --check -- skills/appsec/api-security/SKILL.md
  • frontmatter required-field check
  • Markdown fence balance check
  • content marker check for API-EVID-01 through API-EVID-08
  • prompt-injection phrase scan

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors or maintainer-confirmed private method

@wowsofine
Copy link
Copy Markdown
Author

wowsofine commented Jun 7, 2026

Bounty claim note: requesting consideration for the moderate improver bounty (USD 100).

This PR adds API-EVID-01 through API-EVID-08 and the Cross-Protocol Evidence Matrix to reduce missed API review evidence across REST, GraphQL, gRPC, and gateway-backed APIs. It keeps the skill read-only and injection-hardened, with local validation listed in the PR description.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wowsofine