Mayur Rathi
@github
⭐ 34.1k GitHub stars

Security-Review

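Security-Review is an AI skill for code. Its core value: AI-powered codebase security scanner that reasons about code like a security researcher — tracing data flows, understanding component interactions, and catching vulnerabilities that pattern-matching t. It can be used to solve practical problems developers face when working with code, helping users improve efficiency, automate repetitive tasks, or optimize workflows.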

Last verified on: 2026-05-30

mkdir -p ./skills/security-review && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/security-review/SKILL.md -o ./skills/security-review/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Security Review


An AI-powered security scanner that reasons about your codebase the way a human security researcher would — tracing data flows, understanding component interactions, and catching vulnerabilities that pattern-matching tools miss.


## When to Use This Skill


Use this skill when the request involves:


- Scanning a codebase or file for security vulnerabilities

- Running a security review or vulnerability check

- Checking for SQL injection, XSS, command injection, or other injection flaws

- Finding exposed API keys, hardcoded secrets, or credentials in code

- Auditing dependencies for known CVEs

- Reviewing authentication, authorization, or access control logic

- Detecting insecure cryptography or weak randomness

- Performing a data flow analysis to trace user input to dangerous sinks

- Any request phrasing like "is my code secure?", "scan this file", or "check my repo for vulnerabilities"

- Running `/security-review` or `/security-review <path>`


## How This Skill Works


Unlike traditional static analysis tools that match patterns, this skill:

1. **Reads code like a security researcher** — understanding context, intent, and data flow

2. **Traces across files** — following how user input moves through your application

3. **Self-verifies findings** — re-examines each result to filter false positives

4. **Assigns severity ratings** — CRITICAL / HIGH / MEDIUM / LOW / INFO

5. **Proposes targeted patches** — every finding includes a concrete fix

6. **Requires human approval** — nothing is auto-applied; you always review first


## Execution Workflow


Follow these steps **in order** every time:


### Step 1 — Scope Resolution

Determine what to scan:

- If a path was provided (`/security-review src/auth/`), scan only that scope

- If no path given, scan the **entire project** starting from the root

- Identify the language(s) and framework(s) in use (check package.json, requirements.txt, go.mod, Cargo.toml, pom.xml, Gemfile, composer.json, etc.)

- Read `references/language-patterns.md` to load language-specific vulnerability patterns


### Step 2 — Dependency Audit

Before scanning source code, audit dependencies first (fast wins):

- **Node.js**: Check `package.json` + `package-lock.json` for known vulnerable packages

- **Python**: Check `requirements.txt` / `pyproject.toml` / `Pipfile`

- **Java**: Check `pom.xml` / `build.gradle`

- **Ruby**: Check `Gemfile.lock`

- **Rust**: Check `Cargo.toml`

- **Go**: Check `go.sum`

- Flag packages with known CVEs, deprecated crypto libs, or suspiciously old pinned versions

- Read `references/vulnerable-packages.md` for a curated watchlist


### Step 3 — Secrets & Exposure Scan

Scan ALL files (including config, env, CI/CD, Dockerfiles, IaC) for:

- Hardcoded API keys, tokens, passwords, private keys

- `.env` files accidentally committed

- Secrets in comments or debug logs

- Cloud credentials (AWS, GCP, Azure, Stripe, Twilio, etc.)

- Database connection strings with credentials embedded

- Read `references/secret-patterns.md` for regex patterns and entropy heuristics to apply
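
A minimal sketch of the regex-plus-entropy approach this step refers to, added here as an example; it is not the skill's own code. The patterns, the 3.5-bit threshold and the sample lines are assumptions constructed for illustration, not the contents of `references/secret-patterns.md`.

```python
import math
import re
from collections import Counter

# Illustrative provider/format patterns (assumptions, not the skill's list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}
# Generic `name = value` where the name hints at a secret; the value is
# only reported if it also looks random (entropy check below).
ASSIGNMENT = re.compile(
    r"(?i)\b[\w.-]*(?:secret|token|passw(?:or)?d|api[_-]?key)[\w.-]*"
    r"\s*[:=]\s*['\"]?([^\s'\"#]{12,})")
# Values that are references or placeholders, not literals.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{.*\}|<.*>|x+|changeme.*|example.*|your[_-].*)$")

def shannon_entropy(s):
    """Bits per character of s; random tokens score high, words score low."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_line(line, min_entropy=3.5):
    findings = [name for name, rx in PATTERNS.items() if rx.search(line)]
    m = ASSIGNMENT.search(line)
    if m:
        value = m.group(1)
        if not PLACEHOLDER.match(value) and shannon_entropy(value) >= min_entropy:
            findings.append("high_entropy_assignment")
    return findings

def scan_text(text):
    """Return (line_number, finding) pairs for every hit in text."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in scan_line(line)]

# Constructed sample input; the AWS key is the documentation example value.
SAMPLE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:s3cr3tpw@db.internal:5432/orders
API_TOKEN = "q7Zr2LkX9vTb4NmW8sYd1HcF"
PASSWORD=${DB_PASSWORD}
api_key = "changeme-please"
# password rotation is handled by the ops team
"""

if __name__ == "__main__":
    for lineno, finding in scan_text(SAMPLE):
        print(f"line {lineno}: {finding}")
```

The placeholder filter and entropy floor are what keep `${DB_PASSWORD}`, `changeme-please` and the prose comment out of the results; a regex-only scan would flag the first two.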


### Step 4 — Vulnerability Deep Scan

This is the core scan. Reason about the code — don't just pattern-match.

Read `references/vuln-categories.md` for full details on each category.


**Injection Flaws**

- SQL Injection: raw queries with string interpolation, ORM misuse, second-order SQLi

- XSS: unescaped output, dangerouslySetInnerHTML, innerHTML, template injection

- Command Injection: exec/spawn/system with user input

- LDAP, XPath, Header, Log injection


**Authentication & Access Control**

- Missing authentication on sensitive endpoints

- Broken object-level authorization (BOLA/IDOR)

- JWT weaknesses (alg:none, weak secrets, no expiry validation)

- Session fixation, missing CSRF protection

- Privilege escalation paths

- Mass assignment / parameter pollution


**Data Handling**

- Sensitive data in logs, error messages, or API responses

- Missing encryption at rest or in transit

- Insecure deserialization

- Path traversa

🎯 Best For

  • Engineering teams doing code reviews
  • Open source maintainers
  • Security auditors
  • DevSecOps teams
  • Compliance officers

💡 Use Cases

  • Reviewing pull requests for security vulnerabilities
  • Checking code style consistency
  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps

📖 How to Use This Skill

  1. Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. Load into Your AI Assistant

    Open Claude or GitHub Copilot and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. Apply Security-Review to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Does this skill check for OWASP Top 10?

Security-focused review skills often include OWASP checks. Check the skill content for specific vulnerability categories covered.

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Is Security-Review compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Security-Review?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Security-Review?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/security-review/SKILL.md, ready to use.

⚠️ Common Mistakes to Avoid

Blindly accepting AI suggestions

Always verify AI-generated review comments. Some suggestions may not apply to your specific codebase conventions.

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.
