From 93d59c61870b8ef888fe4249d4831a9e6665d93f Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Thu, 11 Dec 2025 15:55:02 -0800 Subject: [PATCH] feature: Use write_todos tool to keep track of security analysis progress --- commands/security/analyze.toml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml index cde5ded..0b9c2ce 100644 --- a/commands/security/analyze.toml +++ b/commands/security/analyze.toml @@ -16,7 +16,7 @@ The core principle is to trace untrusted or sensitive data from its entry point Your primary objective during the **"SAST Recon on [file]"** task is to identify and flag **every potential Source of untrusted or sensitive input**. * **Action:** Scan the entire file for code that brings external or sensitive data into the application. -* **Trigger:** The moment you identify a `Source`, you **MUST** immediately rewrite the `SECURITY_ANALYSIS_TODO.md` file and add a new, indented sub-task: +* **Trigger:** The moment you identify a `Source`, you **MUST** immediately update your todos using the `write_todos` tool. Add a new, indented sub-task: * `- [ ] Investigate data flow from [variable_name] on line [line_number]`. * You are not tracing or analyzing the flow yet. You are only planting flags for later investigation. This ensures you scan the entire file and identify all potential starting points before diving deep. 
@@ -37,15 +37,15 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s 1. **Phase 0: Initial Planning** * **Action:** First, understand the high-level task from the user's prompt. - * **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. - * **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it. - * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`. - * **Action"** Prep yourself using the following possible notes files under `.gemini_security/`. If they do not exist, skip them. + * **Action:** If it does not already exist, create a new folder named `.gemini_security_new` in the user's workspace. + * **Action:** Use the `write_todos` tool to write the initial, high-level objectives from the prompt. + * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security_new`. + * **Action"** Prep yourself using the following possible notes files under `.gemini_security_new/`. If they do not exist, skip them. * `vuln_allowlist.txt`: The allowlist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. 2. **Phase 1: Dynamic Execution & Planning** - * **Action:** Read the `SECURITY_ANALYSIS_TODO.md` file and execute the first task about determinig the scope of the analysis. - * **Action (Plan Refinement):** After identifying the scope, rewrite `SECURITY_ANALYSIS_TODO.md` to replace the generic "analyze files" task with a specific **Reconnaissance Task** for each file (e.g., `- [ ] SAST Recon on fileA.js`). + * **Action:** Read your todo list and execute the first task about determinig the scope of the analysis. 
+ * **Action (Plan Refinement):** After identifying the scope, rewrite your todo list using 'write_todos' to replace the generic "analyze files" task with a specific **Reconnaissance Task** for each file (e.g., `- [ ] SAST Recon on fileA.js`). 3. **Phase 2: The Two-Pass Analysis Loop** * This is the core execution loop for analyzing a single file. @@ -63,7 +63,7 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s * **Action:** Repeat this Recon -> Investigate loop until all tasks and sub-tasks are complete. 4. **Phase 3: Final Review & Refinement** - * **Action:** This phase begins when all analysis tasks in `SECURITY_ANALYSIS_TODO.md` are complete. + * **Action:** This phase begins when all analysis tasks in your todo list are complete. * **Action:** Read the entire `DRAFT_SECURITY_REPORT.md` file. * **Action:** Critically review **every single finding** in the draft against the **"High-Fidelity Reporting & Minimizing False Positives"** principles and its five-question checklist. * **Action:** You must use the `gemini-cli-security` MCP server to get the line numbers for each finding. For each vulnerability you have found, you must call the `find_line_numbers` tool with the `filePath` and the `snippet` of the vulnerability. You will then add the `startLine` and `endLine` to the final report. 
@@ -72,10 +72,10 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s 5. **Phase 4: Final Reporting & Cleanup** * **Action:** Output the final, reviewed report as your response to the user. * **Action:** If, after the review, no vulnerabilities remain, your final output **MUST** be the standard "clean report" message specified by the task prompt. - * **Action:** Remove the temporary files (`SECURITY_ANALYSIS_TODO.md` and `DRAFT_SECURITY_REPORT.md`) from the `.gemini_security/` directory. Only remove these files and do not remove any other user files under any circumstances. + * **Action:** Remove the temporary file `DRAFT_SECURITY_REPORT.md` from the `.gemini_security_new/` directory. Only remove these files and do not remove any other user files under any circumstances. -### Example of the Workflow in `SECURITY_ANALYSIS_TODO.md` +### Example todo-list workflow 1. **Initial State:** ```markdown @@ -97,7 +97,7 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s **Step 1: Initial Planning** -Your first action is to create a `SECURITY_ANALYSIS_TODO.md` file with the following exact, high-level plan. This initial plan is fixed and must not be altered. When writing files always use absolute paths (e.g., `/path/to/file`). +Your first action is to create a todo list using 'write_todos' with the following exact, high-level plan. This initial plan is fixed and must not be altered. When writing files always use absolute paths (e.g., `/path/to/file`). - [ ] Define the audit scope. - [ ] Conduct a two-pass SAST analysis on all files within scope. 
@@ -112,10 +112,10 @@ You will now begin executing the plan. The following are your precise instructio * After using the tool, provide the user a list of changed files. If the list of files is empty, ask the user to provide files to be scanned. 2. **Immediately after defining the scope, you must refine your plan:** - * You will rewrite the `SECURITY_ANALYSIS_TODO.md` file. + * You will rewrite the todo list using 'write_todos' . * Out of Scope Files: Files that are primarily used for managing dependencies like lockfiles (e.g., `package-lock.json`, `package.json` `yarn.lock`, `go.sum`) should be considered out of scope and **must be omitted from the plan entirely**, as they contain no actionable code to review. * You **MUST** replace the line `- [ ] Conduct a two-pass SAST analysis on all files within scope.` with a specific **"SAST Recon on [file]"** task for each file you discovered in the previous step. After completing these two initial tasks, continue executing the dynamically generated plan according to your **Core Operational Loop**. -Proceed with the Initial Planning Phase now.""" +Proceed with the Initial Planning Phase now.""" \ No newline at end of file
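
Review bot: In the hunk at -16,7, the new Trigger line still asks for "a new, indented sub-task" in `- [ ]` checkbox form, wording that was written for a markdown file. Nothing in this patch shows that `write_todos` accepts nested or markdown-formatted entries. If the tool takes a flat list, reword this line to say how a sub-task is expressed through the tool, so that flagged Sources are not lost from the plan.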
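
Review bot: The Phase 0 lines in the hunk at -37,15 rename the workspace folder from `.gemini_security` to `.gemini_security_new`, a change the subject line (moving todo tracking to `write_todos`) does not mention. The notes files are read from that folder and skipped when absent, so an existing `.gemini_security/vuln_allowlist.txt` would no longer be found and the allowlist would stop applying without any notice to the user. Either drop the rename from this patch, or document it in the commit message and say how existing notes files are carried over. The added line `**Action"** Prep yourself ...` also keeps the stray quote in place of the colon, and the new Phase 1 lines keep "determinig" and write 'write_todos' in single quotes where the rest of the file uses backticks.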
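
Review bot: The rewritten cleanup line in the hunk at -72,10 now names a single file, `DRAFT_SECURITY_REPORT.md`, but the sentence that follows still reads "Only remove these files". For an instruction that authorizes deletion inside the user's workspace, the scope should be unambiguous; suggest "Only remove this file and do not remove any other user files under any circumstances."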
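
Review bot: Style points in the hunk at -112,10: the added line `* You will rewrite the todo list using 'write_todos' .` has a stray space before the period and quotes the tool name with single quotes, while the hunk at -16,7 uses backticks for the same name. The final changed line also removes the trailing newline ("\ No newline at end of file"); restore it unless that was intentional.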