Security-focused code review mapped to OWASP Top 10 and ASVS. Use when reviewing pull requests, auditing files or modules for vulnerabilities, or performing pre-merge security gate checks. Covers injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization.
설치
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Security-focused code review mapped to OWASP Top 10 and ASVS. Use when reviewing pull requests, auditing files or modules for vulnerabilities, or performing pre-merge security gate checks. Covers injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization.
license
CC-BY-4.0
Security Code Review
Review code for security vulnerabilities by following the full procedure in plays/code-review-security.md.
Steps
Scope & Context — Establish language/framework, trust boundary (server/client/library/CLI), data sensitivity (PII, credentials, financial), and exposure (internet-facing, internal, local).
Systematic Review by Vulnerability Class (priority order):
Diff-Specific Analysis (for PRs) — Focus on changed lines plus context, verify security controls preserved, check new endpoints match auth patterns, look for removed security controls.
Produce Findings — Cite file:line, show vulnerable snippet, explain attack scenario, provide fixed code, rate confidence.
Output
Scope summary, findings sorted by severity using templates/finding.md, positive observations (good security controls in place), and severity count table.