pradeepmouli/speckit-security-review-branch
.agents/skills/speckit-security-review-branch/SKILL.md
Security review of changes introduced on a branch compared to a base branch
$ install --global
skillsauthnpx skillsauth add pradeepmouli/zod-to-form speckit-security-review-branchInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 29, 2026, 11:38 PM9.0s1 file scanned
SKILL.md
- name:
- speckit-security-review-branch
- description:
- Security review of changes introduced on a branch compared to a base
- compatibility:
- Requires spec-kit project structure with .specify/ directory
- author:
- github-spec-kit
- source:
- security-review:prompts/security-review-branch.prompt.md
Security Review — Branch Changes
User Input
$ARGUMENTS
Objective
Review only the code changes introduced between a target branch and a base branch — the output of git diff <base>..<target>. Do not review unchanged code in the full codebase. Produce targeted security findings with severity, location, and remediation guidance.
Steps
- Parse
$ARGUMENTSto extract:- target branch — the branch to review (required)
- base branch — the branch to compare against (default:
main) - Format:
<target>or<target> <base> - Examples:
feature/authorfeature/payment mainorfeature/payment develop - If no target branch is provided, ask the user to specify one before continuing.
- Run
git diff <base>..<target>to retrieve the branch diff. - If the output is empty, stop and respond:
"No differences found between
<base>and<target>. Ensure both branches exist and the target has commits not in the base." - Analyze only the diff for security issues across these domains:
- Injection vulnerabilities (SQL, NoSQL, command, template)
- Hardcoded secrets or credentials
- Broken access control or missing authorization checks
- Cryptographic failures (weak algorithms, hardcoded keys)
- Security misconfiguration
- Input validation gaps
- Authentication or session weaknesses
- Insecure data handling
- Vulnerable or newly added dependencies
- Supply chain risks in newly added packages
- For each finding, report:
- Severity: Critical / High / Medium / Low / Informational
- Location: file path and line number from the diff
- OWASP Category: 2025 code (e.g.
A05:2025-Injection) - Description: what the issue is and why it matters
- Remediation: specific fix with corrected code example where applicable
- Spec-Kit Task:
TASK-SEC-NNNaction item
- Produce an Executive Summary section with total finding counts by severity.
- Explicitly confirm any patterns in the diff that appear secure.
When user input contains additional instructions beyond branch names (e.g. "focus on auth flows"), use them to prioritize specific concerns within the diff.
Output Format
Use the same report structure as the full audit command:
# SECURITY REVIEW REPORT — BRANCH: <target> vs <base>
## Executive Summary
...
## Branch Diff Reviewed
Target: <target>
Base: <base>
(show files changed)
## Vulnerability Findings
### [SEVERITY] Title
**Location:** file:line
**OWASP Category:** AXX:2025-...
**Description:** ...
**Remediation:** ...
**Spec-Kit Task:** TASK-SEC-NNN
...
## Confirmed Secure Patterns
...
Related Skills
pradeepmouli/zod-to-form
tools
VerifiedTrustedCommunity
Use when working with zod-to-form (core, react, cli, codegen, vite).
1SKILL.mdUpdated May 10, 2026
pradeepmouli/zod-to-form-vite
tools
VerifiedTrustedCommunity
Vite plugin for zod-to-form — transforms ?z2f imports into generated form components and optionally replaces <ZodForm> JSX call sites with generated components at build time Use when: You want `import SignupForm from './signup.schema?z2f'` to Just Work in a.... Also: vite, vite-plugin, zod, zod-v4, codegen, forms, form-generation, schema-driven, react-hook-form, build-plugin, jsx-transform.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/zod-to-form-react
development
VerifiedTrustedCommunity
Runtime <ZodForm> renderer for Zod v4 schemas Use when: You need form rendering in storybook, playgrounds, or low-traffic admin UIs —.... Also: zod, zod-v4, react, forms, form-generation, react-hook-form, schema-driven, dynamic-forms, form-renderer, hookform-resolver, zod-form-renderer.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/zod-to-form-core
development
VerifiedTrustedCommunity
Schema walker and processor registry for Zod v4 form generation Use when: You want per-field validation instead of whole-form validation. Also: zod, zod-v4, forms, form-generation, schema, schema-walker, processor-registry, react-hook-form, schema-driven, form-schema, zod-registry.
1SKILL.mdUpdated Apr 20, 2026