Cc Skill Security Kit
Comprehensive skill designed for skill, adding, authentication, handling. Includes structured workflows, validation checks, and reusable patterns for development.
Security Review Skill
A comprehensive Claude Code skill for automated security auditing, vulnerability detection, and secure coding enforcement across your entire codebase.
When to Use This Skill
Choose this skill when:
- Implementing authentication, authorization, or session management
- Handling user input, file uploads, or external data processing
- Creating or modifying API endpoints that accept untrusted data
- Working with secrets, credentials, tokens, or encryption
- Preparing code for production deployment or compliance review
- Reviewing pull requests for security implications
Consider alternatives when:
- You need runtime security monitoring (use a SIEM or WAF instead)
- You need penetration testing (use dedicated pentest tools)
- You only need linting without security focus (use a standard linter skill)
Quick Start
# Add to your Claude Code project claude mcp add security-review # Run a security audit on your project claude "run a security review on the authentication module"
# .claude/skills/security-review.yml name: security-review description: Automated security auditing and vulnerability detection triggers: - "security review" - "audit code" - "check vulnerabilities" config: severity_threshold: medium scan_scope: changed_files owasp_categories: all
Core Concepts
OWASP Top 10 Coverage
| Category | Check | Severity |
|---|---|---|
| Injection | SQL, NoSQL, OS command, LDAP injection patterns | Critical |
| Broken Auth | Weak password policies, missing MFA, session fixation | Critical |
| Sensitive Data | Hardcoded secrets, unencrypted storage, PII exposure | High |
| XXE | XML external entity processing, DTD attacks | High |
| Broken Access | Missing authorization checks, IDOR vulnerabilities | Critical |
| Misconfig | Default credentials, verbose errors, open CORS | Medium |
| XSS | Reflected, stored, and DOM-based cross-site scripting | High |
| Deserialization | Unsafe object deserialization, prototype pollution | High |
| Components | Known vulnerable dependencies, outdated packages | Medium |
| Logging | Insufficient logging, missing audit trails | Low |
Security Pattern Detection
// FLAGGED: SQL injection vulnerability const query = `SELECT * FROM users WHERE id = ${userId}`; // RECOMMENDED: Parameterized query const query = 'SELECT * FROM users WHERE id = $1'; const result = await pool.query(query, [userId]); // FLAGGED: Hardcoded secret const API_KEY = 'sk-live-abc123def456'; // RECOMMENDED: Environment variable const API_KEY = process.env.API_KEY; // FLAGGED: Missing input validation app.post('/upload', (req, res) => { fs.writeFile(req.body.filename, req.body.content); }); // RECOMMENDED: Validated and sanitized app.post('/upload', (req, res) => { const filename = path.basename(req.body.filename); const safePath = path.join(UPLOAD_DIR, filename); if (!safePath.startsWith(UPLOAD_DIR)) throw new Error('Path traversal'); fs.writeFile(safePath, sanitize(req.body.content)); });
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
severity_threshold | string | "medium" | Minimum severity to report: low, medium, high, critical |
scan_scope | string | "changed_files" | Scope of scan: changed_files, all_files, directory |
owasp_categories | string | "all" | Comma-separated OWASP categories or "all" |
auto_fix | boolean | false | Automatically apply safe fixes for common issues |
ignore_patterns | array | [] | File patterns to exclude from scanning |
secret_scanning | boolean | true | Scan for hardcoded secrets and credentials |
dependency_check | boolean | true | Check for known vulnerable dependencies |
report_format | string | "inline" | Output format: inline, markdown, json |
Best Practices
-
Run security reviews on every PR — integrate the skill into your review workflow so vulnerabilities are caught before merging, not after deployment.
-
Set severity thresholds appropriately for your context — use
criticalthreshold during rapid prototyping butlowthreshold before production releases to catch everything. -
Combine with dependency auditing — enable
dependency_checkalongside code scanning since vulnerable packages are one of the most common attack vectors. -
Never suppress findings without documentation — if you ignore a security warning, add a comment explaining why and what mitigations are in place.
-
Review secrets scanning results immediately — hardcoded credentials in version control are the fastest path to a breach; rotate any exposed secrets right away.
Common Issues
False positives on test fixtures — The skill may flag hardcoded tokens or passwords in test files. Add test directories to ignore_patterns or use clearly fake values like test-token-do-not-use that the skill can recognize as non-sensitive.
Missing context for authorization checks — The skill flags endpoints without visible authorization but your auth might be handled by middleware. Add a comment like // auth: middleware or configure the skill to recognize your middleware patterns.
Slow scans on large codebases — Scanning all files on every run can be slow for large projects. Use scan_scope: changed_files for PR reviews and reserve all_files scans for periodic full audits on a schedule.
Reviews
No reviews yet. Be the first to review this template!
Similar Templates
Full-Stack Code Reviewer
Comprehensive code review skill that checks for security vulnerabilities, performance issues, accessibility, and best practices across frontend and backend code.
Test Suite Generator
Generates comprehensive test suites with unit tests, integration tests, and edge cases. Supports Jest, Vitest, Pytest, and Go testing.
Pro Architecture Workspace
Battle-tested skill for architectural, decision, making, framework. Includes structured workflows, validation checks, and reusable patterns for development.