agent/claude/review/commands/security.md
Snider b633ae81f6 feat: add README and flesh out all plugins
README.md:
- GitHub-friendly documentation
- Installation instructions
- Plugin overview with commands

review plugin:
- /review:security - Security-focused review
- /review:pr - PR review
- hooks.json - Post PR create suggestion
- scripts/post-pr-create.sh

verify plugin:
- /verify:ready - Quick readiness check
- /verify:tests - Test verification
- hooks.json - Pre-push warning
- scripts/pre-push-check.sh

qa plugin:
- /qa:check - Report only, no fixes
- /qa:lint - Lint with fix option
- hooks.json - QA output filtering

ci plugin:
- /ci:status - CI status display
- /ci:run - Trigger workflows
- /ci:fix - Analyse and fix failures
- hooks.json - Post-push CI hint
- scripts/post-push-ci.sh

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 19:48:51 +00:00

1.6 KiB

| name | description | args |
| --- | --- | --- |
| security | Security-focused code review | commit-range \| --pr=N |

Security Review

Perform a security-focused code review of the given commit range, or of a pull request when `--pr=N` is passed. Only the changed code is in scope; every finding is reported with a severity and a file:line location.

Focus Areas

1. Injection Vulnerabilities

  • SQL injection
  • Command injection
  • XSS (Cross-Site Scripting)
  • LDAP injection
  • XML injection

2. Authentication & Authorisation

  • Hardcoded credentials
  • Weak password handling (plaintext storage, unsalted or fast hashes such as MD5)
  • Missing authentication or authorisation checks on endpoints and handlers
  • Privilege escalation paths (e.g. a user-supplied role or user ID that is trusted as-is)

3. Data Exposure

  • Sensitive data in logs (tokens, session IDs, passwords)
  • PII in error messages
  • Secrets in version control (keys, .env files, config containing passwords)
  • Insecure data transmission (plaintext HTTP, disabled TLS certificate verification)

4. Cryptography

  • Weak algorithms (MD5 or SHA-1 used for signatures, integrity or password hashing)
  • Hardcoded keys/IVs (a key in source is as public as the source; a fixed IV breaks the mode even with a strong key)
  • Insecure random number generation (math/rand, rand() or mt_rand() used for tokens, keys or IVs)

5. Dependencies

  • Known vulnerable packages (check the lockfile against advisories, e.g. govulncheck for Go, composer audit for PHP)
  • Outdated dependencies

Process

  1. Get the diff for the specified commit range, or the PR's diff when --pr=N is given
  2. Scan the added lines for the patterns below
  3. Check each focus area above against the changed code, not only the pattern hits
  4. Report findings with severity and file:line in the output format below

Patterns to Check

Go

```go
// SQL injection: attacker-controlled id is concatenated into the statement text
db.Query("SELECT * FROM users WHERE id = " + id)

// Command injection: the whole string is parsed by a shell, so metacharacters run
exec.Command("bash", "-c", userInput)

// Hardcoded secrets: a live key literal committed to source (and to git history)
apiKey := "sk_live_..."
```

PHP

```php
// SQL injection: $id is interpolated into the double-quoted query string
$db->query("SELECT * FROM users WHERE id = $id");

// XSS: request input is echoed into HTML without htmlspecialchars()
echo $request->input('name');

// Command injection: user input is passed to the shell as a complete command line
shell_exec($userInput);
```
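The command injection, XSS and insecure-randomness patterns above, each beside its hardened form, as an added Go example that is not part of this plugin or of any project it reviews. Function names (`pingUnsafe`, `pingSafe`, `renderUnsafe`, `renderSafe`, `tokenPredictable`, `tokenSecure`) are illustrative; `sh` and `echo` are assumed to be on PATH, and `echo` stands in for a real ping so the shell behaviour can be observed:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"html"
	mrand "math/rand"
	"os/exec"
)

// --- Command injection ------------------------------------------------------

// pingUnsafe mirrors exec.Command("bash", "-c", userInput): the whole string is
// parsed by a shell, so ";" in host starts a second command. (sh and echo are
// assumed to be on PATH; echo stands in for a real ping.)
func pingUnsafe(host string) (string, error) {
	out, err := exec.Command("sh", "-c", "echo pinging "+host).Output()
	return string(out), err
}

// pingSafe passes host as one argv element. No shell ever parses it, so shell
// metacharacters are ordinary bytes inside the argument.
func pingSafe(host string) (string, error) {
	out, err := exec.Command("echo", "pinging", host).Output()
	return string(out), err
}

// --- XSS --------------------------------------------------------------------

// renderUnsafe is the Go equivalent of `echo $request->input('name')`:
// untrusted text is pasted straight into HTML.
func renderUnsafe(name string) string {
	return "<p>Hello, " + name + "</p>"
}

// renderSafe escapes the text for an HTML text context first. html/template
// does this automatically; html.EscapeString is the manual form.
func renderSafe(name string) string {
	return "<p>Hello, " + html.EscapeString(name) + "</p>"
}

// --- Insecure randomness ----------------------------------------------------

// tokenPredictable draws a "secret" from math/rand. The output is a pure
// function of the seed, so anyone who knows or guesses the seed knows the token.
func tokenPredictable(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, 16)
	r.Read(b)
	return hex.EncodeToString(b)
}

// tokenSecure draws 128 bits from the OS CSPRNG via crypto/rand.
func tokenSecure() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	input := "x; echo pwned"
	bad, _ := pingUnsafe(input)
	good, _ := pingSafe(input)
	fmt.Printf("unsafe: %q\nsafe:   %q\n", bad, good)

	payload := "<script>alert(1)</script>"
	fmt.Println(renderUnsafe(payload))
	fmt.Println(renderSafe(payload))

	fmt.Println(tokenPredictable(42) == tokenPredictable(42)) // true: same seed, same token
	t, _ := tokenSecure()
	fmt.Println(t)
}
```

With the input `x; echo pwned`, the shell form prints `pinging x` and then runs the injected `echo pwned`; the argv form prints the whole string as one literal argument. The SQL fix is the same idea applied to the database: keep the statement text fixed and pass `id` as a bound parameter (`db.Query("SELECT * FROM users WHERE id = ?", id)` with database/sql, a prepared statement in PHP); it is not in the block only because database/sql needs a driver to execute anything.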

Output Format

```markdown
## Security Review

### Critical
- **file:line** - SQL Injection: User input directly in query

### High
- **file:line** - Hardcoded API key detected

### Medium
- **file:line** - Missing CSRF protection

### Low
- **file:line** - Debug endpoint exposed

---
**Summary**: X critical, Y high, Z medium, W low
```
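The Process steps (diff, scan added lines, report by severity) and the Output Format above, implemented end to end as an added Go example that is not part of this plugin. It parses a unified diff, keeps the new-file line number from each `@@` header so that findings carry `file:line`, matches only added lines against regexes derived from the Patterns to Check section, and renders the report in the format above. The regexes, the `Finding`/`Scan`/`Report` names and the embedded `sampleDiff` are all constructed for this example; the diff is not from any real repository:

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one issue, located the way the output format wants it (file:line).
type Finding struct{ File string; Line int; Severity, Title string } // Severity: Critical/High/Medium/Low

// patterns encode the "Patterns to Check" entries as regexes over one added line.
// They are deliberately narrow: a hit is a lead for the reviewer, not proof.
var patterns = []struct {
	re              *regexp.Regexp
	severity, title string
}{
	{regexp.MustCompile(`db\.(Query|QueryRow|Exec)\(\s*"[^"]*"\s*\+`), "Critical", "SQL Injection: user input concatenated into query"},
	{regexp.MustCompile(`->query\(\s*"[^"]*\$`), "Critical", "SQL Injection: variable interpolated into query"},
	{regexp.MustCompile(`exec\.Command\(\s*"(ba)?sh"\s*,\s*"-c"`), "Critical", "Command Injection: shell -c with runtime string"},
	{regexp.MustCompile(`\b(shell_exec|system|passthru|exec)\(\s*\$`), "Critical", "Command Injection: variable passed to shell"},
	{regexp.MustCompile(`echo\s+\$request->input\(`), "High", "XSS: request input echoed without escaping"},
	{regexp.MustCompile(`(?i)(api[_-]?key|secret|password|token)\s*(:=|=)\s*["'][^"']{8,}["']`), "High", "Hardcoded API key detected"},
}

var rank = map[string]int{"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
var hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@`) // captures new-file start line

// Scan walks a unified diff and checks only added ("+") lines, tracking the new-file
// line number from each hunk header so every finding carries file:line.
func Scan(diff string) []Finding {
	var findings []Finding
	file, newLine := "", 0
	for _, raw := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(raw, "+++ b/"):
			file = strings.TrimPrefix(raw, "+++ b/")
		case strings.HasPrefix(raw, "@@"):
			if m := hunkHeader.FindStringSubmatch(raw); m != nil {
				newLine, _ = strconv.Atoi(m[1])
			}
		case strings.HasPrefix(raw, "+"):
			for _, p := range patterns {
				if p.re.MatchString(raw[1:]) {
					findings = append(findings, Finding{file, newLine, p.severity, p.title})
				}
			}
			newLine++
		case strings.HasPrefix(raw, "-"): // removed line or "--- a/" header: old file only
		default:
			newLine++ // context line ("diff --git" lines land here too; the next @@ resets the count)
		}
	}
	key := func(f Finding) string { return fmt.Sprintf("%d|%s|%06d", rank[f.Severity], f.File, f.Line) }
	sort.Slice(findings, func(i, j int) bool { return key(findings[i]) < key(findings[j]) })
	return findings
}

// Report renders findings in the command's output format.
func Report(findings []Finding) string {
	var sb strings.Builder
	sb.WriteString("## Security Review\n")
	counts := map[string]int{}
	for _, sev := range []string{"Critical", "High", "Medium", "Low"} {
		sb.WriteString("\n### " + sev + "\n")
		for _, f := range findings {
			if f.Severity == sev {
				fmt.Fprintf(&sb, "- **%s:%d** - %s\n", f.File, f.Line, f.Title)
				counts[sev]++
			}
		}
	}
	fmt.Fprintf(&sb, "\n---\n**Summary**: %d critical, %d high, %d medium, %d low\n",
		counts["Critical"], counts["High"], counts["Medium"], counts["Low"])
	return sb.String()
}

// sampleDiff is a constructed diff (not from any real repository) that adds the
// checklist's Go and PHP patterns; the removed line is the safe query it replaces.
const sampleDiff = `--- a/internal/users.go
+++ b/internal/users.go
@@ -10,2 +10,3 @@ func lookup(db *sql.DB, id string) {
     // lookup a user by id
-    rows, err := db.Query("SELECT * FROM users WHERE id = ?", id)
+    rows, err := db.Query("SELECT * FROM users WHERE id = " + id)
+    apiKey := "sk_live_..."
--- a/app/Http/Hello.php
+++ b/app/Http/Hello.php
@@ -3,2 +3,5 @@
 <?php
+echo $request->input('name');
+$db->query("SELECT * FROM users WHERE id = $id");
+shell_exec($userInput);
 return;
`

func main() { fmt.Print(Report(Scan(sampleDiff))) }
```

On the embedded diff this yields three Critical and two High findings; the removed parameterised query is never examined because only `+` lines are scanned, which is also why a review of a range rather than a whole tree cannot vouch for unchanged code. In use, `sampleDiff` would be replaced by the output of `git diff <commit-range>` (or the PR's diff), and the regex hits are the starting point for the manual pass over the focus areas, not the end of it.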