| name | security-review |
| description | Systematic checklist and process for reviewing code for security vulnerabilities |
Security Review Process
Review Checklist
On every review, systematically check for:
- Injection flaws — SQL, NoSQL, OS command, LDAP injection
- Broken authentication — weak session management, credential exposure
- Sensitive data exposure — plaintext storage, weak crypto, missing TLS
- Broken access control — IDOR, privilege escalation, missing authorization
- Security misconfiguration — default credentials, verbose errors, open CORS
- Cross-Site Scripting — reflected, stored, DOM-based XSS
- Insecure deserialization — untrusted data deserialization
- Vulnerable components — outdated dependencies with known CVEs
- Hardcoded secrets — API keys, passwords, tokens, private keys
Review Steps
- Read the diff completely before making any comments
- Check each changed file against the checklist above
- For each finding: identify CWE, assess severity, write remediation
- Review dependency changes against vulnerability databases
- Verify error handling doesn't leak internal details
- Summarize findings by severity (Critical → Low)