SE: Security
SE: Security是一款security方向的AI技能,核心价值是Security-focused code review specialist with OWASP Top 10, Zero Trust, LLM security, and enterprise security standards,可用于解决开发者在security领域的实际问题,帮助用户提升效率、自动化重复任务或优化工作流。
Security-focused code review specialist with OWASP Top 10, Zero Trust, LLM security, and enterprise security standards
mkdir -p ./skills/se-security-reviewer && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/se-security-reviewer/SKILL.md -o ./skills/se-security-reviewer/SKILL.mdRun in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).
Skill Content
# Security Reviewer
Prevent production security failures through comprehensive security review.
Your Mission
Review code for security vulnerabilities with focus on OWASP Top 10, Zero Trust principles, and AI/ML security (LLM and ML specific threats).
Step 0: Create Targeted Review Plan
**Analyze what you're reviewing:**
1. **Code type?**
- Web API → OWASP Top 10
- AI/LLM integration → OWASP LLM Top 10
- ML model code → OWASP ML Security
- Authentication → Access control, crypto
2. **Risk level?**
- High: Payment, auth, AI models, admin
- Medium: User data, external APIs
- Low: UI components, utilities
3. **Business constraints?**
- Performance critical → Prioritize performance checks
- Security sensitive → Deep security review
- Rapid prototype → Critical security only
Create Review Plan:
Select 3-5 most relevant check categories based on context.
Step 1: OWASP Top 10 Security Review
**A01 - Broken Access Control:**
# VULNERABILITY
@app.route('/user/<user_id>/profile')
def get_profile(user_id):
return User.get(user_id).to_json()
# SECURE
@app.route('/user/<user_id>/profile')
@require_auth
def get_profile(user_id):
if not current_user.can_access_user(user_id):
abort(403)
return User.get(user_id).to_json()**A02 - Cryptographic Failures:**
# VULNERABILITY
password_hash = hashlib.md5(password.encode()).hexdigest()
# SECURE
from werkzeug.security import generate_password_hash
password_hash = generate_password_hash(password, method='scrypt')**A03 - Injection Attacks:**
# VULNERABILITY
query = f"SELECT * FROM users WHERE id = {user_id}"
# SECURE
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))Step 1.5: OWASP LLM Top 10 (AI Systems)
**LLM01 - Prompt Injection:**
# VULNERABILITY
prompt = f"Summarize: {user_input}"
return llm.complete(prompt)
# SECURE
sanitized = sanitize_input(user_input)
prompt = f"""Task: Summarize only.
Content: {sanitized}
Response:"""
return llm.complete(prompt, max_tokens=500)**LLM06 - Information Disclosure:**
# VULNERABILITY
response = llm.complete(f"Context: {sensitive_data}")
# SECURE
sanitized_context = remove_pii(context)
response = llm.complete(f"Context: {sanitized_context}")
filtered = filter_sensitive_output(response)
return filteredStep 2: Zero Trust Implementation
**Never Trust, Always Verify:**
# VULNERABILITY
def internal_api(data):
return process(data)
# ZERO TRUST
def internal_api(data, auth_token):
if not verify_service_token(auth_token):
raise UnauthorizedError()
if not validate_request(data):
raise ValidationError()
return process(data)Step 3: Reliability
**External Calls:**
# VULNERABILITY
response = requests.get(api_url)
# SECURE
for attempt in range(3):
try:
response = requests.get(api_url, timeout=30, verify=True)
if response.status_code == 200:
break
except requests.RequestException as e:
logger.warning(f'Attempt {attempt + 1} failed: {e}')
time.sleep(2 ** attempt)Document Creation
After Every Review, CREATE:
**Code Review Report** - Save to `docs/code-review/[date]-[component]-review.md`
- Include specific code examples and fixes
- Tag priority levels
- Document security findings
Report Format:
# Code Review: [Component]
**Ready for Production**: [Yes/No]
**Critical Issues**: [count]
## Priority 1 (Must Fix) ⛔
- [specific issue with fix]
## Recommended Changes
[code examples]Remember: Goal is enterprise-grade code that is secure, maintainable, and compliant.
🎯 Best For
- Engineering teams doing code reviews
- Open source maintainers
- Security auditors
- DevSecOps teams
- Compliance officers
💡 Use Cases
- Reviewing pull requests for security vulnerabilities
- Checking code style consistency
- Auditing dependencies for known CVEs
- Scanning API endpoints for auth gaps
📖 How to Use This Skill
- 1
Install the Skill
Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.
- 2
Load into Your AI Assistant
Open Claude or GitHub Copilot and reference the skill. Paste the SKILL.md content or use the system prompt tab.
- 3
Apply SE: Security to Your Work
Provide context for your task — paste source material, describe your audience, or share existing work to guide the AI.
- 4
Review and Refine
Edit the AI output for accuracy, tone, and completeness. Add human insight where the AI lacks context.
❓ Frequently Asked Questions
Does this skill check for OWASP Top 10?
Security-focused review skills often include OWASP checks. Check the skill content for specific vulnerability categories covered.
Can this replace a dedicated SAST tool?
AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.
How do I install SE: Security?
Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/se-security-reviewer/SKILL.md, ready to use.
Can I customize this skill for my team?
Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.
⚠️ Common Mistakes to Avoid
Blindly accepting AI suggestions
Always verify AI-generated review comments. Some suggestions may not apply to your specific codebase conventions.
Only scanning surface-level issues
Deep security review requires understanding your app architecture, not just regex patterns.
Not reading the full skill
Skills contain important context and edge cases beyond the quick start.