| name | security-review |
| description | Use when reviewing code for vulnerabilities, implementing authentication or authorization, handling user input, storing sensitive data, or before any feature that touches security boundaries goes to production |
Security Review
Overview
Security is not a feature — it's a property of the entire system.
Review security boundaries systematically, not ad-hoc.
When to Use
- Authentication, authorization, session management code
- Any user input that touches storage, commands, or rendering
- Secrets, credentials, API keys in code or config
- Before a security-sensitive feature ships
- After any change to auth flows or data access controls
OWASP Top 10 Checklist
Work through these for every security-relevant code change:
A01 - Broken Access Control
A02 - Cryptographic Failures
A03 - Injection
A04 - Insecure Design
A05 - Security Misconfiguration
A06 - Vulnerable and Outdated Components
A07 - Authentication Failures
A08 - Software and Data Integrity
A09 - Logging and Monitoring
Common Vulnerabilities to Check
| Vulnerability | Check |
|---|
| SQL Injection | All queries parameterized? |
| XSS | All user content escaped before rendering? |
| CSRF | State-changing requests have CSRF protection? |
| Path traversal | File paths sanitized and validated? |
| Secret exposure | No hardcoded keys/tokens in code? |
| Mass assignment | Only allowed fields accepted from user input? |
Red Flags in Code
These patterns require immediate review:
eval(), exec(), system() with any user-influenced input
- String concatenation in SQL:
"SELECT * FROM users WHERE id = " + userId
innerHTML = userContent (XSS)
require(userInput) or dynamic imports with user data
- Secrets in
.env files committed to git
- MD5 or SHA1 for password hashing
Output
For each finding, document:
- Vulnerability type (OWASP category)
- Severity (Critical/High/Medium/Low)
- Location (file:line)
- Description (what's wrong and why)
- Fix (specific code change or pattern to use)
If no vulnerabilities found: output "Security Review: PASS. No issues found in [scope]. Reviewed: [list of OWASP categories checked]. Verified: [date and reviewer]."