pradeepmouli/speckit-security-review-staged
.agents/skills/speckit-security-review-staged/SKILL.md
Security review of staged changes only (git diff --cached)
$ install --global
skillsauthnpx skillsauth add pradeepmouli/rune-langium speckit-security-review-stagedInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 29, 2026, 11:04 PM4.3s1 file scanned
SKILL.md
- name:
- speckit-security-review-staged
- description:
- Security review of staged changes only (git diff --cached)
- compatibility:
- Requires spec-kit project structure with .specify/ directory
- author:
- github-spec-kit
- source:
- security-review:prompts/security-review-staged.prompt.md
Security Review — Staged Changes
User Input
$ARGUMENTS
Objective
Review only the code that is currently staged for commit — the output of git diff --cached. Do not review the rest of the codebase. Produce targeted security findings with severity, location, and remediation guidance.
Steps
- Run
git diff --cachedto retrieve the staged diff. - If the output is empty, stop and respond:
"No staged changes found. Stage files with
git addbefore running this command." - Analyze only the staged diff for security issues across these domains:
- Injection vulnerabilities (SQL, NoSQL, command, template)
- Hardcoded secrets or credentials
- Broken access control or missing authorization checks
- Cryptographic failures (weak algorithms, hardcoded keys)
- Security misconfiguration
- Input validation gaps
- Authentication or session weaknesses
- Insecure data handling
- Vulnerable or newly added dependencies
- Supply chain risks in newly added packages
- For each finding, report:
- Severity: Critical / High / Medium / Low / Informational
- Location: file path and line number from the diff
- OWASP Category: 2025 code (e.g.
A05:2025-Injection) - Description: what the issue is and why it matters
- Remediation: specific fix with corrected code example where applicable
- Spec-Kit Task:
TASK-SEC-NNNaction item
- Produce an Executive Summary section with total finding counts by severity.
- Explicitly confirm any patterns in the diff that appear secure.
When user input is provided via $ARGUMENTS, use it to prioritize specific concerns (e.g. "focus on secrets and injection") within the staged changes.
Output Format
Use the same report structure as the full audit command:
# SECURITY REVIEW REPORT — STAGED CHANGES
## Executive Summary
...
## Staged Diff Reviewed
(show files changed)
## Vulnerability Findings
### [SEVERITY] Title
**Location:** file:line
**OWASP Category:** AXX:2025-...
**Description:** ...
**Remediation:** ...
**Spec-Kit Task:** TASK-SEC-NNN
...
## Confirmed Secure Patterns
...
Related Skills
pradeepmouli/rune-langium
tools
VerifiedTrustedCommunity
Router skill for the rune-langium monorepo. Use it to choose the right package skill before working in core, cli, lsp-server, codegen, or visual-editor.
1SKILL.mdUpdated Apr 28, 2026
pradeepmouli/rune-langium
tools
VerifiedTrustedCommunity
Router skill for the rune-langium monorepo. Use it to choose the right package skill before working in core, cli, lsp-server, codegen, or visual-editor.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/rune-langium-visual-editor
tools
VerifiedTrustedCommunity
Langium port for Rune DSL tooling Use when working with rune, rosetta, dsl, langium, cdm, isda, drr, finos, language-server, lsp, visual-editor, reactflow.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/rune-langium-design-system
tools
VerifiedTrustedCommunity
Langium port for Rune DSL tooling Use when working with rune, rosetta, dsl, langium, cdm, isda, drr, finos, language-server, lsp, visual-editor, reactflow.
1SKILL.mdUpdated Apr 20, 2026