원클릭으로
security-review
Apply OWASP top 10 and core security checks (injection, authz, secrets, exposure) to a change before issuing a review verdict.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Apply OWASP top 10 and core security checks (injection, authz, secrets, exposure) to a change before issuing a review verdict.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Keep commits atomic — split a mixed change set into scoped, reviewable commits.
The one-time procedure to take an exported project to live — understand it, confirm the name/goal/stack with the user, run the deterministic `aspis bootstrap`, enrich the judgment files (AGENTS.md, ARCHITECTURE, context), verify, and let the package self-clean. Followed by the bootstrap agent.
Keep per-subsystem architectural intent current through the planning loop — read before designing, record an impact report on change, confirm with the user, apply a dated update, and verify the build against approved intent.
Audit a plan's task dependency graph for structural integrity — circular dependencies, missing prerequisites, orphan tasks, and dependency classification (hard/soft/warning). Produces a pass/warn/fail audit report per dependency so planners catch graph errors before build starts.
Every editing agent should start on a clean working tree so parallel work never collides.
Verify hooks ran, no secrets, protected paths untouched, and commit message valid before committing. Owned by the reviewer.
| name | security-review |
| description | Apply OWASP top 10 and core security checks (injection, authz, secrets, exposure) to a change before issuing a review verdict. |
Evaluate a code change for security vulnerabilities before the reviewer issues a verdict. Covers the OWASP top 10 categories plus ASPIS-specific concerns (secret leakage, permission escalation, protected-path access). Security findings are always at least HIGH severity; a CRITICAL security finding is an automatic REJECTED verdict.
production — the Security dimension is Full.git diff + manual review (no secret-scanning tool assumed)..opencode/, .claude/,
rules/**, **/permissions*.yaml, or .aspis/current/active_feature.json?
If yes and no R-008 approval exists → CRITICAL finding.file:line — what's wrong — why — severity — fix — evidence.