Skill

devflow:build:security-review

Scans for security vulnerabilities in branch changes, full repo, or specific files. Supports interactive triage — fix, dismiss, create ticket, or defer each finding. Use this to perform security analysis before creating a PR/MR or on any part of the codebase.

Install

npx claudepluginhub joshuarweaver/cascade-code-general-misc-4 --plugin codingthefuturewithai-claude-code-primitives

Tool Access

This skill is limited to using the following tools:

TaskReadBashGrepGlobAskUserQuestionWriteEditmcp__atlassian__getAccessibleAtlassianResourcesmcp__atlassian__createJiraIssuemcp__atlassian__getJiraProjectIssueTypesMetadatamcp__gitlab__create_issue

Preview

I'll perform a comprehensive security analysis.

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

168.3k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

168.3k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

168.3k

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitFeb 17, 2026

Actions

View Source View Plugin View on GitHub View README

Security Review

I'll perform a comprehensive security analysis.

Step 1: Parse Arguments & Determine Scope

Parse $ARGUMENTS for:

--show-dismissed flag: if present, include previously dismissed issues in report
ISSUE_KEY: if provided, scope to branch changes for that issue

Load backend configuration from devflow-config.md to determine issue tracker for ticket creation.

If ISSUE_KEY provided: Scope is branch changes — find files modified since branching from the base branch.

If no ISSUE_KEY: Ask user what to scan:

Full repository
Current branch changes
Specific files
Specific directory

Display the files that will be analyzed and their count.

Step 2: Invoke Security Scanner Agent

Use the Task tool with subagent_type="security-scanner" to analyze the scoped files.

Provide the agent with:

Scan context (issue key or scope description)
List of files to analyze
Request comprehensive analysis across all relevant vulnerability categories for the languages present

The agent autonomously reads files, identifies vulnerabilities, and provides remediation guidance.

Step 3: Present Findings

Display the security assessment summary:

Scope and file count
Findings by severity: CRITICAL, HIGH, MEDIUM, LOW
Detailed findings from agent report

If no findings: Skip to Next Steps.

Step 4: Triage Security Findings

Before triage:

If .devflow/security/[ISSUE_KEY]-dismissed.json exists, load dismissed issues
If --show-dismissed: display all dismissed issues with reasons, then show current findings
If not --show-dismissed (default): filter dismissed issues out of current findings

For each finding, present:

File, line number, severity
Current code snippet
Issue description
Recommended fix

Ask user for each finding — one at a time:

"fix" — Apply the recommended fix now
"dismiss [reason]" — Mark as false positive, accepted risk, or not applicable
"ticket" — Create issue to track for later
"manual" — Developer will fix, skip for now
"skip" — Defer to next security review

Actions:

fix: Apply the fix with Edit tool. Track as "applied."
dismiss: Save to .devflow/security/[ISSUE_KEY]-dismissed.json with reason and date. Future reviews skip these automatically.
ticket: Use build-ops to create issue in configured backend (Jira/GitLab). Map severity to priority. Display ticket ID.
- If no issue tracker configured, display finding details for manual tracking.
manual/skip: Track for summary. These reappear in next review.

Repeat for all findings.

Triage Summary

After all findings triaged, show:

Applied fixes: count and list
Dismissed: count, files, and reasons
Created tickets: count with ticket IDs
Manual/Deferred: count (note: will reappear in next review)

If fixes were applied, commit them referencing the issue key.

If dismissals were recorded, note the dismissed issues file path and how to review them with --show-dismissed.

Next Steps

If ISSUE_KEY was provided:

If unaddressed CRITICAL/HIGH findings remain: warn before proceeding
Otherwise: ready for /devflow:build:complete-issue [ISSUE_KEY]

If general scan: Review triage summary. Re-scan after manual fixes if needed.