Library · git.company.com/secops/playbooks
6 playbooks · 26 uses this sprint
97% success across all playbooks · 1 ready for T1 promotion · 1 in draft. Last library update 2 days ago.
Active · 5 playbooks
spring-sql-injection@2.3
T1
Spring
Replaces unsafe String concatenation in JdbcTemplate.query() with parameterized queries. Covers CWE-89.
owner: @alice · updated 2w ago
CWE coverage
CWE-89 · CWE-564
Fix pattern · simplified · OrderRepository.java
// before
String q = "SELECT * FROM orders WHERE customer='" + id + "'";
return jdbc.query(q, mapper);
// after
String q = "SELECT * FROM orders WHERE customer = ?";
return jdbc.query(q, mapper, id);
Recent uses · 3 of 12
SEC-1745 · order-service · awaiting approval · today
SEC-1729 · order-service · auto-merged · 2d ago
SEC-1718 · billing · auto-merged · 5d ago
Regression tests included
SQL_INJECT_HAPPY · SQL_INJECT_BOUNDARY · SQL_INJECT_UNICODE
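The simplified fix pattern above covers the single-value case. The example below is an added illustration, not code from the playbook or from order-service, and it goes one step further: it shows the two shapes the `?` placeholder does not handle directly, an IN list and a caller-chosen ORDER BY column. Values are still bound as parameters (Spring's NamedParameterJdbcTemplate expands a collection bound to `:statuses` into one placeholder per element); the column name, which cannot be a bound parameter, is taken from a fixed allow-list instead of the request. The `Order` record, `OrderQueries` class and column names are assumptions for the example.

```java
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

// Added example: assumed class and schema, not the real OrderRepository.
public class OrderQueries {
    public record Order(long id, String customer, String status) {}

    private static final RowMapper<Order> MAPPER = (rs, rowNum) ->
        new Order(rs.getLong("id"), rs.getString("customer"), rs.getString("status"));

    // Identifiers cannot be bound as parameters, so the sort column is chosen
    // from this allow-list; the user-supplied key never reaches the SQL string.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
        "date", "created_at",
        "total", "total_cents");

    private final NamedParameterJdbcTemplate jdbc;

    public OrderQueries(DataSource ds) {
        this.jdbc = new NamedParameterJdbcTemplate(ds);
    }

    public List<Order> forCustomerWithStatus(String customer, List<String> statuses, String sortKey) {
        String column = SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unknown sort key: " + sortKey);
        }
        // An empty collection would expand to "IN ()", which is invalid SQL; short-circuit instead.
        if (statuses == null || statuses.isEmpty()) {
            return List.of();
        }
        // customer and statuses are bound; only the allow-listed column is concatenated.
        String sql = "SELECT id, customer, status FROM orders "
            + "WHERE customer = :customer AND status IN (:statuses) "
            + "ORDER BY " + column;
        MapSqlParameterSource params = new MapSqlParameterSource()
            .addValue("customer", customer)
            .addValue("statuses", statuses);
        return jdbc.query(sql, params, MAPPER);
    }
}
```

Inputs such as `' OR 1=1 --` or Unicode look-alike quotes are sent to the driver as data, which is why the three regression tests above pass without any escaping in the repository; the only string that can alter query structure is the sort column, and that one is never user-controlled.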
spring-csrf@1.2
T2
Spring
Ready T1
Adds missing @EnableWebSecurity CSRF token configuration. Covers CWE-352. Currently in use on SEC-1747.
Ready for T1 promotion — 5 uses, 100% success. Approved at last retro. Awaiting @j.reviewer to apply policy change.
owner: @j.reviewer · updated 9d ago
sha256-migration@1.4
T1
Generic
Replaces MessageDigest.getInstance("SHA-1") and MD5 with SHA-256. Migrates stored hashes via background job. Covers CWE-327.
owner: @j.reviewer · updated 3w ago
path-traversal@1.0
T2
Generic
Wraps user-supplied paths with Path.normalize() and validates against allowed base directory. Covers CWE-22, CWE-23.
owner: @alice · updated 3w ago
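The description above names the two steps, normalize and validate against the base directory. The following is an added example of that check in plain JDK code, not the playbook's own transform, and it makes two points the one-line summary leaves implicit: the comparison must use `Path.startsWith` (whole path segments, so `/srv/files2` does not match a base of `/srv/files`), and an absolute user path must be rejected as well, since `base.resolve("/etc/passwd")` simply returns `/etc/passwd`. The class name, the temporary directory and the sample inputs are constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: assumed helper, not the playbook's generated code.
public final class SafePathResolver {
    private final Path base;

    public SafePathResolver(Path base) throws IOException {
        // Canonicalise once: toRealPath() resolves symlinks and fails if base does not exist.
        this.base = base.toRealPath();
    }

    /** Resolves a user-supplied path inside base; throws if it would escape. */
    public Path resolve(String userPath) {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid path");
        }
        // resolve() then normalize(): "sub/../../x" becomes base's parent, an absolute
        // input replaces base entirely; both fail the startsWith check below.
        Path candidate = base.resolve(userPath).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + userPath);
        }
        return candidate;
    }

    /** For paths that must already exist: follow symlinks and re-check the real location. */
    public Path resolveExisting(String userPath) throws IOException {
        Path real = resolve(userPath).toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes base directory: " + userPath);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("uploads");   // constructed base for the demo
        SafePathResolver r = new SafePathResolver(tmp);
        String[] inputs = {
            "report.pdf", "2024/q1.csv",            // accepted
            "../../etc/passwd", "/etc/passwd",      // classic and absolute traversal
            "sub/../../escape.txt"                  // escapes only after normalization
        };
        for (String in : inputs) {
            try {
                System.out.println("ok   " + r.resolve(in));
            } catch (RuntimeException e) {
                System.out.println("deny " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

`resolve` alone is sufficient for paths that are about to be created; for reads of existing files, `resolveExisting` closes the remaining gap where a symlink inside the base points outside it.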
hardcoded-secret@1.1
T2
Generic
Extracts hardcoded API keys / JDBC passwords to ${env.SECRET} placeholders, opens a Vault PR alongside. Covers CWE-798.
1 failure: secret rotation conflict
Draft · 1 playbook
spring-jsp-xss@0.4-draft
Draft
Spring
Escapes JSP output with <c:out> and fn:escapeXml. Targets CWE-79. 3 findings blocked on this playbook landing.
owner: @alice · from Sprint 7 Planning