pradeepmouli/speckit-security-review-staged
.claude/skills/speckit-security-review-staged/SKILL.md
Security review of staged changes only (git diff --cached)
$ install --global
skillsauthnpx skillsauth add pradeepmouli/zod-to-form speckit-security-review-stagedInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 29, 2026, 11:39 PM5.0s1 file scanned
SKILL.md
- name:
- speckit-security-review-staged
- description:
- Security review of staged changes only (git diff --cached)
- compatibility:
- Requires spec-kit project structure with .specify/ directory
- author:
- github-spec-kit
- source:
- security-review:prompts/security-review-staged.prompt.md
Security Review — Staged Changes
User Input
$ARGUMENTS
Objective
Review only the code that is currently staged for commit — the output of git diff --cached. Do not review the rest of the codebase. Produce targeted security findings with severity, location, and remediation guidance.
Steps
- Run
git diff --cachedto retrieve the staged diff. - If the output is empty, stop and respond:
"No staged changes found. Stage files with
git addbefore running this command." - Analyze only the staged diff for security issues across these domains:
- Injection vulnerabilities (SQL, NoSQL, command, template)
- Hardcoded secrets or credentials
- Broken access control or missing authorization checks
- Cryptographic failures (weak algorithms, hardcoded keys)
- Security misconfiguration
- Input validation gaps
- Authentication or session weaknesses
- Insecure data handling
- Vulnerable or newly added dependencies
- Supply chain risks in newly added packages
- For each finding, report:
- Severity: Critical / High / Medium / Low / Informational
- Location: file path and line number from the diff
- OWASP Category: 2025 code (e.g.
A05:2025-Injection) - Description: what the issue is and why it matters
- Remediation: specific fix with corrected code example where applicable
- Spec-Kit Task:
TASK-SEC-NNNaction item
- Produce an Executive Summary section with total finding counts by severity.
- Explicitly confirm any patterns in the diff that appear secure.
When user input is provided via $ARGUMENTS, use it to prioritize specific concerns (e.g. "focus on secrets and injection") within the staged changes.
Output Format
Use the same report structure as the full audit command:
# SECURITY REVIEW REPORT — STAGED CHANGES
## Executive Summary
...
## Staged Diff Reviewed
(show files changed)
## Vulnerability Findings
### [SEVERITY] Title
**Location:** file:line
**OWASP Category:** AXX:2025-...
**Description:** ...
**Remediation:** ...
**Spec-Kit Task:** TASK-SEC-NNN
...
## Confirmed Secure Patterns
...
Related Skills
pradeepmouli/zod-to-form
tools
VerifiedTrustedCommunity
Use when working with zod-to-form (core, react, cli, codegen, vite).
1SKILL.mdUpdated May 10, 2026
pradeepmouli/zod-to-form-vite
tools
VerifiedTrustedCommunity
Vite plugin for zod-to-form — transforms ?z2f imports into generated form components and optionally replaces <ZodForm> JSX call sites with generated components at build time Use when: You want `import SignupForm from './signup.schema?z2f'` to Just Work in a.... Also: vite, vite-plugin, zod, zod-v4, codegen, forms, form-generation, schema-driven, react-hook-form, build-plugin, jsx-transform.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/zod-to-form-react
development
VerifiedTrustedCommunity
Runtime <ZodForm> renderer for Zod v4 schemas Use when: You need form rendering in storybook, playgrounds, or low-traffic admin UIs —.... Also: zod, zod-v4, react, forms, form-generation, react-hook-form, schema-driven, dynamic-forms, form-renderer, hookform-resolver, zod-form-renderer.
1SKILL.mdUpdated Apr 20, 2026
pradeepmouli/zod-to-form-core
development
VerifiedTrustedCommunity
Schema walker and processor registry for Zod v4 form generation Use when: You want per-field validation instead of whole-form validation. Also: zod, zod-v4, forms, form-generation, schema, schema-walker, processor-registry, react-hook-form, schema-driven, form-schema, zod-registry.
1SKILL.mdUpdated Apr 20, 2026