code-security
Comprehensive secure coding guidelines for 15+ languages, covering OWASP Top 10, infrastructure security, and best practices to identify vulnerabilities in code, configurations, and cloud setups.
Introduction
The code-security skill provides an extensive framework for identifying and preventing software vulnerabilities across the entire development lifecycle. Designed for software engineers, security researchers, and DevOps professionals, it acts as an automated security reviewer that monitors code for common flaws. It provides expert guidance on mitigating critical risks such as SQL injection, command injection, XSS, XXE, path traversal, insecure deserialization, and hardcoded secrets. Beyond application code, it offers detailed security rules for infrastructure as code, including Terraform, Kubernetes, Docker, and GitHub Actions, so that cloud environments are hardened against misconfigurations and unauthorized access.
- Performs automated proactive security analysis when writing or reviewing code in languages such as Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C/C++, Rust, and C#.
- Covers 28 distinct rule categories including OWASP Top 10, cryptographic best practices (SHA-256, AES), secure transport (TLS/HTTPS), and authentication standards (JWT, CSRF).
- Provides granular security checks for cloud infrastructure, including AWS/Azure/GCP Terraform providers, container security (non-root containers), and CI/CD security (GitHub Actions).
- Offers reactive guidance by mapping security queries to specific rule files containing clear, side-by-side 'Incorrect' vs 'Correct' code implementation patterns.
- Supports memory safety analysis for low-level languages like C and C++ to prevent buffer overflows and use-after-free vulnerabilities.

- Always consult this skill when handling user input, database queries, network requests, file system operations, or authentication logic.
- Apply this skill during code reviews, pull requests, and architecture design phases to identify risks early.
- When implementing cloud configuration, leverage the infrastructure-specific modules for Terraform, Kubernetes, and Docker to enforce least-privilege principles.
- Use the provided rule files as a knowledge base to educate development teams on secure coding patterns and threat mitigation.
- Note that this skill is a diagnostic and educational tool; it is intended to supplement, not replace, automated static analysis tools like Semgrep or dynamic security testing (DAST).
Repository Stats
- Stars: 199
- Forks: 27
- Open Issues: 4
- Language: JavaScript
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 3, 2026, 05:32 AM