From spring-boot-claude
Security review checklists for Java/Spring Boot apps covering path traversal, injection, credential handling, and input validation. Load when conducting security reviews.
How this skill is triggered — by the user, by Claude, or both
Slash command
/spring-boot-claude:security-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
This review enforces four non-negotiable laws: security as an emergent property, defense in depth, least privilege, fail secure. They are harness-owned, defined in [`tdd-principles.md`](../tdd-workflow/tdd-principles.md) § Secure by Design. How this project meets them — its trust boundaries and the stack's high-bar defaults — lives in the project-owned [`docs/security-principles.md`](../../../d...
This review enforces four non-negotiable laws: security as an emergent property, defense in depth, least privilege, fail secure. They are harness-owned, defined in tdd-principles.md § Secure by Design. How this project meets them — its trust boundaries and the stack's high-bar defaults — lives in the project-owned docs/security-principles.md, the same brief the feature-implementer designs against. Read both before reviewing and enforce what they say, not remembered defaults. This skill holds the exhaustive checklist that turns the laws and defaults into specific, gradeable items.
../, symlinks).scratch/tmp/, never system /tmpRuntime.exec() / ProcessBuilder<, >, &, ", ' properly escaped in text content and attributes<script>, <link>, <img> with remote URLs)href attributes use relative paths only, not javascript: or data: URIs@JsonTypeInfo annotations that enable arbitrary class instantiationbuild.gradledocs/system-design.md)System.out.println or System.err.printlnWhen an IDE semantic oracle is available, use it to complement (never replace) the Grep patterns above: check the resolved dependency set for the Dependency Security checklist, and answer access-control / route-exposure questions by resolving security-relevant symbols and their references rather than text-matching config. The latter is required, not optional: when the oracle is connected, an access-control / route-exposure claim that turns on how a symbol or its references resolve (e.g. "this endpoint is the only unauthenticated caller", "the filter chain covers this route") must cite the search_symbol / get_symbol_info call that backs it (see intellij-idea § Cite the call that backs a claim) — without the oracle, cite the grep and label it the weaker basis. The resolved-dependency check stays an accelerator; a client without an oracle relies on Grep alone. Tool mechanics — and the Actuator alternative for the live bean/route graph — live in the intellij-idea skill.
Rate by reachability and the harm an attacker gains, not by which bucket the issue's name suggests. Severity drives the blocked gate, so a reachable medium outranks an unreachable critical.
Use Grep to search for dangerous code patterns during review:
| Pattern | What It Detects |
|---|---|
append|concat|format|printf|+.*html|\.write( in src/main/java/ | Unescaped output |
Runtime|ProcessBuilder|exec( in src/main/java/ | Shell execution |
enableDefaultTyping|JsonTypeInfo|WRAPPER_ARRAY in src/main/java/ | Unsafe Jackson config |
Files\.|FileWriter|FileOutputStream|BufferedWriter in src/main/java/ | File operations |
followLinks|NOFOLLOW in src/main/java/ | Symlink handling |
/tmp/ in src/main/java/ | System tmp usage (should use .scratch/tmp/) |
Run the dependency check when the project configures it:
./gradlew dependencyCheckAnalyze # OWASP Dependency-Check, if configured
./gradlew dependencies # resolved dependency tree
dependencyCheckAnalyze matches resolved artifacts against the NVD; judge each finding by reachability per § Severity Classification, not by raw score. Without the plugin, no NVD match runs in this review — the reviewer has no network access. Instead, read the framework versions (Spring Boot, Jackson) from the dependencies output and report them under a "not verified against the NVD" finding, so a human or CI closes the check. Report only checks that actually ran — an un-run check is "not run", never clean.
3plugins reuse this skill
First indexed Jul 17, 2026
npx claudepluginhub woditschka/agentic-coding-reference --plugin spring-boot-claudeSecurity review checklists for Java/Spring Boot apps covering path traversal, injection, credential handling, and input validation. Load when conducting security reviews.
Enforces security checklists and PR reviews for code handling user input, authentication, access control, cryptography, error handling, file uploads, and dependencies. Covers OWASP Top 10 and ASVS.
Audits codebases for vulnerabilities, OWASP Top 10 issues, and security anti-patterns. Checks Claude Code file denial settings first and invokes security subagent.