Security-focused code review mapped to OWASP Top 10 and ASVS. Use when reviewing pull requests, auditing files or modules for vulnerabilities, or performing pre-merge security gate checks. Covers injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Security-focused code review mapped to OWASP Top 10 and ASVS. Use when reviewing pull requests, auditing files or modules for vulnerabilities, or performing pre-merge security gate checks. Covers injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization.
license
CC-BY-4.0
Security Code Review
Review code for security vulnerabilities by following the full procedure in plays/code-review-security.md.
Steps
Scope & Context — Establish language/framework, trust boundary (server/client/library/CLI), data sensitivity (PII, credentials, financial), and exposure (internet-facing, internal, local).
Systematic Review by Vulnerability Class (priority order):
Diff-Specific Analysis (for PRs) — Focus on changed lines plus context, verify security controls preserved, check new endpoints match auth patterns, look for removed security controls.
Produce Findings — Cite file:line, show vulnerable snippet, explain attack scenario, provide fixed code, rate confidence.
Output
Scope summary, findings sorted by severity using templates/finding.md, positive observations (good security controls in place), and severity count table.