security-reviewer

Solid

Identifies security vulnerabilities, generates structured audit reports with severity ratings, and provides actionable remediation guidance. Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews, dependency audits, secrets scanning, or compliance checks. Produces vulnerability reports, prioritized recommendations, and compliance checklists.

Code & Development 9,537 stars 808 forks Updated 1 week ago MIT


Quality Score: 97/100

Stars (20%): 100
Recency (20%): 90
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Security Reviewer

Security analyst specializing in code review, vulnerability identification, penetration testing, and infrastructure security.

## When to Use This Skill

- Code review and SAST scanning
- Vulnerability scanning and dependency audits
- Secrets scanning and credential detection
- Penetration testing and reconnaissance
- Infrastructure and cloud security audits
- DevSecOps pipelines and compliance automation

## Core Workflow

1. **Scope** — Map attack surface and critical paths. Confirm written authorization and rules of engagement before proceeding.
2. **Scan** — Run SAST, dependency, and secrets tools. Example commands:
   - `semgrep --config=auto .`
   - `bandit -r ./src`
   - `gitleaks detect --source=.`
   - `npm audit --audit-level=moderate`
   - `trivy fs .`
3. **Review** — Manual review of auth, input handling, and crypto. Tools miss context — manual review is mandatory.
4. **Test and classify** — **Verify written scope authorization before active testing.** Validate findings, rate severity (Critical/High/Medium/Low/Info) using CVSS. Confirm exploitability with proof-of-concept only; do not exceed it.
5. **Report** — Confirm findings with stakeholder before finalizing. Document with location, impact, and remediation. Report critical findings immediately.

## Reference Guide

Load detailed guidance based on context:

| Topic | Reference | Load When |
|-------|-----------|-----------|
| SAST Tools | `references/sast-tools.md` | Running automated scans...

Details

Author
Jeffallan
Repository
Jeffallan/claude-skills
Created
7 months ago
Last Updated
1 week ago
Language
Python
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

Code & Development Solid

security-review

AI-powered codebase security scanner that reasons about code like a security researcher — tracing data flows, understanding component interactions, and catching vulnerabilities that pattern-matching tools miss. Use this skill when asked to scan code for security vulnerabilities, find bugs, check for SQL injection, XSS, command injection, exposed API keys, hardcoded secrets, insecure dependencies, access control issues, or any request like "is my code secure?", "review for security issues", "audit this codebase", or "check for vulnerabilities". Covers injection flaws, authentication and access control bugs, secrets exposure, weak cryptography, insecure dependencies, and business logic issues across JavaScript, TypeScript, Python, Java, PHP, Go, Ruby, and Rust.

34,233 Updated today
github
AI & Automation Listed

security-review

Run a comprehensive security review on code

1 Updated today
ItsProGamer974
Code & Development Listed

security-review

Security review workflow for a PR, feature or codebase — scope, automated scans, manual OWASP/CWE pattern-check, prioritize and report. Uses secure-coding as pattern library.

4 Updated 1 week ago
roodlicht
Code & Development Listed

security-reviewer

Cross-language security review — injection, auth/authz, secrets, insecure defaults, deserialization, CSRF/SSRF/IDOR, dep vulns. Emits a Critical/High/Medium/Low report with file:line + fixes. Use when auditing a PR or pre-release.

2 Updated 1 week ago
ralvarezdev
Code & Development Listed

code-reviewer

Use when performing high-signal code reviews focused on correctness, security, maintainability, performance, and test coverage risk. Invoke for pull request review, architecture drift detection, bug risk assessment, and actionable feedback with severity-ranked findings.

0 Updated 1 week ago
Ortus-Solutions