performing-security-code-review

Performing Security Code Review

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "performing-security-code-review" with this command: npx skills add jeremylongshore/claude-code-plugins-plus-skills/jeremylongshore-claude-code-plugins-plus-skills-performing-security-code-review

Performing Security Code Review

Overview

Conducts security-focused code reviews by scanning source files for common vulnerability patterns including SQL injection, XSS, authentication flaws, insecure dependencies, and secret exposure. Produces structured severity-rated reports with specific remediation guidance.

Prerequisites

  • Read access to all source files in the target project

  • grep available on PATH for pattern matching

  • Access to package.json or equivalent dependency manifest for dependency auditing

  • Familiarity with OWASP Top 10 vulnerability categories

Instructions

  • Identify the scope of the review: specific files, directories, or the entire codebase. Confirm the primary language(s) and framework(s) in use.

  • Scan for hardcoded secrets and credentials:

  • Search for patterns matching API keys, tokens, passwords, AWS access keys (AKIA... ), and private key headers (BEGIN PRIVATE KEY ).

  • Flag any .env files or configuration files containing plaintext secrets.

  • Analyze code for injection vulnerabilities:

  • Identify raw SQL string concatenation (SQL injection risk).

  • Locate unsanitized user input rendered in HTML (XSS risk).

  • Check for eval() , exec() , or Function() calls with dynamic input (code injection risk).

  • Review authentication and authorization logic:

  • Verify password hashing uses strong algorithms (bcrypt, argon2) rather than MD5/SHA1.

  • Check for missing authentication on sensitive endpoints.

  • Identify overly permissive CORS configurations.

  • Audit dependencies for known vulnerabilities:

  • Run npm audit or equivalent package manager audit command.

  • Cross-reference dependency versions against known CVE databases.

  • Check for insecure communication patterns:

  • Flag HTTP URLs where HTTPS is expected.

  • Identify disabled TLS certificate verification.

  • Compile findings into a structured report sorted by severity (Critical, High, Medium, Low), including the vulnerable code location, explanation, and remediation steps.

Output

A structured security review report containing:

  • Summary with total findings count by severity level

  • Per-finding entries with: file path, line number, vulnerability type, severity, code snippet, explanation, and recommended fix

  • Dependency audit results with CVE identifiers where applicable

  • Overall risk assessment (Critical / High / Medium / Low / Clean)

Error Handling

Error Cause Solution

No source files found Incorrect scope path or empty directory Verify the target directory path and confirm it contains source files

Binary files in scan Non-text files matched by search patterns Exclude binary extensions and node_modules/ from scans

Dependency manifest missing No package.json , requirements.txt , or equivalent Skip dependency audit; note in report that dependency analysis was not possible

Permission denied on files Restricted file access Request read permissions or narrow the review scope to accessible files

False positive on secret pattern Benign string matching secret regex Verify context before reporting; mark as potential false positive if the match appears in test fixtures or documentation

Examples

SQL injection review: Trigger: "Review this database query code for SQL injection vulnerabilities." Process: Scan all files containing SQL query construction. Identify string concatenation with user input ("SELECT * FROM users WHERE id = " + userId ). Report as High severity with remediation: use parameterized queries or prepared statements.

Dependency vulnerability scan: Trigger: "Check this project's dependencies for known security vulnerabilities." Process: Run npm audit on the project. Parse output for vulnerabilities. Report each finding with CVE identifier, affected package, installed version, and patched version. Recommend npm audit fix or manual version pinning.

Full codebase security audit: Trigger: "Run a security scan on this codebase." Process: Execute all seven scan categories (secrets, injection, auth, dependencies, communication, dangerous commands, obfuscation). Produce a comprehensive report with findings grouped by category and sorted by severity.

Resources

  • OWASP Top 10 -- industry-standard vulnerability classification

  • Node.js Security Checklist -- Node-specific security guidance

  • CWE/SANS Top 25 -- most dangerous software weaknesses

  • ${CLAUDE_SKILL_DIR}/references/README.md -- bundled reference materials

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

xss-vulnerability-scanner

No summary provided by upstream source.

Repository SourceNeeds Review
-44
jeremylongshore
Security

session-security-checker

No summary provided by upstream source.

Repository SourceNeeds Review
-41
jeremylongshore
Security

cookie-security-analyzer

No summary provided by upstream source.

Repository SourceNeeds Review
-41
jeremylongshore