security-review

작성자: github

AI 기반 코드베이스 보안 스캐너로, 보안 연구원처럼 코드를 추론하며 데이터 흐름을 추적하고, 구성 요소 간 상호작용을 이해하며…

npx skills add https://github.com/github/awesome-copilot --skill security-review

Security Review

An AI-powered security scanner that reasons about your codebase the way a human security researcher would — tracing data flows, understanding component interactions, and catching vulnerabilities that pattern-matching tools miss.

When to Use This Skill

Use this skill when the request involves:

  • Scanning a codebase or file for security vulnerabilities
  • Running a security review or vulnerability check
  • Checking for SQL injection, XSS, command injection, or other injection flaws
  • Finding exposed API keys, hardcoded secrets, or credentials in code
  • Auditing dependencies for known CVEs
  • Reviewing authentication, authorization, or access control logic
  • Detecting insecure cryptography or weak randomness
  • Performing a data flow analysis to trace user input to dangerous sinks
  • Any request phrasing like "is my code secure?", "scan this file", or "check my repo for vulnerabilities"
  • Running /security-review or /security-review <path>

How This Skill Works

Unlike traditional static analysis tools that match patterns, this skill:

  1. Reads code like a security researcher — understanding context, intent, and data flow
  2. Traces across files — following how user input moves through your application
  3. Self-verifies findings — re-examines each result to filter false positives
  4. Assigns severity ratings — CRITICAL / HIGH / MEDIUM / LOW / INFO
  5. Proposes targeted patches — every finding includes a concrete fix
  6. Requires human approval — nothing is auto-applied; you always review first

Execution Workflow

Follow these steps in order every time:

Step 1 — Scope Resolution

Determine what to scan:

  • If a path was provided (/security-review src/auth/), scan only that scope
  • If no path given, scan the entire project starting from the root
  • Identify the language(s) and framework(s) in use (check package.json, requirements.txt, go.mod, Cargo.toml, pom.xml, Gemfile, composer.json, etc.)
  • Read references/language-patterns.md to load language-specific vulnerability patterns

Step 2 — Dependency Audit

Before scanning source code, audit dependencies first (fast wins):

  • Node.js: Check package.json + package-lock.json for known vulnerable packages
  • Python: Check requirements.txt / pyproject.toml / Pipfile
  • Java: Check pom.xml / build.gradle
  • Ruby: Check Gemfile.lock
  • Rust: Check Cargo.toml
  • Go: Check go.sum
  • Flag packages with known CVEs, deprecated crypto libs, or suspiciously old pinned versions
  • Read references/vulnerable-packages.md for a curated watchlist

Step 3 — Secrets & Exposure Scan

Scan ALL files (including config, env, CI/CD, Dockerfiles, IaC) for:

  • Hardcoded API keys, tokens, passwords, private keys
  • .env files accidentally committed
  • Secrets in comments or debug logs
  • Cloud credentials (AWS, GCP, Azure, Stripe, Twilio, etc.)
  • Database connection strings with credentials embedded
  • Read references/secret-patterns.md for regex patterns and entropy heuristics to apply

Step 4 — Vulnerability Deep Scan

This is the core scan. Reason about the code — don't just pattern-match. Read references/vuln-categories.md for full details on each category.

Injection Flaws

  • SQL Injection: raw queries with string interpolation, ORM misuse, second-order SQLi
  • XSS: unescaped output, dangerouslySetInnerHTML, innerHTML, template injection
  • Command Injection: exec/spawn/system with user input
  • LDAP, XPath, Header, Log injection

Authentication & Access Control

  • Missing authentication on sensitive endpoints
  • Broken object-level authorization (BOLA/IDOR)
  • JWT weaknesses (alg:none, weak secrets, no expiry validation)
  • Session fixation, missing CSRF protection
  • Privilege escalation paths
  • Mass assignment / parameter pollution

Data Handling

  • Sensitive data in logs, error messages, or API responses
  • Missing encryption at rest or in transit
  • Insecure deserialization
  • Path traversal / directory traversal
  • XXE (XML External Entity) processing
  • SSRF (Server-Side Request Forgery)

Cryptography

  • Use of MD5, SHA1, DES for security purposes
  • Hardcoded IVs or salts
  • Weak random number generation (Math.random() for tokens)
  • Missing TLS certificate validation

Business Logic

  • Race conditions (TOCTOU)
  • Integer overflow in financial calculations
  • Missing rate limiting on sensitive endpoints
  • Predictable resource identifiers

Step 5 — Cross-File Data Flow Analysis

After the per-file scan, perform a holistic review:

  • Trace user-controlled input from entry points (HTTP params, headers, body, file uploads) all the way to sinks (DB queries, exec calls, HTML output, file writes)
  • Identify vulnerabilities that only appear when looking at multiple files together
  • Check for insecure trust boundaries between services or modules

Step 6 — Self-Verification Pass

For EACH finding:

  1. Re-read the relevant code with fresh eyes
  2. Ask: "Is this actually exploitable, or is there sanitization I missed?"
  3. Check if a framework or middleware already handles this upstream
  4. Downgrade or discard findings that aren't genuine vulnerabilities
  5. Assign final severity: CRITICAL / HIGH / MEDIUM / LOW / INFO

Step 7 — Generate Security Report

Output the full report in the format defined in references/report-format.md.

