| name | differential-review |
| description | Security-focused review of code diffs and PRs with surface classification and Semgrep on changed files. Use when reviewing pull requests, branch diffs, or validating security regressions before merge. |
When to use
- reviewing pull requests, branch diffs, or validating security regressions before merge
On-demand loading: Read this skill only when reviewing diffs or PRs for security impact. Do not load for unrelated work.
Related: Full audit → security-review. Staff gate → tech-lead-review. Pre-done smoke → review-and-secure.
Differential Security Review Skill
Use this skill to perform a security-focused review of code changes (diffs). Invoke when reviewing pull requests, auditing a feature branch, or validating that a changeset does not introduce security regressions.
Trigger phrases
- "review this diff for security"
- "security review of changes"
- "audit the PR"
- "check what changed for vulnerabilities"
- "differential security review"
Skill instructions
Step 1: Obtain the diff
Get the changeset to review via one of:
git diff HEAD
git diff main...feature-branch
git diff <base-sha>..<head-sha>
git diff --cached
Or use the user-github MCP to fetch a PR diff directly.
Step 2: Classify changed surfaces
For each changed file, classify the security surface using the table in references/review-surfaces.md.
Step 3: Security-focused diff review
For each high/critical surface change, apply the checklist from references/review-surfaces.md covering: Authentication & Authorization, Injection, Secrets & Credentials, Data Exposure, Dependencies, and Logic & Business Rules.
Step 4: Run targeted static analysis
For changed files, run Semgrep on just the diff scope:
CHANGED=$(git diff --name-only HEAD)
semgrep --config p/security-audit --config p/secrets $CHANGED
Or invoke the semgrep-audit skill on the changed file set.
Step 5: Report
Structure the report as:
## Differential Security Review
**Base:** <base ref>
**Head:** <head ref>
**Changed files:** N
**Security-relevant surfaces touched:** <list>
---
### Critical Issues (must fix before merge)
...
### High Issues (should fix before merge)
...
### Medium Issues (fix in follow-up)
...
### Positive Security Changes
(changes that improve security posture)
...
### Verdict
- [ ] **APPROVED** — no security concerns found
- [ ] **APPROVED WITH CONDITIONS** — minor issues to address
- [ ] **NEEDS CHANGES** — significant issues require remediation
- [ ] **BLOCKED** — critical security issues found
Notes
- This skill draws from Trail of Bits' differential review methodology. Their full methodology (
methodology.md, adversarial.md, cognitive-biases.md) documents an adversarial review mindset not included here.
- Key principle from ToB: review changes from an attacker's perspective, not a developer's perspective.
- Pay extra attention to: removed security controls, new code paths that bypass existing checks, and changes to error handling that might swallow security exceptions.
- For cryptographic changes, always consult a cryptography specialist.