| name | security-review |
| description | Security review checklist for code changes. Automatically activates when reviewing security-sensitive code, authentication, authorization, or data handling. Use when user asks to "check security", "review for vulnerabilities", "audit code", or when changes touch auth, crypto, user input, or API endpoints. |
| allowed-tools | Read, Grep, Glob |
| metadata | {"author":"ken2403","version":"1.2.0"} |
Security Review Checklist
Apply these security checks when reviewing or writing code that handles sensitive operations.
Instructions
Step 1: Identify Security-Sensitive Areas
Scan the changed files for:
- Authentication / authorization logic
- User input handling
- Database queries
- API endpoints
- File operations
- Cryptographic operations
- Secrets / credentials
Step 2: Check Security Controls
Review authentication, authorization, and input validation controls.
For the detailed checklist, consult references/checklist.md.
Step 3: Scan for Dangerous Patterns
Use Grep to search for these red-flag patterns in the codebase:
eval(user_input) # Code injection
exec(user_input) # Code injection
os.system(user_input) # Command injection
f"SELECT * FROM {table}" # SQL injection
innerHTML = userData # XSS
password = "hardcoded" # Hardcoded secret
verify=False # SSL verification disabled
shell=True # Shell injection risk
pickle.loads( # Unsafe deserialization
yaml.load( # Unsafe YAML loading
For complete vulnerability patterns and secure alternatives, consult references/vulnerabilities.md.
Step 4: Verify Data Protection
- Sensitive data encrypted at rest and in transit (TLS)
- No secrets in source code (use environment variables or vault)
- No sensitive data in logs
- PII handled according to regulations
- API keys rotatable, different per environment
Step 5: Validate Findings
For each flagged issue:
- Use Grep to check if the pattern is mitigated elsewhere (middleware, wrappers, framework protections)
- Check framework-level protections before reporting (e.g., Django ORM, React JSX auto-escaping)
- Verify the input source — internal/trusted sources may not need the same controls
- Classify severity:
- Critical: Remote code execution, authentication bypass, data breach
- High: SQL injection, XSS, privilege escalation
- Medium: Missing rate limiting, verbose error messages, weak encryption
- Low: Informational findings, minor configuration issues
Step 6: Final Security Checklist
Report Format
For each finding:
- Severity: Critical / High / Medium / Low
- Location: file:line
- Issue: Brief description
- Suggestion: Specific fix or secure alternative
Examples
Example 1: SQL Injection Prevention
query = f"SELECT * FROM users WHERE name = '{user_input}'"
query = "SELECT * FROM users WHERE name = %s"
cursor.execute(query, (user_input,))
Example 2: XSS Prevention
element.innerHTML = userComment;
element.textContent = userComment;
element.innerHTML = DOMPurify.sanitize(userComment);
Example 3: Secret Management
API_KEY = "sk-abc123..."
API_KEY = os.environ["API_KEY"]
Common Issues
If security review seems incomplete:
- Use Grep to find all usages of the flagged pattern across the codebase
- Check framework-level middleware (auth, CSRF, etc.)
- Consult
references/vulnerabilities.md for the full OWASP Top 10 mapping