Step 8 — Propose Patches

For every CRITICAL and HIGH finding, generate a concrete patch:

  • Show the vulnerable code (before)
  • Show the fixed code (after)
  • Explain what changed and why
  • Preserve the original code style, variable names, and structure
  • Add a comment explaining the fix inline

Explicitly state: "Review each patch before applying. Nothing has been changed yet."

Severity Guide

SeverityMeaningExample
🔴 CRITICALImmediate exploitation risk, data breach likelySQLi, RCE, auth bypass
🟠 HIGHSerious vulnerability, exploit path existsXSS, IDOR, hardcoded secrets
🟡 MEDIUMExploitable with conditions or chainingCSRF, open redirect, weak crypto
🔵 LOWBest practice violation, low direct riskVerbose errors, missing headers
⚪ INFOObservation worth noting, not a vulnerabilityOutdated dependency (no CVE)

Output Rules

  • Always produce a findings summary table first (counts by severity)
  • Never auto-apply any patch — present patches for human review only
  • Always include a confidence rating per finding (High / Medium / Low)
  • Group findings by category, not by file
  • Be specific — include file path, line number, and the exact vulnerable code snippet
  • Explain the risk in plain English — what could an attacker do with this?
  • If the codebase is clean, say so clearly: "No vulnerabilities found" with what was scanned

Reference Files

For detailed detection guidance, load the following reference files as needed:

  • references/vuln-categories.md — Deep reference for every vulnerability category with detection signals, safe patterns, and escalation checkers
    • Search patterns: SQL injection, XSS, command injection, SSRF, BOLA, IDOR, JWT, CSRF, secrets, cryptography, race condition, path traversal
  • references/secret-patterns.md — Regex patterns, entropy-based detection, and CI/CD secret risks
    • Search patterns: API key, token, private key, connection string, entropy, .env, GitHub Actions, Docker, Terraform
  • references/language-patterns.md — Framework-specific vulnerability patterns for JavaScript, Python, Java, PHP, Go, Ruby, and Rust
    • Search patterns: Express, React, Next.js, Django, Flask, FastAPI, Spring Boot, PHP, Go, Rails, Rust
  • references/vulnerable-packages.md — Curated CVE watchlist for npm, pip, Maven, Rubygems, Cargo, and Go modules
    • Search patterns: lodash, axios, jsonwebtoken, Pillow, log4j, nokogiri, CVE
  • references/report-format.md — Structured output template for security reports with finding cards, dependency audit, secrets scan, and patch proposal formatting
    • Search patterns: report, format, template, finding, patch, summary, confidence

github의 다른 스킬

console-rendering
github
Go에서 struct 태그 기반 콘솔 렌더링 시스템 사용 지침
official
acquire-codebase-knowledge
github
사용자가 기존 코드베이스에 대한 매핑, 문서화, 또는 온보딩을 명시적으로 요청할 때 이 스킬을 사용하세요. "이 코드베이스를 매핑해줘", "문서화해줘"와 같은 프롬프트에서 트리거됩니다.
official
acreadiness-assess
github
현재 리포
official
acreadiness-generate-instructions
github
AgentRC 명령어를 통해 맞춤형 AI 에이전트 지침 파일을 생성합니다. .github/copilot-instructions.md 파일을 생성합니다(기본값, VS Code의 Copilot에 권장됨).
official
acreadiness-policy
github
사용자가 AgentRC 정책을 선택, 작성 또는 적용할 수 있도록 지원합니다. 정책은 관련 없는 검사를 비활성화하고, 영향/수준을 재정의하며, 설정을 통해 준비 상태 점수를 사용자 지정합니다.
official
add-educational-comments
github
코드 파일에 교육용 주석을 추가하여 효과적인 학습 자료로 변환합니다. 설명의 깊이와 어조를 세 가지 설정 가능한 지식 수준(초급, 중급, 고급)에 맞게 조정합니다. 파일이 제공되지 않으면 자동으로 요청하며, 빠른 선택을 위해 번호 목록 매칭을 제공합니다. 교육용 주석만을 사용하여 파일을 최대 125%까지 확장합니다(엄격한 제한: 새 줄 400개, 1,000줄 초과 파일의 경우 300개). 파일 인코딩, 들여쓰기 스타일, 구문 정확성 등을 유지합니다.
official
adobe-illustrator-scripting
github
Adobe Illustrator 자동화 스크립트를 ExtendScript(JavaScript/JSX)로 작성, 디버깅 및 최적화합니다. 스크립트를 생성하거나 수정하여 조작할 때 사용합니다.
official
agent-governance
github
선언적 정책, 의도 분류, AI 에이전트 도구 접근 및 행동 제어를 위한 감사 추적. 구성 가능한 거버넌스 정책은 허용/차단된 도구, 콘텐츠 필터, 속도 제한, 승인 요구 사항을 정의하며, 코드가 아닌 구성으로 저장됨. 의미론적 의도 분류는 패턴 기반 신호를 사용하여 도구 실행 전에 위험한 프롬프트(데이터 유출, 권한 상승, 프롬프트 인젝션)를 탐지함. 도구 수준 거버넌스 데코레이터는 함수에서 정책을 적용함...
official