From cc-arsenal
Perform comprehensive security review targeting OWASP Top 10 2025 vulnerabilities for PRs, commits, or entire codebases. This skill should be used when a user wants to audit code security, scan for vulnerabilities, review security posture, or check for OWASP compliance. Analysis only - identifies vulnerabilities without modifying code.
npx claudepluginhub mgiovani/cc-arsenal --plugin cc-arsenal-teamsThis skill is limited to using the following tools:
> **Cross-Platform AI Agent Skill**
Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
Cross-Platform AI Agent Skill This skill works with any AI agent platform that supports the skills.sh standard.
Comprehensive security analysis targeting OWASP Top 10 2025 vulnerabilities, common bytecode security issues, and language-specific security patterns. This skill performs analysis only - it identifies vulnerabilities, explains findings, and suggests fix approaches without making code changes.
CRITICAL: Security reviews must be based on ACTUAL code analysis and VERIFIED patterns:
Parse arguments to determine what to scan:
Arguments:
- <pr_number>: Scan only files changed in PR (e.g., "123", "#123")
- <commit_sha>: Scan only files changed in commit (e.g., "abc123")
- "--all" or no args: Scan entire codebase
- "--scope [web|api|mobile|backend|frontend]": Focus on specific vulnerability categories
If PR or commit specified, use Bash to get changed files:
```bash
# For PR
gh pr view <pr_number> --json files --jq '.files[].path'
# For commit
git diff-tree --no-commit-id --name-only -r <commit_sha>
### Phase 1: Project Technology Discovery
Explore the codebase to understand the project technology stack:
### Phase 2: Initialize Progress Tracking
Use TodoWrite to track comprehensive scan progress across all OWASP categories (A01-A10), bytecode security, and report generation.
### Phase 3: Parallel Vulnerability Scanning
Spawn parallel Explore agents for comprehensive security analysis. Each agent targets specific OWASP categories using Grep patterns to find actual vulnerable code.
For detailed agent prompts and grep patterns for each vulnerability category, see [references/agent-prompts.md](references/agent-prompts.md).
**Agent assignments:**
- **Agent 1**: Access Control & Authentication (A01, A07)
- **Agent 2**: Configuration & Design (A02, A06)
- **Agent 3**: Injection & Data Integrity (A05, A08)
- **Agent 4**: Cryptography & Supply Chain (A04, A03)
- **Agent 5**: Bytecode & Compiled Code Security
- **Agent 6**: Logging, Monitoring & Exception Handling (A09, A10)
Each agent must:
1. Grep for vulnerability patterns across files in scope
2. Read each match to verify context
3. Extract exact code snippets (5-10 lines)
4. Explain why the code is vulnerable
5. Classify severity (Critical/High/Medium/Low)
6. Provide fix recommendations (2-3 approaches)
### Phase 4: Consolidate & Analyze Findings
After all agents complete:
1. **Collect all findings** from the 6 parallel agents
2. **Deduplicate** - Remove duplicate findings across agents
3. **Prioritize by severity**:
- **Critical**: RCE, SQLi, Authentication bypass, Hardcoded secrets
- **High**: XSS, CSRF, Broken access control, Weak crypto
- **Medium**: Information disclosure, Missing logging, Insecure design
- **Low**: Code quality issues with minor security impact
4. **Categorize by OWASP Top 10 2025**: Group findings under A01-A10 categories
5. **Statistics**: Count total vulnerabilities, by severity, by category, files scanned vs files with issues
### Phase 5: Generate Security Report
Generate a comprehensive markdown report following the template in [references/report-template.md](references/report-template.md).
### Phase 6: Verification & Quality Check
Before presenting report, verify:
1. Every finding has file path and line numbers
2. Every finding has actual code snippet (not placeholder)
3. Every finding has clear explanation of vulnerability
4. Every finding has 2-3 fix approaches with examples
5. Statistics are accurate (counted, not estimated)
6. No duplicate findings
7. Severity ratings are justified
8. Only scanned files within specified scope
9. No invented vulnerabilities or false positives
10. References to CWEs/CVEs are accurate
## Usage
```bash
# Scan specific PR
review-security 123
review-security #456
# Scan specific commit
review-security abc123def
# Scan entire codebase
review-security --all
review-security
# Focus on specific scope
review-security --all --scope web
review-security 123 --scope api
## Scope Options
- `web`: Focus on XSS, CSRF, CORS, injection (A02, A05)
- `api`: Focus on authentication, authorization, rate limiting (A01, A07, A06)
- `mobile`: Focus on insecure storage, crypto, data leakage (A04, A08)
- `backend`: Focus on injection, deserialization, business logic (A05, A06, A08)
- `frontend`: Focus on XSS, CSP, SRI, client-side security (A02, A05, A08)
If no scope specified, perform comprehensive scan across all categories.
## Additional Resources
- [references/agent-prompts.md](references/agent-prompts.md) - Detailed grep patterns and agent prompts for each OWASP category
- [references/report-template.md](references/report-template.md) - Full markdown report template with all sections
## What This Skill Does
- Identifies security vulnerabilities based on OWASP Top 10 2025
- Analyzes bytecode and compiled code security
- Provides detailed explanations of each finding
- Suggests multiple fix approaches with code examples
- Generates comprehensive markdown report
- Prioritizes findings by severity
## What This Skill Does NOT Do
- Does not modify any code
- Does not automatically fix vulnerabilities
- Does not commit changes
- Does not run dynamic security testing (DAST)
- Does not perform penetration testing
- Does not guarantee 100% vulnerability detection
## Limitations
- **Static analysis only**: Cannot detect runtime-only vulnerabilities
- **Pattern-based**: May miss context-specific security issues
- **No dynamic testing**: Cannot test actual exploitability
- **False positives possible**: Some findings may not be exploitable in context
- **Requires manual review**: Expert review recommended for critical systems
## OWASP References
- [OWASP Top 10:2025](https://owasp.org/Top10/2025/)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [OWASP Code Review Guide](https://owasp.org/www-project-code-review-guide/)
## Claude Code Enhanced Features
This skill includes the following Claude Code-specific enhancements:
## Scan Workflow
### Phase 0: Determine Scan Scope
Parse arguments to determine what to scan:
Arguments:
If PR or commit specified, use Bash to get changed files:
```bash
# For PR
gh pr view <pr_number> --json files --jq '.files[].path'
# For commit
git diff-tree --no-commit-id --name-only -r <commit_sha>
Use an Explore agent to understand the project technology stack:
Use Task tool with Explore agent:
- prompt: "Discover the project's technology stack and security tooling:
1. Read package.json, pyproject.toml, pom.xml, go.mod to identify languages/frameworks
2. Check for existing security tools: .pre-commit-config.yaml, .github/workflows for SAST
3. Identify web frameworks: React/Next.js, Django/Flask, Spring Boot, Express.js
4. Check database usage: SQL, NoSQL, ORM patterns
5. Look for authentication patterns: JWT, OAuth, session management
6. Note any existing SECURITY.md or security policies
Return: Technology stack summary with relevant vulnerability categories to prioritize."
- subagent_type: "Explore"
Use TodoWrite to track comprehensive scan progress across all OWASP categories (A01-A10), bytecode security, and report generation.
Spawn parallel Explore agents for comprehensive security analysis. Each agent targets specific OWASP categories using Grep patterns to find actual vulnerable code.
For detailed agent prompts and grep patterns for each vulnerability category, see references/agent-prompts.md.
Agent assignments:
Each agent must:
After all agents complete:
Generate a comprehensive markdown report following the template in references/report-template.md.
Before presenting report, verify: