pradeepmouli/speckit-security-review-branch
.agents/skills/speckit-security-review-branch/SKILL.md
Security review of changes introduced on a branch compared to a base branch
$ install --global
skillsauthnpx skillsauth add pradeepmouli/lspeasy speckit-security-review-branchInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:51 PM1.8s1 file scanned
SKILL.md
- name:
- speckit-security-review-branch
- description:
- Security review of changes introduced on a branch compared to a base
- compatibility:
- Requires spec-kit project structure with .specify/ directory
- author:
- github-spec-kit
- source:
- security-review:prompts/security-review-branch.prompt.md
Security Review — Branch Changes
User Input
$ARGUMENTS
Objective
Review only the code changes introduced between a target branch and a base branch — the output of git diff <base>..<target>. Do not review unchanged code in the full codebase. Produce targeted security findings with severity, location, and remediation guidance.
Steps
- Parse
$ARGUMENTSto extract:- target branch — the branch to review (required)
- base branch — the branch to compare against (default:
main) - Format:
<target>or<target> <base> - Examples:
feature/authorfeature/payment mainorfeature/payment develop - If no target branch is provided, ask the user to specify one before continuing.
- Run
git diff <base>..<target>to retrieve the branch diff. - If the output is empty, stop and respond:
"No differences found between
<base>and<target>. Ensure both branches exist and the target has commits not in the base." - Analyze only the diff for security issues across these domains:
- Injection vulnerabilities (SQL, NoSQL, command, template)
- Hardcoded secrets or credentials
- Broken access control or missing authorization checks
- Cryptographic failures (weak algorithms, hardcoded keys)
- Security misconfiguration
- Input validation gaps
- Authentication or session weaknesses
- Insecure data handling
- Vulnerable or newly added dependencies
- Supply chain risks in newly added packages
- For each finding, report:
- Severity: Critical / High / Medium / Low / Informational
- Location: file path and line number from the diff
- OWASP Category: 2025 code (e.g.
A05:2025-Injection) - Description: what the issue is and why it matters
- Remediation: specific fix with corrected code example where applicable
- Spec-Kit Task:
TASK-SEC-NNNaction item
- Produce an Executive Summary section with total finding counts by severity.
- Explicitly confirm any patterns in the diff that appear secure.
When user input contains additional instructions beyond branch names (e.g. "focus on auth flows"), use them to prioritize specific concerns within the diff.
Output Format
Use the same report structure as the full audit command:
# SECURITY REVIEW REPORT — BRANCH: <target> vs <base>
## Executive Summary
...
## Branch Diff Reviewed
Target: <target>
Base: <base>
(show files changed)
## Vulnerability Findings
### [SEVERITY] Title
**Location:** file:line
**OWASP Category:** AXX:2025-...
**Description:** ...
**Remediation:** ...
**Spec-Kit Task:** TASK-SEC-NNN
...
## Confirmed Secure Patterns
...
Related Skills
pradeepmouli/lsp-refactor
tools
VerifiedTrustedCommunity
Use for ANY rename, file-move, or move-symbol refactor — especially rename-heavy work across multiple files. Claude Code's built-in LSP tool is READ-ONLY (find references, but no rename / file-move / move-symbol). Hand-editing those refactors silently misses re-exports, aliased imports, type-only imports, and {@link} doc references. This skill drives a real language server via the `lspeasy` CLI to apply a correct WorkspaceEdit that catches every reference. Trigger when the user asks to rename a function/class/variable/type project-wide, move a file and fix its importers, or pull a symbol out into another module.
2SKILL.mdUpdated Jun 3, 2026
pradeepmouli/lspeasy-core
tools
VerifiedTrustedCommunity
Documentation site for lspeasy Use when: You are building a browser-based LSP client, a WebSocket-backed language....
2SKILL.mdUpdated Apr 17, 2026
pradeepmouli/lspeasy-client
tools
VerifiedTrustedCommunity
Documentation site for lspeasy Use when: You are implementing a custom client layer and need the same validation....
2SKILL.mdUpdated Apr 17, 2026
pradeepmouli/lspeasy
tools
VerifiedTrustedCommunity
Use when working with lspeasy (client, core, server). Covers: lsp, language-server-protocol, lsp-client, language-client, jsonrpc, transport, lsp-server, language-server.
1SKILL.mdUpdated Apr 25, 2026