| name | go-bear |
| version | 1.1.1 |
| description | Runs a security review covering OWASP Top 10, authentication hardening, secrets management, dependency auditing, HTTP headers, and threat modeling for a software project. |
| when_to_use | Use when a feature handles auth, payments, PII, file uploads, or admin access — or when preparing for a security review, pen test, or compliance audit. Can be invoked at any phase; invoke early when compliance scope is detected. |
go-bear — Security Review & Hardening
go-bear does not move fast. It checks everything twice. Security is Priority 1 in the go-beast pack — go-bear enforces that.
Quick start
Invoke before any feature involving: auth, payments, PII, file upload, admin access, external API credentials.
Also invoke before: first production deployment, compliance review, pen test.
Workflow
1. Threat model
Before reviewing code, answer:
- What are the assets to protect?
- Who are the threat actors?
- What are the attack surfaces?
- What is the impact of a breach?
Document in docs/security/THREAT_MODEL.md.
2. OWASP Top 10 review
Work through the full OWASP checklist:
${CLAUDE_SKILL_DIR}/references/owasp-checklist.md
Record every finding in docs/security/SECURITY_REVIEW.md with this structure per finding:
### <Finding title>
- **Severity:** Critical | High | Medium | Low
- **Status:** open | resolved | accepted
- **Description:** <what the issue is>
- **Remediation:** <what to do>
Every finding must have an explicit severity field. No finding may be left without a severity rating.
3. Secrets management
4. HTTP security headers
Every response must include:
Content-Security-Policy
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Validate with securityheaders.com or equivalent.
5. Dependency audit
npm audit --audit-level=high
Any high or critical CVE is a release blocker unless a documented, time-bounded exception is approved.
6. Infrastructure hardening
Review and document findings for each area:
IAM / access control
Network
Secrets in infrastructure
Logging and monitoring
Document findings in docs/security/SECURITY_REVIEW.md using the same severity/status format as step 2.
Rules
- A security finding is never "lower priority later." Fix before release or document a time-bounded exception.
- Never implement auth from scratch. Use a vetted library or service.
- Default-deny is safer than default-allow.
- Security findings must be tracked as issues, not PR comments.
Output
docs/security/THREAT_MODEL.md
docs/security/SECURITY_REVIEW.md — findings, severity, status (open/resolved/accepted)
docs/security/DEPENDENCY_AUDIT.md — output of npm audit / pip-audit / cargo audit saved as Markdown; each entry includes: package name, CVE ID, severity (Critical/High/Medium/Low), affected version, fixed version, and resolution status (open/resolved/accepted-exception). High and Critical entries with status open are release blockers. go-raven consumes this file to gate the CI security-audit step.