pradeepmouli/speckit-security-review-branch
.claude/skills/speckit-security-review-branch/SKILL.md
Security review of changes introduced on a branch compared to a base branch
$ install --global
skillsauthnpx skillsauth add pradeepmouli/rune-langium speckit-security-review-branchInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 29, 2026, 11:39 PM3.9s1 file scanned
SKILL.md
- name:
- speckit-security-review-branch
- description:
- Security review of changes introduced on a branch compared to a base
- compatibility:
- Requires spec-kit project structure with .specify/ directory
- author:
- github-spec-kit
- source:
- security-review:prompts/security-review-branch.prompt.md
Security Review — Branch Changes
User Input
$ARGUMENTS
Objective
Review only the code changes introduced between a target branch and a base branch — the output of git diff <base>..<target>. Do not review unchanged code in the full codebase. Produce targeted security findings with severity, location, and remediation guidance.
Steps
- Parse
$ARGUMENTSto extract:- target branch — the branch to review (required)
- base branch — the branch to compare against (default:
main) - Format:
<target>or<target> <base> - Examples:
feature/authorfeature/payment mainorfeature/payment develop - If no target branch is provided, ask the user to specify one before continuing.
- Run
git diff <base>..<target>to retrieve the branch diff. - If the output is empty, stop and respond:
"No differences found between
<base>and<target>. Ensure both branches exist and the target has commits not in the base." - Analyze only the diff for security issues across these domains:
- Injection vulnerabilities (SQL, NoSQL, command, template)
- Hardcoded secrets or credentials
- Broken access control or missing authorization checks
- Cryptographic failures (weak algorithms, hardcoded keys)
- Security misconfiguration
- Input validation gaps
- Authentication or session weaknesses
- Insecure data handling
- Vulnerable or newly added dependencies
- Supply chain risks in newly added packages
- For each finding, report:
- Severity: Critical / High / Medium / Low / Informational
- Location: file path and line number from the diff
- OWASP Category: 2025 code (e.g.
A05:2025-Injection) - Description: what the issue is and why it matters
- Remediation: specific fix with corrected code example where applicable
- Spec-Kit Task:
TASK-SEC-NNNaction item
- Produce an Executive Summary section with total finding counts by severity.
- Explicitly confirm any patterns in the diff that appear secure.
When user input contains additional instructions beyond branch names (e.g. "focus on auth flows"), use them to prioritize specific concerns within the diff.
Output Format
Use the same report structure as the full audit command:
# SECURITY REVIEW REPORT — BRANCH: <target> vs <base>
## Executive Summary
...
## Branch Diff Reviewed
Target: <target>
Base: <base>
(show files changed)
## Vulnerability Findings
### [SEVERITY] Title
**Location:** file:line
**OWASP Category:** AXX:2025-...
**Description:** ...
**Remediation:** ...
**Spec-Kit Task:** TASK-SEC-NNN
...
## Confirmed Secure Patterns
...
Related Skills
pradeepmouli/rune-langium
tools
VerifiedTrustedCommunity
Router skill for the rune-langium monorepo. Use it to choose the right package skill before working in core, cli, lsp-server, codegen, or visual-editor.
1SKILL.mdUpdated Apr 28, 2026
pradeepmouli/rune-langium
tools
VerifiedTrustedCommunity
Router skill for the rune-langium monorepo. Use it to choose the right package skill before working in core, cli, lsp-server, codegen, or visual-editor.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/rune-langium-visual-editor
tools
VerifiedTrustedCommunity
Langium port for Rune DSL tooling Use when working with rune, rosetta, dsl, langium, cdm, isda, drr, finos, language-server, lsp, visual-editor, reactflow.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/rune-langium-design-system
tools
VerifiedTrustedCommunity
Langium port for Rune DSL tooling Use when working with rune, rosetta, dsl, langium, cdm, isda, drr, finos, language-server, lsp, visual-editor, reactflow.
1SKILL.mdUpdated Apr 20, 2026