michaelalber/security-review-federal
skills/team/security-review-federal/SKILL.md
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
development
Updated Jun 4, 2026
$ install --global
skillsauthnpx skillsauth add michaelalber/ai-toolkit security-review-federalInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 8:51 AM213.1s7 files scanned
SKILL.md
- name:
- security-review-federal
- audience:
- team
- description:
- >
- (dotnet/python/php/rust/react). Language-agnostic:
- adds NIST SP 800-53 control mapping, FIPS 140-2/3
Security Review — Federal Overlay
"Compliance is the floor, not the ceiling." — NIST Cybersecurity Framework guidance
Core Philosophy
This is a language-agnostic federal overlay, not a standalone review. It assumes the OWASP Top 10
baseline has already been covered by a base <lang>-security-review (.NET / Python / PHP / Rust / React)
and adds the regulatory, cryptographic, and procedural requirements of U.S. federal systems —
particularly DOE and national-laboratory environments.
Non-negotiables:
- Base review first, always. Run the matching
<lang>-security-review; OWASP coverage is a prerequisite. A federal review that skips the baseline is incomplete. - NIST SP 800-53 Rev 5 is the framework. Every finding maps to a control family (AC, IA, SC, AU, SI, …).
- Compliance is legally binding. FISMA, FIPS, EO 14028 — gaps can revoke an ATO. Findings are POA&M entries, not suggestions.
Workflow
Shared skeleton: CONFIRM BASE → MAP → ASSESS → REPORT.
CONFIRM BASE Verify a base <lang>-security-review ran and its findings are available. If not, run it first.
MAP Map every base finding to its NIST SP 800-53 control family (references/nist-800-53-mapping.md).
Assign a FIPS 199 impact level (Low/Moderate/High) by data sensitivity.
ASSESS Apply the four federal dimensions below; each gap is a new finding with a control ID.
REPORT Emit the POA&M (references/poam-template.md) + federal executive summary with impact levels.
Federal Dimensions
| Dimension | What to verify | Control family | |---|---|---| | NIST 800-53 mapping | Every finding cites the control it violates; missing controls flagged | AC · IA · SC · AU · SI · CM | | FIPS 140-2/3 crypto | Only FIPS-validated modules/algorithms for security functions (per-language table below); no MD5/SHA1/DES; approved RNG | SC-13 | | CUI handling | CUI not in logs, dev/test data, or error output; encrypted in transit (TLS 1.2+) and at rest; access-controlled (references/cui-handling.md) | MP · SC · AC | | EO 14028 supply chain | SBOM produced; dependencies provenance-checked; signed artifacts | SR · SA | | DOE Order 205.1B | DOE cybersecurity program requirements where applicable (references/doe-cybersecurity.md) | PM |
FIPS 140-2/3 crypto — per-language approved usage
| Language | Use (FIPS-validated) | Avoid for security functions |
|----------|----------------------|------------------------------|
| .NET | CNG / System.Security.Cryptography in FIPS mode; Aes, SHA256+, RandomNumberGenerator | MD5, SHA1, DES, RNGCryptoServiceProvider deprecated paths |
| Python | cryptography in FIPS mode; hashlib SHA-256+; secrets/os.urandom | hashlib.md5/sha1 for security, random for tokens |
| PHP | openssl_* with AES-GCM, sodium_*, password_hash (Argon2id) | md5, sha1, mcrypt, mt_rand/uniqid |
| Rust | ring / rustls / aws-lc-rs (FIPS module); sha2, getrandom | custom crypto, md5/sha1 crates for security |
| React/TS | Do crypto server-side behind FIPS-validated TLS; crypto.getRandomValues / Web Crypto only for non-secret nonces; tokens in httpOnly cookies | any client-side encryption/hashing as a security control, Math.random for tokens, secrets shipped in the bundle (VITE_/NEXT_PUBLIC_) |
Deeper FIPS module/algorithm detail: fips crypto requirements.
Output Template
Federal executive templates: federal executive templates.
## Federal Security Review — [System]
**Base review**: [<lang>-security-review, date] · **Categorization (FIPS 199)**: [Low/Moderate/High]
**Frameworks**: NIST SP 800-53 Rev 5 · FIPS 140-2/3 · EO 14028 · DOE 205.1B
### Executive Summary
[Posture vs ATO. The most serious compliance gap in plain language. Recommendation.]
### POA&M (Plan of Action & Milestones)
| ID | Weakness | NIST Control | Severity | Impact | Remediation | Milestone |
|----|----------|--------------|----------|--------|-------------|-----------|
| P-01 | [finding] | SC-13 | High | Moderate | [fix] | [date] |
Full POA&M format: poam template.
AI Discipline Rules
- Never run alone. If no base
<lang>-security-reviewhas been performed, run it first — this overlay maps and extends it; it does not replace OWASP coverage. - Every finding gets a control ID. "Weak crypto" is not a federal finding; "SC-13 violation: SHA1 used for token signing at
auth.py:88" is. - FIPS is about validated modules, not just strong algorithms. AES in a non-validated library is still a FIPS gap in a federal context.
- CUI is the high-stakes data class. Treat any CUI in logs, test fixtures, or error output as a Critical finding.
Integration with Other Skills
dotnet/python/php/rust-security-review — The required base review this overlay extends; run one first.supply-chain-audit— SBOM / provenance / CVE depth for the EO 14028 dimension.dotnet-security-review-federal/python-security-review-federal— Superseded by this shared overlay (removed 2026-06-03).
Related Skills
michaelalber/react-security-review
tools
VerifiedTrustedCommunity
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-modernization-analyzer
tools
VerifiedTrustedCommunity
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-feature-slice
development
VerifiedTrustedCommunity
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-component-scaffolder
development
VerifiedTrustedCommunity
Scaffolds a single React / TypeScript component or route with a typed props interface, a co-located React Testing Library test, an accessibility baseline, and an optional Storybook story. React analog of fastapi-scaffolder — the component/route is the front-end "unit". Use when creating a new React component, adding a route/page, generating a typed presentational or container component, or standing up a component with its test and story. Triggers on phrases like "scaffold react component", "create react component", "new react component", "add react route", "react page component", "react component with test", "react storybook component".
SKILL.mdUpdated Jun 4, 2026