rankion.ai
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français 🇪🇸 Español
Open-source methodology · v1.0

Security Audit Skill

The exact methodology we use to run our monthly security audits — publicly traceable.

Translation notice — The German version of this document is the legally binding original. This English translation is provided for informational purposes only. In case of any conflict between this translation and the German version, the German text shall govern. View authoritative German version.

What is this?

This page documents rankion-security-audit — a Claude Code skill we run internally to check Rankion for security issues monthly (and ad-hoc before every major deploy). The results — in redacted form — end up at /en/trust/security-audits.

We publish methodology, checklist and redaction rules so you can understand what we check and why certain details are not public (responsible disclosure: concrete vulnerabilities remain private until they are patched).

How we run it

The audit is a Claude Code skill — a versioned workflow of prompts and bash commands an engineer triggers in a Claude Code session. This is intentionally not a black-box cron:

  • every step is documented in the skill markdown (see below)
  • every output is verified by the engineer against the checklist
  • findings are written to two files: a private JSON report (for the internal patch pipeline) and a redacted public Markdown (for the Trust Center log)

Cadence: monthly on the 15th (or next business day) plus ad-hoc before every deploy that touches auth, sessions, dependencies or environment configuration.

Skill definition

The skill consists of three Markdown files (skill definition + two reference files). The most important steps:

  1. Setup — check working directory + git status, capture date, load reference files.
  2. Dependency auditcomposer audit + npm audit --omit=dev, count results per severity.
  3. HTTP header check — live request against rankion.ai, verify six security-header classes.
  4. Configuration verification — exposure tests against `.env`, debug routes and VCS directories.
  5. Code-pattern scan — diff of the last 30 days, plus static greps for dangerous patterns.
  6. Version check — PHP and Laravel release against support matrix.
  7. Output generation — structured JSON (private) plus redacted Markdown (public).
  8. Redaction validation — automated greps against the privacy allowlist (see below).

Audit checklist — the 7 areas

A · Dependencies

composer audit + npm audit (production-only). Laravel and PHP version against support matrix.

B · HTTP headers

HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy, Permissions-Policy. The Server header must not leak versions.

C · Configuration

Environment files not retrievable, debug mode off, no dev routes reachable, no VCS directory exposed.

D · Auth / session

CSRF tokens on POST forms, session cookies with Secure + HttpOnly + SameSite, Sanctum tokens hashed, bcrypt cost >= 10.

E · Code patterns

No SQL-injection risks, no open mass-assignment, no unserialize/eval on user input, secure file-upload validation, output escaping.

F · AI-specific

Sub-processor list aligned across code inventory, privacy page and trust center; LLM calls strictly team-scoped; prompts containing PII flagged.

G · Operational

Backups current and restorable, queue workers healthy, disk usage < 80%, no brute-force anomalies.

Redaction rules

The skill writes two files per audit: a complete JSON (internal) and a redacted Markdown (public, on /en/trust/security-audits). This allowlist separates the two:

Published

  • Audit date, auditor, scope
  • Aggregated severity counts (critical / high / medium / low)
  • Status aggregates (e.g. "all high findings remediated within 24h")
  • Methodology overview and next audit date

NEVER published (until patched + 14 days)

  • File paths from the codebase
  • CVE numbers of open findings
  • Library names + versions of currently vulnerable dependencies
  • HTTP paths or parameters of vulnerable endpoints
  • Reproduction steps for exploits
  • Contents of the internal JSON fields "details" and "remediation"

Validation runs automatically before every commit: a grep set checks the public Markdown against the deny patterns. On a hit, the public file is re-redacted before commit/push is permitted.

Cadence

  • Monthly on the 15th (or next business day) — regular baseline audit; public Markdown lands on /en/trust/security-audits.
  • Ad-hoc before every major deploy with impact on auth, sessions, dependencies or environment configuration.
  • Patch deadlines: critical CVEs within 72 hours, high within 7 days, medium in the running sprint.

Found a vulnerability? Please use our responsible-disclosure procedure. We acknowledge receipt within 2 business days.

← Back to Trust Center

Last update: 2026-05-03 · Skill version 1.0

Cookies: We use necessary cookies for functionality and optional ones for improvements. Details

Necessary
Active
Analytics
Marketing