Map sensitive data flows for security
data-flow-tracer (subagent, setup) L3 ★26
edspencer/herdctl
What it does
Trace user-controlled data flows from entry points to sensitive sinks
Best for
Security audits where a complete source-to-sink data-flow picture and the discovery of validation gaps matter more than a plain list of endpoints
Inputs
- Codebase and its untrusted entry points (CLI args, config files, env vars)
- Sensitive sinks to trace into (shell exec, file I/O, Docker API calls)
Outputs
- Complete data flow paths (source to sink)
- Validation/sanitization points identified
- Validation gaps flagged
- Risk assessment (HIGH/MEDIUM/LOW)
Requires
- Read
- Bash (grep/find)
- Glob
- Write
Preconditions
Source and sink lists identified; codebase structure understood; trust boundaries documented
Failure modes
Indirect flows (through globals, callbacks, or serialized state) missed; validation gaps overlooked; flows through external libraries untraced; trust boundaries assumed where none actually exist
Trust signals
- File paths at every flow step
- Validation status explicit (untrusted vs validated)
- Risk level justified with reasoning
- Findings feed security audit orchestrators
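The Outputs and Trust signals above describe what a finding from this subagent should contain: the full source-to-sink path with a file path at every hop, the sanitizer that sits on the path (if any), an explicit untrusted/validated status, and a risk level with a reason. The following is an added example that is not herdctl's code and not the subagent's own implementation: a minimal intra-procedural taint tracer over Python ASTs that produces findings in that shape. The source, sanitizer and sink catalogues, the risk heuristic, and the target program `SAMPLE` are all assumptions constructed for the demo.

```python
"""Minimal source-to-sink taint tracer over Python ASTs (added example, not herdctl code)."""
import ast
from dataclasses import dataclass, field
# Assumed catalogues; the tracer's preconditions require these lists to be identified up front.
SOURCES = {"sys.argv", "os.environ", "os.environ.get", "os.getenv"}
SANITIZERS = {"shlex.quote", "os.path.basename", "int"}
SINKS = {"os.system": "shell exec", "subprocess.run": "shell exec", "subprocess.call": "shell exec",
         "open": "file I/O", "client.containers.run": "Docker API"}

@dataclass
class Taint:
    source: str
    validated: bool = False
    path: list = field(default_factory=list)   # "file:line: step" recorded at every hop

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def taint_of(expr, env, file):
    """Taint carried by an expression, or None. Data flow only; branch conditions are not modelled."""
    if isinstance(expr, ast.Subscript): return taint_of(expr.value, env, file)   # sys.argv[1]
    if isinstance(expr, ast.Name): return env.get(expr.id)
    name = dotted(expr)
    if name in SOURCES: return Taint(name, path=[f"{file}:{expr.lineno}: read from {name}"])
    if isinstance(expr, ast.Call):
        fname = dotted(expr.func)
        if fname in SOURCES: return Taint(fname, path=[f"{file}:{expr.lineno}: read from {fname}"])
        for arg in expr.args + [k.value for k in expr.keywords]:
            t = taint_of(arg, env, file)
            if t and fname in SANITIZERS:                # a validation point on the path
                return Taint(t.source, True, t.path + [f"{file}:{expr.lineno}: sanitized by {fname}"])
            if t: return t                               # any other call passes taint through
        return None
    if isinstance(expr, (ast.BinOp, ast.JoinedStr, ast.FormattedValue)):
        for child in ast.iter_child_nodes(expr):         # "prefix" + x, f"...{x}"
            t = taint_of(child, env, file)
            if t: return t
    return None

def own_calls(stmt):  # calls in the statement's own expressions, not in its nested statement blocks
    for n in (v for f in ast.iter_fields(stmt) for v in (f[1] if isinstance(f[1], list) else [f[1]])):
        if isinstance(n, ast.AST) and not isinstance(n, (ast.stmt, ast.excepthandler)):
            yield from (c for c in ast.walk(n) if isinstance(c, ast.Call))

def risk(category, validated):
    """Heuristic: execution sinks outrank file access; a sanitizer on the path lowers one step."""
    base = "HIGH" if category in ("shell exec", "Docker API") else "MEDIUM"
    level = {"HIGH": "MEDIUM", "MEDIUM": "LOW"}[base] if validated else base
    return level, f"{category} sink reached by {'sanitized' if validated else 'unvalidated'} input"

def trace(src, file="app.py"):
    """Per function, in source order: propagate taint through assignments and report it at sinks."""
    findings = []
    for fn in [n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)]:
        env = {}  # variable -> Taint; nested defs are flattened into the enclosing function
        stmts = [n for n in ast.walk(fn) if isinstance(n, ast.stmt) and n is not fn]
        for stmt in sorted(stmts, key=lambda n: (n.lineno, n.col_offset)):
            for call in own_calls(stmt):
                sname = dotted(call.func)
                args = call.args + [k.value for k in call.keywords] if sname in SINKS else []
                for t in filter(None, (taint_of(a, env, file) for a in args)):
                    level, why = risk(SINKS[sname], t.validated)
                    findings.append({"function": fn.name, "source": t.source, "sink": sname,
                                     "validated": t.validated, "validation_gap": not t.validated,
                                     "risk": level, "reason": why,
                                     "path": t.path + [f"{file}:{call.lineno}: reaches {sname}"]})
                    break                                # one finding per sink call
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                name, t = stmt.targets[0].id, taint_of(stmt.value, env, file)
                if t is None:
                    env.pop(name, None)                  # overwritten by a clean value
                else:
                    env[name] = Taint(t.source, t.validated, t.path + [f"{file}:{stmt.lineno}: assigned to {name}"])
    return findings

# Constructed target program (not real code) with one flow into each sink kind.
SAMPLE = '''\
import os, sys
def run_backup():
    target = sys.argv[1]
    os.system("tar czf /tmp/b.tgz " + target)
def show_log():
    name = os.getenv("LOG_NAME")
    safe = os.path.basename(name)
    with open("/var/log/" + safe) as f:
        return f.read()
def exec_in_container(client):
    cmd = os.environ["CMD"]
    client.containers.run("alpine", cmd)
'''

if __name__ == "__main__":
    for f in trace(SAMPLE):
        print(f"{f['risk']} {f['function']}: {f['source']} -> {f['sink']}; {f['reason']}\n  " + "\n  ".join(f["path"]))
```

On `SAMPLE` this reports three flows: `sys.argv` into `os.system` (HIGH, no validation), `os.getenv` through `os.path.basename` into `open` (LOW, validated), and `os.environ` into the Docker API (HIGH, no validation), each with a `file:line` entry for every hop. The failure modes listed above show up directly as limitations of this design: it only follows straight-line assignments inside one function, so flows through globals, callbacks, return values of other functions, or external libraries are missed, and treating anything in `SANITIZERS` as sufficient is exactly the kind of false trust boundary that needs a human check (`os.path.basename` stops traversal but not access to every file in that directory).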