pradeepmouli/speckit-security-review-staged
.github/skills/speckit-security-review-staged/SKILL.md
Security review of staged changes only (git diff --cached)
$ install --global
skillsauthnpx skillsauth add pradeepmouli/lspeasy speckit-security-review-stagedInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 8:01 AM33.3s1 file scanned
SKILL.md
- name:
- speckit-security-review-staged
- description:
- Security review of staged changes only (git diff --cached)
- compatibility:
- Requires spec-kit project structure with .specify/ directory
- author:
- github-spec-kit
- source:
- extension:security-review
Security Review Staged Skill
Security Review — Staged Changes
User Input
$ARGUMENTS
Objective
Review only the code that is currently staged for commit — the output of git diff --cached. Do not review the rest of the codebase. Produce targeted security findings with severity, location, and remediation guidance.
Steps
- Run
git diff --cachedto retrieve the staged diff. - If the output is empty, stop and respond:
"No staged changes found. Stage files with
git addbefore running this command." - Analyze only the staged diff for security issues across these domains:
- Injection vulnerabilities (SQL, NoSQL, command, template)
- Hardcoded secrets or credentials
- Broken access control or missing authorization checks
- Cryptographic failures (weak algorithms, hardcoded keys)
- Security misconfiguration
- Input validation gaps
- Authentication or session weaknesses
- Insecure data handling
- Vulnerable or newly added dependencies
- Supply chain risks in newly added packages
- For each finding, report:
- Severity: Critical / High / Medium / Low / Informational
- Location: file path and line number from the diff
- OWASP Category: 2025 code (e.g.
A05:2025-Injection) - Description: what the issue is and why it matters
- Remediation: specific fix with corrected code example where applicable
- Spec-Kit Task:
TASK-SEC-NNNaction item
- Produce an Executive Summary section with total finding counts by severity.
- Explicitly confirm any patterns in the diff that appear secure.
When user input is provided via $ARGUMENTS, use it to prioritize specific concerns (e.g. "focus on secrets and injection") within the staged changes.
Output Format
Use the same report structure as the full audit command:
# SECURITY REVIEW REPORT — STAGED CHANGES
## Executive Summary
...
## Staged Diff Reviewed
(show files changed)
## Vulnerability Findings
### [SEVERITY] Title
**Location:** file:line
**OWASP Category:** AXX:2025-...
**Description:** ...
**Remediation:** ...
**Spec-Kit Task:** TASK-SEC-NNN
...
## Confirmed Secure Patterns
...
Related Skills
pradeepmouli/lsp-refactor
tools
VerifiedTrustedCommunity
Use for ANY rename, file-move, or move-symbol refactor — especially rename-heavy work across multiple files. Claude Code's built-in LSP tool is READ-ONLY (find references, but no rename / file-move / move-symbol). Hand-editing those refactors silently misses re-exports, aliased imports, type-only imports, and {@link} doc references. This skill drives a real language server via the `lspeasy` CLI to apply a correct WorkspaceEdit that catches every reference. Trigger when the user asks to rename a function/class/variable/type project-wide, move a file and fix its importers, or pull a symbol out into another module.
2SKILL.mdUpdated Jun 3, 2026
pradeepmouli/lspeasy-core
tools
VerifiedTrustedCommunity
Documentation site for lspeasy Use when: You are building a browser-based LSP client, a WebSocket-backed language....
2SKILL.mdUpdated Apr 17, 2026
pradeepmouli/lspeasy-client
tools
VerifiedTrustedCommunity
Documentation site for lspeasy Use when: You are implementing a custom client layer and need the same validation....
2SKILL.mdUpdated Apr 17, 2026
pradeepmouli/lspeasy
tools
VerifiedTrustedCommunity
Use when working with lspeasy (client, core, server). Covers: lsp, language-server-protocol, lsp-client, language-client, jsonrpc, transport, lsp-server, language-server.
1SKILL.mdUpdated Apr 25, 2026