Security Code Review

This skill acts as an automated security auditor for software projects, specifically targeting the OWASP Top 10 critical web application security risks. Designed for developers and security engineers, it provides systematic scanning of codebases to identify common pitfalls like injection attacks, broken authentication, sensitive data exposure, and insecure deserialization. It is particularly effective for reviewing Java, Python, and JavaScript applications, offering actionable code-level improvements to harden your software against modern threats.

• Detects SQL, NoSQL, and Command injection vulnerabilities by flagging unsanitized user inputs and dangerous execution patterns.

• Identifies broken authentication flows, such as hardcoded or weak credentials and insecure session management.

• Scans for sensitive data exposure issues, including hardcoded API keys, unmasked log data, and insecure error reporting.

• Checks for common misconfigurations like debug mode enabled in production or missing security headers in Spring Boot and Flask applications.

• Analyzes XML parsing logic for XXE (XML External Entities) risks and audits deserialization processes to prevent object injection attacks.

• Evaluates front-end code for XSS (Cross-Site Scripting) vulnerabilities by flagging improper handling of user-provided content in DOM or HTML templates.

• Provide the specific file or code snippet to the agent to trigger a focused security scan; for comprehensive audits, point the agent to the root of your application module.

• Expect outputs to include the identified vulnerability, an explanation of the security risk, and a secure code alternative using industry-standard libraries like BCrypt, Prepared Statements, or safe JSON mappers.

• Use this skill during the development lifecycle, preferably at the Pull Request or pre-commit phase, to ensure security best practices are baked into the codebase.

• Remember that while the tool automates vulnerability identification, it does not replace a comprehensive human-led penetration test or architectural security review.

• Ensure environment variables are used for secrets and avoid pasting production credentials into the chat interface for analysis.