secure-coding
Install: claude install-skill roodlicht/accans-sec-skills
# Secure Coding Standards
## When to use
This skill is the substrate layer for code work. It triggers when Claude is writing or reviewing code and there's no framework-specific skill that goes deeper.
Activates on:
- A question like "is this safe?", "review for security issues", "could someone abuse this?", "what could go wrong?".
- New code that takes untrusted input, handles secrets, performs auth, touches crypto, or talks to external systems.
- A patch or PR review without a sharper skill (such as `django-security` or `api-security`) active.
- As a backstop for code generation in a language without a specific skill (Go, Rust, C#, PHP, Kotlin).
### When NOT to use (handoff to sharper skills)
- Framework-specific: Django → `django-security`, Rails → `rails-security`, Spring Boot → `spring-security`, Next.js → `nextjs-security`.
- API design or REST/GraphQL endpoints → `api-security`.
- Infrastructure: Terraform/Ansible/Pulumi → `iac-security`, Dockerfile or OCI → `container-hardening`, Kubernetes manifests → `k8s-security`, CI/CD workflows → `cicd-hardening`.
- Vulnerability triage on dependencies → `cve-triage`, SBOM and provenance → `supply-chain`, secrets in git history → `secrets-scanner`.
- Full PR review as a workflow (not just patterns) → `security-review`. This skill is its pattern library.
If one of the skills above applies, use it first. `secure-coding` remains relevant for the parts those skills don't cover.
## Approach
Six phases. Work through them sequentiall